Slashdot Mirror


Congress Introduces Bill To Improve 'Internet of Things' Security (cnet.com)

Members of the US Senate and House of Representatives introduced the Internet of Things Cybersecurity Improvement Act on Monday, hoping to bring legislative action to the emerging technology. From a report: Connected devices are expected to boom to 20.4 billion units by 2020, but they don't all have the same levels of security. Hackers often target IoT devices that don't have built-in security, leading to problems like default passwords and vulnerabilities that can't be fixed. [...] Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses. "While I'm excited about their life-changing potential, I'm also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security," Sen. Mark Warner, a Democrat from Virginia, said in a statement.

9 of 54 comments

  1. Do you really think Congress will legislate this? by Snotnose · Score: 2

    Best case, they require a password to admin accounts. Worst case, jeez, I can't imagine. We'll start with IoT vendors who pay the most $$$ to re-election campaigns. And go downhill from there.

  2. Not for everyone. by SeaFox · Score: 2

    Hackers often target IoT devices that don't have built-in security, leading to problems like default passwords and vulnerabilities that can't be fixed. [...] Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses.

    This will become nothing more than special "government edition" and "consumer edition" product lines of the exact same item, just with different firmware. Remember the $600 hammer? Now there will be an actual justifiable difference between the product bought on government contract and the same item at a fraction of the price at Wal-Mart.

    1. Re:Not for everyone. by geekmux · Score: 2

      Hackers often target IoT devices that don't have built-in security, leading to problems like default passwords and vulnerabilities that can't be fixed. [...] Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses.

      This will become nothing more than special "government edition" and "consumer edition" product lines of the exact same item, just with different firmware.

      I find it hard to believe that vendors will create separate development lines for these products. I guarantee you the "minimum" standard won't be hard to implement, and you could probably sell hardware easily to civilians with some bullshit marketing like US Tested, Government Approved.

      Remember the $600 hammer? Now there will be an actual justifiable difference between the product bought on government contract and the same item at a fraction of the price at Wal-Mart.

      Sorry, but your own example tends to invalidate your argument. There's nothing inherently different between a $6 hammer and a $600 one, proving you don't need "government edition" anything to create that stupidity.

    2. Re:Not for everyone. by freeze128 · Score: 2

      Insecure IoT devices are a threat to EVERYONE, including the federal government, regardless of if they are used by the government or not.

  3. Re:Do you really think Congress will legislate thi by youngone · Score: 2

    Worst case will be some senators getting some nice backhanders for supporting this.
    Oh, hang on that's just business as usual.
    Best government money can buy all right.

  4. The "S" in "IoT" ... by kenwd0elq · Score: 4, Informative

    The "S" in "IoT" stands for "Security". As in, there ain't none.

    Yes, having a default password already applied to all IoT devices would be a great idea, as long as the instructions on "HOW TO CHANGE THE DEFAULT PASSWORD" were printed in at least 24-point type. For appliances, the instructions should be printed on a sticker (same typeface) across the front of the device.

    Beyond that .... the users need to be afraid of IoT devices and be concerned that they could be hacked. Because they all will be.

    1. Re:The "S" in "IoT" ... by torstenvl · Score: 4, Interesting

      The default password should be randomly generated and included as a sticker in the packaging, like when you buy a combination lock. That way each device will have a random, unique password from the start. You'd have to go out of your way to make it admin/admin.
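
The per-device random default password described in the comment above, sketched as a factory provisioning step. This is an added example, not part of the original thread; the function names, sticker alphabet, password length, PBKDF2 parameters and serial numbers are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import secrets

# Assumption: alphabet without look-alike characters (0/O, 1/l/I) so the
# password printed on the sticker can be typed reliably.
LABEL_ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PASSWORD_LENGTH = 12      # assumption; about 69 bits with this alphabet
PBKDF2_ROUNDS = 200_000   # assumption; tune to the device's CPU


def entropy_bits(length=PASSWORD_LENGTH):
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(len(LABEL_ALPHABET))


def provision_device(serial):
    """Factory step: return (sticker_password, record_to_flash).

    The plaintext goes only on the sticker; the firmware image gets a salted
    hash, so dumping one device's flash reveals nothing about any other unit.
    """
    password = "".join(secrets.choice(LABEL_ALPHABET) for _ in range(PASSWORD_LENGTH))
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return password, {"serial": serial, "salt": salt.hex(), "hash": digest.hex()}


def check_login(record, attempt):
    """Device side: verify an attempt against the flashed record."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    for serial in ("SN-0001", "SN-0002"):  # constructed serial numbers
        sticker, record = provision_device(serial)
        print(serial, "sticker:", sticker, "flashed hash:", record["hash"][:16] + "...")
        print("  'admin' accepted?", check_login(record, "admin"))
```
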

  5. Re:Do you really think Congress will legislate thi by mentil · Score: 5, Insightful

    Almost certainly this will be a checklist, like PCI DSS compliance for credit card processors. Just like it is there, it will ensure you have a lock on the door, the window is closed, and a fence is around the perimeter... but does nothing to ensure the fence isn't made from tissue paper or that there isn't a large gap in the wall right next to the door.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.

  6. Re:Do you really think Congress will legislate thi by supremebob · Score: 3, Insightful

    Knowing the current state of Congress, they'll require a third-party auditor to "certify" all new IoT products before allowing their sale in the US.

    The list of third-party auditors will probably closely match the list of corporate donors who sponsored the bill.

    I'm sure that the open source people will love jumping through this extra regulatory hoop and paying the required fees toll before getting their product on the market.