US senators set to introduce IoT security bill

James Pearce

The Internet of Things Cybersecurity Improvement Act will seek to address basic vulnerabilities found in internet of things devices

US senators are set to introduce a bill that would address basic vulnerabilities in internet of things (IoT) devices by mandating minimum security standards.

The bill, which is set to be introduced by a bipartisan group of senators, would require vendors selling IoT devices to the US federal government to ensure that their products can receive security patches and that any passwords they ship with can be changed.

The Internet of Things Cybersecurity Improvement Act is being sponsored by Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden, with input from technology experts at the Atlantic Council and Harvard University, according to Reuters.

This year, more than 10 billion devices will connect to networks around the world, and that number is expected to grow ten-fold over the coming years, according to Nokia. With that growth comes a larger attack surface: many IoT devices ship with factory-default credentials and no reliable way to receive updates, and several classes of device have already been compromised at scale.

One example is Mirai. Mirai is malware that scans for consumer devices such as IP cameras and home routers, logs in using factory-default usernames and passwords, and conscripts the compromised devices into a botnet used to launch DDoS attacks. It was linked to numerous attacks last year, and a Mirai variant knocked an estimated 900,000 Deutsche Telekom routers offline in November.

The senators are taking the "lightest touch possible" with the legislation, Warner told Reuters. The bill will include exceptions under which the US Office of Management and Budget can permit non-compliant devices when compensating controls are in place, such as isolating the device on a separate network segment (what Warner described as network fencing).

A Tripwire principal security engineer said the bill could help to resolve some of the known issues currently plaguing IoT devices, but he identified two further issues to address going forward.

"I put IoT devices into three buckets when it comes to patching. The best bucket to be in are devices which automatically detect new updates and install them without any user involvement. This is the strategy which should be strived for amongst all IoT vendors. The next is optional patches, which is what this bill will most likely mandate. Finally, there are the devices which do not receive any patches, intentionally or not.

"Along the same lines as having users install patches is getting them to change their passwords. The reason Mirai was so successful was not because users could not change their password, but because they chose not to when installing the device. I would urge this bill to add that devices should force the user to change the default password, and that the default password should be unique to each device as well."

For an analysis of the risks around IoT security, see issue 153 of GTB.