Congress to smart device makers: Your security sucks – CNET


Congress proposed a bill to up the security on IoT devices.

James Martin/CNET

Congress wants to fix the notorious security problems associated with the internet of things — at least for themselves.

On Tuesday, Sens. Mark Warner, Cory Gardner, Ron Wyden and Steve Daines introduced the “Internet of Things Cybersecurity Improvement Act” (PDF), a bill that would force tech companies to ramp up security if they want to sell connected devices to the federal government.

While analysts expect there to be 20.4 billion IoT devices around the world by 2020, security on internet-connected devices hasn’t kept pace with the market’s growth. Gadget makers tend to make IoT devices as simple as possible, which often means sacrificing security. 

The trade-off has meant that thousands of IoT devices — everything from connected security cameras to sex toys to baby monitors — can be easily hacked. The senators’ proposed bill attempts to ensure that vulnerable devices never end up being used by the federal government.

The bill would require that IoT devices sold to the federal government be patchable and not use hard-coded passwords. The last part is important because connected devices often ship with passwords like “admin” that are easy for hackers to guess and that can’t be changed. Thanks to thousands of cameras and DVRs with hard-coded passwords, a massive distributed denial of service attack, or DDoS, was able to take down a major portion of the internet last October.

“My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products,” Warner said.

The bill would also block any IoT devices with known security issues, and require device makers to patch any new flaws. Security researchers who hack IoT devices used by the federal government in order to find new flaws would be exempt from the Computer Fraud and Abuse Act, which has been used to charge hackers.

The proposed bill is only meeting the “bare minimum standard” for IoT security, but it’s better than nothing, said Tyler Shields, the vice president of strategy at security company Signal Sciences.

Being able to patch a device isn’t exactly advanced security, he pointed out. In the long term, he said, no bare minimum legislation has ever been able to solve all security issues.

The proposed security standards would only apply to the federal government, which mainly uses IoT devices to cut costs, according to the Center for Data Innovation. The General Services Administration’s buildings saved $15 million in 2016 thanks to sensors that collect data on energy use. The federal government also uses IoT devices for scientific research. For example, the Centers for Disease Control uses connected devices to monitor mining environments, and the National Oceanic and Atmospheric Administration has sensors to study whale migrations and underwater volcanoes.

“Will this make IoT secure as a final point? Absolutely not, in no way,” Shields said. “What it will do, is set a bare minimum for the government. Hopefully it sets a standard for the commercial sectors too.”
