I have written about the insecurities of the Internet of Things on several occasions in earlier posts. Recently, four US Senators decided to do something about it, and with the help of the Atlantic Council and Harvard University have drafted a bill outlining minimum security requirements for IoT device purchases by US Federal agencies. The bill is bipartisan, proposed by two Republican Senators – Steve Daines (MT) and Cory Gardner (CO) – and two Democrats – Mark Warner (VA) and Ron Wyden (OR). The proposed legislation is to be known as the Internet of Things Cybersecurity Improvement Act of 2017. It is a good start, and examining its provisions provides insight into many IoT device security vulnerabilities and their solutions.
The proposed legislation stipulates the following requirements for IoT devices:
- The device must contain no known vulnerabilities listed in the NIST National Vulnerability Database. A waiver can be applied for in respect of known vulnerabilities, specifying mitigation measures and a justification for secure use. Vulnerabilities which subsequently arise must be disclosed, a commitment made to develop a timely fix, and an update provided where appropriate.
- The device must be capable of accepting properly authenticated updates from the vendor.
- The device must use only non-deprecated, industry-standard protocols for communications and encryption.
- The device must not contain hard-coded credentials for remote administration or communication.
These provisions provide insight into some of the security issues with too many IoT devices in the past – such as devices which are unable to accept software updates, the use of proprietary encryption routines, hard-coded default login credentials, etc.
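As an added illustration of what "properly authenticated updates" means in practice (this is example code, not part of the original post or of the bill), the following Go program shows a device accepting a firmware image only if it is signed by the vendor's key and carries a version newer than the one installed, so a tampered, re-signed-by-a-stranger or replayed image is rejected. The vendor key pair and the firmware bytes are constructed in the program; the device itself holds only the vendor's public key, which is not a credential in the bill's sense.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateImage is what the vendor ships; the device holds only the vendor's public key.
type UpdateImage struct {
	Version   uint32 // monotonic; images not newer than the installed one are rejected
	Firmware  []byte
	Signature []byte // Ed25519 signature over version || SHA-256(firmware)
}

// signedMessage binds the version to the firmware hash so neither can be swapped alone.
func signedMessage(version uint32, firmware []byte) []byte {
	h := sha256.Sum256(firmware)
	msg := make([]byte, 4, 4+len(h))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, h[:]...)
}

// SignUpdate is the vendor side: the private key never leaves the vendor.
func SignUpdate(priv ed25519.PrivateKey, version uint32, firmware []byte) UpdateImage {
	sig := ed25519.Sign(priv, signedMessage(version, firmware))
	return UpdateImage{Version: version, Firmware: firmware, Signature: sig}
}

// VerifyUpdate is the device side: accept only a vendor-signed image newer than installed.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, img UpdateImage) error {
	if !ed25519.Verify(pub, signedMessage(img.Version, img.Firmware), img.Signature) {
		return errors.New("rejected: signature does not verify under the vendor key")
	}
	if img.Version <= installed {
		return errors.New("rejected: version is not newer than installed (rollback)")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	img := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine v2 on a v1 device:", VerifyUpdate(pub, 1, img)) // <nil>
	fmt.Println("same v2 replayed on a v2 device:", VerifyUpdate(pub, 2, img))
}
```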
The proposed legislation defines IoT devices broadly, as physical objects in regular connection with the internet that have computer processing capabilities capable of collecting, sending or receiving data. It also requires executive agency heads to establish and maintain an inventory of the IoT devices used within their agency. The bill further provides protection, in some narrow situations (where the IoT device is supplied to a US agency by a contractor), for security researchers working in good faith to probe IoT devices so that manufacturers can make security improvements.
Legislation is inflexible and notoriously slow to adapt, and there are definite limits to what it can accomplish. Even so, although the proposed bill applies only to US government purchases, its guidelines will no doubt prove useful in other areas as well. The guidelines reflect a recognition of the threats inherent in IoT devices. It is also important to remember that the proposed bill defines only minimum standards – IoT device manufacturers should not merely aspire to achieve minimums.
The Senators have done a good job with this bill. It is a great start for an industry where manufacturers have been under pressure to get product to market as quickly as possible and security has often been only an afterthought. We should not be connecting devices that cannot be secured at least to a minimum level.