Congress may be about to apply some real pressure to hardware manufacturers and software makers whose IoT devices are forming the spine of a new, wildly insecure global network. A bill introduced Tuesday in the Senate would require IoT makers to guarantee that any devices sold to federal agencies are patchable and don’t contain any known security flaws or hardcoded credentials, three of the main problems with such devices.
The bill provides a number of clauses that would have to appear in sales contracts with federal agencies, language that explicitly lays out the the security capabilities IoT devices must have. The key provision is one that requires the vendor to certify that its device doesn’t have any known vulnerabilities at the time of the sale.
“A clause that requires the contractor providing the Internet-connected device to provide written certification that the device—(I) except as provided under clause (ii), does not contain, at the time of submitting the proposal, any hardware, software, or firmware component with any known security vulnerabilities or defects listed in—(aa) the National Vulnerability Database of NIST; and (bb) any additional database selected by the Director that tracks security vulnerabilities and defects, is credible, and is similar to the National Vulnerability Database,” the bill says.
IoT security has been a major focus of both Capitol Hill and the security community of late, especially in the wake of the Mirai botnet disaster from earlier this year. One of the key issues with embedded devices is that they’re notoriously difficult to patch, if it’s possible at all. Some devices don’t even have update mechanisms, and some vendors don’t produce updates to fix flaws when they’re discovered. So devices that come out of the box with vulnerable firmware are immediately open to attack and may remain that way forever.
“I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards.”
“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” said Sen. Mark Warner (D-Va.), one of the sponsors of the bill.
“This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
The bill also would require vendors to ensure their devices don’t use hardcoded credentials for remote administration or updates, a weakness that many pieces of IoT malware, including Mirai, have exploited. Significantly, the IoT Cybersecurity Improvement of 2017, as the bill is known, also would create an exemption in the existing Computer Fraud and Abuse Act for security research on IoT devices.
The exemption would protect researchers who ‘‘(1) in good faith, engaged in researching the cybersecurity of an Internet-connected device of the class, model, or type provided by a contractor to a department or agency of the United States; and (2) acted in compliance with the guidelines required to be issued by the National Protection and Programs Directorate, and adopted by the contractor described in paragraph (1), under section 3(b) of the Internet of Things (IoT) Cybersecurity Improvement Act of 2017.’’
The right to conduct security research on IoT devices has been an issue for several years, as many of them are only used in limited situations, are difficult to reach, and many not be available to researchers. Some IoT manufacturers also have reacted less than enthusiastically to researchers who find bugs in their devices. The bill would provide a similar exemption for research under the Digital Millennium Copyright Act.