A Senate bill introduced today would prioritize security in connected devices, requiring vendors that sell to the U.S. government to implement measures that would have impeded the IoT botnet-fueled DDoS attacks against DNS provider Dyn and web host OVH.
The Internet of Things Cybersecurity Improvement Act provides stringent guidance for the security of connected devices starting with mandates that they not contain known hardware, software or firmware vulnerabilities and also that the device have a mechanism for accepting trusted security updates from the vendor.
The act, introduced by Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-OR) and Steve Daines (R-MT), would also require the use of industry-standard protocols for communication, encryption and peripheral connections. Vendors would also no longer be able to ship devices with hardcoded credentials, the fixed usernames and passwords commonly embedded in firmware to enable remote administration and which the device owner cannot change.
The DDoS attacks against OVH and Dyn were a gut punch for the industry: giant botnets of compromised IP cameras and DVRs caused outages that knocked major consumer and business services such as Twitter and Netflix offline.
The Mirai malware was at the core of those attacks. Following the public release of the malware's source code, numerous Mirai-related attacks and variants were detected. The malware scans the public internet for connected devices exposing Telnet, then works through a list of dozens of known default and weak credentials trying to log in to the router, camera or DVR. Each device it breaks into is added to the botnet and used in DDoS attacks.
Had requirements like those in the IoT Cybersecurity Improvement Act, which targets exactly these shortcomings in credentials and update mechanisms, been in place, many of those device compromises could have been avoided, at least for devices sold to the government.
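The credential-guessing behaviour described above leaves a distinctive trace in a device's or honeypot's login log: one source trying many different vendor-default username/password pairs within seconds. The following Python is an added example written for this page, not code from the article or from Mirai itself. It assumes a simple constructed log line format (timestamp, source IP, service, user, password, result) and uses a small illustrative subset of default credential pairs; the real list in the leaked Mirai source is longer, and the sample log lines and IP addresses are constructed.

```python
"""Flag Mirai-style default-credential scanning in login records.

Added example for this article. Assumptions: the log format below is
constructed for illustration, and DEFAULT_CREDS is a small illustrative
subset of vendor-default pairs, not the complete Mirai dictionary.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative subset of default credential pairs (assumption: not the full list).
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("support", "support"), ("root", "root"), ("admin", "1234"),
    ("user", "user"), ("admin", "password"), ("root", "12345"),
}

# Constructed log format: "<iso-timestamp> <src-ip> <service> user=<u> pass=<p> OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) (?P<svc>telnet|ssh) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S*) (?P<result>OK|FAIL)$"
)

# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
2016-10-21T11:00:01 203.0.113.7 telnet user=root pass=xc3511 FAIL
2016-10-21T11:00:01 203.0.113.7 telnet user=root pass=vizxv FAIL
2016-10-21T11:00:02 203.0.113.7 telnet user=admin pass=admin FAIL
2016-10-21T11:00:02 203.0.113.7 telnet user=root pass=888888 FAIL
2016-10-21T11:00:03 203.0.113.7 telnet user=root pass=default OK
2016-10-21T11:00:09 198.51.100.4 ssh user=alice pass=hunter2 FAIL
2016-10-21T11:00:14 198.51.100.4 ssh user=alice pass=correct-horse OK
2016-10-21T11:01:30 192.0.2.9 telnet user=root pass=admin FAIL
2016-10-21T11:20:00 192.0.2.9 telnet user=root pass=admin FAIL
"""


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "src": d["src"],
            "cred": (d["user"], d["pw"]),
            "ok": d["result"] == "OK",
        })
    return events


def detect_scanners(events, window=timedelta(seconds=60), threshold=3):
    """Return {src: {"distinct_defaults": n, "compromised": bool}} for every
    source that tried at least `threshold` distinct default credential pairs
    inside any `window`-long interval. A single default pair retried slowly
    (a forgetful admin) does not trip the detector; a burst of different
    vendor defaults does. `compromised` records whether any default pair
    actually succeeded, which is the case that needs an immediate response."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        default_evs = sorted(
            (e for e in evs if e["cred"] in DEFAULT_CREDS), key=lambda e: e["ts"]
        )
        best = 0
        for i, start in enumerate(default_evs):
            seen = set()
            for e in default_evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                seen.add(e["cred"])
            best = max(best, len(seen))
        if best >= threshold:
            findings[src] = {
                "distinct_defaults": best,
                "compromised": any(e["ok"] for e in default_evs),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_defaults']} distinct default creds tried, "
              f"compromised={info['compromised']}")
```

On the sample input only 203.0.113.7 is flagged: it tried five different default pairs in two seconds and the last one succeeded, which is exactly the dictionary run Mirai performs. The SSH user with two non-default passwords and the host that retried a single default pair twenty minutes apart are left alone. The same logic applies to any login source; the thresholds are starting points, not tuned values.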
“My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products,” Warner said.
Security expert Bruce Schneier was among the first to argue that the IoT security problem had gone too far for the market alone to fix, and that legislation was inevitable. During testimony before a House committee last November, Schneier said market pressure was not enough to address the risks posed by insecure IoT devices, and he even suggested that innovation might have to suffer as a result.
“The risks are no longer solely about data; they affect flesh and steel,” Schneier said in a statement. “The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests. I applaud Senator Warner and his cosponsors for nudging the market in the right direction by establishing thorough, yet flexible, security requirements for connected devices purchased by the government.”
The act would also exempt white hats looking for vulnerabilities in IoT devices from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act. It would also direct the Department of Homeland Security's National Protection and Programs Directorate to provide coordinated vulnerability disclosure guidelines for contractors.
“This bill is designed to let researchers look for critical vulnerabilities in devices purchased by the government without fear of prosecution or being dragged to court by an irritated company,” Wyden said. “Enacting this bill would also help stop botnets that take advantage of internet-connected devices that are currently ludicrously easy prey for criminals.”