US Senators Steve Daines, Cory Gardner, Mark Warner, and Ron Wyden introduced the Internet of Things Cybersecurity Improvement Act of 2017 in an effort to fix the problems that led to the creation of the Mirai botnet, which took down Dyn’s DNS servers late last year. The problem is, this bill sets the bar really, really low.
The bill calls for four requirements:
1. IoT Vendors would have to ensure their devices are patchable
It isn’t a secret that I’m not a fan of IoT security. Companies are so enthralled by making the next big IoT device that they aren’t taking the time to make sure the devices are secure. Building the infrastructure and processes to securely deliver updates for newly discovered vulnerabilities seems to be even lower on the list of priorities. At DEF CON this year, a speaker showed how he was able to push a fake firmware update to an IV drip machine, tricking it into administering a lethal dose of the medication meant to save the patient. A device that installs whatever update it is handed has turned its update channel into an attack surface; being patchable only helps if the update mechanism authenticates what it installs. This talk is not yet available on the DEF CON channel, but will be linked here when it is added.
This might be the clause with the biggest pushback: building the infrastructure for patching is expensive, and the time frames are not clearly defined. How long do manufacturers need to keep patching a device after it ships? What is the maximum allowed time to patch a newly discovered vulnerability? Which organization will oversee that the rules are being followed?
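The following is an added example, not code from the original post or from any vendor named in it, showing what a patch mechanism has to do before "patchable" means anything: the vendor signs each image (version plus payload) with an Ed25519 key that never leaves the build system, and the device, holding only the public key, refuses images whose signature fails or whose version is not newer than the one installed. The image bytes, version numbers and key pair are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrBadSignature = errors.New("firmware: signature verification failed")
	ErrRollback     = errors.New("firmware: version is not newer than the installed one")
)

// Update is what the update server hands the device.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// signedPayload is the exact byte string the vendor signs. The version is
// included so a valid signature cannot be replayed onto a different version.
func signedPayload(version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, image...)
}

// SignUpdate runs on the vendor's build system; the private key never ships.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedPayload(version, image)),
	}
}

// Device holds the vendor public key (baked into ROM) and the installed image.
type Device struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
	InstalledImage   []byte
}

// Apply checks authenticity first, then anti-rollback, and only then writes
// the new image. Order matters: nothing derived from the image is trusted
// until the signature has been verified.
func (d *Device) Apply(u Update) error {
	if !ed25519.Verify(d.VendorPub, signedPayload(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= d.InstalledVersion {
		return ErrRollback
	}
	d.InstalledVersion = u.Version
	d.InstalledImage = append([]byte(nil), u.Image...)
	return nil
}

// Scenario creates a vendor key pair and a device on version 1, then runs the
// four cases worth testing: a genuine update, an image altered in transit, an
// image signed by an attacker's own key, and a replayed older signed image.
// All images are constructed stand-ins for real firmware.
func Scenario() (map[string]error, *Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dev := &Device{VendorPub: pub, InstalledVersion: 1, InstalledImage: []byte("image-v1")}
	results := map[string]error{}

	genuine := SignUpdate(priv, 2, []byte("image-v2"))
	results["genuine"] = dev.Apply(genuine)

	tampered := genuine
	tampered.Image = []byte("image-v2 with a backdoor")
	results["tampered"] = dev.Apply(tampered)

	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	results["forged"] = dev.Apply(SignUpdate(attackerPriv, 3, []byte("malicious image")))

	results["rollback"] = dev.Apply(SignUpdate(priv, 1, []byte("image-v1 with known bug")))
	return results, dev, nil
}

func main() {
	results, dev, err := Scenario()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"genuine", "tampered", "forged", "rollback"} {
		fmt.Printf("%-9s -> %v\n", name, results[name])
	}
	fmt.Println("device now on version", dev.InstalledVersion)
}
```

Only the genuine update is applied; the tampered and attacker-signed images fail verification before their version is even looked at, and the older genuine image is rejected by the anti-rollback check. Real devices also need the public key protected from replacement (ROM or a hardware root of trust) and a fallback slot so a failed update cannot brick the unit, which this example leaves out.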
2. Devices may not contain known security vulnerabilities
It still amazes me that companies are releasing products they know are insecure. Manufacturers want to build devices at the lowest possible cost. Fixing firmware prior to release is costly, and may require reopening devices that have already been packaged.
3. The devices may not include hard-coded default passwords
The Mirai botnet was built almost entirely from a short list of factory-default usernames and passwords for IP cameras, DVRs, home routers, and similar devices. Its scanner swept the internet for devices with Telnet exposed, tried each credential pair in turn, and came away with hundreds of thousands of unsecured devices that were then used to launch the largest DDoS attacks seen up to that point.
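As an added example, not from the original post, here is the kind of check requirement 3 implies a vendor should be running: a credential policy that rejects any factory-default pair before a device ships and generates a per-device secret instead. The credential list and the fleet inventory are constructed sample data in the user:password format such lists usually take; they are not Mirai's actual list.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// DefaultCredentialsText is a constructed sample; real lists are longer but
// have the same shape.
const DefaultCredentialsText = `# user:password
admin:admin
admin:1234
root:root
root:12345
support:support
user:user`

// Cred is one username/password pair.
type Cred struct{ User, Pass string }

// ParseCredentialList turns "user:pass" lines into a set; blank lines and
// '#' comments are skipped.
func ParseCredentialList(text string) map[Cred]bool {
	set := map[Cred]bool{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			continue
		}
		set[Cred{parts[0], parts[1]}] = true
	}
	return set
}

// CredentialFindings returns every policy violation for a proposed device
// credential; an empty result means it is acceptable.
func CredentialFindings(user, pass string, defaults map[Cred]bool) []string {
	const minLen = 12
	var findings []string
	if defaults[Cred{user, pass}] {
		findings = append(findings, "matches a known default user:password pair")
	} else {
		for c := range defaults {
			if c.Pass == pass {
				findings = append(findings, "password appears in the default-credential list")
				break
			}
		}
	}
	if strings.EqualFold(user, pass) {
		findings = append(findings, "password equals username")
	}
	if len(pass) < minLen {
		findings = append(findings, fmt.Sprintf("password shorter than %d characters", minLen))
	}
	return findings
}

// GenerateDevicePassword makes the per-device secret a vendor would print on
// the label or set during first-boot provisioning instead of a shared default.
func GenerateDevicePassword() (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// DeviceRecord is one row of a constructed fleet inventory.
type DeviceRecord struct{ Serial, User, Pass string }

var SampleFleet = []DeviceRecord{
	{"CAM-0001", "admin", "admin"},
	{"CAM-0002", "root", "12345"},
	{"CAM-0003", "operator", "Vf8zq2Lm9Tk4Rw7P"},
}

// AuditFleet returns serial -> findings for every device that fails the policy.
func AuditFleet(devices []DeviceRecord, defaults map[Cred]bool) map[string][]string {
	report := map[string][]string{}
	for _, d := range devices {
		if f := CredentialFindings(d.User, d.Pass, defaults); len(f) > 0 {
			report[d.Serial] = f
		}
	}
	return report
}

func main() {
	defaults := ParseCredentialList(DefaultCredentialsText)
	for serial, findings := range AuditFleet(SampleFleet, defaults) {
		fmt.Printf("%s: %s\n", serial, strings.Join(findings, "; "))
	}
	pw, _ := GenerateDevicePassword()
	fmt.Println("generated credential passes policy:", len(CredentialFindings("operator", pw, defaults)) == 0)
}
```

Against the sample fleet, CAM-0001 and CAM-0002 are flagged (a default pair, and a default password reused under a different user) while CAM-0003 passes. The point of the per-device password is that there is nothing for a scanner's list to contain: a credential that was never shared across units cannot be in it.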
4. Utilize industry-standard encryption for communication
They should already be using encrypted communications, but almost 20% of devices are sending information in plain text. Some devices don’t have any sort of authentication to the server at all, and almost none of them let users change the default password. Encryption on its own is not enough, either: a device that speaks TLS but never checks the server’s certificate can still be intercepted by anyone on the path. That is terrifying.
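An added example, not from the original post: the two client configurations that separate "we use TLS" from actually authenticated transport. The weak one encrypts but trusts any certificate, so an on-path attacker can impersonate the vendor cloud; the hardened one verifies the server against a CA bundle, pins the minimum protocol version, and optionally presents a per-device client certificate so the server can authenticate the device too. The hostname and the notion of a vendor-bundled CA are assumptions for the example; nothing here opens a network connection.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// WeakDeviceTLS is the shape a lot of device firmware ships with: the channel
// is encrypted, but the server is never authenticated, so an attacker on the
// path can present any certificate and read or rewrite all device traffic.
func WeakDeviceTLS() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// HardenedDeviceTLS verifies the server against vendorCA (nil falls back to
// the system roots), refuses anything below TLS 1.2, and, when a per-device
// certificate is supplied, presents it so the server can authenticate the
// device as well. serverName is the hostname the device expects to reach.
func HardenedDeviceTLS(vendorCA *x509.CertPool, deviceCert *tls.Certificate, serverName string) *tls.Config {
	cfg := &tls.Config{
		RootCAs:    vendorCA,
		MinVersion: tls.VersionTLS12,
		ServerName: serverName,
	}
	if deviceCert != nil {
		cfg.Certificates = []tls.Certificate{*deviceCert}
	}
	return cfg
}

// AuditTLSConfig reports the two settings that most often turn "we use TLS"
// into an empty claim; an empty slice means the config passes.
func AuditTLSConfig(c *tls.Config) []string {
	var findings []string
	if c.InsecureSkipVerify {
		findings = append(findings, "server certificate is not verified (InsecureSkipVerify)")
	}
	// A zero MinVersion means "library default", which is not a pin the
	// firmware controls, so it is flagged as well.
	if c.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "minimum TLS version not pinned to 1.2 or later")
	}
	return findings
}

func main() {
	// Assumed hostname; no connection is made in this example.
	const vendorHost = "updates.example-vendor.invalid"
	fmt.Println("weak:    ", AuditTLSConfig(WeakDeviceTLS()))
	fmt.Println("hardened:", AuditTLSConfig(HardenedDeviceTLS(nil, nil, vendorHost)))
}
```

The audit function is the kind of check that belongs in a firmware build pipeline: it catches the "InsecureSkipVerify: true" that gets added during development to work around a certificate error and then never removed. Shipping the vendor CA in firmware (rather than relying on whatever root store the board image happens to carry) is what makes the RootCAs setting meaningful on a device that will never receive root-store updates on its own.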
The Senators proposing the bill want to lay the groundwork for secure IoT devices, but it doesn’t go far enough. Most of these requirements are security best practices that are simply not being followed today. I would like to see required hardware and software vulnerability testing, large fines for companies that fail to secure their devices, and restrictions on what IoT devices are allowed to talk to on the network. Adding those to this bill would go a long way toward a future where everyone is more secure.