Congress Introduces Bill To Improve 'Internet of Things' Security (cnet.com)
Members of the US Senate and House of Representatives introduced the Internet of Things Cybersecurity Improvement Act on Monday, hoping to bring legislative action to the emerging technology. From a report: Connected devices are expected to boom to 20.4 billion units by 2020, but they don't all have the same levels of security. Hackers often target IoT devices that don't have built-in security, leading to problems like default passwords and vulnerabilities that can't be fixed. [...] Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses. "While I'm excited about their life-changing potential, I'm also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security," Sen. Mark Warner, a Democrat from Virginia, said in a statement.
Do you really think Congress will legislate this? (Score:3)
Re: (Score:3)
Oh, hang on that's just business as usual.
Best government money can buy all right.
Re: (Score:2)
Re:Do you really think Congress will legislate thi (Score:5, Insightful)
Almost certainly this will be a checklist, like PCI DSS compliance for credit card processors. Just like it is there, it will ensure you have a lock on the door, the window is closed, and a fence is around the perimeter... but does nothing to ensure the fence isn't made from tissue paper or that there isn't a large gap in the wall right next to the door.
Re: (Score:2)
Enjoy.
Re:Do you really think Congress will legislate thi (Score:4, Insightful)
Knowing the current state of Congress, they'll require a third-party auditor to "certify" all new IoT products before allowing their sale in the US.
The list of third-party auditors will probably closely match the list of corporate donors who sponsored the bill.
I'm sure that the open source people will love jumping through this extra regulatory hoop and paying the required fees toll before getting their product on the market.
Re: (Score:2)
Knowing the current state of Congress, they'll require a third-party auditor to "certify" all new IoT products before allowing their sale in the US.
If you read the bill instead of fabricate FUD, you'll see that it has nothing to do with approving anything for sale in the US, and that the "third party" is NIST.
The list of third-party auditors will probably closely match the list of corporate donors who sponsored the bill.
I did not know that NIST was a corporate donor to any political campaign.
I'm sure that the open source people will love jumping through this extra regulatory hoop and paying the required fees toll before getting their product on the market.
It has nothing to do with "open source" or getting a product on the market.
Re: (Score:2)
Reminds me of the whole 8570 CompTIA scam. Come pay us (forever) for this useless certification that the government is now going to require everyone who touches a government computer to have.
Re: (Score:2)
According to the article, they're having NIST prepare the standards and controls, with a 5-year refresh. If this was the legislators coming up with standards, as they did with HIPAA, I think it would be doomed to fail. But NIST knows their stuff - the controls in Special Publication 800-53 rev 4 are pretty solid, and come with mappings for low, moderate and high security situations. Like FedRAMP for cloud providers, this will become a bar for entry into the public sector, and at this point, it has the poten
Re: (Score:2)
Not for everyone. (Score:3)
Hackers often target IoT devices that don't have built-in security, leading to problems like default passwords and vulnerabilities that can't be fixed. [...] Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses.
This will become nothing more than special "government edition" and "consumer edition" product lines of the exact same item, just with different firmware. Remember the $600 hammer? Now there will be an actual justifiable difference between the product bought on government contract and the same item at a fraction of the price at Wal-Mart.
Re: (Score:3)
Hackers often target IoT devices that don't have built-in security, leading to problems like default passwords and vulnerabilities that can't be fixed. [...] Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses.
This will become nothing more than special "government edition" and "consumer edition" product lines of the exact same item, just with different firmware.
I find it hard to believe that vendors will create separate development lines for these products. I guarantee you the "minimum" standard won't be hard to implement, and you could probably sell hardware easily to civilians with some bullshit marketing like US Tested, Government Approved.
Remember the $600 hammer? Now there will be an actual justifiable difference between the product bought on government contract and the same item at a fraction of the price at Wal-Mart.
Sorry, but your own example tends to invalidate your argument. There's nothing inherently different between a $6 hammer and a $600 one, proving you don't need "government edition" anything to create that stupidity.
Re: (Score:1)
Those "$600 hammers" were beryllium copper non-sparking ones.
They ain't cheap for anyone.
Re: (Score:2)
Those "$600 hammers" were beryllium copper non-sparking ones. They ain't cheap for anyone.
Care to explain the technology in the $10,000 toilet seats?
(I'm guessing it's actually a portable black hole used to teleport the mountains of bullshit spewing from those selling $600 hammers...)
Re: (Score:2)
Sure. They were needed for the C5 Galaxy, and no longer being produced anywhere. That means the AF had to hire some contractor to come in and create one from scratch, and to the exact specifications (corrosion resistance for example) they had. This inflates the cost of something that most of us would have just made ourselves in our basement to ridiculous levels, especially when you're not going to make a large production run. They made 3, so all of the engineering and overhead cost went into that.
Re: (Score:3)
Show of hands ... (Score:2)
Who here wishes the fuck we had a goddam act of Congress to establish best practices during our IT careers?
THEN we could have said, "Security -- it's not just a good idea, it's the law!"
Re: (Score:2)
Who here wishes the fuck we had a goddam act of Congress to establish best practices during our IT careers?
THEN we could have said, "Security -- it's not just a good idea, it's the law!"
We're talking about congress here. The majority of them don't know jack about shit. They'd just mandate something stupid that would hamstring security.
What can be done? (Score:2)
Stickers printed with every device showing its own unique name and long, complex and very unique password?
Re: (Score:2)
Doesn't even need to be long and complex.
A single non-trivial dictionary word, with a 1 hour lockout period, would be enough to thwart the majority of attacks.
Obviously that's not enough to stop a concerted effort, but this would serve very well as a bare minimum.
Re: (Score:2)
Make every attempt to login CPU and network intensive per device.
The "S" in "IoT" ... (Score:5, Informative)
The "S" in "IoT" stands for "Security". As in, there ain't none.
Yes, having a default password already applied to all IoT devices would be a great idea, as long as the instructions on "HOW TO CHANGE THE DEFAULT PASSWORD" were printed in at least 24-point type. For appliances, the instructions should be printed on a sticker (same typeface) across the front of the device.
Beyond that .... the users need to be afraid of IoT devices and be concerned that they could be hacked. Because they all will be.
Re: (Score:2)
Less than one person in ten would bother doing so, even if it were clearly printed how to do it. They wouldn't understand WHY they should. Having unique default passwords per device (like recent Comcast routers do) is a better idea. They're changeable, of course.
Re:The "S" in "IoT" ... (Score:5, Interesting)
The default password should be randomly generated and included as a sticker in the packaging, like when you buy a combination lock. That way each device will have a random, unique password from the start. You'd have to go out of your way to make it admin/admin.
Re: (Score:2)
I love that you point out that this security problem was solved decades before the microprocessor was invented, and yet still manufacturers haven't figured this out.
Re: (Score:2)
They should really enforce changing the default password as part of the initial setup. If you give people the option to skip it, they will.
Otherwise, the default password just gets added to that long password list of manufacturer default passwords that crackers use to get into your stuff.
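As an added illustration (not code from the article or from any commenter) of the three mitigations this thread describes: a unique, randomly generated per-device default password (the sticker idea), a password change that cannot be skipped at first login, and a one-hour lockout after a few consecutive failures. The word list, the failure threshold and the `DeviceLogin` class are constructed assumptions for the example.

```python
import secrets
import time

# Constructed word list (assumption); a real device would use a far larger list
# or a random alphanumeric string generated at manufacture and printed on the sticker.
WORDS = ["granite", "lantern", "meadow", "saffron", "tundra", "velvet", "walnut", "zephyr"]


def generate_default_password(words=WORDS):
    """Per-device factory default: two random words plus a 3-digit suffix.
    Generated once per unit, so no two devices share a default."""
    body = "-".join(secrets.choice(words) for _ in range(2))
    return f"{body}-{secrets.randbelow(1000):03d}"


class DeviceLogin:
    """Login policy for one device (hypothetical): unique factory default,
    forced change on first successful login, lockout after repeated failures."""

    def __init__(self, clock=time.monotonic, max_failures=3, lockout_seconds=3600):
        self.clock = clock                    # injectable so the lockout can be tested
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.password = generate_default_password()
        self.must_change = True               # factory default still in place
        self.failures = 0
        self.locked_until = 0.0

    def login(self, attempt, new_password=None):
        now = self.clock()
        if now < self.locked_until:
            return "locked"                   # rejected before the password is even checked
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        if not secrets.compare_digest(attempt.encode(), self.password.encode()):
            self.failures += 1
            if self.failures >= self.max_failures:
                self.failures = 0
                self.locked_until = now + self.lockout_seconds
                return "locked"
            return "denied"
        self.failures = 0
        if self.must_change:
            # Setup cannot be skipped: the default is only accepted together with a new password.
            if not new_password or new_password == self.password:
                return "change_required"
            self.password = new_password
            self.must_change = False
        return "ok"
```

During the lockout window even the correct password is refused, which is what makes a dictionary-word default survive online guessing while the user has not yet changed it.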
Re: (Score:2)
I'm not sure I can agree. Modern credit card terminals are often IOT devices and implement strong measures very resistant to hacking.
If an IOT device can only be configured using Bluetooth, an unauthorized user would need to be in close proximity to the device and if a unique code is required to access the configuration is printed on the device, they would need physical ac
Re: (Score:2)
Because the environment and requirements of a refrigerator change constantly? If an appliance needs a software update, you're not a customer; you're a beta tester.