Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Privacy Security United States

Congress Introduces Bill To Improve 'Internet of Things' Security (cnet.com) 54

Posted by msmash from the better-security dept.
Members of the US Senate and House of Representatives introduced the Internet of Things Cybersecurity Improvement Act on Monday, hoping to bring legislative action to the emerging technology. From a report: Connected devices are expected to boom to 20.4 billion units by 2020, but they don't all have the same levels of security. Hackers often target IoT devices that don't have built-in security, leading to problems like default passwords and vulnerabilities that can't be fixed. [...] Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses. "While I'm excited about their life-changing potential, I'm also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security," Sen. Mark Warner, a Democrat from Virginia, said in a statement.
This discussion has been archived. No new comments can be posted.

Congress Introduces Bill To Improve 'Internet of Things' Security More

Congress Introduces Bill To Improve 'Internet of Things' Security

Comments Filter:
  • Best case, they require a password to admin accounts. Worst case, jeez, I can't imagine. We'll start with IoT vendors who pay the most $$$ to re-election campaigns. And go downhill from there.
    • Worst case will be some senators getting some nice backhanders for supporting this.
      Oh, hang on that's just business as usual.
      Best government money can buy all right.
      • It'll be watered down to pointlessness by the time it passes anyway, like most of these bills usually are. As long as it doesn't override the California law, which again these bills usually do, things should be OK though, at least that has some teeth. The CA one is still pretty weak, but at least it's something.

    • Re:Do you really think Congress will legislate thi (Score:5, Insightful)

      by mentil ( 1748130 ) on Tuesday March 12, 2019 @03:24AM (#58258978)

      Almost certainly this will be a checklist, like PCI DSS compliance for credit card processors. Just like it is there, it will ensure you have a lock on the door, the window is closed, and a fence is around the perimeter... but does nothing to ensure the fence isn't made from tissue paper or that there isn't a large gap in the wall right next to the door.

    • Knowing the current state of Congress, they're require a third-party auditor to "certify" all new IoT products before allowing their sale in the US.

      The list of third-party auditors will probably closely match the list of corporate donors who sponsored the bill.

      I'm sure that the open source people will love jumping through this extra regulatory hoop and paying the required fees toll before getting their product on the market.

      • Knowing the current state of Congress, they're require a third-party auditor to "certify" all new IoT products before allowing their sale in the US.

        If you read the bill instead of fabricate FUD, you'll see that it has nothing to do with approving anything for sale in the US, and that the "third party" is NIST.

        The list of third-party auditors will probably closely match the list of corporate donors who sponsored the bill.

        I did not know that NIST was a corporate donor to any political campaign.

        I'm sure that the open source people will love jumping through this extra regulatory hoop and paying the required fees toll before getting their product on the market.

        It has nothing to do with "open source" or getting a product on the market.

      • Re: (Score:2)

        by dcw3 ( 649211 )

        Reminds me of the whole 8570 CompTIA scam. Come pay us (forever) for this useless certification that the government is now going to require everyone who touches a government computer to have.

    • According to the article, they're having NIST prepare the standards and controls, with a 5-year refresh. If this was the legislators coming up with standards, as they did with HIPAA, I think it would be doomed to fail. But NIST knows their stuff - the controls in Special Publication 800-53 rev 4 are pretty solid, and come with mappings for low, moderate and high security situations. Like FedRAMP for cloud providers, this will become a bar for entry into the public sector, and at this point, it has the poten

  • Not for everyone. (Score:3)

    by SeaFox ( 739806 ) on Monday March 11, 2019 @10:40PM (#58258238)

    Hackers often target IoT devices that don't have built-in security, leading to problems like default passwords and vulnerabilities that can't be fixed. [...] Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses.

    This will become nothing more than special "government edition" and "consumer edition" product lines of the exact same item, just with different firmware. Remember the $600 hammer? Now there will be an actual justifiable difference between the product bought on government contract and the same item at a fraction of the price at Wal-Mart.

    • Hackers often target IoT devices that don't have built-in security, leading to problems like default passwords and vulnerabilities that can't be fixed. [...] Lawmakers are looking to fix that with the bill, which would require a bare minimum of security standards for any IoT devices that the federal government uses.

      This will become nothing more than special "government edition" and "consumer edition" product lines of the exact same item, just with different firmware.

      I find it hard to believe that vendors will create separate development lines for these products. I guarantee you the "minimum" standard won't be hard to implement, and you could probably sell hardware easily to civilians with some bullshit marketing like US Tested, Government Approved.

      Remember the $600 hammer? Now there will be an actual justifiable difference between the product bought on government contract and the same item at a fraction of the price at Wal-Mart.

      Sorry, but your own example tends to invalidate your argument. There's nothing inherently different between a $6 hammer and a $600 one, proving you don't need "government edition" anything to create that stupidity.

      • Re: (Score:1)

        by Anonymous Coward

        Those "$600 hammers" were beryllium copper non-sparking ones.
        They ain't cheap for anyone.

        • Those "$600 hammers" were beryllium copper non-sparking ones. They ain't cheap for anyone.

          Care to explain the technology in the $10,000 toilet seats?

          (I'm guessing it's actually a portable black hole used to teleport the mountains of bullshit spewing from those selling $600 hammers...)

          • Re: (Score:2)

            by dcw3 ( 649211 )

            Sure. They were needed for the C5 Galaxy, and no longer being produced anywhere. That means the AF had to hire some contractor to come in and create one from scratch, and to the exact specifications (corrosion resistance for example) they had. This inflates the cost of something that most of us would have just made ourselves in the our basement to ridiculous levels, especially when you're not going to make a large production run. They made 3, so all of the engineering, and overhead cost went into that.

    • Insecure IoT devices are a threat to EVERYONE, including the federal government, regardless of if they are used by the government or not.

  • Who here wishes the fuck we had a goddam act of Congress to establish best practices during our IT careers?

    THEN we could have said, "Security -- it's not just a good idea, it's the law!"

    • Who here wishes the fuck we had a goddam act of Congress to establish best practices during our IT careers?
      THEN we could have said, "Security -- it's not just a good idea, it's the law!"

      We're talking about congress here. The majority of them don't know jack about shit. They'd just mandate something stupid that would hamstring security.

  • admin/admin is not to be used as a default factory set name and password?
    Stickers printed with every device showing its own unique name and long, complex and very unique password?

    • Doesn't even need to be long and complex.

      A single non-trivial dictionary word, with a 1 hour lockout period, would be enough to thrwart the majority of attacks.

      Obviously that's not enough to stop a concerted effort, but this would serve very well as a bare minimum.

      • Re: (Score:2)

        by AHuxley ( 892839 )
        Yes to just stop admin/admin getting set as the production default over decades of connected devices.
        Make every attempt to login CPU and network intensive per device.

  • The "S" in "IoT" ... (Score:5, Informative)

    by kenwd0elq ( 985465 ) <kenwd0elq@engineer.com> on Tuesday March 12, 2019 @01:01AM (#58258682)

    The "S" in "IoT" stands for "Security". As in, there ain't none.

    Yes, having a default password already applied to all IoT devices would be a great idea, as long as the instructions on "HOW TO CHANGE THE DEFAULT PASSWORD" was printed in at least 24-point type. For appliances, the instructions should be printed on a sticker (same typeface) across the front of the device.

    Beyond that .... the users need to be afraid of IoT devices and be concerned that they could he hacked. Because they all will be.

    • Re: (Score:2)

      by mentil ( 1748130 )

      Less than one person in ten would bother doing so, even if it were clearly printed how to do it. They wouldn't understand WHY they should. Having unique default passwords per device (like recent Comcast routers do) is a better idea. That're changeable, of course.

    • Re:The "S" in "IoT" ... (Score:5, Interesting)

      by torstenvl ( 769732 ) on Tuesday March 12, 2019 @03:45AM (#58259042)

      The default password should be randomly generated and included as a sticker in the packaging, like when you buy a combination lock. That way each device will have a random, unique password from the start. You'd have to go out of your way to make it admin/admin.

      • Re: (Score:2)

        by MobyDisk ( 75490 )

        I love that you point out that this security problem was solved decades before the microprocessor was invented, and yet still manufacturers haven't figured this out.

    • They should really enforce changing the default password as part of the initial setup. If you give people the option to skip it, they will.

      Otherwise, the default password just gets added to that long password list of manufacturer default passwords that crackers use to get into your stuff.

    • >Beyond that .... the users need to be afraid of IoT devices and be concerned that they could he hacked. Because they all will be.

      I'm not sure I can agree. Modern credit card terminals are often IOT devices and implement strong measures very resistant to hacking.

      If an IOT device can only be configured using Bluetooth, an unauthorized user would need to be in close proximity to the device and if a unique code is required to access the configuration is printed on the device, they would need physical ac

Slashdot Top Deals

He has not acquired a fortune; the fortune has acquired him. -- Bion

Close