US Congress Passes an IoT Security Bill 'That Doesn't Totally Suck' (theregister.com) 80
Shotgun (Slashdot reader #30,919) shared these thoughts from The Register:
Every now and again the U.S. Congress manages to do its job and yesterday was one of those days: the Senate passed a new IoT cybersecurity piece of legislation that the House also approved, and it will now move to the President's desk.
As we noted back in March when the IoT Cybersecurity Improvement Act was introduced, the bill is actually pretty good: it asks America's National Institute of Standards and Technology (NIST) to come up with guidelines for Internet-of-Things devices and would require any federal agency to only buy products from companies that met the new rules. It gives a minimum list of considerations to be covered: secure code, identity management, patching and configuration management. It also requires the General Services Administration — the arm of the federal government that sources products and comms for federal agencies — to come up with guidelines that would require each agency to report and publish details of security vulnerabilities, and how they resolved them, and coordinate with other agencies.
Industry has also got behind the effort — Symantec, Mozilla, BSA The Software Alliance (which includes Apple, Microsoft, IBM, Cloudflare, the CTIA and others) — and Congress has managed to keep its fingers out of things it knows nothing about by leaving the production of standards with the experts, using federal procurement to create a de facto industry standard.
Though it will still be legal to sell insecure IoT devices, "for those looking for good, secure products, there will be a baseline standard across the industry..." the article concludes.
"[T]his is an essential first step to getting secure IoT in place."
Re: (Score:2)
"bill that doesn't totally suck"...wow, imagine the propaganda value of that!
Be leery of the standards (Score:2, Interesting)
Backdoors for federal monitoring may be mandated as a requirement.
Re: (Score:3, Interesting)
And before you think "who cares if the government knows the temperature I set at home?", imagine being billed even higher for setting your heating system at "temperatures above government approved levels".
It's a slippery slope, unfortunately we already have people buying spying devices with their own money and bringing them voluntarily into their homes.
Soon, people without those spying devices will be offered free ones, then it will be law to own at least one of those in your home. Then it will become illeg
Re: (Score:2)
Well, they are neither mandatory nor offered for free yet, are they?
On the other hand, being able to summon help by just whispering out "Alexa, call ambulance!" may be a literal life-saver for victims of strokes and heart-attacks, for example.
Re: (Score:2)
It is still possible to buy TVs that work fine without any kind of internet connection. Which doesn't matter, since the cable box spies on you anyway. So do all the streaming services.
In fact, it isn't actually possible for them to not spy on you, really.
If you're going to connect to the internet, the internet is going to connect to you. If you don't want that, say in the basement with your old Playboys.
Re: (Score:2)
But there is a difference between Apple (via Apple TV) and Netflix (via your subscription) knowing what I watch online and a hardware device with cameras and microphones that can potentially spy on me directly in the physical world.
Re: (Score:2)
So only buy devices from companies you're willing to let spy on you. Nobody's forcing you to buy any of this stuff.
Re: (Score:1)
It's called a monitor. They come in TV-sizes now too and generally better picture quality.
Re: (Score:1)
Of course they are expensive because they are not subsidized by spyware and advertising. Also they are designed to "work as specified", a constraint which does not apply to shoddy consumer product which merely needs to function more or less as specified in order to placate the unwashed idiot consumer -- in fact, most consumer type product does not even *have* meaningful specifications so there is no way for even a turd to not meet the few they have.
This is merely the general nature of the beast. If you do
Re: Be leery of the standards (Score:2)
It's not 80", but ASUS makes a 64" 4k monitor, Asus ROG Swift PG65UQ. The price is absurd, though.
Re: (Score:2)
I will choose ultra-wide over 4K any day.
Re: (Score:1)
That's stupid. First, that's not how things work in the US. The government uses things like cap-and-trade to deal with pollution. I've never seen a step down that slippery slope. On the other hand, energy use in the US is already tiered. Using power has non-linear and escalating costs, just like tax brack
Re: (Score:2)
Power usage may be that well-monitored in your area, but for non-industrial users: a) virtually nowhere is it done in actual real-time, and b) time-of-use billing is not yet ubiquitous, not even in metropolitan areas.
Re: (Score:2)
> I've never seen a step down that slippery slop
Please, allow me to introduce you to a step you may not have noticed. Power monitoring has been done for detection of household marijuana farms.
https://www.utilitydive.com/ne... [utilitydive.com]
It's another small step from there to monitoring for any social or political goal a government may have.
Re: (Score:2)
I mean: (1) That proves that smart thermostats aren't even a risk, power is sufficient. (2) Marijuana regulations are totally different from heating a home or a social goal. (3) Grow lights are unique spikes in ways that temperature is not - in fact, this supports my position.
Re: (Score:2)
I see your point that marijuana monitoring is a distinct case, but I hope you see the point that it is a precedent for monitoring, and very much a step down that slippery slope?
Re: (Score:2)
I mean, we also have court rulings that the police cannot (without a warrant) use heat vision to detect grow lights. But "someone using technology to detect what's in someone's home" is on a whole different axis than "the government will control what you do in the privacy of your home". In fact, on the second, we're moving away from that - especially in the bedroom.
Re: (Score:2)
While the improvements in some civil rights are laudable, let's not pretend that law enforcement and other governments or businesses have not engaged in warrant-free direct monitoring of businesses and citizens, through electronic hacking, cracking, and forced access to private electronics. That was what the Clipper chip was designed to allow, and the project was only discarded after it was found to violate numerous patents _and_ it was proven possible to replace the escrow-stored keys accessible to the gove
Re: (Score:2)
Again, you're focusing on the surveillance, and I'm focusing on the activities deemed illegal that they are trying to uncover. Because those are independent. And I'm still responding to a series of posters (or sock puppets) who made a claim that we're shifting towards the government mandating what temperature you can set in your home. And we seem to be moving the opposite direction.
Re: (Score:2)
Power companies are required by law to alert authorities of suspicious power usage, and that notification can be used to get the required warrant. Just FYI.
Re: (Score:1)
Power companies are required by law to alert authorities of suspicious power usage, and that notification can be used to get the required warrant. Just FYI.
They can get a search warrant for my hydroponic vegetable farm I have in the winter in my garage. (Yes, it's vegetables not marijuana.) Maybe they'd even do a "no-knock" warrant so they bust in at 5AM and I, not knowing what is going on, burst out of the bedroom with my gun and they shoot me 12 times. Oh wait, they've already done that one. In another "no-knock" raid they threw a flash-bang into a baby's crib resulting in its death.
Re: (Score:1)
1. They tier it, so the first x number of gallons is at price y, then the next x number of gallons are higher, and so on and so forth.
2. They actually add a surcharge on my bill because of the size of my lot, irrespective of what I use.
Re: (Score:1)
imagine being billed even higher for setting your heating system at "temperatures above government approved levels".
How will they ever know if I shovel a little extra coal into my furnace?
Yes. I actually know some people with backup coal heat. Just in case the Soviet of Seattle outlaws natural gas.
Re: (Score:2)
Biden has already said he will outlaw coal usage completely.
Metallurgical coal [wikipedia.org].
Biden is an idiot.
Re: (Score:2)
I wish the alternatives luck. Because aside from its thermal contributions to the steel making process, carbon is an integral component of steel. That's why it is called metallurgical coal.
Yes there are alternative alloys. But good luck paying for them. Or keeping a sufficient strength to weight ratio to produce usable products. In many cases, better structural alternatives are plastics. Which are made from ... oil.
My privately run power company already does that (Score:2)
It's like boiling a frog only the frog is smart enough to jump out of the pot...
I never understood why people get so freaked at gov't doing bad things and then shrug their shoulders when mega corps doing the same thing and sa
Re: (Score:2)
And then they totally forget that any time it wants the gov't can buy that data from the megacorps, and they don't need a warrant.
Re: (Score:2)
Not only just shrug their shoulders, but actively oppose regulations that would keep megacorps from doing that.
what went wrong? (Score:2)
Something shady must be going on here, this shouldn't have been allowed to happen! We must dig deeper!
Re:what went wrong? (Score:4, Informative)
Many of these devices are made in China. Of course they're nervous. My bathroom scales send data to Hong Kong if WiFi is enabled.
Re: (Score:2)
My bathroom scales send data to Hong Kong if WiFi is enabled.
What did you expect, given you ordered the Carrie Lam Signature Edition?
Re: (Score:2)
It's worse, TikTok is sending examples of American teenage angst and acne to the CCP. Just imagine the national security implications.
Re: (Score:1)
My bathroom scales send data to Hong Kong if WiFi is enabled.
I do not think WiFi can reach China. I don't think any RF signal could reach from your bathroom to China. Unless, of course, it is extremely long wave.
Re: (Score:2)
Which brand is that scale so that we can avoid it? You should have bought a non-network scale. :P
Re: (Score:2)
Oh wait, my watch says it's 8:23, exactly the time the legislation passed. Of course, the watch hasn't worked in years.
This seems good! (Score:3)
Requiring Federal agencies to buy IOT devices meeting a minimum security standard creates a market for secure IOT that didn't previously exist.
And now when the Chinese know that the guys in Cheyenne Mountain prefer the temperature to stay between 74 and 78F, they at least won't know which guy keeps setting it to 84.
Re: (Score:2)
won't know which guy keeps setting it to 84.
The old geezer [wp.com], obviously.
Re: (Score:2)
won't know which guy keeps setting it to 84.
The old geezer [wp.com], obviously.
If the choice is between the old geezer and the stupid geezer [wordpress.com] I'll pick the old one every time.
Re: (Score:2)
And requiring that companies' production/perimeter environments employ devices that must meet that standard before cybersecurity insurance providers will cover them, helps cover the private sector side of that coin [theonion.com].
Re: (Score:2)
The market for secure IoT devices DOES exist. It's just not the dumb consumer market. Industrial IoT needs security.
This will prevent a "Right to Repair" (Score:4, Interesting)
For the Slashdot folks who think a right to repair is very important: You won't like this law!
"secure code, identity management" means cryptographically signed executables and inability to run unsigned executables or executables signed by the wrong identity. If the original equipment manufacturer goes out of business or just doesn't want to provide updates, you are out of luck. Even if the source code is open-source (with a license more permissive than GPL3), you can compile the code, but you still cannot sign it. You are still out of luck.
Right to repair and security are opposing goals. Pick one.
Re:This will prevent a "Right to Repair" (Score:4, Insightful)
Right to repair and security are opposing goals. Pick one.
False dichotomy. "Secure code" is not synonymous with "signed code" and "identity management" does not automatically exclude the user.
It is very nice to have defect free software and t (Score:2)
It is very nice to have defect free software and therefore vulnerability free software, but that software does not exist.
Secure code implies you know what code is executing and you trust its source. That is what cryptographic signatures give you. They confirm you are executing unmodified code, and the code comes from an authorized source. If you could self sign executables, then bad guys will self sign malware.
There are lots of situations where not executing improperly signed code makes sense. It is a prima
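The two comments above disagree over whether signed code locks the owner out. The point made here is that a signature only has value when the verifier checks it against a fixed set of trusted keys, so an attacker "self-signing" malware gains nothing; the earlier reply's point is that identity management does not have to exclude the user. This added Go example (not code from any poster, the bill, or any real device) models a hypothetical firmware loader with an enrollable trust store and walks through both cases: a vendor-signed image is accepted, a tampered image and an attacker's self-signed image are rejected, and an owner-signed image is rejected until the owner enrolls their own key. The firmware image bytes and all three keypairs are constructed inside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verifier is a hypothetical firmware loader's trust store: the set of
// public keys whose signatures it will accept before executing an image.
type Verifier struct {
	trusted []ed25519.PublicKey
}

// Enroll adds a signer to the trust store. On a real device this step is
// itself access-controlled (physical presence, or an existing trusted
// signature over the new key); here it is a plain method call.
func (v *Verifier) Enroll(pk ed25519.PublicKey) {
	v.trusted = append(v.trusted, pk)
}

// Verify returns true only if sig is a valid Ed25519 signature over image
// made by one of the enrolled keys. A signature from any other key, however
// valid on its own terms, is rejected: "self-signing" buys an attacker nothing.
func (v *Verifier) Verify(image, sig []byte) bool {
	for _, pk := range v.trusted {
		if ed25519.Verify(pk, image, sig) {
			return true
		}
	}
	return false
}

// Result records each outcome of the scenario so a test can assert on them.
type Result struct {
	VendorSigned   bool // vendor key enrolled, vendor-signed image
	Tampered       bool // vendor signature presented with a modified image
	AttackerSigned bool // attacker signs the image with a key of their own
	OwnerBefore    bool // owner-signed image before the owner key is enrolled
	OwnerAfter     bool // same image and signature after the owner enrolls their key
}

// RunScenario generates three independent keypairs (vendor, attacker, device
// owner), signs a constructed firmware image with each, and records what the
// loader accepts. Keys are fresh on every run; nothing here is a real key.
func RunScenario() (Result, error) {
	var r Result
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	ownerPub, ownerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}

	image := []byte("constructed firmware image v1.2.3 (sample data)")
	loader := &Verifier{}
	loader.Enroll(vendorPub) // only the vendor is trusted at ship time

	vendorSig := ed25519.Sign(vendorPriv, image)
	r.VendorSigned = loader.Verify(image, vendorSig)

	// Flip one bit of the image: the vendor signature no longer matches.
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01
	r.Tampered = loader.Verify(tampered, vendorSig)

	// Attacker produces a perfectly valid signature, but with an untrusted key.
	r.AttackerSigned = loader.Verify(image, ed25519.Sign(attackerPriv, image))

	// Owner builds from source and signs; rejected until their key is enrolled.
	ownerSig := ed25519.Sign(ownerPriv, image)
	r.OwnerBefore = loader.Verify(image, ownerSig)
	loader.Enroll(ownerPub)
	r.OwnerAfter = loader.Verify(image, ownerSig)

	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The design choice worth noting is that the loader never asks "is this signature valid?" in isolation; it asks "is this signature valid under a key I already trust?" That is what separates a trust store from self-signing, and it is also why an owner-enrollment path is a policy decision about who may add keys, not a weakening of the signature check itself.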
Re: (Score:2)
I'd never allow closed-source IoT devices in my house. (Just because it's open-source doesn't mean it won't be spying on you, but you really want that to be out in the open to start with.)
Re: (Score:1)
Many cheap Chinese devices are open source, since they run some variant of Linux and then the rest is literally a combination of Bash scripting and Python. Alternatively, for the really low-end devices, you get either ESP (if it needs WiFi) or Atmel chips, from which it is likewise really easy to dump the ROM and get it back in readable format.
Re: (Score:2)
And you're not only competent to read and analyze every bit of code on every device, but have the free time to do that? That's quite amazing, I've never met anyone IRL who did.
Open Source is a religion with some people, it will cure every evil and provide perfect security. How many gigantic security holes have been found just in Linux only after a decade or more had passed?
Re: (Score:2)
Actually in the industrial world, a lot of customers want this as it is extra security.
Re: (Score:2)
Yes. The iOS and Android worlds also require or allow signed apps. Mac OS complains if apps aren't signed.
Re: (Score:1)
So what? Computer code running on hardware is subject only to breakage of the hardware. That means that unless fucked with (and hardware failure), as it works today so shall it work tomorrow, for all values of today. That means that if properly deployed there is no need to *ever* fart with it after commissioning other than to replace it lock stock and barrel.
If the deployment requires continuous farting about for any reason other than hardware failure, then the deployment is defective in design.
It is very nice to have defect free software (Score:2)
So, are you saying that if an IoT device is running Linux, and a major security vulnerability is found in Linux, you don't want to patch the vulnerability? If some process contains a bug, you don't want a software update?
You can't have it both ways (Score:2)
If this was an Oil & Gas industry bill being written by the industry you would be going nuts right now.
Re: (Score:2)
If this was an Oil & gas industry bill being written by the industry, they would make it illegal to use solar.
Where it will sit until Biden takes over (Score:1)
and it will now move to the President's desk
As we've seen, the con artist is too busy leeching off the taxpayers by playing his cheating game of golf at his failing golf club rather than doing his job. Just the other day he was supposed to be in a meeting with leaders from around the world but instead chose to ignore the meeting and waste more taxpayer money.
In his four years, the con artist has golfed for nearly a year of time. Remember when he whined about Obama taking a day off now and then [independent.co.uk] to play gol
MQTT (Score:2)
Re: (Score:1)
It does not matter if the protocol is "standard" so long as it is "documented". All "standard" protocols got that way because they were someone's "documented" protocol that became widely adopted because it was (a) simple and (b) worked.
And yes, if it will not work on a completely private and isolated network (or without a network) then it is defective from the get go.
By the way, MQTT is a badly designed protocol in the same way that OPC is a badly designed protocol. It is inherently insecure and unsecurab
logo (Score:2)
Re: (Score:1)
You can get certificate providers to print a logo like that in China; FCC, CE, UL certs cost like $300.
What is an "Internet of Things" device? (Score:1)
Would a smart white-board meet the definition?
If a kindle show device meets the definition then why doesn't your average apple ipad? Is it because you have functionality when the device is not connected to the Internet? If that is the case is a Chromebook an IoT device(original devices were all on-line only)?
Re: (Score:2)
The bill does include a definition, in Section 2. I don't want to wade thru the legalese to figure out if your objection is justified.
Re: (Score:1)
According to Section 2 EVERYTHING which can act from/on the physical world is an IoT device. If a device receives input from or provides output to the physical world, it is an IoT device, whether or not the "Internet" is involved.
The whole thing (Act) is useless drivel that will accomplish nothing.
And... (Score:1)
President Trump will get zero credit for this when he signs it into law.
Will it make a measurable difference? (Score:1)
NIST and Patching (Score:3)
NIST's security specs and the associated certifications have worked to make patching as difficult as possible. You want to put out a security patch? That'll be $100,000 for a fresh 140-3 certification for the updated software, thank you very much.
They might not be the right body to solve this problem, because they have failed to solve it for their existing spec for the 20 years it has been obvious that it needs solving.
One primary criterion for me.... (Score:1)
For me a primary criterion is that the local internet of things and the data it uses and produces should be an internet of MY things with no forced "storage for convenience" on any other site on the Internet. Nor should they require data be transferred back and forth with any other site on the internet except in fully encrypted transfers between sites I own.
I want an IoMT not an IoGT or IoAT (for either big A) or even an Internet of Somebody Else's Things they are letting me use.
{^_^}