Last October, millions of internet-connected devices infected by Mirai malware—including many closed-circuit cameras and DVRs—bombarded internet company Dyn with traffic, causing a denial-of-service attack so massive it led to widespread outages and congestion online.
On the bright side, the crippling attack has actually led to an important and promising legislative development. On Aug. 1, a group of senators introduced a bill, the Internet of Things Cybersecurity Improvement Act of 2017, that could make some strides toward securing the ever-growing number of online devices that, generally, comprise the so-called “Internet of Things.”
The bill would require that any such devices sold to the U.S. government must be patchable (i.e., allow for security updates), not have any known security vulnerabilities, and permit users to change their default passwords. The bill leans heavily on the considerable technical expertise of the National Institute of Standards and Technology, the nonregulatory government agency that develops standards for different technologies. NIST has already made major contributions towards helping to establish security recommendations for computers, and it maintains a database of more than 90,000 discovered computer vulnerabilities.
The scope of the bill is relatively narrow, given that it’s limited to U.S. government-purchased devices, and its requirements for those devices are fairly basic, common sense practices (i.e., don’t sell things with known security flaws). Even so, if passed, this bill would be a major step forward for IoT devices, which have otherwise been almost entirely unregulated and, in many cases, unsecured.
While there are, of course, lots of IoT devices that are not purchased by the U.S. government, the government reportedly spends billions of dollars on these products every year. Furthermore, requiring higher standards on those things would likely have a significant impact on devices sold to individuals and private organizations. Many companies want their products to at least be eligible for those acquisitions—and once they start modifying their product design, odds are those changes will apply to all of their devices, not just the ones they sell to the government.
Even companies that don’t intend to sell directly to the government will likely find the standards to be a useful set of guidelines. Security standards set for the federal government are often adopted and used even in commercial settings. For instance, the guidelines laid out in NIST Special Publication 800-53, the document that lists “Security and Privacy Controls for Federal Information Systems and Organizations,” is routinely referenced by companies as a set of best practices for how to secure computer systems, and its recommendations have been adopted by many organizations that aren’t required to follow them.
The recommendations themselves, though relatively basic, are important ones—and often ignored when it comes to IoT devices. It’s worth remembering that many of these devices are manufactured and sold by companies without experience in internet technologies or online security. And they’re often designed with an eye toward requiring minimal set-up for customers. So things that we might take for granted from major tech firms—like allowing people to change default passwords, or checking to make sure that it doesn’t have any bugs listed in NIST’s National Vulnerability Database, or enabling a way to push software updates—are not always a priority.
For instance, in the aftermath of the Mirai attack, it turned out that many of the infected devices allowed users to change the default password for accessing their devices online, through a webpage, but not the passwords used by manufacturers and other computers for communicating with those same devices through channels that non-technical users were much less likely to access, such as Telnet and SSH. This meant that even if a user had changed the password for their device’s web portal, there were other default credentials that could still be exploited to compromise the device.
Clearly, this bill wouldn’t solve all the security challenges posed by the emerging IoT market—just because people can change their passwords doesn’t mean they always will, and, similarly, just because companies can push software updates and security fixes doesn’t mean they always will. Still, it’s an important step in the right direction.
The bill—which was introduced by a bipartisan group of senators—is sensitive to the wide variety of IoT devices and functions, permitting for some flexibility and evolution in their design. It also allows for the possibility that this particular set of security controls may not necessarily be one-size-fits-all. It instructs NIST to develop alternative standards for devices that don’t meet these criteria but instead adopt other security controls, such as network segmentation or multi-factor authentication. And the internet-connected devices covered by the bill’s provisions are broadly defined as any physical objects “capable of connecting to and … in regular connection with the Internet” that have “computer processing capabilities that can collect, send, or receive data.” This, too, seems to acknowledge how diverse these devices are, and how difficult it will be to predict exactly what they’ll look like or how they’ll work moving forward.
The bill also includes sensible legal protections for researchers who find vulnerabilities in these devices and help manufacturers patch them. Such research has uncovered a number of serious problems and been hugely beneficial to IoT companies—many of which do not necessarily employ large numbers of people working on security issues—and it’s important for that research to continue without the people who conduct it worrying about being prosecuted for illegal hacking.
If passed, the bill shouldn’t impose onerous burdens on IoT manufacturers—in fact, Warner told Reuters that its authors were “trying to take the lightest touch possible”—but would offer some reasonable guidelines and baseline standards for securing a wide range of devices. It wouldn’t be the end of the road for protecting these devices, by any means, but it would be a good start, and not a moment too soon.