New IoT Bill Proposes Security Standards for Smart Devices
3.8.2017 thehackernews IoT
By this time, almost every one of you owns at least one internet-connected device—better known as the "Internet of things"—at your home, but how secure is your device?
We have recently seen car hacking that could put anyone's life at risk, hoverboard hacking, even the hacking of a so-called smart gun, and also widespread hacks of insecure CCTV cameras, routers and other internet-connected home appliances.
But this did not stop vendors from selling unsecured Internet-connected smart devices, and customers are buying them without giving a sh*t about the security of their smart devices.
However, the massive cyber attack on a popular DNS service provider that shut down a large portion of the Internet last year made us all fear the innocent-looking IoT devices that surround us every day but actually pose a threat to global cyber security.
A bipartisan group of senators has now introduced a new bill aimed at securing internet-connected devices by setting industry-wide security standards for the government's purchase and use of IoT devices, including computers, routers and security cameras.
The new bill, called the Internet of Things Cybersecurity Improvement Act of 2017, was introduced on Tuesday by Senator Mark Warner (D-VA), a Democrat from Virginia, and Senator Cory Gardner (R-CO), a Republican from Colorado.
The bill would require suppliers that provide wearables, sensors and other web-connected smart devices to the United States government to adhere to some new industry-wide security practices.
The security standards prohibit suppliers from including hard-coded (unchangeable) usernames and passwords in their devices, which are a primary vector for hackers and malware to break into the devices and hijack them.
Last year's cyber attack on DNS provider Dyn also involved the use of default credentials to break into hundreds of thousands of internet-connected smart devices, which were then used to launch distributed denial of service (DDoS) attacks on Dyn, causing a significant outage for a ton of websites such as Twitter, GitHub, PayPal, Amazon, and Netflix for several hours.
The legislation would also require vendors to ensure that their devices are patchable and are free from already known vulnerabilities when sold.
The bill was drafted with input from technology experts at the Atlantic Council and Harvard University.
The lawmakers are trying to "take the lightest touch possible" to address an "obvious market failure" that has left device manufacturers with little incentive to build with security in mind, Sen. Warner told Reuters.
Under the legislation, permission to buy devices would come from the White House Office of Management and Budget (OMB), provided their network-level security requirements are in place.