U.S. Sens. Mark Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-WA) and Steve Daines (R-MT), introduced the IoT Cybersecurity Improvement Act of 2017. The bill would require that devices purchased by the U.S. government meet certain minimum security requirements.
Vendors would have to ensure that their devices do not include hard-coded passwords that can’t be changed. The factory-set, hardcoded passwords of IoT devices have been the source of some major security breaches over the past year.
In September 2016 some malware named Mirai hit the KrebsOnSecurity website with a record 620 Gb/s attack. Mirai enlisted unsecure IoT devices that were connected to networks and used them as “bots” to bombard the KrebsOnSecurity site with requests.
Mirai struck again in October 2016 with another distributed-denial-of-service (DDoS) attack. This one caused outages at sites such as Twitter and Netflix. The attack was directed at Dyn, a Domain Name Service (DNS) provider, which translates web URLs into IP addresses. Dyn is vital to the Internet.
Besides banning hard-coded passwords, the Senate legislation requires that vendors make their IoT devices patchable and that they make them free of any known security vulnerabilities. Additionally, vendors must make devices based on standard protocols.
In today’s announcement of proposed legislation, Jonathan Zittrain, co-founder of Harvard’s Berkman Klein Center for Internet & Society, said “Internet-aware devices raise deep and novel security issues, with problems that could arise months or years after purchase, or spill over to people who aren’t the purchasers. This bill deftly uses the power of the federal procurement market, rather than direct regulation, to encourage Internet-aware device makers to employ some basic security measures in their products.”