The internet of things is a massive security nightmare. US lawmakers are finally starting to try to fix that.
A bipartisan group of U.S. senators is introducing legislation that seeks to address vulnerabilities in computing devices embedded in everyday objects — known in the tech industry as the “internet of things” — which experts have long warned poses a significant threat to global cyber security.
The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable, and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities.
Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon.
“We’re trying to take the lightest touch possible,” Warner told Reuters in an interview. He added that the legislation was intended to remedy an “obvious market failure” that has left device manufacturers with little incentive to build with security in mind.
The legislation would allow federal agencies to ask the U.S. Office of Management and Budget for permission to buy some non-compliant devices if other controls, such as network segmentation, are in place. It would also expand legal protections for cyber researchers working in “good faith” to hack equipment to find vulnerabilities so manufacturers can patch previously unknown flaws.
As such, it’s limited: It only applies to vendors supplying the US federal government. But it’s a start.
The internet of things revolution is coming — and we need to be ready
Security researchers have long said that the ballooning array of online devices, including cars, household appliances, speakers and medical equipment, is not adequately protected from hackers who might attempt to steal personal information or launch sophisticated cyber attacks.
Between 20 billion and 30 billion devices are expected to be connected to the internet by 2020, researchers estimate, with a large percentage of them insecure.
As F-Secure’s Mikko Hypponen previously told Business Insider, in the future it will be near-impossible to avoid the internet of things. He said:
“In five years’ time you go and buy a toaster, it — regardless of the toaster you buy, even if there’s no IoT features — it’s still gonna be an IoT toaster. It’s still gonna call home to the manufacturer. And the reason this is gonna happen is it’s gonna be so goddamn cheap to put in one chip to have it call home, that they’re all going to do it, even if the benefits are very small.
“And the benefits will be analytics like ‘ok, how many toasters do we have in use, how quickly do people take them into use when they buy them, how much do they toast, what kind of bread do they toast, how often do our toasters catch fire, where in London do we have our customers, do we have more on the East or West or South side? We have less customers on the South side, let’s advertise more on the South side.’ Things like that.”
In other words, you won’t even know that you’re buying internet-connected products — so you won’t be able to avoid it. And this is what makes the security debate so important.
But even though security for the internet of things has been a known problem for years, some manufacturers say they are not well equipped to produce cyber-secure devices.
Hundreds of thousands of insecure webcams, digital recorders and other everyday devices were hijacked by hackers last October to support a major attack on internet infrastructure that temporarily knocked some web services offline, including Twitter, PayPal and Spotify.
The new legislation includes “reasonable security recommendations” that would be important to improve protection of federal government networks, said Ray O’Farrell, chief technology officer at cloud computing firm VMware.