Computerworld

Proposed US IoT security legislation takes aim at hard-coded credentials

Senators introduce Internet of Things Cybersecurity Improvement Act of 2017

A group of US senators has unveiled proposed legislation that would mandate minimum security standards for Internet-connected devices purchased by the US government.

The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 is backed by the co-chairs of the Senate Cybersecurity Caucus, Democrat Mark R. Warner and Republican Cory Gardner, along with Democrat Senator Ron Wyden and Republican Senator Steve Daines.

“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” Warner said.

“This legislation would establish thorough, yet flexible, guidelines for federal government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”

Among the requirements of the act, a contractor providing an Internet-connected device must certify that it does not contain “any hardware, software, or firmware component with any known security vulnerabilities or defects” listed in the US National Institute of Standards and Technology’s National Vulnerability Database.

Devices covered by the act have to be certified to be capable of “accepting properly authenticated and trusted updates from the vendor” and to use “only non-deprecated industry-standard protocols and technologies” for functions such as network communications and encryption.

In addition, a supplier must certify that the device “does not include any fixed or hard-coded credentials used for remote administration, the delivery of updates, or communication”.

“This bipartisan, commonsense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space,” Gardner said.

Another section of the legislation will “exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines,” a statement released by the group of senators said.

The proposed legislation has drawn support from technology companies including Mozilla, Symantec, VMware and Cloudflare.

“The proliferation of insecure Internet-connected devices presents an enormous security challenge,” well-known security expert Bruce Schneier said.

“The risks are no longer solely about data; they affect flesh and steel. The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests. I applaud Senator Warner and his cosponsors for nudging the market in the right direction by establishing thorough, yet flexible, security requirements for connected devices purchased by the government.”

Schneier also endorsed the legislation’s “recognition of the critical role played by security researchers and the exemptions included in this legislation for good-faith security research.”