New Bill Seeks Basic IoT Security Standards

LASER_oneXM

Feb 4, 2016
Lawmakers in the U.S. Senate today introduced a bill that would set baseline security standards for the government’s purchase and use of a broad range of Internet-connected devices, including computers, routers and security cameras. The legislation, which also seeks to remedy some widely-perceived shortcomings in existing cybercrime law, was developed in direct response to a series of massive cyber attacks in 2016 that were fueled for the most part by poorly-secured “Internet of Things” (IoT) devices.

The IoT Cybersecurity Improvement Act of 2017 seeks to use the government’s buying power to signal the basic level of security that IoT devices sold to Uncle Sam will need to have. For example, the bill would require vendors of Internet-connected devices purchased by the federal government make sure the devices can be patched when security updates are available; that the devices do not use hard-coded (unchangeable) passwords; and that vendors ensure the devices are free from known vulnerabilities when sold.

The bill’s provisions would seem to apply to virtually any device that has an Internet connection and can transmit data. Under the proposal, an IoT device has a fairly broad definition, being described as “a physical object that is capable of connecting to and is in regular connection with the Internet;” and one that “has computer processing capabilities that can collect, send or receive data.”


At the time, the world had just witnessed two of the largest cyberattacks the Internet had ever seen (including one against this Web site). Those attacks were launched with the help of IoT devices — mostly cheap security cameras and Internet routers — that were hacked thanks largely to user accounts which could not be removed and which were configured to be remotely accessible over the Internet.
 

LASER_oneXM

Today I found another article about the "risky" IoT:

Two U.S. lawmakers think the government has a new cybersecurity problem: The Internet of Things

When hackers took aim at the internet’s backbone last year, impeding access to websites like Twitter and Spotify, they did so by weaponizing the Internet of Things — a catch-all category of web-connected devices that includes fitness trackers and smart thermostats.
The passwords, generally kept hidden from users, exist to help manufacturers access the guts of those tools, but hackers have easily exploited them. Using malicious software called Mirai, attackers previously have managed to turn webcams and other devices into a formidable botnet — the likes of which caused the widespread October outage.

With cybersecurity, Warner told Recode, “You’ve got to constantly be upgrading your game. And what we’re saying with Internet of Things devices is, if you’ve got hard-coded passwords or they’re not able to be patched, because they’re cheaper or smaller devices, that can’t be standard protocol.”

“If we turn around and there are 20 billion [IoT] devices in a couple years, and the federal has ‘x’ million of these devices, and they all have these characteristics,” he continued, “then, you know, I think we’re going to make a big mistake.”

On the consumer side, at least, the Internet of Things is a fast-expanding, if nebulous, market category. An estimate by IDC issued in June found that IoT spending around the world could reach as high as $1.4 trillion by 2021.

Warner, previously, has warned about major security risks in internet-connected toys, another part of the IoT universe. Still others in government have raised cybersecurity fears about the Internet of Things: Terrell McSweeny, a Democratic commissioner at the Federal Trade Commission, for years has warned about threats to smart homes and other, similar tools.
 
