Internet of Things (IoT) security experts from Tripwire and Rubicon Labs reacted this afternoon to news of today’s US Senate introduction of the IoT Cybersecurity Improvement Act of 2017.
Craig Young, Security Researcher with Portland, Oregon-based Tripwire, who has done extensive research of smart homes and a variety of consumer IoT devices, commented below.
Craig Young, Security Researcher at Tripwire:
“This is a great step in the right direction from my point of view. We do however need to proceed with caution and ensure that all legislation is written with an understanding of the technology and the potential for long term consequences. I have long since espoused that I think governments should step in and disallow sale of internet connected devices with hardcoded or default passwords. I think legislators should actually consider going a few steps further by mandating participation in an impartial and transparent bug bounty program.
It is also critical to protect researchers. I have personally had a wide range of experiences when disclosing vulnerabilities. Sometimes vendors respond with bounty payment and gratitude, while at other times they have responded with threatening legal language. Some bug bounty programs also provide too much leeway for vendors to ignore valid security research while simultaneously using terms of service to prevent researchers from disclosing issues when vendors will not fix the issues. (This can be the case even when bounties are not paid.)”
Rod Schultz, Chief Product Officer at Rubicon Labs:
“The spirit of this proposed legislation is an indicator that Congress has its sights set on the correct targets. On the other hand, the enforcement of this type of legislation will create many new challenges. The frequency of IoT security breaches is rapidly increasing, and IoT security accountability will become more and more critical to the U.S. economy and infrastructure.
Reduced functionality does not equate to reduced capability for digital destruction. It’s far too easy to release digital products that have security vulnerabilities, because there is no time to test and fix; the incentive to release products quickly is driven by time to market and profit requirements.
The security failures of many of these compromised IoT devices can rapidly escalate in scale and reach, having a major impact on critical infrastructure. If IoT security is not addressed appropriately by vendors it should not come as a surprise that legislation is proposed to fill that void.”