A new bill has been introduced in Congress which aims to prohibit the production of IoT devices if they can’t be patched or have their password changed. The bill also calls for federal agencies to have the freedom to purchase non-compliant IoT devices should this legislation pass, if they get approval from the US Office of Management and Budget. Travis Smith, Principal Security Engineer at Tripwire commented below.
Travis Smith, Principal Security Engineer at Tripwire:
“As it stands now, the S in IoT stands for security. This bill will help to resolve some of the known issues plaguing so many IoT devices being hacked on a daily basis. There are two issues I see with this bill which won’t help the overall security of these types of devices. When left up to the user, changing passwords and installing patches is not a priority. The priority instead is getting the device to work so you can stream Netflix from your fridge or see your front porch from a beach.
“I put IoT devices into three buckets when it comes to patching. The best bucket to be in are devices which automatically detect new updates and install them without any user involvement. This is the strategy which should be strived for amongst all IoT vendors. The next is optional patches, which is what this bill will most likely mandate. Two issues with optional patches are first getting the user to know about the patch, then getting them to actually install the patch. Both of these tasks are notoriously difficult for your average user. Finally, there are the devices which do not receive any patches; intentionally or not.
“Along the same lines as having users install patches is getting them to change their passwords. The reason Mirai was so successful was not because users could not change their password, but because they chose not to when installing the device. I would urge this bill to add that should devices force the user to change the default password, but that the default password should be unique to each device as well. Even something as simple as using a MAC address, while not secure in, is one step better than using the default admin/admin credentials we have become accustom to.
“For this bill to be successful, there needs to be incentives for vendors to get their devices to a secure state. Releasing a device which is free from security bugs is time consuming and costly. With many of these devices being a commodity, delaying the time to market or charging a higher cost may not fit their current business model.”