Washington Has Had Enough Of Your Terrible IoT Devices
A new bill introduced in the Senate this week has the potential to make some actual progress on IoT security by using the rather large checkbook of the federal government as the motivating force.
The IoT Cybersecurity Improvement Act of 2017 is the first serious attempt by Congress to address the myriad security issues that plague embedded devices. There have been various bills introduced in the past that have tried to come at the problem from an oblique angle or with a narrow solution, but this measure would be the first one with a broad scope and some real muscle behind it.
The bill lays out a series of clauses that would be required language in any contract between a federal agency and an IoT vendor, addressing a number of specific security issues. The clauses cover products being sold with known vulnerabilities, firmware updating practices, and several other problems, all in surprisingly clear, concise language. The clause that addresses perhaps the biggest IoT security weakness — patching — does not leave vendors much in the way of wiggle room.
“A clause that requires the contractor providing the Internet-connected device to provide written certification that the device—(i) except as provided under clause (ii), does not contain, at the time of submitting the proposal, any hardware, software, or firmware component with any known security vulnerabilities or defects listed in—(aa) the National Vulnerability Database of NIST; and (bb) any additional database selected by the Director that tracks security vulnerabilities and defects, is credible, and is similar to the National Vulnerability Database,” the bill says.
In other words, if you sell the federal government an IoT device with a known vulnerability in it, said government’s lawyers will be paying you a visit. Of course, every piece of software and every device on earth ships with vulnerabilities in them, and that’s where that word “known” comes into play. The government is essentially requiring vendors to certify that the products they’re providing don’t have any publicly disclosed bugs in them at the time of sale. Not an unreasonable request, but it’s a rare one and it’s also only part of the picture.
Security researchers around the world are spending a lot of time poking and prodding IoT devices, looking for security vulnerabilities and attack surfaces. And they’re not exactly meeting with much resistance. So there’s a good chance that a given IoT device — especially a high-profile or widely deployed one — will be the subject of a vulnerability report at some point in its useful life. For that reason, the new bill also includes language that requires any device sold to the government to have a secure mechanism for receiving updates.
Every federal contract would have to contain a “clause that requires such Internet-connected device software or firmware component to be updated or replaced, consistent with other provisions in the contract governing the term of support, in a manner that allows for any future security vulnerability or defect in any part of the software or firmware to be patched in order to fix or remove a vulnerability or defect in the software or firmware component in a properly authenticated and secure manner.”
IoT devices are not easy to update in most cases and many manufacturers are slow to publish fixes, if they do it all. This has helped lead to the emergence of IoT malware and botnets and generally made the phrase IoT security the oxymoron that it is today. But money — or the lack thereof — has a way of motivating companies to shift their priorities. Few, if any, customers have more money than the federal government, and if this bill makes it onto the books as law, changes may be on the way.