from the the-S-in-IoT-stands-for-security dept.
Lawmakers in the U.S. Senate today introduced a bill that would set baseline security standards for the government's purchase and use of a broad range of Internet-connected devices, including computers, routers and security cameras. The legislation, which also seeks to remedy some widely-perceived shortcomings in existing cybercrime law, was developed in direct response to a series of massive cyber attacks in 2016 that were fueled for the most part by poorly-secured "Internet of Things" (IoT) devices.
The IoT Cybersecurity Improvement Act of 2017 seeks to use the government's buying power to signal the basic level of security that IoT devices sold to Uncle Sam will need to have. For example, the bill would require vendors of Internet-connected devices purchased by the federal government make sure the devices can be patched when security updates are available; that the devices do not use hard-coded (unchangeable) passwords; and that vendors ensure the devices are free from known vulnerabilities when sold.
[...] The bill's provisions would seem to apply to virtually any device that has an Internet connection and can transmit data. Under the proposal, an IoT device has a fairly broad definition, being described as "a physical object that is capable of connecting to and is in regular connection with the Internet;" and one that "has computer processing capabilities that can collect, send or receive data."
[...] The measure also directs the Department of Homeland Security to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. government.
[...] A full text of the Senate proposal is available here.
Source:
https://krebsonsecurity.com/2017/08/new-bill-seeks-basic-iot-security-standards/
(Score: 0) by Anonymous Coward on Thursday August 03 2017, @08:12PM (10 children)
I bet that prices go up for anything that passes this government requirement. Any takers?
(Score: 2) by tibman on Thursday August 03 2017, @08:53PM (3 children)
Plenty of civilians buy "mil-spec" for its supposed higher quality. Companies get a new badge to stick on their products to entice users to buy their product over a competitor.
SN won't survive on lurkers alone. Write comments.
(Score: 2) by DannyB on Thursday August 03 2017, @08:58PM (2 children)
The reason people buy "mil-spec" is to get older technology, that runs slower, and ensures that you won't get any technology upgrades for a long, long time, if ever. Those are the primary selling points.
Young people won't believe you if you say you used to get Netflix by US Postal Mail.
(Score: 2) by The Mighty Buzzard on Thursday August 03 2017, @09:30PM (1 child)
Nah. People buy mil-spec because you can beat the fuck out of it and it'll still work.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Friday August 04 2017, @12:22AM
You are slightly confused, rock'n'roll-spec is the stuff you can beat the shit out of, it's considerably more durable because it has to survive roadies (instead of GIs). It's the difference between being actively aggressive about destroying equipment vs. young kid ignorance in the Army.
I worked for a sound contractor once, have first hand experience. Mil-spec does not hold up in that environment, we had to harden things considerably further.
(Score: 4, Insightful) by lentilla on Thursday August 03 2017, @09:22PM (3 children)
This sounds like a solution applied in the improper place.
First thing that will happen is that prices will skyrocket. Second thing is that government employees will be prevented from solving simple problems with simple off-the-shelf hardware. Printers, for instance. No longer can you grab a printer from the local store like everybody else, now it will need to be certified.
Out of all the people that need protection from IoT badness, government employees are the least in need. Government offices (at least in theory) have network specialists whose job it is to minimise this kind of threat.
It's everyone else who needs protection; unfortunately, the kind of protection current governments seem able to offer is unlikely to actually do any good. The kind of threats normal people need protection from is sociopathic management ("I don't care it's full of holes, start shipping the product!"), or lazy or inexperienced programming ("oh, didn't realise people can log in by manually editing the URL!").
Of course, the very worst kind of threat is the kind that people can be convinced to give away whilst being distracted by a shiny feature. Governments don't seem to be very good at putting the brakes on companies pulling these kinds of stunts. If we can't even arrange for ISPs to be common carriers and maintain network neutrality (things that should be no-brainers), what hope do we have of enacting meaningful legislation or guidelines?
I wish these guys all the luck in the world but I fear the only result will be overpriced versions of consumer goods. And; as likely as not; just as plagued with IoT-era security holes, despite the gold-plated certificates.
(Score: 2) by c0lo on Thursday August 03 2017, @10:28PM
Like they would be cheap now. I haven't seen anything under the $150 price mark.
And the cost of making one on your own is somewhere around $20-$30 tops (RasPi Zero - $12, temperature sensor $4, LCD module 3.5" $8-$12. Add some connectors and an enclosure) and host your own comm server somewhere (amazon lambda, free tier - up to 1 million req/month, gets you a request every 2.7 seconds in a 31 days month)
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 2) by frojack on Friday August 04 2017, @11:43PM
Nope.
Look, the money in pocket to buy printers is pretty well fixed. Nobody suddenly has more money just because Congress decides to make something a requirement, especially when that requirement is easily met with Free Software.
So with no additional funds appearing, the prices won't go up, because last year's printers will still work. The manufacturers will spend the extra hours to put in better software, and amortize it over a bazillion printers.
Same for most everything else. If your internet light bulb or your web cam needs new software, it's going to have to be cheap, because nobody will buy it if it's too expensive, especially when your competitor will sell it for less.
You don't even have to mandate testing for these devices. No need for UL or CSA to start testing them, no need for the government to start licensing them.
You just have to make manufacturers LIABLE. Have the government go after a few of them to set the tone.
Takata. Almost totally bankrupt. Who knew you could not fire shrapnel into the chest of people you were supposed to be protecting?? There was no anti-shrapnel laws!!
No, you are mistaken. I've always had this sig.
(Score: 2) by frojack on Friday August 04 2017, @11:50PM
The legislation pretty well makes that point, and forces government to START caring.
My home surveillance cam is firewalled behind a router. Your laptop web cam is too I'll bet.
The only people who can afford enough bandwidth to put unprotected cams on the public internet all over the city is government. Remember the big internet of things botnets? Those were all government traffic cams and surveillance cams on "security by obscurity" government networks. Meanwhile Joe Sixpack had his cam behind a router.
Forcing government to clean up its act is the proper thing to do.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Friday August 04 2017, @01:43AM
good jorb bro
(Score: 2) by davester666 on Friday August 04 2017, @04:25AM
I hope so. IoT will be WAY better if it starts out crazy expensive, so only the uber-rich buy it, because once the various devices get hacked and their house catches on fire, or records their conversations and posts them on youtube, they WILL make someone pay. And the people who sell stuff to them know this.
(Score: 2) by ikanreed on Thursday August 03 2017, @08:27PM (1 child)
plz install more backdoor, thx
(Score: 2) by DannyB on Thursday August 03 2017, @09:05PM
You don't need a back door because grand juries indict 99.99 % of the time.
Young people won't believe you if you say you used to get Netflix by US Postal Mail.
(Score: 5, Interesting) by DannyB on Thursday August 03 2017, @08:56PM (1 child)
I have suggested this before.
Simply make IoT device manufacturers liable for any actual damages caused by their devices getting hacked. By "liable", I mean make it easy to recover those damages.
I am NOT proposing any kind of government certification. Or registration. Or mandatory design standards. Or government testing program. (Although the market could create voluntary testing and certification programs, sort of like UL, to assure consumers.)
That is the only legislation that is needed. Just fix the perverse incentives. Right now the incentive is for IoT manufacturers to ignore security and let others bear the costs of getting DDOS'ed or worse from the hacked IoT devices.
Manufacturers might even cooperate on the security of a Linux distribution that they could all build their IoT devices upon.
Manufacturers would have to consider whether they should (or should not) have an update mechanism.
This might increase the cost of IoT devices -- which is as it should be. Right now, the victims of the hacking bear the costs of their damages. And those are third parties who didn't even buy the cheap lousy insecure IoT devices. Manufacturers might consider whether certain things should even be IoT devices or connected to the clod. Do we really need any clod connected teddy bear toys?
As for "startups couldn't bear the risk this would impose", I would argue that I have the same expectation of a $1,200.00 cloud connected toaster as I have of a $12 toaster from Target -- that it won't burn my house down. I should have the same expectation that neither the $12 toaster nor the $1,200.00 iToaster are going to get hacked and cause actual damages, DDOS attacks, or ransomware attacks.
Young people won't believe you if you say you used to get Netflix by US Postal Mail.
(Score: 3, Insightful) by c0lo on Thursday August 03 2017, @10:35PM
This will kill IoT even faster** than the simple request for patch-ability and no hardcoded passwd or other intentional backdoors.
** (from my side, good riddance anyway).
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 3, Interesting) by krishnoid on Thursday August 03 2017, @08:59PM (3 children)
Seems like this would be a good opportunity to start pushing IPv6, since (in my limited understanding) it provides packet traceability/authentication (?), and makes a clean break with the smaller IPv4 space as internet-connected devices start scaling up by an order of magnitude and beyond. I'm sure there are some drawbacks though.
(Score: 2, Disagree) by DannyB on Thursday August 03 2017, @09:02PM (1 child)
IPv4 will never go away. There is a limited amount of it. Supply and demand forces the price of static IPs to go up. There is money to be made. IPv4 will never go away.
Young people won't believe you if you say you used to get Netflix by US Postal Mail.
(Score: 2) by kaszz on Friday August 04 2017, @02:34AM
People that need communication that works will find out that IPv4 addresses are a pain to get and route around it. Once that happens the support will be worse and those pricey IPv4 addresses will be rendered the Detroit of the Internet.
(Score: 2) by Thexalon on Thursday August 03 2017, @10:10PM
Looking over the protocol headers, there's nothing in them that makes IPv6 packets inherently any more traceable or authenticated than IPv4 packets. Which is to say, not much at all.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
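Added example (not Thexalon's code, and not from the thread): a small script that builds a minimal IPv4 and IPv6 header, rewrites the source address the way a spoofer would, and checks what a router or host can actually verify. The only integrity field in either header is the IPv4 header checksum, which the spoofer recomputes in one line; IPv6 has no header checksum at all. The packets are constructed inline (documentation addresses, UDP as the next protocol), not captured from a network.

```python
"""Show that IPv4 and IPv6 headers carry no source authentication.

Added illustration for the discussion above; packets are constructed
here (RFC 5737 / RFC 3849 documentation addresses), not captured.
"""
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the header in 16-bit words (RFC 791).

    Returns 0 when called on a header whose checksum field is valid.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload_len: int = 0, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_ipv6(src: str, dst: str, payload_len: int = 0, next_hdr: int = 17) -> bytes:
    """Minimal 40-byte IPv6 header: version/class/flow, length, next header, hop limit."""
    return struct.pack(
        "!IHBB16s16s",
        6 << 28, payload_len, next_hdr, 64,
        ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed,
    )


def parse_source(packet: bytes) -> str:
    """Read the source address exactly as a receiver does: trust the bytes."""
    version = packet[0] >> 4
    if version == 4:
        return str(ipaddress.IPv4Address(packet[12:16]))
    if version == 6:
        return str(ipaddress.IPv6Address(packet[8:24]))
    raise ValueError("not an IP packet")


def ipv4_checksum_ok(packet: bytes) -> bool:
    """The one check a forwarding device performs on an IPv4 header."""
    return ipv4_checksum(packet[:20]) == 0


def spoof_source(packet: bytes, new_src: str) -> bytes:
    """What a spoofer does: overwrite the source field, then (IPv4 only)
    recompute the checksum so every on-path check still passes."""
    version = packet[0] >> 4
    if version == 4:
        hdr = packet[:10] + b"\x00\x00" + ipaddress.IPv4Address(new_src).packed + packet[16:20]
        hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
        return hdr + packet[20:]
    if version == 6:
        # Nothing to fix up: IPv6 dropped the header checksum entirely.
        return packet[:8] + ipaddress.IPv6Address(new_src).packed + packet[24:]
    raise ValueError("not an IP packet")


if __name__ == "__main__":
    v4 = build_ipv4("10.0.0.1", "192.0.2.9")
    forged4 = spoof_source(v4, "198.51.100.7")
    print("IPv4 source:", parse_source(forged4), "checksum ok:", ipv4_checksum_ok(forged4))
    v6 = build_ipv6("2001:db8::1", "2001:db8::2")
    forged6 = spoof_source(v6, "2001:db8::bad")
    print("IPv6 source:", parse_source(forged6), "(no checksum field to check)")
```

The point of the checksum functions is that passing the checksum proves only that the header was not corrupted in transit, never who sent it; anything that does authenticate the source (IPsec AH/ESP, or simply TLS above IP) sits outside the IP header in both versions, which is why the IPv6 header gives a defender no more to go on than the IPv4 one.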
(Score: 3, Interesting) by leftover on Thursday August 03 2017, @09:59PM (1 child)
I believe Danny B's earlier comment is on the mark. No government regulation will be able to keep up if it tries to specify technical provisions. I also believe the proper approach is to disincentivise evil behavior. My approach is even simpler and directly to the point. The government rule should contain two points:
1. People have a protected right to control both collection and dissemination of information about their private lives. Period.
2. Any person, business, or agency violating that right is liable for civil damages paid directly to the individual people whose information is collected and/or disseminated.
Specifically, it must not be required of individual people to 'prove' damages, engage expensive legal firms, or otherwise jump through hoops. It should be as simple for a person to make a privacy claim as it is for xxAA to make a piracy claim. Individuals making a claim should be able to choose between a specified amount with no trial required or an open-ended amount with a trial. "Corporate goodwill" would abruptly become quite important, as it should be.
Bent, folded, spindled, and mutilated.
(Score: 2) by kaszz on Friday August 04 2017, @02:36AM
Require that any device involved in activity that causes damage provides full documentation. That way open source may bump the binary blobs.
(Score: 2) by MostCynical on Thursday August 03 2017, @11:37PM (1 child)
"vendors ensure the devices are free from known vulnerabilities when sold."
Code audit? Test version to DHS/NSA before approval?
And as for "known" vulnerabilities - known to whom? The public? NSA? Mossad?
"Here, open up your devices if you want to sell to the USGov"
Will any other country then trust these devices?
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by nobu_the_bard on Friday August 04 2017, @12:33PM
Lots of other countries would trust them - so long as they also get to see them opened the same way. Facebook's an example lately.
(Score: 3, Insightful) by fido_dogstoyevsky on Friday August 04 2017, @03:14AM
Don't connect. Don't provide the facility to connect. Don't provide any possibility to connect.
It's NOT a conspiracy... it's a plot.