A Senate bill introduced today would prioritize security in connected devices, requiring providers who sell to the U.S. government to implement measures that would have been an impediment to the IoT botnet-fueled attacks against DNS provider Dyn and webhost OVH.
The Internet of Things Cybersecurity Improvement Act provides stringent guidance for the security of connected devices starting with mandates that they not contain known hardware, software or firmware vulnerabilities and also that the device have a mechanism for accepting trusted security updates from the vendor.
The act, introduced by Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-WA) and Steve Daines (R-MT), would also require the use of industry standard protocols for communication, encryption and peripheral connections. Vendors would also no longer be able to include hardcoded credentials, which are generally embedded in devices enabling remote administration.
The DDoS attacks against OVH and Dyn were a gut-punch for the industry as giant botnets of connected IP cameras and DVRs were responsible for outages that took down major internet consumer and business services such as Twitter and Netflix.
The Mirai malware was at the core of those attacks. Following the public release of the malware’s source code, numerous Mirai-related attacks were detected. The malware scanned the public internet for connected devices and, working from a list of dozens of known default and weak credentials, tried to gain access to the router, camera or DVR. The compromised device was then joined to one of a number of IoT botnets used in DDoS attacks.
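As an added defender-side example (not from the article or any named project), the script below scans constructed telnet authentication log lines for the pattern just described: a single source working its way through a list of factory-default credentials, plus any device that actually accepted one of them. The log format, the small credential subset and the sample lines are assumptions chosen for illustration.

```python
"""Flag Mirai-style default-credential sweeps in telnet auth logs (added example)."""
import re
from collections import defaultdict

# Assumed log format: "<ts> telnetd src=<ip> user=<u> pass=<p> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd src=(?P<src>[\d.]+) user=(?P<user>\S*) "
    r"pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)

# Illustrative subset of the kind of factory defaults such a scanner cycles through.
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("admin", "1234"),
                 ("root", "12345"), ("user", "user")}

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(lines, min_distinct=3):
    """Return (sweeps, accepted).
    sweeps:   {src_ip: sorted default pairs tried} for sources that tried at least
              `min_distinct` different known-default pairs (one typo is one pair;
              a scanner walking a list is many).
    accepted: sorted (src, user, pass) where a device let a default credential in,
              i.e. a device that is itself exposed and needs its credential changed."""
    tried = defaultdict(set)
    accepted = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pair = (rec["user"], rec["pw"])
        if pair not in DEFAULT_CREDS:
            continue
        tried[rec["src"]].add(pair)
        if rec["result"] == "ok":
            accepted.add((rec["src"],) + pair)
    sweeps = {src: sorted(p) for src, p in tried.items() if len(p) >= min_distinct}
    return sweeps, sorted(accepted)

# Constructed sample: one scanner cycling defaults, one admin who mistyped once.
SAMPLE_LOG = [
    "2017-08-01T11:00:01Z telnetd src=198.51.100.7 user=root pass=root result=fail",
    "2017-08-01T11:00:02Z telnetd src=198.51.100.7 user=admin pass=admin result=fail",
    "2017-08-01T11:00:03Z telnetd src=198.51.100.7 user=admin pass=1234 result=fail",
    "2017-08-01T11:00:04Z telnetd src=198.51.100.7 user=root pass=12345 result=ok",
    "2017-08-01T11:05:00Z telnetd src=192.0.2.10 user=admin pass=admin result=fail",
    "2017-08-01T11:05:09Z telnetd src=192.0.2.10 user=admin pass=S3cret! result=ok",
    "not a telnetd line",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```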
With the IoT Cybersecurity Improvement Act addressing such shortcomings as insecure credentials and update mechanisms, many of these issues could have been avoided.
“My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products,” Warner said.
Security expert Bruce Schneier was among the first to suggest that the IoT security problem was already too far down the road, and that legislation would be inevitable. During testimony before a House committee last November, Schneier said market pressure was not enough to address the risks posed by insecure IoT devices, and he even suggested that innovation may have to suffer for it.