back to article Don't be too shocked, but it looks as though these politicians have actually got their act together on IoT security

In an all-too-rare sign of Congress doing its job, on Wednesday US lawmakers introduced a new law bill aimed at improving the security of the internet-of-things. The legislation has been introduced into both the House and the Senate with politicians from both sides supporting it. What's more, the Internet of Things (IoT) …

  1. Yet Another Anonymous coward Silver badge

    Pork time

    the bill would require any federal agency to only buy products from companies that met those guidelines.

    why-a-one-room-west-virginia-library-runs-a-20000-cisco-router/

    From an earlier program: " Broadband Technology Opportunities Program (BTOP), which passed out several billion dollars to help upgrade broadband networks across America "

    The bidders for the project included Cisco ..... and only Cisco .......

  2. PhilipN Silver badge

    "Politicians" and "got their act together"

    Naah. Don't belong in the same sentence.

    But then I started noticing politics way back when politicians were soft and cuddly and weren't actually supposed to do anything,

    1. DJV Silver badge

      Re: "Politicians" and "got their act together"

      Politicians on the UK side of the pond always get their act together when it comes to awarding themselves pay rises!

  3. Anonymous Coward
    Anonymous Coward

    This won't stop the flow of cheap consumer Things

    Merely mandating Federal procurement standrds will have minimal influence on the buying power of hundreds of MILLIONs of US consumers who will be offered all kinds of imported Things costing no more than a few dollars apiece.

    Originating from beyond US jurisdiction, their manufacturers will not feel obligated to comply with US standards or to offer what might be thought of as appropriate lifetime support services - for example, security patching.

    What could possibly go wrong?

    1. Mark 85 Silver badge

      Re: This won't stop the flow of cheap consumer Things

      Basically Fleabay wins this one since Joe and Sally User will lock for the cheapest prices.

      One question escapes me ... how many federal agencies actually use IoT stuff? Much of the Feds stuff seems to be bespoke and specked to extremes.

      1. paulll Bronze badge

        Re: This won't stop the flow of cheap consumer Things

        Not just the eBay types. Once all the kickbacks have been negotiated and the industry figures out which one or two vendors have the government contracts sewn-up, all the other vendors-reputable or otherwise- will see that market sector as closed and will compete for the rest of the market on price the way they always have. They'll have no reason to seek certification and be no more motivated than they are now, to follow any security best practises. So the whole endeavour becomes a brief pitstop in the continuing race to the bottom.

        Sadly; it's quite an impressive piece of work, as far as it goes.

        1. doublelayer Silver badge

          Re: This won't stop the flow of cheap consumer Things

          All of that is true, but this still has some benefits, namely these:

          The government will require places to make secure devices, at least of any type that they intend to buy, and will make a certification process available. That means that consumers who value this have a thing to search for and a certification that indicates a good level. More secure options and more information about exactly how secure the things are can't hurt.

          Next, there is some chance that large companies, wanting to sell to the government, will secure and certify some things that weren't secure before. Anyone buying these things gets the benefits of that. Those companies might also focus more on security now that they are partially required to do so, meaning other products they make could become more secure. Again, it's a thing in the "not guaranteed but can't hurt" category.

          Finally, a law like this helps to set a precedent for a more restrictive law. If an IOT system is used to harm consumers, the fact that it didn't follow these certifications could be used when explaining why the manufacturers were negligent and should be held responsible. Since America isn't covered by GDPR, this could at least provide a legal basis for a few types of rights that GDPR makes more available.

    2. bombastic bob Silver badge
      Devil

      Re: This won't stop the flow of cheap consumer Things

      not every device has to have a UL listing in the USA, but you're unlikely to find one WITHOUT UL.

      Similarly, there will NOW be an IoT standard, and probably a similar labeling requirement.

      It will probably (like FCC testing) require you to have some 3rd party independent laboratory conduct the appropriate tests.

      And several existing 'on a chip' solutions for WiFi and Ethernet will not comply for systems that have too little memory for an SSL stack (as one example), such as things built with AVR microcontrollers (read: Arduino).

      In a way this opens the door for new solutions that provide basic security, like SSL and IPSec. WiFi solutions already have WPA/WPA2 support, but no SSL. So when you contact a cloud server, the traffic is still 'in the clear'. I would expect that preventing MitM attacks and packet sniffing are high on the list for IoT security.

      So yeah if an addon chip could encrypt/decrypt traffic and manage the DH key exchange, that'd be nice. something that supports I2C, serial, and SPI would be ideal.

  4. JassMan Silver badge

    Much more work can and should be done to figure out how best to prompt millions of consumers to keep their devices updated or it's just a matter of time before their IoT devices becomes a security issue.

    IoT devices already have big security issues, it is not a matter of time.

    Just as big a problem is privacy. Why should a temperature controller need to know everything including the name of your maiden aunt.

    1. bombastic bob Silver badge
      Meh

      "Why should a temperature controller need to know everything including the name of your maiden aunt."

      I bet that sort of thing is just the unnecessary privacy violation of the provider's cloud service. THAT is a problem, too, but is less related to IoT security and more a problem with privacy-invading cloud services (in general).

  5. eldakka Silver badge

    leaves things to NIST to figure out.

    That hasn't worked out to well in the telecommunications sector, just look at Pai's FCC...

    1. bombastic bob Silver badge
      Megaphone

      I happen to _LIKE_ what Pai is doing. So I want NIST to be just as _SANE_ with their proposals.

  6. Fazal Majid

    Mark Warner has a tech background, even if he is not an engineer. He is no idiot.

    I don't know how much consumer IoT the Federal Government purchases, though. I hope not too much, otherwise we are already 0wned by the Chinese and Russians...

  7. Nick Kew Silver badge
    Holmes

    The joys of box-ticking

    Give us a security standard, and you can be sure that becomes a box-ticking exercise for lowly practitioners. How often will the box-ticking come to dominate their jobs, at the expense of things like common sense?

  8. This post has been deleted by its author

  9. Will Godfrey Silver badge

    Optimistic

    I'll be impressed if it actually gets through unscathed, but I'm not holding my breath. Seen too many good ideas derailed by vested interests

    1. Version 1.0 Silver badge

      Re: Optimistic

      In general when you see statements like "bipartisan legislation in the US, with industry backing" you can assume that the consumers are getting screwed - No, I'm not complaining, it's just the way things are.

  10. Charles 9 Silver badge

    "But, as we noted at the time, it was also a wasted opportunity: unique passwords are a big problem but so is software that is not updated and left in the hands of consumers."

    Since we're talking the IoT, we have to assume there will be instances where the item CAN'T be upgraded due to poor communication: just enough to pass telemetry but far from sufficient to do a software patch. In which case, the best course would be to go back to the pre-Internet practice of getting it right the first time because there are no second chances. If something like this has a problem, you're better off getting the damn thing replaced whole.

  11. Mike 16 Silver badge

    Updates

    At the risk of becoming yet another broken record (in the vinyl sense of the word, not the Guinness sense), there are at least two issues around updates:

    1) Devices need to be _capable_ of updating their software (and of reverting to a "not great but not totally borked" state).

    2) Making updates mandatory, non-reversible, and silent? That's how a zero-day at the manufacturer becomes a worldwide shit-storm.

    (And that's not even addressing which criminal gang/government agency is using that zero-day.)

    1. Charles 9 Silver badge

      Re: Updates

      What happened to getting things right the first time because you won't have a chance to update it (because the device is being deployed to the boonies with poor communications)?

    2. bombastic bob Silver badge
      Pirate

      Re: Updates

      "That's how a zero-day at the manufacturer becomes a worldwide shit-storm."

      Or, an "update" triggered by an MitM attack, including one that uses a VERY loud WiFi drive-by radio (using a very high gain antenna to accomplish this, not difficult) to THEN cause your home network devices to "roam" to the rogue AP (or WiFi bridge), which then becomes an MitM and THEN does things _LIKE_ inject malware in the form of firmware onto IoT devices...

      Yes, it's VERY plausible. I could probably design something to do this without a whole lot of effort, by configuring a Linux laptop as a WiFi bridge, and then go from there...

      That being the case, updates should NOT be mandatory, nor even SCANNED for. Maybe you get an e-mail from the company saying "We have an update to your firmware" or it appears on your phone application (if you're using one), or the web page that displays the info, and you THEN manually install the update with the ability to REVERT in case of a problem. Like that.

      Yeah - mandatory updates - has worked SO well with Win-10-nic, why stop there?

  12. Jimmy2Cows

    Missed opportunity ... prompt millions of consumers to keep their devices updated...

    Shirely this requires manufactures to, oh I don't know, fucking provide updates!

    That's the weak link. Right now they ship insecure shit and never provide updates because they can't be arsed, and aren't in any way compelled to do so.

  13. DCFusor Silver badge

    When there is bipartisan agreement

    And wow, industry on top, the results are always....

    Let's look at history. Bank deregulation - shortly before the big financial disaster. Check.

    McCain-Feingold campaign finance "reform" Check.

    Quite a few others but I won't bore you. It always seems to mean delegating power to industry. Money is speech and all that.

    Sam Clemens had it right. We're safer when they're not in session.

    And yes, updates...the first zero day gets you all.

    We find an issue of security. So we send an update to the device that has a security issue. Surely there's no way that security issue would allow some miscreant to send that device an update that was...a security issue.

    These guys are smarter than that, or one would hope, I know at least a couple of them are. So we're back to my usual cynical "cui bono".

    I'll save you typing it into google: https://en.wikipedia.org/wiki/Cui_bono

    It's rarely been violated in recorded history.

    1. bombastic bob Silver badge
      Unhappy

      Re: When there is bipartisan agreement

      "We find an issue of security. So we send an update to the device that has a security issue"

      Who is this 'we' again, exactly? And that's why what you said won't work, regardless of it being snark (or not).

      Mark Twain _WAS_ right. NO legislation is better than BAD, particularly if it includes something like THAT.

      We (the end users) don't need THEM (the 'we' in your proposal) CONTROLLING, DICTATING, and potentially DESTROYING our devices... or our freedom.

      Also, any solution that involves the private sector ALSO involves CHOICE on the part of the consumer. Taking that freedom away through regulation is another small step towards TOTALITARIANISM.

  14. Mike Moyle Silver badge

    One part of any proposed rule or legislation should make it HARDER for manufacturers of insecure kit to claim damages from hackers, and EASIER for their customers to claim damages from THEM if they get pwned. Also, include a clause that, should the company go bankrupt, any entityy acquiring their trademarks, IP, assets, good will (if any), etc., are also, knowingly and explicitly, acquiring any liabilities for the insecure products, as well. It would be nice if directors could be held personally liable since, much like "(k)nowing that one is to be hanged in ten days..." knowing that one's own, personal wealth is at risk "... tends to concentrate the mind wonderfully", but that may be a bridge too far.

    1. Charles 9 Silver badge

      You'll never make it stick, though, since those kinds of people know how to keep their necks on, by hook, by crook, by taking off, or by hostile takeover if necessary.

    2. bombastic bob Silver badge
      Meh

      "EASIER for their customers to claim damages from THEM if they get pwned."

      yeah the lawsuit angle already exists, as far as I'm aware, but the burden of proof would be easier if they don't comply with the NIST standard. It's likely to be set as a precedent early on, by the first aggressive attorney that files the lawsuit.

  15. Version 1.0 Silver badge

    How does this work at the moment?

    All electronics sold in the US is supposed to have pass the FCC tests to meet standards for RF emissions and RF interference rejection - but how much imported kit actually gets tested? You can buy all sorts of things on the Internet that claim to be legal in the USA but have never been tested and have no FCC IDs. Does anyone thing that the new IoT standards will be any different?

  16. gnwiii

    US industry should support standards for IoT security

    In the auto industry, many vehicles available outside North America don't meet safety standards, so competion for US manufacturers is reduced. At present, consumers have few ways to judge the quality of IoT devices, but they know how much they are paying, so cheaper mostly wins. With credible standards many consumers will pay more for compliant devices. Local governments are heavy users of IoT building management and security cameras. With credible standards, it will be much easier to justify spending more on a better class of devices. For US industry, the standards will be a barrier to cheap imports from vendors who lack the expertise to build standards compliant gear. A big question will be how much influence US law enforcement can exert to have standards mandate back-doors.

  17. Uncle Ron

    Huh? Are you Kidding ?

    Politicians don't know shit about IoT or even what it stands for, or much of anything else, IMO. It is the staffs or lobbyists that pump all this stuff into their voting habits. If there is MONEY in getting something fixed, partisan bickering goes out the window. Sure, they'll come together and do something because the 'industry' is funneling money into their greedy little campaign chests, of both parties. And maybe into other places as well. The politicians themselves probably don't even know about it. Just my $0.02 worth. Huh?

  18. martinusher Silver badge

    IoT is already off the rails

    This idea that software is inherently full of vulnerabilities and so has to be patched all the time is really a side effect of a relative handful of consumer operating systems. We, the public, have become accustomed to the notion that fixing bugs is a game of 'Whack a Mole' where every fixed bug causes problems elsewhere, opens more vulnerabilities and so on. This might be good eating for product and software vendors but its not the way that we should be treating devices. We can't secure ordinary computers properly so why would we even contemplate spreading the same sorts of vulnerabilities to what are essentially peripherals?

    It is true that there are a lot of existing things that lack proper security but they were for the most part designed for an environment where threats were considered unlikely. Securing them should be straightforward provided we can get away from this concept that everything has to be globally accessible by everything else. Experience with 'things' will tell you that you need to trade information volume for information quality, if you don't then you'll get mired in irrelevant data (and there's no point in assuming that 5G will fix that problem for you -- it didn't when connections were wired so its unlikely to economically do the job wirelessly).

    Still, I figure that IoT is primarily a marketing exercise mostly implemented in Powerpoint so I'll just keep on doing what I do and wait for something viable looking to turn up....

    1. Anonymous Coward
      Anonymous Coward

      Re: IoT is already off the rails

      "Securing them should be straightforward provided we can get away from this concept that everything has to be globally accessible by everything else."

      In today's warp speed rat race, you can forget it. Time is money, knowledge is power, and data stales quickly. In a world where cable lengths can make or break a deal (if you don't hit it, someone else will), you snooze, you lose.

  19. Anonymous Coward
    Anonymous Coward

    Will they have to have back doors as well?

    You know, for law enforcement reasons.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019