US plans IoT security legislation, but UK unlikely to follow

US Republican and Democrat senators have proposed legislation seeking to address security vulnerabilities in IoT devices

The US is considering legislation to regulate the security of devices making up the internet of things (IoT), which may prompt other governments into following suit.

The move was predicted earlier this year by security technologist Bruce Schneier. “Regulation is coming and is coming in a big way,” he told Infosecurity Europe 2017 in London, urging the security industry to embrace the fact and get involved to avoid the imposition of poor legislation.

“The choice is not between regulation and no regulation. The choice is between smart regulation and stupid regulation,” he said.

Security researchers have long warned of the looming security risk posed by IoT devices, but the topic has received far greater attention in the wake of the Mirai botnet attack on DNS service provider Dyn in October 2016, which affected organisations including Amazon Web Services, GitHub, Netflix, PayPal, Reddit, Spotify and Twitter.

The proposed Internet of Things Cybersecurity Improvement Act would require that IoT devices bought by the US federal government can receive software security updates and allow their default passwords to be changed.

The bill would also require such devices to conform to industry security standards and to be free of known security vulnerabilities.

Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University, according to Reuters.


Warner said the legislation attempts to take the “lightest touch possible”, but is intended to correct an “obvious market failure” that has provided device makers with little incentive to make products secure.

Rod Schultz, chief product officer at IoT security firm Rubicon Labs, said it is far too easy to release digital products that have security vulnerabilities because there is no time to test and fix. “The incentive to release products quickly is driven by time to market and profit requirements.

“The security failures of many of these compromised IoT devices can rapidly escalate in scale and reach, having a major impact on critical infrastructure. If IoT security is not addressed appropriately by suppliers, it should not come as a surprise that legislation is proposed to fill that void,” he said.

Expanded legal protections for security researchers

The proposed legislation would expand legal protections for security researchers working in “good faith” to probe IoT devices for vulnerabilities to help device makers improve security.

The bill would, however, allow federal agencies to ask the US Office of Management and Budget for permission to buy non-compliant devices if other controls, such as network segmentation, are in place.

While security researchers have welcomed the move as a positive step in the right direction, some have urged lawmakers to ensure legislation is written with an understanding of the technology.

Craig Young, security researcher at Tripwire, said he has long advocated that governments should step in and disallow the sale of internet-connected devices with hardcoded or default passwords. “I think legislators should actually consider going a few steps further by mandating participation in an impartial and transparent bug bounty program.”

Young, who has done extensive research of smart homes and a variety of consumer IoT devices, also welcomed the proposed protection for researchers. “Sometimes suppliers respond with bounty payment and gratitude while other times they have responded with threatening legal language,” he said.

Too much leeway for suppliers

Young said some bug bounty programs also give suppliers too much leeway to ignore valid security research, while using their terms of service to prevent researchers from disclosing issues that the suppliers will not fix, even when no bounty is paid.

Travis Smith, principal security engineer, also at Tripwire, said the proposed legislation will help to resolve some of the known issues behind so many IoT devices being hacked on a daily basis.

However, he said the bill will not help the overall security of IoT devices when it comes to patching and passwords, because when these are left up to the user, changing passwords and installing patches is not a priority.

“When it comes to patching, I put IoT devices into three buckets. The best bucket to be in has devices which automatically detect new updates and install them without any user involvement. This is the strategy which should be strived for amongst all IoT suppliers.

“Second, is optional patches, which is what this bill will most likely mandate. But the first issue is getting the user to know about the patch, then getting them to actually install it. Both of these tasks are notoriously difficult for your average user.

“Finally, there are the devices which do not receive any patches, intentionally or not,” he said.

The success behind Mirai

Regarding passwords, Smith said the reason Mirai was so successful was not because users could not change their password, but because they chose not to when installing the device.

“I would urge this bill to add that, should devices force the user to change the default password, the default password should be unique to each device as well. Even something as simple as using a MAC address, while not secure in itself, is one step better than using the default admin/admin credentials we have become accustomed to,” he said.
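The point Smith makes above, that a per-device default is "one step better" than admin/admin but "not secure in itself", can be made concrete. The following is an added example, not code from the article, from Tripwire or from any device maker. It models three ways a vendor could ship an admin credential (a fleet-wide default, a default derived from the MAC address, and a random per-device default) together with a "must change before the device goes online" setup flow, and runs two constructed attackers against each: a Mirai-style scanner that only tries a fixed wordlist, and an attacker who has seen the device's MAC and knows the derivation scheme. The wordlist, the vendor OUI, the "last six hex digits of the MAC" scheme and the denylist are all assumptions chosen for illustration.

```python
"""Default-credential policies against a Mirai-style scanner (added example)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Constructed stand-in for the fixed credential list a Mirai-style
# scanner carries; the real list is a few dozen factory defaults.
SCANNER_WORDLIST = [
    ("admin", "admin"), ("root", "root"), ("root", "12345"),
    ("admin", "password"), ("user", "user"), ("admin", "1234"),
]
# Passwords the device refuses at setup (assumption: same list as the scanner's).
DENYLIST = {p for _, p in SCANNER_WORDLIST}


@dataclass
class Device:
    mac: str
    policy: str            # "fleet_default", "mac_derived" or "random"
    password: str
    must_change: bool      # refuse to operate until the user sets a password
    operational: bool = False


def fleet_default(_mac: str) -> str:
    """One password for the whole product line: the admin/admin case."""
    return "admin"


def mac_derived(mac: str) -> str:
    """Per-device but predictable: hypothetical vendor scheme, last six hex digits of the MAC."""
    return mac.replace(":", "").lower()[-6:]


def random_default(_mac: str) -> str:
    """Per-device and unpredictable: generated at provisioning, printed on the label (assumed)."""
    return secrets.token_urlsafe(12)


POLICIES = {"fleet_default": fleet_default, "mac_derived": mac_derived, "random": random_default}


def provision(mac: str, policy: str, must_change: bool) -> Device:
    """Factory step: assign the credential according to the chosen policy."""
    return Device(mac=mac, policy=policy, password=POLICIES[policy](mac), must_change=must_change)


def first_boot(dev: Device, user_password: str = "") -> Device:
    """Setup flow. A must_change device never becomes operational on its factory
    password, and no device accepts a password from the known-default denylist."""
    if user_password:
        if user_password in DENYLIST:
            raise ValueError("password is a known factory default")
        dev.password = user_password
    elif dev.must_change:
        raise ValueError("device will not go online until the password is changed")
    dev.operational = True
    return dev


def refuses_setup(dev: Device, user_password: str = "") -> bool:
    """True if first_boot rejects this setup attempt (device stays offline)."""
    try:
        first_boot(dev, user_password)
    except ValueError:
        return True
    return False


def login(dev: Device, username: str, password: str) -> bool:
    return dev.operational and username == "admin" and password == dev.password


def scanner_attack(dev: Device) -> bool:
    """Mirai-style: the fixed wordlist only, no knowledge of the target."""
    return any(login(dev, u, p) for u, p in SCANNER_WORDLIST)


def informed_attack(dev: Device) -> bool:
    """Attacker who has seen the MAC (same LAN, or enumerated the vendor's OUI
    range) and knows the derivation scheme; MAC-derived defaults fall to this one."""
    guesses = [p for _, p in SCANNER_WORDLIST] + [mac_derived(dev.mac)]
    return any(login(dev, "admin", p) for p in guesses)


def survey(fleet: list[Device]) -> dict[str, tuple[bool, bool]]:
    """Map each device's MAC to (falls to scanner, falls to informed attacker)."""
    return {d.mac: (scanner_attack(d), informed_attack(d)) for d in fleet}


if __name__ == "__main__":
    # Constructed fleet under a hypothetical vendor OUI 00:1A:2B.
    fleet = [
        first_boot(provision("00:1A:2B:00:00:01", "fleet_default", False)),  # user kept admin/admin
        first_boot(provision("00:1A:2B:00:00:02", "mac_derived", False)),    # user kept label default
        first_boot(provision("00:1A:2B:00:00:03", "random", False)),         # user kept label default
        first_boot(provision("00:1A:2B:00:00:04", "fleet_default", True), "correct-horse-battery"),
    ]
    for mac, (scan, informed) in survey(fleet).items():
        print(f"{mac}: scanner={'pwned' if scan else 'safe'} informed={'pwned' if informed else 'safe'}")
```

Running it shows the ordering Smith describes: the fleet-wide default falls to the blind scanner, the MAC-derived default survives the scanner but not an attacker on the same network segment, and only the random per-device default or a user-chosen password survives both. The `must_change` flag is what turns "users can change the password" into "users do change it", which is the gap Smith identifies.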

Smith said that for the bill to be successful, he believes there need to be incentives for suppliers to get their devices to a secure state.

“Releasing a device which is free from security bugs is time consuming and costly. With many of these devices being a commodity, delaying the time to market or charging a higher cost may not fit their current business model,” he said.

Mark Noctor, vice-president for Europe at Arxan Technologies, said that by requiring suppliers to explain the vulnerabilities in their systems and why their device is still considered secure, the proposed legislation would force developers to take security seriously.

“Meeting this demand would help guarantee devices are secure by design, rather than having security provisions included as an afterthought – something that is all too common in today’s fast-paced market,” he said.

Building towards more advanced security

While the focus on basic measures such as password management is a good starting point, Noctor said future legislation should build on this to require more advanced security measures, such as using code hardening to protect a connected device’s software from being broken into and reverse engineered for malicious purposes.

“Hopefully the bill will serve as an example to other governments around the world to secure their own markets,” he said. “While there has been useful work in the area from bodies such as Enisa, it appears that an act of law is the best way to get suppliers to ensure security.”

But legislation is not likely in the UK very soon because the government tends to view legislation as a last resort, especially when it comes to new and emerging technology.

While IoT security is a key area of focus for the National Cyber Security Centre (NCSC), the current approach is for lead government departments in each sector to raise awareness on IoT-related security issues and encourage best practice in areas such as risk management and software security updates.

Because IoT covers a wide range of embedded devices in a variety of things in factories, offices, homes and cars, the view is that the level of risk is different for each environment and will require different approaches to mitigate that risk.

Ensuring the security of industrial control systems

A top priority of the NCSC is ensuring the security of industrial control systems that control things with a high impact on the UK, but the NCSC is also working with device makers and users at both industrial and consumer level to understand the importance of IoT devices having a software update mechanism.

The NCSC is also seeking to highlight the security and commercial advantages of ensuring that IoT devices and systems are secure by default and secure by design.

Rather than legislation, the UK government is more likely to support voluntary schemes where manufacturers can sign up to a code for adhering to good practice standards.

This would require device makers to commit to basic security measures such as requiring users to set their own passwords before the devices become operational and committing to fix any security vulnerabilities that emerge – as well as to supporting products and including security updates for a set number of years.

Key challenges and recommendations

In May 2017, Enisa published a position paper that identifies key challenges and makes recommendations for the European Commission to:

  • Define a policy framework for ensuring minimal security requirements for connected devices.
  • Ensure that reliable security processes and services are being developed to support industry in implementing security features in their products.
  • Encourage the development of mandatory staged requirements for security and privacy in the IoT, including some minimal requirements.
  • Create a level playing field for cybersecurity and look into incentives similar to the Digital Security Bonus in order to reward the use of good security practices.

Enisa’s executive director Udo Helmbrecht said trusted solutions and a common defined level for the security and privacy of connected and smart devices is both recommended and needed to allow Europe to reap the benefits of these technologies.

“Standardisation and certification have been identified as a priority, to accelerate the level playing field for the entire industry and reflect the trust of citizens, consumers and businesses in the connected environment,” he said.
