A bill submitted this week to the U.S. Senate could be the first step toward fixing IoT security, requiring that device makers who want to do business with the federal government meet basic security standards.
The bill mandates that any Internet-connected device provided by government contractors be free from known security vulnerabilities, be able to receive regular software updates, and use up-to-date communications and encryption industry standards.
That even these modest proposals are being seen as a seismic change in the IoT market is a measure of just how insecure a lot of IoT devices are. Securing them is no easy task. These aren’t traditional endpoints that can run their own security suites, often lack computing power, and are produced in such vast numbers of types and models that the standard approach to security doesn’t really apply.
The idea behind the bill is to use the federal government’s muscle as a gigantic potential customer to spur a re-evaluation of the way makers of connected devices approach product design. One of the bill’s chief sponsors, Sen. Mark Warner, said that the fact that many manufacturers see security as an afterthought is a failure of the marketplace.
“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” he said in a statement.
It’s tough to avoid the conclusion that many device makers aren’t making a serious effort to secure their products, according to experts like David Dufour, senior director of cybersecurity and engineering at Webroot.
“The most frustrating part is that attackers often break into these devices by exploiting very basic security holes or poor configurations,” said Dufour. “These everyday IoT hacks are preventable – yet their potential for widespread devastation is great.”
Making large-scale changes in the IoT sector won’t happen overnight. The companies that make IoT devices are often inexperienced at making connected hardware – it’s not HPE or Microsoft making computerized refrigerators, it’s the same companies that have always made refrigerators but are now building connectivity into them.
Danielle Jackson, chief information security officer at SecureAuth, said that the law represents an important crossroads for IoT technology.
“The creators and innovators of IoT devices should be challenged to consider security as a first,” she said. “Too often security is an afterthought instead of a partner in decision-making and building of products we have grown to enjoy as consumers.
According to Hamid Karimi, a global vice president of business development for BeyondSecurity, companies like medical device makers won’t change their practices until they have to.
“Manufacturers look at the cost-benefit analysis, and so far there hasn’t been a major liability,” he said. “Unless this gets mandated or there’s a court case that could be used as a precedent, you’re not going to be able to do anything.”