US senators have introduced a new bill to better secure IoT devices and to protect security researchers who find vulnerabilities in those devices.
The new bill would require vendors that provide internet-connected equipment to the U.S. government to ensure their products are patchable and conform to industry security standards. It would also prohibit vendors from supplying devices that have unchangeable passwords or possess known security vulnerabilities.
The bill would prohibit devices with hard-coded, unchangeable usernames and passwords, which are one of the primary ways malware breaks in and hijacks devices.
Last year's cyber-attack exploited default passwords, often hidden from view, to break into devices and redirect their internet bandwidth to overload systems and servers, knocking them offline.
With input from the Atlantic Council and Harvard University, the lawmakers reportedly wanted the lightest touch possible to address obvious market failures, said Sen. Mark Warner (D-VA).
The legislation would allow federal agencies to ask the U.S. Office of Management and Budget for permission to buy some non-compliant devices if other controls.
30 billion IoT devices
More than 30 billion IoT devices are expected to connect to the internet by the end of the decade. The legislation aims to future-proof the industry against mistakes it has largely brought on itself.
Security researchers and hackers alike have long warned that IoT devices pose problems because most device makers have failed to prioritize the security of their devices, and by extension of any other device connected to the same network.
Security expert Bruce Schneier said that the market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interest.
The senators also added a provision to expand legal protections for security researchers working in the IoT space, exempting good-faith vulnerability hunting from federal hacking laws.
The hope is that the exemption would draw more security experts into the field and encourage researchers to report vulnerabilities, so that security flaws are fixed sooner.