Senators introduce bill to secure Internet of Things devices

The bill would also expand legal protections for security researchers who hunt for vulnerabilities.
Written by Zack Whittaker, Contributor


A bipartisan group of senators has introduced legislation aimed at securing internet-connected smart devices, which were at the center of a massive cyberattack that brought down large swathes of the internet last year.

The distributed denial-of-service attack in October lasted for less than a day, but it further fueled concerns about threats posed by insecure and easily hijacked so-called Internet of Things (IoT) devices, thanks to an industry-wide apathy toward supplying devices with even the most basic security.

The new bill, introduced by Sens. Mark Warner (D-VA) and Cory Gardner (R-CO), will require suppliers of devices to the federal government to adhere to a level of industry-wide security practices, such as ensuring that devices, like wearables and smart sensors, can be patched with security fixes. The bill will prohibit devices from including hard-coded and unchangeable usernames and passwords, long seen as one of the primary ways malware can break in and hijack devices.

Last year's cyberattack exploited the use of default passwords, often hidden from view, in order to break in and redirect internet bandwidth to overload systems and servers, knocking them offline.

With input from the Atlantic Council and Harvard University, the lawmakers reportedly wanted "the lightest touch possible" to address "obvious market failures," said Warner in an interview with Reuters on Tuesday.

The lawmakers said the Internet of Things Cybersecurity Improvement Act will ensure the government "leads by example" to prevent further intrusions into federal systems "without halting the life-changing innovations that continue to develop in the IoT space," said Gardner.

With as many as 30 billion devices expected to be connected to the internet by the end of the decade, the legislation aims to future-proof the industry from mistakes it has largely brought on itself.

Security researchers and hackers alike have long warned that IoT devices pose problems because most device makers have failed to put the security of their devices -- and any other device connected to the same network -- as a priority.

Cryptographer and security expert Bruce Schneier, who consulted on the bill, said that the market is "not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests."

The senators also added a caveat to the bill that would expand legal protections for security researchers working in the Internet of Things space to exempt "good faith" vulnerability hunting activities from federal hacking laws.

The hope is that the exemption would draw more security experts to the field, encouraging researchers to report vulnerabilities to ensure security flaws are fixed sooner.

It would also expand legal protections for cyber researchers working in "good faith" to hack equipment to find vulnerabilities so manufacturers can patch previously unknown flaws.
