A bill is set to be introduced in the U.S. Congress to stop sales of IoT devices whose firmware vulnerabilities cannot be patched or their passwords changed.
The bill will seek to empower government agencies to check new IoT devices and to verify if they are patchable and if their passwords can be changed.
A number of cyber security firms have recently highlighted various vulnerabilities that exist in modern IoT devices that can be exploited by hackers to spy on users, to cause damage and to commit identity theft.
Taking note of such revelations, a bipartisan group of U.S. senators is planning on introducing a new bill in the Senate that would block sales of unsecured IoT devices as well as of those whose security flaws cannot be patched.
Earlier this year, the destructive WannaCry ransomware was used by hackers to infiltrate a large number of pacemakers used by the healthcare industry. This was despite a warning from the US Food and Drug Administration that asked medical device manufacturers to monitor, identify and address cyber security vulnerabilities in medical devices and understand the importance of information sharing via participation in an Information Sharing Analysis Organization (ISAO).
Drafted by technology experts at the Atlantic Council and Harvard University, the new bill aims to incentivise IoT device manufacturers who build their devices with security in mind. While unsecured devices would be kept away from the general public, government agencies will be able to purchase non-compliant devices ‘if other controls, such as network segmentation, are in place,’ reported Reuters.
‘It would also expand legal protections for cyber researchers working in “good faith” to hack equipment to find vulnerabilities so manufacturers can patch previously unknown flaws,’ the report added.
Travis Smith, principal security engineer at Tripwire, believes that despite the good intentions behind the new bill, the ultimate control of a device’s security will continue to remain in the hands of the user.
‘When left up to the user, changing passwords and installing patches is not a priority. The priority instead is getting the device to work so you can stream Netflix from your fridge or see your front porch from a beach,’ he says.
He adds that at the same time, building devices free of security bugs is a time-consuming and expensive process and that manufacturers need to be offered incentives to get their devices to a secure state. ‘With many of these devices being a commodity, delaying the time to market or charging a higher cost may not fit their current business model.’
The proposed introduction of the bill comes not long after the UK government announced a new regulation that mandates all drone owners to get their drones registered with the state and clear all relevant safety tests.
The government is also planning on geo-fencing critical areas so that people cannot use drones to survey or monitor critical zones like prisons and airports. No-fly zones can be programmed into all drones using GPS coordinates to ensure that drones cannot be misused by criminals or enemy states.