A bipartisan bill would require new security practices of Internet of Things vendors who sell to the government. geralt/Pixabay

A bipartisan group of U.S. senators introduced legislation Tuesday that would impose additional security requirements on the internet-connected devices that make up the Internet of Things. The bill aims to address a number of major security vulnerabilities created by the enormous number of internet-connected devices now present in homes and businesses throughout the U.S. and the rest of the world. But one security expert, Travis Smith, told International Business Times that the legislation needs to go further in mandating user behavior.

The bill, dubbed the "Internet of Things Cybersecurity Improvement Act of 2017," was sponsored by Sens. Mark Warner, D-Va.; Steve Daines, R-Mont.; Cory Gardner, R-Colo.; and Ron Wyden, D-Ore.


Under the proposed legislation, purchases of Internet of Things devices made by the federal government would be limited by a number of requirements, including the need for devices to meet a minimum security standard. Agencies would also be required to catalogue each internet-connected device they operate.

The bill would also call on the Office of Management and Budget to create security standards for such devices and for the NSA to create protocols for security researchers to contact government contractors to disclose security flaws discovered in their products.


In part, the bill would prohibit vendors from selling devices to the government that have unchangeable administrative passwords or do not offer the ability to install security patches to fix known flaws.


Such a proposal may require adjusting copyright laws to allow researchers to perform security checks and disclose their findings. Currently, the Digital Millennium Copyright Act (DMCA) prevents anyone, including security researchers, from circumventing copyright protections—even if done for a reason that would not violate copyright.

Such protections prevent a security researcher from searching for flaws in internet-connected devices whose makers rely on copyright to protect the device's code, although some devices, including voting machines, have been exempted from the stringent protections.

“While I’m tremendously excited about the innovation and productivity that Internet-of-Things devices will unleash, I have long been concerned that too many Internet-connected devices are being sold without appropriate safeguards and protections in place,” Sen. Warner said in a statement.

“This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices,” Sen. Warner added.

The bill received a number of endorsements from security researchers and privacy advocates, including Harvard’s Jonathan Zittrain and Bruce Schneier and industry executives from the likes of security firm Symantec and advocacy group the Center for Democracy and Technology.

However, some have suggested the bill doesn’t go far enough to ensure Internet of Things devices meet proper security standards. Smith, the principal security researcher at Tripwire, told IBT the bill will resolve some known issues with internet-connected devices but won’t go far enough to solve problems that still require user action.

He said IoT devices that automatically detect and install security patches should be “strived for” by all IoT vendors, but said the bill will likely mandate only optional patches. “Two issues with optional patches are first getting the user to know about the patch, then getting them to actually install the patch. Both of these tasks are notoriously difficult for your average user,” he said.

Smith also noted that while the bill may require passwords be changeable by the user, many users will not take that step. He suggested users should be required to change the default password and said the default password for each device should be unique.

In 2016, a botnet known as Mirai used huge numbers of compromised IoT devices to launch a denial-of-service attack against a number of major websites and services. That attack succeeded because many devices ship with the same default passwords and users do not change them.

“For this bill to be successful, there needs to be incentives for vendors to get their devices to a secure state,” Smith said. “Releasing a device which is free from security bugs is time consuming and costly. With many of these devices being a commodity, delaying the time to market or charging a higher cost may not fit their current business model.”