Lance Bellers - Fotolia

IoT device security bill mandates security standards

News roundup: U.S. Senators introduce a bipartisan bill to standardize IoT device security for government vendors. Plus, Anthem suffers another data breach, and more.

A piece of bipartisan legislation introduced this week would require vendors that sell to the U.S. government to meet certain IoT device security requirements.

The "Internet of Things (IoT) Cybersecurity Improvement Act of 2017" was introduced by U.S. Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) who co-chair the Senate Cybersecurity Caucus, as well as Sens. Ron Wyden (D-Ore.) and Steve Daines (R-Mont.). The bill aims to improve IoT device security for products used in the government.

"Under the terms of the bill, vendors who supply the U.S. government with IoT devices would have to ensure that their devices are patchable, do not include hard-coded passwords that can't be changed, and are free of known security vulnerabilities, among other basic requirements," explained a statement from Senator Warner's office announcing the act.

The senators collaborated with experts from the Atlantic Council and the Berklett Cybersecurity Project of the Berkman Klein Center for Internet & Society at Harvard University to craft the IoT device security bill. It also encourages security researchers to help find IoT device security vulnerabilities by adopting "coordinated vulnerability disclosure policies by federal contractors and providing legal protections to security researchers" who engage in "good-faith research" and exempt them "from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when in (sic) engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines."

"I've long been making the case for reforms to the outdated and overly broad Computer Fraud and Abuse Act and the Digital Millennium Copyright Act," said Senator Wyden in the statement. "This bill is a bipartisan, common-sense step in the right direction. This bill is designed to let researchers look for critical vulnerabilities in devices purchased by the government without fear of prosecution or being dragged to court by an irritated company. Enacting this bill would also help stop botnets that take advantage of internet-connected devices that are currently ludicrously easy prey for criminals."

The IoT device security bill would require vendors to develop patchable devices that "rely on industry standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities."

The bill also specifies that the Office of Management and Budget must develop other "network-level security requirements for devices with limited data processing and software functionality."

Vendors such as Mozilla, Cloudflare, Neustar, Symantec and VMware have already endorsed the bill, and some security experts have spoken out about it as well, including security expert Bruce Schneier. In the statement from Senator Warner's office, Schneier said, "The proliferation of insecure Internet-connected devices presents an enormous security challenge. The risks are no longer solely about data; they affect flesh and steel. The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests." He added that he applauds Senator Warren and the others for "nudging the market in the right direction" with the IoT device security bill, as well as recognizing the "critical role played by security researchers."

In other news

  • A threat actor known as 31337 allegedly breached the laptop of an analyst at security vendor Mandiant before leaking the information publicly and threatening to do the same to other security analysts. Multiple reports said a Pastebin page was set up to document information gathered from the analyst's personal laptop, Microsoft and LinkedIn accounts. The Pastebin page, which has since been taken down, reportedly also included some of the Mandiant analyst's work files. Though there's no evidence that those files were obtained through a breach of Mandiant's internal networks, the threat actor still claimed it breached the internal networks of FireEye, which owns Mandiant. FireEye has released several statements since the breach, but cannot confirm or deny the validity of the information posted on Pastebin or whether the company's internal network was breached, though it has acknowledged that the employee's laptop and social media accounts were breached, and that at least two customers were affected. The threat actor claims it is targeting security analysts as revenge for their work against hackers.
  • Anthem Health Insurance has reported another data breach that compromised the personal health information of 18,500 members. LaunchPoint Ventures, Anthem's insurance coordination service provider, discovered in April 2017 that an employee was involved in "identity theft related activities," according to a statement. In July, the company learned the employee had emailed Anthem member information to his personal account, violating LaunchPoint policies. The compromised data included Medicare ID numbers, Social Security numbers, Health Plan ID numbers, contract numbers, and dates of enrollment. The statement said there's no evidence to show that the data has been misused since the breach, but the investigation is ongoing. In 2015, another Anthem breach compromised 80 million customer records, for which the company recently agreed to a $115 million settlement.
  • Amazon has said that it will stop selling Blu Products Android phones following accusations that the phones use spyware. Ryan Johnson, research engineer and co-founder of mobile security company Kryptowire, based in Fairfax, Va., said in his Black Hat presentation that the Chinese company Shanghai Adups Technology was using spyware called Adups on at least two Android phones and collecting personal identifiable information without user consent. Blu has been criticized for using Adups despite the company's use of spyware. As a result, Amazon said it will stop selling the Blu phones, though they are still currently available to purchase on the site. Blu Products disputes the claims that there is any spyware or malware on their devices, saying "these are inaccurate and false reports."

Dig Deeper on Network security