Author Topic: New US Govt IoT Device Standards  (Read 3769 times)


Offline LabSpokane (Topic starter)

  • Super Contributor
  • ***
  • Posts: 1899
  • Country: us
New US Govt IoT Device Standards
« on: August 07, 2017, 04:05:49 pm »
http://www.electronicdesign.com/embedded-revolution/new-bill-targets-common-sense-security-internet-things?NL=ED-001&Issue=ED-001_20170807_ED-001_993&sfvc4enews=42&cl=article_1_b&utm_rid=CPG05000003817148&utm_campaign=12347&utm_medium=email&elq2=7913ea34450f45a290d45c1b7a43ece8

Looks like anyone who is selling an internet-connected device to the US Government will have additional certifications to address. I don't see anything terribly objectionable, but for small businesses, there are going to be some additional costs for validation and certification that may affect your margin/sale price.

Full text of bill is here: https://www.scribd.com/document/355269230/Internet-of-Things-Cybersecurity-Improvement-Act-of-2017
« Last Edit: August 07, 2017, 04:19:54 pm by LabSpokane »
 

Offline ngjohnson

  • Contributor
  • Posts: 10
  • Country: us
Re: New US Govt IoT Device Standards
« Reply #1 on: August 07, 2017, 06:03:09 pm »
Hello LabSpokane,

I have been working with IoT hardware and software for a few years now. I interned at Particle.io as they were just getting VC funding and growing into version 2 and the Electron. From that experience alone I can tell you that you really don't want to make internet-connected devices that don't have a high level of security, especially if you are a small business. I have just finished a 6 month grant project for IoT roadside units funded by the NSF, only to realize that security took a majority of our time. We created our own communication protocol and added security into the hardware and software at every point. Someone getting access to our data at any point would compromise the company's IP.

I'm personally really happy that companies will be expected to hold to a high standard of security, as many of these devices are already controlling safety-critical applications.

Best,
Nicholas
 

Online DaJMasta

  • Super Contributor
  • ***
  • Posts: 2323
  • Country: us
    • medpants.com
Re: New US Govt IoT Device Standards
« Reply #2 on: August 07, 2017, 06:21:47 pm »
That matters a lot more to companies that also provide the same kind of server infrastructure and service that Particle does. A startup with just a Wi-Fi-enabled microcontroller module and a little software doesn't necessarily have their hands on any of the data being used, so maybe a hack of their products wouldn't have such an impact on their bottom line.

That said, this only applies to government purchasing - so a startup can still sell any shoddily coded security they want, but US government agencies can't buy or use their products. I wouldn't really mind some blanket mandate for basic security measures on anything that connects to the net, just for preventing IoT devices from being easy botnet targets or widespread information gathering or whatnot by a third-party hacker, but I doubt US lawmakers would push for something like that... if they are even tech savvy enough to realize that it's a potentially serious problem.
 

Offline LabSpokane (Topic starter)

  • Super Contributor
  • ***
  • Posts: 1899
  • Country: us
Re: New US Govt IoT Device Standards
« Reply #3 on: August 07, 2017, 06:57:34 pm »
Hello LabSpokane,

I have been working with IoT hardware and software for a few years now. I interned at Particle.io as they were just getting VC funding and growing into version 2 and the Electron. From that experience alone I can tell you that you really don't want to make internet-connected devices that don't have a high level of security, especially if you are a small business. I have just finished a 6 month grant project for IoT roadside units funded by the NSF, only to realize that security took a majority of our time. We created our own communication protocol and added security into the hardware and software at every point. Someone getting access to our data at any point would compromise the company's IP.

I'm personally really happy that companies will be expected to hold to a high standard of security, as many of these devices are already controlling safety-critical applications.

Best,
Nicholas

Hi Nicholas,

I completely agree. And that's one major reason I "outsource" my security and firmware updates with devices such as the Electron. :-+
 

Offline LabSpokane (Topic starter)

  • Super Contributor
  • ***
  • Posts: 1899
  • Country: us
Re: New US Govt IoT Device Standards
« Reply #4 on: August 07, 2017, 07:03:42 pm »
That matters a lot more to companies that also provide the same kind of server infrastructure and service that Particle does. A startup with just a Wi-Fi-enabled microcontroller module and a little software doesn't necessarily have their hands on any of the data being used, so maybe a hack of their products wouldn't have such an impact on their bottom line.

That said, this only applies to government purchasing - so a startup can still sell any shoddily coded security they want, but US government agencies can't buy or use their products. I wouldn't really mind some blanket mandate for basic security measures on anything that connects to the net, just for preventing IoT devices from being easy botnet targets or widespread information gathering or whatnot by a third-party hacker, but I doubt US lawmakers would push for something like that... if they are even tech savvy enough to realize that it's a potentially serious problem.

This will actually trickle down to virtually all electronics. Nobody will want their devices to be removed from the GSA schedule.

Honestly, given what I know about certain government suppliers' absolutely shoddy security practices, or rather, complete lack thereof, this is pretty welcome legislation in the form of creating a minimum standard. It will definitely make some engineers' lives easier in not having to fight management over doing the basics. It will now be law.
 

Offline floobydust

  • Super Contributor
  • ***
  • Posts: 7237
  • Country: ca
Re: New US Govt IoT Device Standards
« Reply #5 on: August 07, 2017, 07:15:52 pm »
I thought this was driven by Chinese telecom ICs (routers, Wi-Fi, Ethernet, cell phones) which have backdoors for the Chinese government and hackers to exploit.

The US is pissed off at Huawei for this; they got on the blacklist and were banned from selling to the US, UK and Australian governments.
I'm not sure what the NSA found.
 

Offline ChristopherN

  • Supporter
  • ****
  • Posts: 144
  • Country: de
    • app22 UG (haftungsbeschränkt)
Re: New US Govt IoT Device Standards
« Reply #6 on: August 08, 2017, 06:36:30 am »
I think this is a step in the right direction. I design and manage IoT / Smart Energy systems and consult on that topic.

It's horrible to see what's out there and how many vendors act. Security updates take a long time, and when they do arrive the updates are often bug-infested. Some vendors don't provide updates at all. Many vendors lack basic networking and (embedded / IT) security knowledge, the solutions are insecure by design, and there is no possibility to fix that in the field.

This is especially true for IoT / Industrial / Energy Gateways that aggregate data and control stuff like valves in the field. Real harm can be inflicted using those devices, and they are hard to secure if you have 100k+ devices installed on remote equipment.

Legislation is slowly pushing in the right direction by raising the minimal acceptable security level on those products and services.
 

Offline b_force

  • Super Contributor
  • ***
  • Posts: 1381
  • Country: 00
    • One World Concepts
Re: New US Govt IoT Device Standards
« Reply #7 on: August 08, 2017, 11:06:37 am »
I thought this was driven by Chinese telecom ICs (routers, Wi-Fi, Ethernet, cell phones) which have backdoors for the Chinese government and hackers to exploit.
Isn't that EXTREMELY ironic?

New US standards of IoT: backdoors for NSA  :--

Offline Jeroen3

  • Super Contributor
  • ***
  • Posts: 4092
  • Country: nl
  • Embedded Engineer
    • jeroen3.nl
Re: New US Govt IoT Device Standards
« Reply #8 on: August 08, 2017, 11:19:31 am »
I bought a MikroTik router due to the lack of firmware updates from, well, all consumer-grade router vendors.
If you get 3 updates over 5 years you should call yourself lucky.

There should be a norm or regulation quickly to prevent the companies from selling cheap bad IoT.
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 16918
  • Country: us
  • DavidH
Re: New US Govt IoT Device Standards
« Reply #9 on: August 08, 2017, 05:14:05 pm »
I bought a MikroTik router due to the lack of firmware updates from, well, all consumer-grade router vendors.
If you get 3 updates over 5 years you should call yourself lucky.

My ancient Celeron 300A workstation operating as a BSD router has outlasted 4 modems and at least 4 routers.

Quote
There should be a norm or regulation quickly to prevent the companies from selling cheap bad IoT.

See if you can describe it.  No matter what they pass it will be poorly thought out, make things worse, and include plenty of rent seeking.
 

Offline Jeroen3

  • Super Contributor
  • ***
  • Posts: 4092
  • Country: nl
  • Embedded Engineer
    • jeroen3.nl
Re: New US Govt IoT Device Standards
« Reply #10 on: August 09, 2017, 05:29:01 am »
At least Apple is on the right track by mandating encryption for HomeKit.
 

Offline floobydust

  • Super Contributor
  • ***
  • Posts: 7237
  • Country: ca
Re: New US Govt IoT Device Standards
« Reply #11 on: August 09, 2017, 05:41:42 am »
"Under the terms of the bill, vendors who supply the U.S. government with IoT devices would have to ensure that their devices are patchable, do not include hard-coded passwords that can't be changed, and are free of known security vulnerabilities, among other basic requirements," explained a statement from Senator Warner's office announcing the act.

This doesn't help the IoT standards war at all.
 

Online jbb

  • Super Contributor
  • ***
  • Posts: 1190
  • Country: nz
Re: New US Govt IoT Device Standards
« Reply #12 on: August 09, 2017, 07:38:28 am »
This doesn't help the IoT standards war at all.

I guess it's not meant to. My personal guess is that a lot of IoT providers actually want to be ongoing service providers and charge you rent. If open, interoperable protocols are deployed you could then buy the good hardware from company A and the good service from company B. Or you could buy the cheap and nasty hardware from company C and annoy the hell out of company B with service requests.

New US standards of IoT: backdoors for NSA  :--

Given that a whole heap of IoT has sweet f*** all security (FYI, Linux is only 'more secure than Windows' if people configure it right), I think it will actually make it a little harder for three-letter agencies to break in. However, I haven't read the draft, and US laws are infamous for containing weird and wonderful extra stuff beyond what the title might suggest.

Maybe I'm being charitable, but I think the reason for a lot of products out there lacking security isn't malice or stupidity but time pressure. If your boss is getting hell from upper management, they will say "just make it work, we need to ship it." As long as no one checks for security issues - which upper management possibly thinks is a waste of time - the 'working' product will go out the door. Hard-coded admin passwords and all.
 

Offline cdev

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Re: New US Govt IoT Device Standards
« Reply #13 on: August 10, 2017, 11:16:00 pm »
Multinational companies are required to give any and all WTO member countries equal backdoors by the WTO Telecommunications Agreement!

Source: Edward Snowden mentioned it in a talk and I am pretty sure he is right.

If North Korea was to join the WTO they would get equal rights to the backdoors in their equipment. (If they learned about them.)

So some of all this may be a "really big shoo". 

Made for TV.
« Last Edit: August 10, 2017, 11:53:54 pm by cdev »
"What the large print giveth, the small print taketh away."
 

Offline System Error Message

  • Frequent Contributor
  • **
  • Posts: 473
  • Country: gb
Re: New US Govt IoT Device Standards
« Reply #14 on: August 11, 2017, 12:58:18 am »
How would the government enforce it? There are already many vulnerable IoT devices out there.

There are many IP cams that are part of a botnet. Many IoT devices are compromised already, but with few knowing. It gets even worse because this applies to cars too. There just isn't a standard out there yet on designing IoT. It's a free-for-all, and companies are sucking at it as far as standards go but do well at making money from it.
 

Offline System Error Message

  • Frequent Contributor
  • **
  • Posts: 473
  • Country: gb
Re: New US Govt IoT Device Standards
« Reply #15 on: August 11, 2017, 01:10:06 am »
While they can't request all equipment to be replaced immediately, they can request all new gear to be certified in order to qualify for government purchasing. Meanwhile, they can slowly phase out non-compliant gear.

So this doesn't apply to IoT devices sold for non-government use, like to the public?
 

Offline LabSpokane (Topic starter)

  • Super Contributor
  • ***
  • Posts: 1899
  • Country: us
Re: New US Govt IoT Device Standards
« Reply #16 on: August 11, 2017, 01:10:50 am »
There is *nothing* in this standard with respect to government-mandated "back doors." This legislation only applies to a few practices that fall under necessary and proper, although some could be nebulous and initially costly for small businesses to implement.
 

Offline LabSpokane (Topic starter)

  • Super Contributor
  • ***
  • Posts: 1899
  • Country: us
Re: New US Govt IoT Device Standards
« Reply #17 on: August 11, 2017, 01:12:38 am »
While they can't request all equipment to be replaced immediately, they can request all new gear to be certified in order to qualify for government purchasing. Meanwhile, they can slowly phase out non-compliant gear.

So this doesn't apply to IoT devices sold for non-government use, like to the public?

Correct, but expect the requirement to trickle down due to the nature of how companies list their items for sale to the US Government.
 
