A bipartisan group of U.S. senators on Tuesday is introducing legislation to address vulnerabilities in computing devices embedded in everyday objects — known in the tech industry as the “internet of things” — which experts have long warned poses a threat to global cybersecurity and which has made several recent hacking events all too easy.
Reports of thieves using laptops to steal cars have persisted for years, and white-hat research into hacking cars goes back at least to a 2010 study by the University of Washington and the University of California, San Diego. The biggest real-world example surfaced last year, when a pair of hackers in Houston were accused of using FCA dealer software on a laptop to program new key fobs and steal vehicles, mostly Jeeps, that were spirited away across the Mexican border. Possibly 100 vehicles were stolen this way.
Nissan had to suspend its Leaf smartphone app for a time, as did GM with its OnStar app, which gained some notoriety when the Defense Advanced Research Projects Agency (DARPA) used it to hack a Chevy Impala for a 60 Minutes segment.
In 2015, cybersecurity researchers Chris Valasek and Charlie Miller reached critical vehicle controls on a 2014 Jeep Cherokee over the cellular connection to its Uconnect infotainment system. Without physical access to the vehicle, the pair could remotely disable the brakes, turn the radio volume up, switch on the windshield wipers, cut the transmission, read the vehicle's speed and track its location. The hack prompted Fiat Chrysler to recall 1.4 million vehicles.
Security researchers say the ballooning array of online devices, including vehicles, household appliances and medical equipment, is not adequately protected from hackers. A 2016 cyberattack was made possible when hackers conscripted "internet of things" devices into a "zombie army" that flooded servers with web traffic in what is known as a "distributed denial of service" attack.
The new bill would require vendors who provide internet-connected equipment to the U.S. government to ensure their products can be patched and conform to industry security standards. It would also prohibit vendors from supplying devices that have hard-coded, unchangeable passwords or that contain known security vulnerabilities.
Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which was drafted with input from technology experts at the Atlantic Council and Harvard University. A Senate aide who helped write the bill said that companion legislation in the House was expected soon.
“We’re trying to take the lightest touch possible,” Warner said. He added that the legislation was intended to remedy an “obvious market failure” that has left device manufacturers with little incentive to build with security in mind.
The legislation would allow federal agencies to ask the U.S. Office of Management and Budget for permission to buy some non-compliant devices if other controls, such as network segmentation that isolates the device from the rest of the agency network, are in place.
It would also expand legal protections for cyber researchers who hack equipment in "good faith" to find vulnerabilities, exempting such research on covered devices from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act, so that manufacturers can patch previously unknown flaws.
Between 20 billion and 30 billion devices are expected to be connected to the internet by 2020, researchers estimate, with a large share of them insecure.
Though security for the internet of things has been a known problem for years, some manufacturers say they are not well equipped to build secure devices.
Hundreds of thousands of insecure webcams, digital video recorders and other everyday devices were hijacked last October to support a major attack on internet infrastructure that temporarily knocked some web services offline, including Twitter, PayPal and Spotify.
The new legislation includes “reasonable security recommendations” that would be important to improve protection of federal government networks, said Ray O’Farrell, chief technology officer at cloud computing firm VMware.
Reporting by Dustin Volz. Background information from Autoblog was included.