X

Lawmakers want to stop a future filled with smart devices and bad security

“Unsecured IoT devices will be like the new asbestos.”

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read
internet-of-things-iot-devices-1708.jpg

"Internet of things" devices are set to spike in popularity. Lawmakers are worried that they'll bring security issues, too.

James Martin/CNET

Before smart devices fill up millions of homes, a Senate hearing on Tuesday looked to figure out how to keep them safe from hackers.

"Sound security practices must keep pace with the expansion of the internet of things in order to mitigate these threats," Sen. Dan Sullivan said in his opening statement. Sullivan, a Republican from Alaska, is chairman of the commerce committee's subcommittee on security. 

Lawmakers have attempted to tackle security problems with connected devices through several hearings and proposed laws that would set basic standards for these gadgets. By 2020, analysts expect connected devices to jump up to 20.4 billion units, and security experts warn that without a baseline level of security, this rapid growth will mean a larger risk of cyberattacks.

Cyberattacks on smart devices can show results in real time, as hacked Nest Cams are used to blare hoax nuclear attack warnings, and smart TVs are hijacked to promote PewDiePie videos. In other cases, these hacked connected devices are used quietly, as part of massive botnets or cryptomining gadgets.   

Connected devices don't have any regulations requiring basic security measures, but that could be changing. In September, lawmakers in California passed the country's first internet of things security law, which requires "reasonable" features like ending default passwords on devices.

The hearing featured witnesses from the US Chamber of Commerce, the National Institute of Standards and Technology, cybersecurity company Rapid7, the Broadband Association and the Consumer Technology Association.

"While IoT holds a promise of revolutionizing the way we live and we work, we should also be wary, because IoT also stands for the internet of threats," said Sen. Ed Markey, a Democrat from Massachusetts. 

Harley Geiger, a director of public policy for Rapid7, called on lawmakers to pass a federal law on security standards for smart devices.

Legislation should require basic security standards, like the California internet of things law does, and Geiger also recommended consumer awareness programs, in the same way that energy efficient products have an "Energy Star" sticker on them.

"The idea of me telling my mother to go into her router to check for a default password and check and see if it encrypts your personal information, these things are not realistic," Geiger said. "What I can tell her is, 'look for a seal, look for a label.'"

Michael Bergman, the CTA's vice president of technology and standards, disagreed with the label approach, telling lawmakers that many people have "label fatigue" when they're buying technology.

The CTA is a trade organization that represents more than 2,000 tech companies, and hosts CES . Bergman said the group has been working on addressing internet of things security concerns, and said that private companies are moving as fast as possible to fix these issues.

It's not fast enough, said Sen. Richard Blumenthal, a Democrat from Connecticut.

"There is a tidal wave of anger and alarm building out there, with very good reason," the senator said to Bergman. "The pace is simply too slow."

Under the current opt-in model, there are no legal penalties for weak security standards, lawmakers pointed out. Blumenthal said that this approach is "failing," and that lawmakers need to establish standards for companies to follow.

While a federal law on internet of things security has been proposed, it hasn't made much progress. Without a law, security experts warned that the world would be filled with vulnerable devices without fixes.

"Unsecured IoT devices will be like the new asbestos," Geiger said. "We will build them into our environments, only to have to rip them back out years later, and wonder why our predecessors did not have the forethought to ensure basic security from the start."

Watch this: Landlords are making apartments into smart homes, whether tenants want it or not