The Key Thing in the IoT Cybersecurity Improvement Act
Internet of Things security is rooted in mobile devices.
In reaction to the large-scale distributed denial of service (DDoS) attacks that made headlines last year, a bipartisan group of senators has introduced legislation establishing minimum security requirements for government-purchased Internet of Things (IoT) devices.
The Internet of Things Cybersecurity Improvement Act of 2017 establishes four requirements for Internet-connected devices purchased by federal agencies: they must contain no known vulnerabilities; must require no hard-coded passwords; must be patchable; and must rely on standard protocols. The bill also includes an important exemption protecting security researchers from prosecution under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act.
While the majority of the news coverage of the bill has focused on IoT devices such as Internet-connected light switches, cars and refrigerators, most have forgotten about the key “thing” the bill most considers: the mobile phone. The bill applies to every “physical object[s] that— (A) is capable of connecting to and is in regular connection with the Internet; and (B) has computer processing capabilities that can collect, send, or receive data.” It seems clear that this applies first and foremost to every smartphone or mobile device, the new frontier for cyberwar.
This is important to consider, as mobile devices are a burgeoning attack surface, and a particularly valuable one for both espionage and criminal threat actors. Mobile devices access confidential, classified and other protected data. Over the last year, nation-state level attacks on mobile devices have grown in both sophistication and prevalence. Pegasus, ViperRAT, and Lipizzan all demonstrate the urgent risk facing government, corporate, and personal devices. Pegasus specifically was capable of accessing messages, calls, emails, logs and more from mobile apps. Both the Center for Strategic and International Studies and the President's Commission on Enhancing National Cybersecurity acknowledge that mobile is no longer a fringe technology but a central instrument that allows employees to get their jobs done. That makes a bill requiring secure mobile endpoints for both government-furnished equipment and federal employee-owned devices with access to government data the priority.
Additionally, the majority of other “things” in the world attach to a mobile interface or app in some way. The bill also has standards that require secure “interconnection with other devices or peripherals.” This clearly applies to the interface of the mobile device.
IoT devices are like shiny new objects attracting lots of attention in part because of the high profile attacks last year, such as the Mirai DDoS attack, and the huge device numbers that always get thrown around anytime IoT is mentioned. However, the reality is that most IoT devices are controlled by smartphones, and smartphones face a spectrum of mobile risks. These risks include targeted surveillanceware, a range of malware families, rogue Wi-Fi networks, non-compliant apps that leak data and vulnerabilities across device operating systems and apps. This is why the mobile device must be secured before addressing IoT. Comprehensive security for mobile devices, beyond containers and microsegmentation, is required to address the full spectrum of mobile risk and protect critical data. IoT security is rooted in the mobile device.
The Study on Mobile Device Security published in May by the Department of Homeland Security (DHS) is the best place for government security and technology leaders to start their mobile security initiatives. It contains detailed information on mobile threats, vulnerabilities, and risks across mobile devices, apps, and networks.
Prioritizing cybersecurity legislation that finds and patches vulnerabilities in government-owned IoT, including mobile devices, is the exact right strategy. I am heartened to see the Senate create legislation that prioritizes security for mobile devices among all of the rest of the IoT to protect the entire universe of government data and access.
Mike Murray is vice president of security intelligence at Lookout.