Hard to believe but Congress just approved an IoT security law and it doesn't totally suck Every now and again the US Congress manages to do its job and yesterday was one of those days: the Senate passed a new IoT cybersecurity piece of legislation that the House also approved, and it will now move to the President’s desk. As we noted back in March when the IoT Cybersecurity Improvement Act was introduced, the law …
Many of these things only get updates until the next model comes out; the rest do not get updates at all.
Then there are those that need a fixed server - when that is shut the kit becomes a brick.
These problems must be addressed - probably the best way is by allowing third party firmware -- but that will not happen as the vendors want to keep you locked in and then have you buy new kit.
This is kind of related to what the right to repair people (rightly) want.
Well according to the constitution, if he doesn't notice the bill it will become law before Biden takes over.
If any Bill shall not be returned by the President within ten Days (Sundays excepted) after it shall have been presented to him, the Same shall be a Law, in like Manner as if he had signed it, unless the Congress by their Adjournment prevent its Return, in which Case it shall not be a Law.
This post has been deleted by its author
This post has been deleted by its author
You are clearly not American.
No American on this website seems to know how their (multiple layers of) government operates, let alone their Constitution.
Let alone be able to nominate a relevant section!
It is extraordinarily refreshing. But are you a space alien?
> Companies will still be able to produce products that don’t meet the new standards [...] And the law hasn’t taken on the fundamental issue of how and when devices are updated to deal with emerging security holes.
In short it's just a big feel-good paper, describing some perfect yet unreachable world...
Step 0: Wish for a better world. Step 1: Make it mandatory. Step 2: Prove you mean it (by hitting hard). At this point the more timid and impressionable companies might consider starting to follow (to some extent) (the letter of) the law. So we're still at step 0, and while it is indeed a step forward, it's still a long way to make IoT safe(ish).
IIRC, the US government previously mandated OSI networking in its own procurement, and later, IPv6.
Neither appears to have had a huge impact on commercial networking.
"But without enforcement mechanisms it won't do much."
It's a start. Surely, it won't be stellar after this.
But surely next time some bozos will ship widgets with hard coded weak password or other non-sense, the "secure coding" aspect of it, whatever it really means, will be harder to defend.
And more will come for sure, they're only showing the direction.
Proof - if any were needed - that Congress has literally no clue about tech. They probably have no idea what they signed. The Democrats had no idea what IoT or any of the buzzwords are in their bill (which was probably written by a lobbyist), but because the Republicans don't have a clue either and none of their trigger words (immigrants, guns, abortion, global warming etc) were in the bill, it passed.
"... how and when devices are updated to deal with emerging security holes. "
I'm more concerned about the standards governing how and when devices are updated to _insert_ security holes.
Plus the charming belief that some of these agencies will disclose the security holes they use.
As for UL stickers, I can imagine that the folks currently producing counterfeit UL stickers are preparing to add counterfeit "Secure IoT" stickers to their offerings.
And as usual, when the federal government moves to cover some problem that states have already started on, it is very rare that the purpose is anything other than to preempt and nullify that state legislation. Thus are the issues mentioned above enabled.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
