Showing posts with label Internet Of Things.

Monday, July 24, 2023

A positive consumer security move by the US Government

This seems like a decent step forward:

The goal of the new US Cyber Trust Mark, coming voluntarily to Internet of Things (IoT) devices by the end of 2024, is to keep people from having to do deep research before buying a thermostat, sprinkler controller, or baby monitor.

If you see a shield with a microchip in it that's a certain color, you'll know something by comparing it to other shields. What exactly that shield will mean is not yet decided. The related National Institute of Standards and Technology report suggests it will involve encrypted transmission and storage, software updates, and how much control a buyer has over passwords and data retention. But the only thing really new since the initiative's October 2022 announcement is the look of the label, a slightly more firm timeline, and more input and discussion meetings to follow.

We'll have to see how this plays out, but better consumer information on security is A Good Thing.


Tuesday, February 28, 2023

Are things looking brighter for Internet Of Things security?

Standards MATTER?

Matter is the first attempt to bring together the biggest names in smart home to develop a standard for secure, reliable interoperability for connected devices. However, Matter matters because it could go much further than just smart homes — it could be applied to all connected devices.

Up until now, device-to-device communication across brands has been lacking. But when Matter is widely available for smart home consumers, it means more compatibility with more devices, making it easier to purchase a secure and seamless connected smart home, no matter the brand. But the benefits of seamless connected devices could expand far beyond smart home. It could enable smart cities and connected buildings to interoperate reliably and securely, connected health devices of various brands to work together natively and even reliably connect devices in space.

Makers of “internet of things” products, such as smart kettles and fridges, and software developers will face heavy fines if they do not meet tough rules aimed at averting cyber attacks, according to draft EU legislation to be unveiled next week. Companies will have to obtain mandatory certificates that show they are meeting the basic requirements of cyber safety that minimise the risk of attacks, according to a confidential document seen by the Financial Times. Those that fail to comply will be fined up to €15mn or 2.5 per cent of the previous year’s global turnover, whichever is higher.

New sheriff in town, it seems.  And the MATTER effort is encouraging.  Maybe I'll have to stop saying that security wasn't an afterthought, it wasn't thought of at all.  Good. 

Wednesday, September 15, 2021

Security Smörgåsbord, vol. 13 no. 5

Report: Direct patient safety risk posed by infusion pump vulnerability exploit
A group of five vulnerabilities in the B. Braun Infusomat Space Large Volume Pump could allow an attacker to modify system configurations in standby mode and deliver an unexpected dose of medication to patients without any need for authentication, according to a new report from McAfee Enterprise Advanced Threat Research.

I've been posting about the security problems in medical devices for going on a decade now.  It's interesting to see major security research players start to issue advisories about these.  Hopefully the FDA expedites this sort of security update.

DEFCON: Internet of Things random number generators stink

In a DEF CON talk officially released on Saturday (many of this year's talks were pre-recorded and available to stream before their scheduled time) Dan Petro and Allan Cecil, both of Bishop Fox, outline systemic problems with hardware random number generators. That creates systemic problems for the devices that obtain random numbers directly from hardware random number generators.

"One of our top-line takeaways is that this process of talking to hardware RNG [random number generators] directly is just untenable. It's far too complicated on so many levels, to the point where it should really be considered like writing cryptographic code, where it is just too unsafe to do on your own," Petro told SC Media.

You might wonder what the heck a random number generator is and why you need a good one.  Basically, all of the encryption in use today depends on cipher computations starting with numbers that are as close to truly random as possible.  If the "random numbers" used are not really random - or worse, if they are predictable - then a Bad Guy could decrypt your communications, masquerade as you (well, as your TV), and do all the bad things to you that encryption is supposed to prevent.  Home computers (and cell phones) don't have this problem because they invest in good random number generation circuitry.  IoT devices are so inexpensive that this isn't done.  Probably having unpatched high risk security vulnerabilities in these devices is worse, but this is just another reason why there isn't much security at all in these pieces of junk.

Firefox 91 has new privacy features

Firefox is still around?  Who knew?  They blew any credibility on user privacy when they ditched Brendan Eich to include RIAA tracking features.

The most secure browser is ... Microsoft?

Microsoft has announced that the Edge Vulnerability Research team is experimenting with a new feature dubbed "Super Duper Secure Mode" and designed to bring security improvements without significant performance losses.

When enabled, the new Microsoft Edge Super Duper Secure Mode will remove Just-In-Time Compilation (JIT) from the V8 processing pipeline, reducing the attack surface threat actors can use to hack into Edge users' systems.

...

Based on CVE (Common Vulnerabilities and Exposures) data collected since 2019, around 45% of vulnerabilities found in the V8 JavaScript and WebAssembly engine were related to the JIT engine, more than half of all 'in the wild' Chrome exploits abusing JIT bugs.

"This reduction of attack surface has potential to significantly improve user security; it would remove roughly half of the V8 bugs that must be fixed," explained Johnathan Norman, Microsoft Edge Vulnerability Research Lead.

That's a neat piece of security work.  And I love "Super Duper Secure Mode".  It reminds me of Tesla's "Ludicrous Mode" which is shamelessly stolen from Spaceballs.


Google to block old Android phones starting September 27

Google has started emailing users of very old Android devices to tell them it's time to say goodbye.

Starting September 27, devices running Android 2.3.7 and lower will no longer be able to log in to Google services, effectively killing a big portion of the on-rails Android experience. As Google puts it in an official community post, "If you sign in to your device after September 27, you may get username or password errors when you try to use Google products and services like Gmail, YouTube, and Maps."

Android is one of the most cloud-based operating systems ever. Especially in older versions, many included apps and services were tied to your Google login, and if that stops working, a large chunk of your phone is bricked. While Android can update many core components without shipping a full system update today, Android 2.3.7 Gingerbread, released around 10 years ago, was not so modular.

This is actually a Good Thing.  Android has a lot of security holes and there are no updates coming for these 10-year-old systems.  If you got 10 years out of your phone, it's really in your best (security) interest to update.

US Government Agencies score low on cyber security

In the "Federal Cybersecurity: America's Data Still At Risk" report, the US Senate Committee on Homeland Security and Governmental Affairs graded the departments of State, Transportation, Education, and the Social Security Administration a "D" for cybersecurity. The departments of Housing and Urban Development, Agriculture, and Health and Human Services each received a "C." The highest grade for cybersecurity, a "B," went to the Department of Homeland Security (DHS). Among the major issues, several agencies, including the State Department, did not deactivate former employees' accounts, allowing access for extended periods of time after the workers left government service.

Maybe the Cloud will help.  These Agencies can't buy cloud services that are not security approved (FedRAMP).  Most of these issues are covered under that certification. 

Tuesday, February 9, 2021

Ees Internet. Ees not safe

ASM826 pointed out that a town's water purification system was connected to the Internet, to make it easier to manage.  Hilarity ensued.

It is very easy to do that in this day and age, and so we can expect that for most things remote access will not be set up by IT professionals but rather by people who spell "security" with a k.  People seem to think that it's a big Internet, and what are the chances that someone will find their little device on it?  Well, the chances are pretty damn good:

Use Shodan to discover which of your devices are connected to the Internet, where they are located and who is using them.

Websites are just one part of the Internet. There are power plants, Smart TVs, refrigerators and much more that can be found with Shodan!

I've posted before about Shodan.  If something is connected to the 'net, Shodan finds it and you can browse their database. This is child's play - you can sign up for a free Shodan account and see for yourself.  The problem is that most people can't set things up to protect themselves.  As I wrote:

So what do you do?  One thing is simply not to get any of this sort of thing.  No Internet-connected webcams, security systems, light bulbs, refrigerators, TVs, etc.  Some of these products are frivolous, like Philips' Internet controllable light bulbs that change color via command from your iPhone app.

But others are not.  The Queen Of The World likes her Netflix and Amazon Fire TV, and we have a new TV that will give her that.  What's the risk?  I guess I need to figure that out.  What I'm thinking is to block outbound traffic at the Internet router.  Probably to do this I will need to build a box to put in front of that, with appropriate tools and logging.

That takes a pretty high skill set, and a lot of time.

It's a pain in the butt but I could set up a home firewall and put all the stupid Internet Of Things nonsense (like Netflix TVs and the like) on a separate WiFi that is essentially a DMZ.  At least that will keep Bad Guys from getting into the rest of the house network.  And I can have the firewall block any device I haven't explicitly enabled.

But what a pain in the tail end.  And not a lot of folks have a skill set like this.  While I am not a lawyer, it sure seems like IoT security is creating an "attractive nuisance".
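A concrete version of the split described in that post, as an added example that is not part of the original post or any vendor's code: an nftables ruleset for a Linux-based home router. The interface names (wan0, lan0, iot0) and the two MAC addresses are assumptions; only the listed IoT devices are explicitly enabled to reach the Internet, the IoT Wi-Fi can never initiate connections into the house network, and everything else from the IoT side is dropped and logged.

```nft
#!/usr/sbin/nft -f
# Added example (not from the post). Load with: nft -f this-file
# Assumed interfaces (adjust to your router):
#   wan0 - Internet uplink
#   lan0 - trusted house network
#   iot0 - separate "DMZ" Wi-Fi for the TV and other IoT junk
# Forwarding must be on: sysctl -w net.ipv4.ip_forward=1

define WAN = "wan0"
define LAN = "lan0"
define IOT = "iot0"

flush ruleset

table inet filter {
    # Only devices explicitly listed here may leave the IoT network at all.
    # These MAC addresses are constructed placeholders.
    #   00:11:22:33:44:55 - living-room TV (Netflix)
    #   00:11:22:33:44:66 - Fire TV stick
    set iot_allowed {
        type ether_addr
        elements = { 00:11:22:33:44:55, 00:11:22:33:44:66 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # The trusted LAN may manage the router; IoT only gets DHCP and DNS.
        iifname $LAN accept
        iifname $IOT udp dport { 53, 67 } accept
        iifname $IOT log prefix "iot-to-router-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # Trusted LAN may reach the Internet and may initiate toward IoT
        # (e.g. casting to the TV); IoT may only answer, never initiate.
        iifname $LAN oifname $WAN accept
        iifname $LAN oifname $IOT accept

        # IoT -> house network is always blocked and logged.
        iifname $IOT oifname $LAN log prefix "iot-to-lan-blocked: " drop
        # IoT -> Internet only for devices on the allow list.
        iifname $IOT oifname $WAN ether saddr @iot_allowed accept
        # Anything else from the IoT side is an unenabled device: log it.
        iifname $IOT log prefix "iot-unenabled-device: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

The log prefixes make it easy to grep the kernel log for a new gadget trying to phone home before it has been enabled, which is the "block any device I haven't explicitly enabled" part of the plan.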

Monday, March 11, 2019

Good news for power grid security?

While it doesn't look to be a panacea, this seems like a good step:
Can emerging technologies improve the way the American electrical grid operates? 
The Department of Energy is seeking ideas for such technologies through a $1 million challenge posted to Challenge.gov. The agency wants concepts for new technologies that could be used by the energy sector to improve the efficiency, safety and cybersecurity of the country’s electricity system.
This does seem like progress in a traditionally neglected area.

Tuesday, February 12, 2019

Hacker takes over Google Nest security cam

Talks to family's baby:
An Illinois couple said a hacker spoke to their baby through one of their Nest security cameras and then later hurled obscenities at them, CBS station WBBM-TV reports. Arjun Sud told the station he was outside his 7-month-old son's room Sunday outside Chicago and he heard someone talking. "I was shocked to hear a deep, manly voice talking," Sud said. "My blood ran cold." Sud told WBBM-TV he thought the voice was coming over the baby monitor by accident. But it returned when he and his wife were downstairs. The voice was coming from another of the many Nest cameras throughout the couple's Lake Barrington house. "Asking me, you know, why I'm looking at him -- because he saw obviously that I was looking back -- and continuing to taunt me," Sud said. Later that night, Arjun Sud noticed the Nest thermostat they have upstairs had been raised to 90 degrees. He suspected the hacker was behind that too. Nest's parent company, Google, said in a statement that Nest's system was not breached. Google said the recent incidents stem from customers "using compromised passwords exposed through breaches on other websites."
Let me, err, Google Translate that last bit: Google said that if you use one of these damned things you'd better be a security expert or J. Random Hacker will set your house temperature to whatever he wants and teach your baby interesting vocabulary.

Your mileage may vary, but I will never have one of these things in my house.  And I am a bit of a security expert, thank you very much.

Friday, November 2, 2018

Hate your neighbor? Does he have Google Home?

Of course, you'd never mess with him like this:
A security researcher says an undocumented API in the Google Home Hub assistant can be exploited to kick the gizmo off its own wireless network. 
Flaw finder Jerry Gamblin says the API allows the device to receive commands from systems and handhelds sharing its local wireless network that can, among other things, reboot the unit, or even cause it to disconnect from the Wi-Fi, necessitating a manual reconfiguration.
In layman's terms, an API is a way for a computer to connect to another computer and configure stuff.  "Undocumented" APIs are considered double plus ungood in the security world, for obvious reasons.  You'd think that Google wouldn't want to give us another reason to be suspicious of them ...

Of course, you'd never do anything like this because you only use your Powers for good.

Thursday, June 7, 2018

Lousy Security finally costs a company some sales

A year ago I wrote about the incredible lack of security in CloudPet toys, a set of holes so wide that someone could turn the "smart" toys into recording devices to spy on your kids.  A year later, no security fixes have been released, and retailers are pulling the toys from their catalogs:
Amazon on Tuesday stopped selling CloudPets, a network-connected family of toys, in response to security and privacy concerns sounded by browser maker and internet community advocate Mozilla. 
The move follows similar actions taken by Walmart and Target last week. And other sellers of the toy are said to be considering similar action. Amazon did not immediately respond to a request for comment but CloudPets have vanished from its website.
Let's see: Amazon, Walmart, and Target - that reduces your addressable market a bit now, don't it?  And this is hilarious (if entirely expected):
Spiral Toys, the maker of CloudPets, did not immediately respond to inquiries.
Not sure how big a hit this is to their bottom line, but their combination of incompetence and lack of diligence in fixing this deserves a big hit.


Friday, April 27, 2018

Ski Lift shut down because of bad Internet security

I'm not making this up, you know:
Officials from the city of Innsbruck in Austria have shut down a local ski lift after two security researchers found its control panel open wide on the Internet, and allowing anyone to take control of the ski lift's operational settings. 
The two researchers are Tim Philipp Schäfers and Sebastian Neef, both with InternetWache.org, an IT security-focused organization. 
... 
On March 16, Schäfers and Neef discovered the Human Machine Interface (HMI) used for controlling Patscherkofelbahn, a ski lift that connects the village of Igls with the Patscherkofel mountain resort, to the south of Innsbruck. 
The two were surprised because there wasn't any login screen to prevent Internet user from accessing and interacting with the HMI panel. 
Settings for controlling the ski lift's speed, the distance between cable cars, and cable tension were all exposed in the open, along with logs and other data.
What's a worse password than "password"?  Not requiring a password at all.  Herren Schäfers and Neef realized the danger to life and limb and went straight to Austria's Computer Emergency Response Team.  CERT contacted the ski resort, who shut down the lift.


As I like to say, security wasn't an afterthought, it wasn't thought of at all.  It's distressingly common:
As for Schäfers and Neef, the two said they'll continue to scan the Internet for unprotected systems. "It's like finding a 'needle in the haystack' and makes a lot of fun," Schäfers told us, 
"In the past, we also found the building control panel of a clinic in Switzerland, the control panel of mobile traffic lights in Germany, control panels of wind farms across the world, and three waterworks in Germany." 
"We had direct control over the Industrial Control Systems (ICSs) and would have been able to turn off the water for thousands of people, in the case of the waterworks systems, or do other harm," Schäfers said.
I was promised that when the future came, I'd have a flying car.  Instead, everything is insecure because idiots set everything up.

Wednesday, April 18, 2018

Is there some hope for Internet Of Things security?

Maybe.  Microsoft just announced they are getting into the game:
Microsoft has designed a family of Arm-based system-on-chips for Internet-of-Things devices that runs its own flavor of Linux – and securely connects to an Azure-hosted backend. 
Dubbed Azure Sphere, the platform is Microsoft's foray into the trendy edge-computing space, while craftily locking gadget makers into cloud subscriptions.
I know what you are thinking: Microsoft is solving a security problem?  Well, maybe.  Microsoft got a bad security reputation 20 years ago, but have been doing a credible job for quite some time now.  Besides, they address what are probably the top IoT security issues:

1. The people who write the IoT apps don't know the first thing about security, and so make mistakes that everyone else has known how to prevent for 20 years: insecure default passwords, poor network security hygiene, bad coding that allows common attacks, etc.  Because Microsoft is providing a development environment for creating these apps, they can provide a sane set of default settings that will make these sorts of attacks a lot harder.  I'm not sure if they will do this, but they could.

2. The people who write the IoT apps mostly don't have an auto-update mechanism to roll out new security fixes.  Most of these will not be in the app itself, but will rather be in the underlying Operating System code.  Microsoft has an update mechanism built into the system, so this will be automagic.  The IoT app developer doesn't have to know anything about security to get this.

These two changes will potentially move the needle a lot to make the systems more secure.  We'll have to see how things play out, but this is a positive move.

Tuesday, April 17, 2018

Everything is hackable

Peter posts about the lousy security of most electronic devices:
I've spoken out before against the so-called "Internet of things" in our homes.  They hold hidden dangers.
  • Frankly, I don't see any need for a "smart thermostat" that can be adjusted from my smartphone, when that means someone else can hack into it and potentially invade my privacy.
  • I think "smart security cameras" that I can operate from my smartphone, anywhere in the country, are an ideal tool for would-be burglars or home invaders, who can monitor them to select the best time to commit their crimes.
  • "Smart door locks" are an invitation to hackers to open my doors for themselves - or just leave them open for their amusement.
He then points out the example of a casino that was hacked via a network-connected thermostat in a fish tank.  I know people in the security business ("Penetration Testers", sometimes called "White Hat Hackers" who are hired by companies to test their defenses) - I've heard stories about how they have done precisely this sort of thing.  One story from around 20 years ago was how they checked into a casino hotel and went to their room.  The mini fridge had an Ethernet connection; they plugged their laptop into the network and found that they were on the main casino IT network.  It seems that someone wanted to have electronic sensors reporting when someone took a beer from the fridge for automatic billing.

My point is that this has been going on a long, long time.  It's not getting better, either: the mad rush to "Internet Enable" every device on the planet reminds me of the mad rush to put up corporate web sites in the late 1990s.  Nobody really knew why they "had" to do this, but everyone was doing it, so they had to as well.  Of course, the security wasn't an afterthought - it wasn't thought of at all.  And so there was idiocy like shopping cart applications that let you download the order form, edit the hidden price field, upload it back to the server, and buy a TV for a penny.

Now there's the "Internet Of Things" that doesn't seem to have any security at all. Everything is hackable.

So what can you do?  The best defense (as is typically the case) is good situational awareness.  When you see one of these devices, remind yourself that it almost certainly has no security built into it.  Imagine what might happen if you installed it in your house (say, a "smart" door lock that will open for anyone who knows the "open sesame" command).  Then ask yourself if the benefits are worth it to you.

For me, the answer is a resounding "no", but you know how nasty and suspicious I am.

But remember that network security is hard, even for people who are highly motivated to have good security.  Casinos have had pretty darn good security, in my experience.  They know what's at stake.  This is why they hire penetration testers, after all.  And they still get hacked through some dumb Internet Of Things device.

If it happens to them, with their experience, motivation, and security budget, what do you think will happen to you?

When you find yourself in a store looking at one of these shiny new devices and the hair on the back of your neck starts to stand up, you will know that you understand the situation precisely.

Friday, November 3, 2017

Do you understand enough about the Internet Of Things to use it?

This is interesting:
Every time a major Internet-connected-product is released, we keep coming back to the debate over security vs. convenience. The progression of arguments goes something like this:
  • One group expresses outrage/skepticism/ridicule of how this product doesn't need to be connected to the Internet;
  • Another group argues how the benefits outweigh the risks and/or how the risks are overblown;
  • There will be news stories on both sides of the issue, and the debate soon dies down as people move on to the next thing; and
  • Most users are left wondering what to believe.
If you've been reading here, you aren't wondering.
As a security researcher, I often wonder whether the conveniences offered by these Internet-connected-devices are worth the potential security risks. To meaningfully understand the nuances of this ecosystem, I consciously made these devices a part of my daily life over the past year. One thing immediately stood out to me: there seems to be no proper mechanism to help users understand the ramifications of the risk/reward tradeoffs around these commonly used “personal” Internet-connected-devices, which makes it difficult for users to have any sort of effective understanding of their risks. I pointed out the same in a recent CNN Tech article about Amazon Key, where I also said:
A simple rule of thumb here could be to visualize the best case, average case, and worst case scenarios, see how each of those affect you, and take a call on whether you are equipped to deal with the fall out, and whether the tradeoffs are worth the convenience.
This is a really good idea.  The article is long but very thought provoking.  The one thing that I would add is that there isn't a snowball's chance in the Mojave Desert that this will happen.  The reason is that security is the last thing on the IoT designers' minds.  IoT engineering funding comes from one of a very few places:

  1. The existing appliance sales are flat, so quick add Internet connectivity to the refrigerator/stove/etc.  The goal is to raise the price point by adding cool and flash.
  2. Adding Internet connectivity to the device is "Insanely Great" and will let you sell to people who want to "Think Different".  Hey, it worked for Apple, didn't it?
  3. Someone wants to spy on you, and so makes your Barbie doll or whatever "Interactive".

In none of these cases do any of the marketing folks want you to actually be able to understand the risks you are introducing into your home.  Heck, I've been doing this for over 30 years and I can't understand the risks.

And so my approach is to say "not just 'no' but 'HELL no'" to any IoT devices.  Sorry, I don't want a cool refrigerator, I want one that keeps my food cold (at a low cost).  Sorry, I don't care if you think I should "think different".  And as to spying - yeah, that's typically my starting assumption for all of these devices.


That's probably unfair, to the devices and to the people who designed them.  But without the slightest possibility of figuring out just what is being done to me, that's actually my best option.  It very well may be your best option, too.  At least until Silicon Valley marketroids earn some of our trust back.

Friday, October 20, 2017

Children's "Smart" watches are unsafe for children

New security analysis about "Smart" watches being marketed to children.  It seems that they're totally secure, other than:

  • Critical security vulnerabilities
  • "A false sense of security"
  • "Lack of respect for consumer rights"
Other than that, the security is awesome.

Since the holidays are coming up, you might want to rethink getting these for your kids or grandkids.


Wednesday, September 13, 2017

Hey Alexa, can you hear this dog whistle?

It seems that the major voice command products - Siri, Alexa, Google Now, and others - use hardware where the microphone can detect sound frequencies that your ears cannot.  Humans generally cannot hear sounds above 20 kHz, but microphones can.

As a result, someone who can play a recorded message in those frequencies can essentially send commands to your voice command system without you being the wiser, even if you're in the same room:
Speech recognition (SR) systems such as Siri or Google Now have become an increasingly popular human-computer interaction method, and have turned various systems into voice controllable systems (VCS). Prior work on attacking VCS shows that the hidden voice commands that are incomprehensible to people can control the systems. Hidden voice commands, though ‘hidden’, are nonetheless audible. In this work, we design a completely inaudible attack, DolphinAttack, that modulates voice commands on ultrasonic carriers (e.g., f > 20 kHz) to achieve inaudibility. By leveraging the nonlinearity of the microphone circuits, the modulated low-frequency audio commands can be successfully demodulated, recovered, and more importantly interpreted by the speech recognition systems. We validate DolphinAttack on popular speech recognition systems, including Siri, Google Now, Samsung S Voice, Huawei HiVoice, Cortana and Alexa. By injecting a sequence of inaudible voice commands, we show a few proof-of-concept attacks, which include activating Siri to initiate a FaceTime call on iPhone, activating Google Now to switch the phone to the airplane mode, and even manipulating the navigation system in an Audi automobile.
Sigh.  If architects designed buildings the way engineers design software, the first woodpecker would destroy civilization.

What's that, Lassie?  Something told Siri that Timmy fell down the well?  That's funny - I didn't hear anything!


I love the nav attack on the car.  Given that voice commands are becoming the Interface Of The Future, given that there's lousy protection on automotive CAN networks, given the rapid movement towards self-driving cars, and given the continued spread of malware on mobile phones, we're looking at the possibility of a Perfect Storm of self-driving mischief.  And survivors would swear under oath that nobody ordered the car to make an emergency stop.  After all, they wouldn't have heard a thing even though it was there.

Friday, August 25, 2017

Another reason not to buy a Samsung "Smart" TV

Software update turns brand new TVs into $1800 bricks:
Thousands of owners of high-end Samsung TVs have complained after a software update left their recently acquired £1,400 sets with blank, unusable screens.
The Guardian has been contacted by a number of owners complaining that the TVs they bought – in some cases just two weeks ago – have been rendered useless by an upgrade sent out by Samsung a week ago. 
Others have been posting furious messages on the company’s community boards complaining that their new TVs are no longer working. 
The company has told customers it is working to fix the problem but so far, seven days on, nothing has been forthcoming. The problem appears to affect the latest models as owners of older Samsung TVs are not reporting the issue.
On the plus side, at least the bricked TVs aren't remotely hackable for a change.

The future is stupid.

Monday, August 7, 2017

Medical CAT scanners hackable from the Internet

It seems that these have web servers (strike one) that are Internet-accessible (strike two) that have an unpatched vulnerability that lets the Bad Guy run any code they want on it (strike three):
Hackers can exploit trivial flaws in network-connected Siemens' medical scanners to run arbitrary malicious code on the equipment. 
These remotely accessible vulnerabilities lurk in all of Siemens' positron emission tomography and computed tomography (PET-CT) scanners running Microsoft Windows 7. These are the molecular imaging gizmos used to detect tumors, look for signs of brain disease, and so on, in people. They pick up gamma rays from radioactive tracers injected into patients, and perform X-ray scans of bodies. 
US Homeland Security warned on Thursday that exploits for bugs in the equipment's software are in the wild, and "an attacker with a low skill would be able to exploit these vulnerabilities." That's because the flaws lie within Microsoft and Persistent Systems' code, which runs on the Siemens hardware, and were patched years ago. 
The patches just didn't make their way to the scanners.
Of course not.  Patches?  We don' need no stencil' patches!

After all, making an Internet playground for shady Black Hats, all inside a huge X-Ray control system - what could possibly go wrong?


Friday, August 4, 2017

What do you get when you cross a fish tank with a computer?

You get a target for hackers:
Hackers are constantly looking for new ways to access people’s data. Most recently, the way was as simple as a fish tank.
The hackers attempted to acquire data from a North American casino by using an Internet-connected fish tank, according to a report released Thursday by cybersecurity firm Darktrace.
The fish tank had sensors connected to a PC that regulated the temperature, food and cleanliness of the tank.
“Somebody got into the fish tank and used it to move around into other areas (of the network) and sent out data,” said Justin Fier, Darktrace’s director of cyber intelligence. 

The Internet of Things and computer controlled everything is a bigger risk for corporations and governments, because they have more data that is worth stealing.  I know people who did "White Hat" penetration tests (hired by the Casino to check their security) who got into the main network via the Ethernet that was hooked up to the minibar in the room.  That was at least ten years ago.

Thursday, August 3, 2017

There otta be a law?

I'm a little conflicted about this:
Lawmakers in the U.S. Senate today introduced a bill that would set baseline security standards for the government’s purchase and use of a broad range of Internet-connected devices, including computers, routers and security cameras. The legislation, which also seeks to remedy some widely-perceived shortcomings in existing cybercrime law, was developed in direct response to a series of massive cyber attacks in 2016 that were fueled for the most part by poorly-secured “Internet of Things” (IoT) devices.
Mostly, I don't think that there should be new laws for almost anything.  But readers know that I've been ranting about the lousy security of the Internet of Things for a long time (I see you roll your eyes at me).
The IoT Cybersecurity Improvement Act of 2017 seeks to use the government’s buying power to signal the basic level of security that IoT devices sold to Uncle Sam will need to have. For example, the bill would require vendors of Internet-connected devices purchased by the federal government make sure the devices can be patched when security updates are available; that the devices do not use hard-coded (unchangeable) passwords; and that vendors ensure the devices are free from known vulnerabilities when sold.
This seems to me to be exactly the way to approach this.  The Fed.Gov buys a bunch of stuff, so much that they can (and often do - see FIPS 140) get companies to add security to their products.  After all, the Fed.Gov doesn't have to buy anyone's products if they don't think they're fit for purpose.  Since a lot of IoT products are based off of the same software stack, there's a good chance that a lot of consumer products would pick these up since it's cheaper for the companies to support a single stack for everything, rather than a government one and a consumer one.

And then IoT companies will start competing with pure consumer competitors based on security.

All in all, this seems like a reasonable approach.  It's a carrot, not a stick.  Hard to see how it would make things worse.

Friday, July 28, 2017

So who will get a map of the inside of your house?

And what will they do with the info?
The Roomba is generally regarded as a cute little robot friend that no one but dogs would consider to be a potential menace. But for the last couple of years, the robovacs have been quietly mapping homes to maximize efficiency. Now, the device’s makers plan to sell that data to smart home device manufacturers, turning the friendly robot into a creeping, creepy little spy. 
By now a lot of y'all have heard about this.  Let's break down the top issues.

iRobot (the Roomba's manufacturer) says that they won't willy-nilly sell your floorplan to just anyone - they claim that disclosure will only happen with your "informed consent".  Ignore for a moment the question of whether High Tech Marketing Departments and their Legal beagle running dogs are or are not all a bunch of rat bastards.  The iRobot privacy agreement itself says this:
[We may share your personal information with] other parties in connection with any company transaction, such as a merger, sale of all or a portion of company assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business by another company or third party or in the event of bankruptcy or related or similar proceeding.
So if they go bankrupt, and the most valuable asset they have is their customers' floorplans, what do you think will happen?

Moving on.  One discussion that I've seen is what happens if you don't have a Roomba but you buy a house from someone who does.  Can you prevent the information from getting sold?  It seems like this would be like trying to put toothpaste back into the tube.

There are interesting questions about who might want your house data.  Here are a few ideas:

Local governments who want to know if additions were made to a house without licensing.

Companies who want to know how old your kids are (a crib was replaced with a bed - the kid is no longer a baby).

Burglars looking for homes with valuable things to steal (the high end Roombas have cameras, and while we don't know what information they collect, we do know that it will be stored at iRobot and will pretty quickly become a hacker magnet).

There are probably lots of other people who would want this information, and you wouldn't want them to have it.  Leave your suggestions in the comments.

Postscript:  The Sorcerer's Apprentice thought it would be cool to automate a broom, too.

Monday, July 17, 2017