1. 2

  2. 5

    Require vendors of Internet-connected devices purchased by the federal government ensure their devices are patchable, rely on industry standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.

    Um, this does not seem like a good idea.

    Off the top of my head, the requirement for being patchable is probably going to result in problems (who trusts the firmware updates?) and the requirement for “any known security vulnerabilities” seems rather odd.

    One bit was nice though:

    Exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when in engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines.

    1. 3

      If your IoT device is Linux based, it must be patched regularly. There is no other way to keep it secure. And it’s not just about the kernel. On a typical embedded Linux system, most network-facing processes run as root, so the exploit path from remote attacker to local root is short.