It should be assumed that everything connected to the Internet can be hacked and exposed, now more than ever before. It is commonplace and concerning. Internet of Things (IoT) devices are often developed and sold without a focus on security, because getting the product into the market is the top priority. We have previously commented that IoT and cloud based products and services may not be as secure as the user believes. When it comes to security cameras or other security services for home or business, the cameras and information contained in the databases of these cloud based companies that offer the services may be at risk of exposure.

This week, a group of hackers announced that they were able to access security camera data of Verkada Inc., which provides security camera services to multiple industries, including hospitals, prisons, police departments, schools, gyms, an electric car company, a cloud technology services provider, other private companies and individuals.

According to the hackers and reports of the exposure, the hackers were able to see live feeds of 150,000 surveillance cameras operated by Verkada, including high resolution video and audio of a women’s clinic, prisons in different states, gyms, homes, and psychiatric hospitals. Some of the video included facial recognition technology, possibly giving the hackers the ability to identify individuals who were captured through the audio and video feed. The hackers allege that they have access to all of the video archived by Verkada of their customers.

The attack is reported to have been initiated by an international hacking group to show how widespread video surveillance is and how easy it is to break into the companies that manufacture and host them. Verkada stated that it has “disabled all internal administrator accounts to prevent any unauthorized access,” but the hackers have stated that they were able to gain “root” access to the cameras so they could execute their own code, and they were able to infiltrate by gaining access to a super admin account, because the user name and password was available on a public facing site on the Internet.

The incident shows how vulnerable home and business security systems are, how easy they are to hack and how personal the information is that may be contained in the video and audio footage that many people do not consider when installing security cameras into their home or office.

There is a new federal IoT law, H.R. 1668, the IoT Cybersecurity Improvement Act of 2020, that recently passed the House and Senate and was signed by the President on December 4. The bill had 26 co-sponsors, representing Democrats and Republicans almost equally, and enjoyed bipartisan support in an era that has not seen much of that lately.

What does the new IoT law do? The law establishes minimum security requirements for IoT devices owned or controlled by the federal government. Specifically, this new law:

  • Requires the National Institute of Standards and Technology (NIST) to issue standards and guidelines for the use of IoT devices owned or controlled by federal agencies;
  • Directs NIST to consider relevant standards, guidelines and best practices developed by the private sector, agencies, and public-private partnerships;
  • Directs the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, including updating the Federal Acquisition Regulation;
  • Directs NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidelines on security vulnerability relating to information systems owned or controlled by an agency (including IoT devices owned or controlled by an agency) and the resolution of such security vulnerability;
  • Requires any IoT devices purchased by the federal government to comply with the NIST standards and guidelines; and
  • Requires contractor compliance with the NIST standards and regulations and agencies to make a determination of such compliance before awarding a contract to procure or obtain an IoT device from a contractor.

The text of the new law can be found here. This importance of this new law cannot be overstated from a cybersecurity standpoint. IoT vulnerabilities are a well-known cyber threat that often open the door to data breaches or denial-of-service attacks. The question is whether this new federal law will have a broader impact on consumer IoT devices. Right now, the answer is no, since the law is designed to apply only to devices owned or controlled by the federal government. But the hope is that by increasing cybersecurity for IoT devices owned or controlled by the federal government, manufacturers of such devices will use this same secure technology and standards in the development of consumer IoT devices.