Proposed IoT Security Bill Could Be Boon to LGPLv3 Software

US senators proposed bipartisan (yes, it’s still possible!) legislation to improve the cyber security of IoT devices, the Internet of Things Cyber Security Improvement Act of 2017. Vendors selling Internet-connected devices to the federal government must ensure that their devices are patchable, rely on standard network protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.

Paragraph (C) on page 8 spells out that every contract between federal agencies and vendors must contain a

[…] clause that requires such Internet-connected device software or firmware component to be updated or replaced […] in a manner that allows for any future security vulnerability or defect in any part of the software to be patched in order to fix or remove a vulnerability or defect in the software or firmware component in a properly authenticated and secure manner.

All software under the LGPLv3 license would satisfy this patchability requirement by default: LGPLv3 requires that the LGPLv3-licensed software on the device can be replaced by a modified version of that software.

The proposed bill falls short of requiring patchability for all Internet-connected devices rather than only those sold to federal agencies. Such a broader requirement would cover smart home devices, toys, set-top boxes, TVs, cars and all other consumer devices.