California readies new security requirements for ‘internet of things’ devices

A bill raising security standards for all internet-connected devices sold in the state is awaiting Gov. Jerry Brown's signature, but some experts say it still has flimsy language.
(Luke Wroblewski / Flickr)

California could soon be the first state in the country to regulate the security of internet-connected devices, collectively called the “internet of things,” with the state’s SB 327 waiting on Gov. Jerry Brown’s signature.

The bill would require IoT manufacturers to raise the security standards of internet-connected gadgets sold in California to a level of “reasonable security.” Reasonable, per the bill authored by Democratic State Sen. Hannah-Beth Jackson, means that if users can log in to a device without the use of a local area network, or LAN, then it must be equipped with unique pre-programmed passwords or newly generated passwords before it can be accessed for the first time.

Breaking into devices using default passwords is an old and still-common trick used to access everything from network routers to electronic road signs.

IoT devices are defined as any physical object capable of connecting to the internet with a Bluetooth connection or internet protocol. The bill includes provisions that attempt to prevent unintended consequences of enhanced security. It states, for instance, that devices can’t limit law enforcement agencies from obtaining information they’re legally allowed to access, and that users still have a right to “full control” over a connected device.


Despite these provisions, however, some security experts have expressed concern with how the law could affect device-makers.

“The new bill certainly is a step in the right direction, but what isn’t clear is how businesses are going to implement this,” said Francis Dinha, CEO and co-founder of the software company OpenVPN.

Dinha said that many businesses will still lack the knowledge to enforce these cybersecurity standards. More specific requirements — two-factor authentication or use of a virtual private network — would also help, but wouldn’t solve the root problem of education, he said.

“How are these companies keeping up with the shifting world of cybersecurity? How are they educating themselves? You can’t protect yourself or your customers from risks if you don’t understand the risks, and that’s what needs to be addressed on all levels,” Dinha said.

The bill was delivered to Brown’s desk earlier this month. With his signature, the state would be the first in the country to regulate IoT, even before the federal government.


The law would go into effect on Jan. 1, 2020, and it’s not perfect — it doesn’t recommend new security features, or provide guidance on which features manufacturers could do without. The federal government hasn’t done much more with the Smart IoT Act and DIGIT Act — bills that would mandate a study and report of IoT devices, but that include no direct regulations. Other potential bills, like the Cyber Shield Act of 2017 and the Security IoT Act of 2017 would also improve the grading and standards applied to IoT devices, respectively.
