California bill regulates IoT for first time in US | Cyber Security

California looks set to regulate IoT devices, becoming the first US state to do so and beating the Federal Government to the post.

The State legislature approved ‘SB-327 Information privacy: connected devices’ last Thursday and handed it over to the Governor to sign. The legislation introduces security requirements for connected devices sold in the US. It defines them as any device that connects directly or indirectly to the internet and has an IP or Bluetooth address. That covers an awful lot of devices.

The legislation says:

This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.

What does ‘reasonable security feature’ mean? The legislation goes on to define it explicitly: if someone can log into the device from outside a LAN, then the device must either ship with a preprogrammed password that is unique to each unit (so, no more shared default login credentials), or require the user to generate new authentication credentials before it can be accessed for the first time.
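The two options the bill offers can be modelled as a small device-authentication state machine. This is an added example, not text from the article or the bill: it assumes a simplified device with a factory credential, an owner-set credential, and a fleet audit that flags the shared-default antipattern the unique-password clause rules out.

```python
"""Model of SB-327's two 'reasonable security feature' options for remote login.

Constructed example. Option 1: a factory password unique to each unit.
Option 2: no usable factory credential; the owner must set one before the
first remote login is accepted.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Device:
    serial: str
    factory_password: Optional[str]          # None = forced first-use setup (option 2)
    user_password: Optional[str] = None      # set by the owner during setup

    def set_credential(self, new_password: str) -> None:
        """First-use setup: the owner generates a new credential (option 2)."""
        if len(new_password) < 12:           # constructed policy, not from the bill
            raise ValueError("credential must be at least 12 characters")
        self.user_password = new_password

    def remote_login(self, password: str) -> bool:
        """Login from outside the LAN. A device that has neither a unique
        factory credential nor an owner-set credential refuses every attempt."""
        expected = self.user_password or self.factory_password
        if expected is None:
            return False                     # setup not completed yet
        return secrets.compare_digest(expected, password)  # constant-time compare


def provision_unique(serial: str) -> Device:
    """Manufacturing-time option 1: a CSPRNG-generated password unique to this unit."""
    return Device(serial, factory_password=secrets.token_urlsafe(16))


def shared_default_credentials(fleet: List[Device]) -> List[str]:
    """Audit helper: return factory passwords shared by two or more devices.
    Any hit is a default credential of the kind the bill's unique-password
    requirement forbids."""
    seen: Dict[str, List[str]] = {}
    for d in fleet:
        if d.factory_password is not None:
            seen.setdefault(d.factory_password, []).append(d.serial)
    return [pw for pw, serials in seen.items() if len(serials) > 1]
```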

Early legislation, but weak

It’s a step forward, but it’s still a cursory and incomplete definition of security. The bill stops short of recommending other security measures that should be table stakes for IoT security, such as device attestation, code signing, and a security audit for firmware in low-level components that IoT device vendors buy in from overseas suppliers.

SB-327 also fails to promote the hardening of IoT devices by removing unnecessary features. It isn’t even clear that the bill as it stands would catch the electronic door controller that a Google engineer recently discovered using hardcoded encryption keys.

Still, it is a step in the right direction and has beaten federal lawmakers to the punch. In 2017, then-acting FTC head Maureen Ohlhausen said that she didn’t want to regulate IoT devices until there was something that “harms consumers right now or is likely to cause harm to consumers”.

Congress has at least proposed a bill – the SMART IoT Act – which would make the Department of Commerce conduct a study of the IoT industry. Another piece of legislation, the DIGIT Act, would also convene a working group to write a report, but while that passed in the Senate, it has stalled in the House.

These are exploratory Acts, though: even if passed, they would just produce more reports. Another piece of legislation, the Cybersecurity Improvement Act of 2017, mandates contractual provisions for government agencies buying IoT devices. Those provisions are far stronger and more detailed than the Californian bill’s, but they apply only to Federal Government buyers.