The State legislature approved ‘SB-327 Information privacy: connected devices’ last Thursday and handed it over to the Governor to sign. The legislation introduces security requirements for connected devices sold in the US. It defines them as any device that connects directly or indirectly to the internet and has an IP or Bluetooth address. That covers an awful lot of devices.
The legislation says:
This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.
What does ‘reasonable security feature’ mean? The legislation goes on to define it explicitly: If someone can log into the device outside a LAN, then it must have either preprogrammed passwords that are unique to each device (so, no more default login credentials), or a way to generate new authentication credentials before accessing it for the first time.
Early legislation, but weak
It’s a step forward, but it’s still a cursory and incomplete definition of security. The bill stops short of recommending other security measures that should be table stakes for IoT security, such as device attestation, code signing, and a security audit for firmware in low-level components that IoT device vendors buy in from overseas suppliers.
SB-327 also fails to promote the hardening of IoT devices by removing unnecessary features. It isn’t even clear that the bill as it stands would catch the electronic door controller that a Google engineer recently discovered using hardcoded encryption keys.
Still, it is a step in the right direction and has beat federal lawmakers to the punch. In 2017, then-acting FTC head Maureen Ohlhausen said that she didn’t want to regulate IoT devices until there was something that “harms consumers right now or is likely to cause harm to consumers”.
Congress has at least proposed a bill – the SMART IoT Act – which would make the Department of Commerce conduct a study of the IoT industry. Another piece of legislation, the DIGIT Act, would also convene a working group to write a report, but while that passed in the Senate, it has stalled in the House.
These are exploratory Acts, though, that even if passed would just produce more reports. Another piece of legislation, the Cybersecurity Improvement Act of 2017, mandates contractual provisions for government agencies buying IoT devices. Those provisions are far stronger and more detailed than the Californian bill’s, but they apply only to Federal Government buyers.
Other promising federal bills include the Security IoT Act of 2017, which would make the FCC add cybersecurity standards when authorising wireless equipment. Then there’s the Cyber Shield Act of 2017, which would force the Department of Commerce to create a voluntary grading system for IoT device security. If this was passed, you could expect to see an easily-understandable consumer labelling system that would show them how a device rated in cybersecurity terms.
This last bill would be highly complementary to the IoT Consumer TIPS Act of 2017, which would make the FTC create educational material for consumers buying IoT kit.
The problem is getting any of these passed. Bills enacted by this Congress have lagged historical averages in 2017 according to an analysis from public affairs software firm Quorum, and we are now approaching the midterms.
Conversely, California’s SB-327 now just needs Governor Jerry Brown’s signature to pass into law. If this happens, the bill will take effect on 1 January 2020. IoT vendors should start looking at the authentication mechanisms in their devices now, even if they’re forced to look at little else.