What you need to know about California's IoT security legislation
- By Jessica Ortega
- Dec 14, 2018
In September, California became the first state to pass a law addressing the security of connected devices. The law will go into effect in 2020 and requires that manufacturers of any internet-connected devices equip them with “reasonable” security features. It is a good first step toward addressing the risks inherent in the world’s increasing connectivity.
The law predates any federal legislation securing IoT devices; this is not the first time California has led the way on data privacy and security policy, and the new law may serve as a template for future legislation. The new legislation has faced both praise and criticism, but as with any policy addressing new technology, it brings up many new, and sometimes difficult to answer, questions, such as the following:
What is IoT security and what are the potential consequences of insufficiently secured internet-of-things devices?
IoT security refers to steps that are taken to secure or enhance the safety of internet-connected devices – everything from Amazon Echo, Google Home and Ring doorbell to internet-connected devices like stoves, refrigerators and thermostats. It can mean anything from requiring a unique password on devices to ensuring that devices use only password-protected internet connections.
There are many consequences of insufficient or nonexistent IoT device security, chief among them that the devices can be taken over by cybercriminals and used against their owners. For example, internet-connected devices that have cameras or microphones could be used to record or listen to their owners without permission. Additionally, internet-connected devices like webcams, digital video recorders and home routers can be strung together and used in botnets for distributed denial-of-service attacks launched by cybercriminals.
What is the government doing about this?
While several IoT security bills have been submitted in Congress, none has made it to a vote. However, some states like California are implementing bills that include security requirements for IoT devices.
The main provision of the California IoT security law is that “a manufacturer of a connected device shall equip the device with a reasonable security feature or features.” What does “reasonable” security features mean?
California's IoT law leaves “reasonable security features” intentionally vague, as what “reasonable” looks like will vary by device. Generally speaking, “reasonable” security measures would include the ability to change the default username and set up a unique password for the device. For some devices, it could mean the ability to set the device to only allow certain voices or faces to give commands.
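Added example (not from the article or from SiteLock) of what the “change the default credentials” requirement looks like inside device firmware, written in Python: a gate that keeps every service except initial setup closed until the factory credentials are replaced with a password unique to that unit. The factory default list, serial number and service names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed factory defaults shared across a whole product line: the weak
# setting the law targets. A compliant device never accepts these for login.
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "1234")}


class DeviceCredentialGate:
    """Per-device credential state, created at first boot."""

    def __init__(self, serial_number: str):
        self.serial_number = serial_number      # assumed printed on the unit
        self.salt = secrets.token_bytes(16)     # random per device, not per model
        self._password_hash = None              # no owner password set yet
        self.username = "admin"
        self.setup_complete = False

    def _hash(self, password: str) -> bytes:
        # PBKDF2 with the per-device salt; the password itself is never stored.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)

    def set_credentials(self, username: str, password: str) -> bool:
        """Accept a new pair only if it is not a factory default and not
        trivially derived from the serial number printed on the device."""
        if (username, password) in FACTORY_DEFAULTS:
            return False
        if len(password) < 12 or self.serial_number in password:
            return False
        self.username = username
        self._password_hash = self._hash(password)
        self.setup_complete = True
        return True

    def authorize(self, username: str, password: str, service: str) -> bool:
        """Gate every service: before setup only the setup flow is reachable
        (assumed to be local-only), and factory defaults never log in."""
        if not self.setup_complete:
            return service == "setup"
        if username != self.username:
            return False
        return hmac.compare_digest(self._hash(password), self._password_hash)
```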
Will this law make the IoT secure?
It is difficult to say whether this law, or any law, will make the internet of things secure, because each device has different security vulnerabilities. That said, the bill’s vague wording, especially on password requirements, does not address other authentication methods like PINs or facial recognition that are not considered passwords.
What are the benefits and consequences of California passing legislation ahead of the federal government?
Because California's IoT bill requires that manufacturers include specific features when producing these devices, it will likely set off a trend that is followed nationwide. It will be less expensive for manufacturers to build all of their devices to meet California’s requirements, regardless of where they will be distributed, than it would be for them to produce products exclusively for California. Should this happen, it could negate the need for any type of federal legislation. However, other states or federal lawmakers may enact laws that go further than the California bill. Stronger requirements for passwords and security would require manufacturers to pivot again and would make the California law obsolete.
What next steps should state and federal legislators take when it comes to data security and privacy?
Lawmakers should continue looking for gaps in security practices and data protections and create legislation that protects users from these built-in vulnerabilities. However, it is important for users and tech companies not to wait for legislation that mandates security measures, but rather begin implementing data protections and security measures proactively.
Jessica Ortega is a web security analyst at SiteLock.