First IoT security bill reaches governor's desk in California

California IoT security bill criticized by security researcher. Expert says bill "is based upon an obviously superficial understanding of the problem."
Written by Catalin Cimpanu, Contributor

The first Internet of Things (IoT) security bill in the US has been approved in California at the end of August and has now reached the Governor's desk to be signed into law.

The bill, SB-327, was introduced in February 2017 and was the first legislation of its kind in the US.

Also: 7 tips for SMBs to improve data security TechRepublic

It even predated by almost six months the Internet of Things Cybersecurity Improvement Act of 2017, a bill introduced in the US Senate by Sen. Mark Warner [D-VA].

But while dust gathered on Sen. Warner's proposal to secure IoT devices across the US, the California bill saw active discussions and was approved on the California Assembly and Senate floors on August 28, and 29, respectively.

Barring any strong opposition to the bill from the public or the private sector, if signed by Gov. Jerry Brown, the new bill would enter into effect starting January 1, 2020.

Also: New Hakai IoT botnet takes aim at D-Link, Huawei, and Realtek routers

The bill's main provision is that "a manufacturer of a connected device shall equip the device with a reasonable security feature or features."

Just like most legislative efforts, the bill is pretty vague in what "reasonable security" should be, but it does go into details when it comes to device authentication procedures.

According to the bill's approved text, "if a connected device is equipped with a means for authentication outside a local area network," the authentication system must meet one of two criteria.

  1. If the device uses a default password, the password must be unique to each device; or,
  2. The device must prompt users to set up their own password whenever the user sets up the device for the first time --criteria put in place to avoid manufacturers shipping devices with the same default credentials.

And that's all of the SB-327 bill. No other provisions. Just a very precise specification regarding the handling of default credentials for IoT devices, and the use of a generic term of "reasonable security" that every IoT device vendor could interpret the way they want.

Also: Best Home Security Devices for 2018 CNET

As security researcher and infosec pundit Robert Graham points out, this new IoT security law, despite its good intentions, isn't particularly useful in the current state of the IoT market, and will not fix any of the problems that plague IoT devices.

"It's based on the misconception of adding security features. It's like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips," Graham wrote yesterday in his analysis of the bill.

"The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add 'security features' but to remove 'insecure features'.

"For IoT devices, that means removing listening ports and cross-site/injection issues in web management," Graham said. "We don't want arbitrary features like firewall and anti-virus added to these products. It'll just increase the attack surface making things worse."

"In summary, this law is based upon an obviously superficial understanding of the problem," the researcher concluded. "It in no way addresses the real threats, but at the same time, introduces vast costs to consumers and innovation."

UPDATE, October 1: Gov. Jerry Brown signed SB-327 into law on September 28, 2018.

These are 2018's biggest hacks, leaks, and data breaches

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

Editorial standards