The State of California is making a bit of a habit of this. Earlier this year it led the way by adopting the nation’s first serious attempt at a GDPR-style online privacy protection measure. The State also thumbed its nose at attempts to neuter net neutrality by restoring state-level net neutrality protections that are tougher on ISPs than the FCC regulations. Now, the Golden State’s Legislature has sent a bill to Governor Jerry Brown's desk that makes California the first state to attempt IoT security governance. The question is - was it worth it?
SB-327, "Information privacy: connected devices", introduces security requirements for connected devices sold in the US. It defines them as any device that connects directly or indirectly to the internet and has an IP or Bluetooth address.
The legislation says:
This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.
The California bill doesn’t define exactly what a ‘reasonable security feature’ would be, but it mandates that connected devices come with unique passwords that users can change, which isn’t the case for many IoT products. If the device can be logged into from outside a LAN, then it must have either a preprogrammed password that is unique to each device (no more shared default login credentials) or a way to make the user generate new authentication credentials before accessing it for the first time.
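To make the requirement concrete, here is an added example (not from the bill, and not any vendor's code) of a minimal provisioning model that satisfies both of the bill's options at once: every unit ships with a CSPRNG-generated password that is unique to it, and remote (outside-LAN) login is refused until that factory credential has been replaced. The 12-character minimum is an assumed local policy, not something the bill specifies.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored hash


def factory_password(length=16):
    """Per-device password from a CSPRNG. Deriving it from the serial
    number or MAC would make every 'unique' password predictable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Device:
    def __init__(self, serial, salt, digest):
        self.serial = serial
        self.salt, self.digest = salt, digest   # only the hash is stored
        self.credential_rotated = False         # must flip before remote access

    def verify(self, password):
        _, digest = hash_password(password, self.salt)
        return hmac.compare_digest(digest, self.digest)

    def set_password(self, old, new):
        """User replaces the factory credential; constructed 12-char policy."""
        if not self.verify(old) or len(new) < 12 or new == old:
            return False
        self.salt, self.digest = hash_password(new)
        self.credential_rotated = True
        return True

    def allow_remote_login(self, password):
        """Outside-LAN access is gated on the factory credential being gone."""
        return self.credential_rotated and self.verify(password)


def provision(serial):
    """Factory step: returns the device and the label password printed on it."""
    label_password = factory_password()
    salt, digest = hash_password(label_password)
    return Device(serial, salt, digest), label_password


def label_passwords_unique(passwords):
    """Line-level check that no two units left the factory with the same password."""
    return len(set(passwords)) == len(passwords)
```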
As we wrote here a couple of weeks ago, the Internet of Things is a network composed of billions of devices that connect to the internet through sensors or Wi-Fi. Mostly invisible and often unsecured, they are a potential goldmine for hackers and evildoers.
In 2016, hackers created a nasty piece of IoT malware called Mirai that scans for insecure routers, cameras, DVRs, and other IoT devices that are still using their default passwords and then adds them to a botnet, which is then used to launch DDoS attacks on websites and Internet infrastructure. That attack briefly shut down Netflix and the New York Times among other high profile web properties.
There is a bill before Congress now that goes further than the California legislation but it hasn’t gained a lot of traction despite bipartisan support. The Internet of Things Cybersecurity Improvement Act, introduced by Sens. Mark R. Warner (D-Va.) and Cory Gardner (R-Colo.), would require any companies that do business with the federal government to ensure that their connected devices are patchable, come with passwords that can be changed, and are otherwise free of known security vulnerabilities. Another bill, the Securing IoT Act, would require the Federal Communications Commission to create cybersecurity standards for certifying wireless equipment.
Does the California bill go far enough?
Not all experts are enamored of the California bill. Security researcher Robert Graham writes on his Security Errata blog that
It’s a typically bad bill based on a superficial understanding of cybersecurity/hacking that will do little to improve security, while doing a lot to impose costs and harm innovation.
It’s based on the misconception of adding security features. It’s like dieting, where people insist you should eat more kale, which does little to address the problem that you are pigging out on potato chips. The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add “security features” but to remove “insecure features”. For IoT devices, that means removing listening ports and cross-site/injection issues in web management. Adding features is typical “magic pill” or “silver bullet” thinking that we spend much of our time in infosec fighting against.
I’m no security expert, but Graham’s argument that adding another feature to correct a bug is not progress makes a lot of sense to me. I recommend that those of you who are better versed in security read the whole thing and leave a comment. However, I am mindful of the fact that over the last 10 or more years, the Silicon Valley love affair with consumer-oriented apps has left some of us in enterprise land wondering if developers for consumer-grade services have much clue about security.
Ruth Artzi, Senior Product Marketing Manager at VDOO, wrote to the Threatpost blog:
The law's requirement for a unique password is good progress but, unfortunately, it is not enough. As written, the law only provides protections against the most basic automated threats. The law should be defined in a more specific manner, as the requirement for an ‘appropriate’ security procedure, depending on the device's nature and function, is too ambiguous with no real mechanism to verify that the vendor took the appropriate steps. There should be clear standards per the device’s components that a manufacturer will be able to follow and a way to validate that the manufacturer designed to those standards.
On the other hand, other knowledgeable technologists argue that it’s at least a step in the right direction. Bruce Schneier, a security technologist at the Harvard Kennedy School, said:
A California law that manufacturers have to adhere to in California is going to help everybody. Of course, it probably doesn’t go far enough--but that’s no reason not to pass it. It’s a reason to keep going after you pass it.
Pundits are sharply critical, reckoning that SB-327 will do little of substance to solve the problem of insecure IoT devices. Some, like Graham, believe it is too vague to be effective and will impose additional costs (no surprise there) and harm innovation (duh?).
IoT security of any demonstrable kind has been an afterthought. Half a billion - and growing - unmanaged and exploitable enterprise devices are a nightmare waiting to happen.
Unfortunately, the California bill is cursory and incomplete. It doesn’t address low-hanging fruit like device attestation, code signing, or a security audit for firmware in the low-level components vendors buy in from overseas suppliers. That, of course, could easily change as trade tariffs kick in.
Even so, let's give some credit. The State of California has beaten federal lawmakers to the punch and who knows, it might serve as the example for other states to follow - if not by the letter of the law, at least the intent.