California’s legislature approved a new bill, SB-327, and sent it over to Governor Jerry Brown for his final signature. This bill introduces several security requirements for internet-enabled devices that are sold in the U.S. The bill defines these as any device that has Bluetooth, an IP address, or that connects to the internet in any way (think Alexa, Nest, your video doorbell, your kid’s WiFi-enabled toy that responds to commands, your smart fridge, and so on).
The bill, which goes into effect on January 1, 2020, requires manufacturers of these devices to include security features that not only protect the device from hacks but also protect user information.
The exact language in the bill is “reasonable security features,” but what does this really mean? Effectively, if a person can log into an IoT device from outside of a local area network (LAN), then it must either have a unique password preprogrammed for each device or force users to generate new credentials before they can connect. Either way, it puts an end to generic passwords that hackers can easily guess.
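The two compliant options described above, modelled as an added example (this is not code from the article or from any manufacturer): option A gives each unit its own random factory password; option B ships a shared default but blocks remote login until the user replaces it. A manufacturer-side audit then flags the case the law rules out, a shared default that remote login accepts unchanged. The device model, serial numbers and passwords are all constructed for the example, and the audit assumes the manufacturer keeps a ledger of factory passwords per serial.

```python
"""Toy model of the SB-327 credential rule for devices reachable from outside the LAN.

Option A: every unit ships with a unique factory password.
Option B: a shared factory default that must be replaced before remote access works.
Neither: a shared default that remote login accepts as-is (non-compliant).
All device data, serials and passwords below are constructed for the example.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple

MIN_PASSWORD_LEN = 12


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-device salt; iteration count chosen for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Device:
    serial: str
    salt: bytes
    factory_hash: bytes               # credential the unit left the factory with
    current_hash: bytes               # credential currently accepted
    forces_first_login_change: bool   # option B gate: remote login blocked until changed
    user_set_credential: bool = False


def provision_unique(serial: str) -> Tuple[Device, str]:
    """Option A: generate a random password for this one unit."""
    password = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    h = _hash(password, salt)
    return Device(serial, salt, h, h, forces_first_login_change=False), password


def provision_shared_default(serial: str, default_password: str, force_change: bool) -> Device:
    """Shared default across the product line; compliant only when force_change is True."""
    salt = secrets.token_bytes(16)
    h = _hash(default_password, salt)
    return Device(serial, salt, h, h, forces_first_login_change=force_change)


def remote_login(device: Device, password: str) -> str:
    """Login attempt from outside the LAN: 'ok', 'denied' or 'change_required'."""
    if not secrets.compare_digest(_hash(password, device.salt), device.current_hash):
        return "denied"
    still_factory = secrets.compare_digest(device.current_hash, device.factory_hash)
    if still_factory and device.forces_first_login_change:
        return "change_required"   # option B: correct default, but no access yet
    return "ok"


def set_credential(device: Device, old_password: str, new_password: str) -> bool:
    """Replace the credential; rejects a wrong old value, short passwords and the factory value."""
    if not secrets.compare_digest(_hash(old_password, device.salt), device.current_hash):
        return False
    if len(new_password) < MIN_PASSWORD_LEN:
        return False
    new_hash = _hash(new_password, device.salt)
    if secrets.compare_digest(new_hash, device.factory_hash):
        return False
    device.current_hash = new_hash
    device.user_set_credential = True
    return True


def audit_fleet(devices: List[Device], factory_ledger: Dict[str, str]) -> List[str]:
    """Manufacturer-side check over the provisioning ledger (serial -> factory password).

    A factory password that appears on more than one serial is only acceptable if
    every such unit forces a credential change on first remote login. Returns the
    serials that fail that test.
    """
    by_password: Dict[str, List[str]] = {}
    for serial, pw in factory_ledger.items():
        by_password.setdefault(pw, []).append(serial)
    by_serial = {d.serial: d for d in devices}
    violations = []
    for serials in by_password.values():
        if len(serials) < 2:
            continue   # unique to one unit: option A
        for s in serials:
            d = by_serial.get(s)
            if d is not None and not d.forces_first_login_change:
                violations.append(s)
    return sorted(violations)
```

The audit deliberately works from the plaintext ledger the manufacturer already holds rather than from the devices' salted hashes, since per-device salts make cross-unit comparison of hashes impossible by design; the same check could run at end-of-line testing before units ship.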
New legislation, but not strong
It’s true that this legislation is new, and according to some, even groundbreaking. However, to many experts, it is not strong enough. The bill only requires one type of security measure, and it doesn’t even address other IoT security measures such as code signing, device attestation, and security audits. This bill also doesn’t require manufacturers to remove unnecessary features that could compromise security.
That being said, it is a step in the right direction. As Harvard University fellow Bruce Schneier told the Washington Post, “It probably doesn’t go far enough—but that’s no reason not to pass it.”
The bill has also pushed the federal government to start looking into IoT security. Congress has proposed a new bill, the SMART IoT Act, which would force the Department of Commerce to evaluate the IoT industry as a whole. There is also another piece of legislation called the DIGIT Act, which has passed through the Senate, that would further look into IoT security.
Both of these Acts are exploratory, which means that even if they are passed, they would not make any impact on the industry at this point. Instead, they would allow for more research and reports to be conducted.
There are a couple of other bills on the table, too, which could have more of an impact. These include the Security IoT Act of 2017, which is focused on wireless equipment, and the Cyber Shield Act of 2017, which forces the Department of Commerce to create a grading system for IoT security. California’s new law may inject some new life into these bills and help get them passed.
With IoT devices already gracing many homes (8 billion were on the market in 2017), there is a staggering jump expected; by 2020, IoT devices are set to surpass 20.4 billion. This sharp increase highlights the importance of these new bills. After all, smart devices are generally created with convenience in mind—not security. California’s law at least goes some way to addressing that.