California Becomes First State With an IoT Cybersecurity Law (theverge.com)

An anonymous reader quotes a report from The Verge: California Governor Jerry Brown has signed a cybersecurity law covering "smart" devices, making California the first state with such a law. The bill, SB-327, was introduced last year and passed the state senate in late August. Starting on January 1st, 2020, any manufacturer of a device that connects "directly or indirectly" to the internet must equip it with "reasonable" security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default credentials for a hacker to guess.

55 comments

  1. So no more root password of "alpine" for iPhones? by Anonymous Coward · · Score: 0

    The default root password for iPhones has been "alpine" for years. Is California going to go after Apple?

  2. First with a law not a panacea by Anonymous Coward · · Score: 0

    I'm reminded of that idiot regulator in noo yawk who wet his pants announcing he was the first to cook up rules for bitcoin exchange in the state. Turns out his wonderful all-new all-dancing rules did just about one thing: Kill bitcoin stone dead in noo yawk. Such innovation!

  3. Achieves nothing by DaMattster · · Score: 2

    This won't solve the problem because you can take all of the steps mentioned and the device still won't be secure because the software to power the device is poorly written and full of exploitable holes like buffer overflows and null pointer de-references. In an effort to get devices out on the market, security is at best, an afterthought, or at worst, the manufacturer doesn't really care until it gets caught with its pants down. And even the ensuing fine and punishment will be substantially less than what they've earned on the product. Corporations just see it as a calculated profit/loss model.

    1. Re:Achieves nothing by Anonymous Coward · · Score: 0

      "This won't solve the problem...the device is poorly written and full of exploitable holes"

      Indeed; and even without the exploits, it's still not a silver bullet:

      "...unique password for each device, or force users to set their own...That means no more generic default credentials for a hacker to guess"

      No, it doesn't mean that at all; unique doesn't mean hard to guess, and users will just plug it in and turn it on and let the hacker connect and set the password.

    2. Re: Achieves nothing by Anonymous Coward · · Score: 0

      Well, hopefully your company will shut down as well as all these other IoT startups. 99.9% of IoT are solutions in search of problems. The remainder probably have good enough use cases to support reasonable security and frequent patching. The rest belong in the rubbish bin.

    3. Re:Achieves nothing by Anonymous Coward · · Score: 0

      It sounds like we need more laws!

      Love,
      The biggest bunch of bigoted, hypocritical, soy boy cucks on the planet

    4. Re:Achieves nothing by Anonymous Coward · · Score: 0

      Yeah, just make buffer overflows and null pointer exceptions illegal

    5. Re:Achieves nothing by Anonymous Coward · · Score: 0

      This won't solve the problem because ....

      It solves part of the problem. And that's the easy part. Having software without bugs/exploits is a much harder thing to achieve and to certify for.

    6. Re:Achieves nothing by sjames · · Score: 4, Insightful

      If by that you mean it won't end the problem 100% for all time then yes. There will still be exploits and so IOT issues.

      If you're just griping that it also won't cure athlete's foot and morning breath, so it's useless, you're quite wrong.

      The majority of cases today where the black hats get in to IOT devices is because of devices that have no password, or all share a single default factory password, easily looked up on Google.

      So, the new law isn't perfect, but it does address one of the leading holes in IoT. The other holes are a bit harder to supply a bright line for.

    7. Re:Achieves nothing by Anonymous Coward · · Score: 0

      ... and if companies fail to comply with this law, what is the penalty?

      I'm guessing it's a fine... a fine that will amount to less than 1% of the profits gained from the device.

      They'll have to pay a small "lawyer tax" before they can continue selling unsecured devices to the general public.

    8. Re: Achieves nothing by Anonymous Coward · · Score: 0

      I don't even understand what you're trying to say. Nor does your reply make sense to the OP.

    9. Re: Achieves nothing by Anonymous Coward · · Score: 0

      No it doesn't. The people who don't change defaults on their own are the same ones who will just pick 12345 when forced to pick one.

    10. Re:Achieves nothing by Anonymous Coward · · Score: 0

      It's a step in the wrong direction for sure! I believe that secretly, the manufacturers of these IoT devices see them as a way to collect data on the users of the devices. The collection and sale of personal data has become one of the biggest businesses in the world, and one that needs to be totally shut down! The first step is to totally eliminate IoT devices that have any capability to connect to the internet, or any type of network except a private home network. The next step is to make it illegal for phone operating systems, programs or apps to send any information out beyond what is absolutely necessary for the phone to be able to make and receive calls, and anonymously access the Internet. No personal data should be sent, and there should be no tracking of people or devices, and the information that must be sent for phone operation cannot be kept, but must be deleted as soon as possible.

    11. Re: Achieves nothing by Anonymous Coward · · Score: 0

      my dude

    12. Re:Achieves nothing by Anonymous Coward · · Score: 0

      This won't solve the problem because you can take all of the steps mentioned and the device still won't be secure because the software to power the device is poorly written and full of exploitable holes like buffer overflows and null pointer de-references. In an effort to get devices out on the market, security is at best, an afterthought, or at worst, the manufacturer doesn't really care until it gets caught with its pants down. And even the ensuing fine and punishment will be substantially less than what they've earned on the product. Corporations just see it as a calculated profit/loss model.

      You have a point regarding other exploits, but it's the year 2018 and we're still hearing about devices being exploited because of fucking default passwords.

      For that reason and that reason alone, this law is worth the effort.

      And there's plenty of competition in this space that vendors can't afford to get caught with their proverbial pants down.

    13. Re:Achieves nothing by dcw3 · · Score: 1

      Right, kinda like making drinking and driving illegal won't keep people from texting and driving, so we should just not ban drinking and driving.

      --
      Just another day in Paradise

    14. Re: Achieves nothing by Anonymous Coward · · Score: 0

      Hey, that's the combination on my luggage.

  4. 4th coast new tropics tourist trap update.. by Anonymous Coward · · Score: 0

    ice on the scarecrow, flood on the plow. geese making dramatic exits post haste,, good for them...

  5. Bullshit laws by Anonymous Coward · · Score: 0

    What is a "local area network"? The neighborhood? Why is the device required to have a password at all if it can connect to the interwebz? Why cannot I choose now to show the world when I open the fridge? This is why Trump got elected. SJWs need a good kick in the ass.

    1. Re: Bullshit laws by Anonymous Coward · · Score: 0

      If the definition of Local Area Network is a serious question, Slashdot has fallen too far from the original level of experience and education.

    2. Re: Bullshit laws by Anonymous Coward · · Score: 0

      Well, you seem to be able to read, but just not able to look up definitions. A Local Area Network could be "residence, school, laboratory, university campus or office building". I sure as hell am not going to connect to a university's network without a firewall, but I could care less on my own residence's router.

  6. but Alabama by Anonymous Coward · · Score: 0

    will be last because they still believe electric lights are from the devil, never mind the interwebs.

  7. RIP Terry Davis, creator of TempleOS by Anonymous Coward · · Score: 0, Funny

    C.I.A. N I G G E R S at HAARP using their megawatt HF neuro-transponder in a vile effort to effect the rise of the Antichrist and to erase the world's remaining 1.44MB floppy disks.

  8. fuck krypto kurrency by Anonymous Coward · · Score: 0

    good. fuck krypto kurrency.

  9. harness test suite by kiviQr · · Score: 1

    They should have posted a required test suite (updated quarterly) that a given IoT device has to go thru.

  10. Expectation != Reality by Voyager529 · · Score: 1

    Expectation: IoT devices end up with at least rudimentary security measures to prevent them from becoming part of botnets because of default admin passwords.

    Reality: Companies will likely define "Unauthorized access and modification" as "anti-rooting/modding" requirement, and "reasonable measures" to consist of C&D letters to those who provide tools and procedures to mod their own purchased products.

    1. Re:Expectation != Reality by Anonymous Coward · · Score: 0

      Thing is with a law, companies don't get to define what "reasonable measures" are. Courts do. If IoT devices get hacked, this opens up an avenue for the manufacturer to be sued for damages. If they didn't take reasonable measures to prevent unauthorized access, they're liable.

  11. Rot13 seems reasonable enough?! by Anonymous Coward · · Score: 0

    Or maybe xor the password 'password' on all the devices?

  12. Hardcoded Passwords by Anonymous Coward · · Score: 0

    Does it forbid hardcoded passwords too?

  13. Re:So no more root password of "alpine" for iPhone by Aristos+Mazer · · Score: 1

    Neither the law nor iPhones are my area of expertise, but you asked the question, and it intrigued me enough to go look a bit. From what I can tell, the iPhone root password cannot be remotely accessed unless an SSH server is installed, which requires jailbreaking. The iPhone does not ship with this ability nor does Apple provide the ability to enable it. Since the law requires non-default passwords only when they're accessible remotely, I think Apple is in the clear. Because they fulfill section 1798.91.04.b.2, they do not have to fulfill 1798.91.04.b.1. (Link to bill's text is in the original article summary above.)

  14. What's reasonable? by CrimsonAvenger · · Score: 1

    I trust the law defines "reasonable" in this context.

    Otherwise, we're going to see endless court cases quibbling over whether whatever is "reasonable" or not.

    Or manufacturers being unwilling to risk being found "not reasonable", and therefore not selling in CA.

    Got to admit I'm curious as to how buying something on eBay will work under this law. Or buying something in Oregon....

    --

    "I do not agree with what you say, but I will defend to the death your right to say it"

    1. Re:What's reasonable? by Anonymous Coward · · Score: 0

      More importantly, what's an "indirect connection to the internet"? I mean, I have a DVD player that can have its firmware updated. I get the firmware from the internet, and use a USB stick to transfer it. Is that an indirect connection?

  15. Unique passwords by Anonymous Coward · · Score: 0

    We provide a unique password to each device: "password1", "password2", "password3", etc

  16. Force IoT makers to use private IP by mea2214 · · Score: 3, Interesting

    There is no reason an IoT device needs to have a public IP address. Force IoT makers to only allow IPs set in the private space. This forces the user to have a router/firewall between them, script kiddies, and search engines.

    1. Re:Force IoT makers to use private IP by Anonymous Coward · · Score: 0

      one word: IPV6

    2. Re:Force IoT makers to use private IP by Anonymous Coward · · Score: 0

      If you didn't have to worry about end users that would work!
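    The "private address space only" idea above, and the IPv6 objection to it, as an added example (not code from the thread or from any vendor): a small admission check an embedded service could run on each accepted connection. It treats RFC 1918, link-local and loopback ranges as local for IPv4, and unique-local (fc00::/7), link-local and loopback ranges as local for IPv6, which is where a naive "is it 192.168.x.x?" test would fall over once devices get global IPv6 addresses. It also unwraps IPv4-mapped IPv6 peers (::ffff:a.b.c.d), which a dual-stack listener reports for IPv4 clients. The `SAMPLE_PEERS` values and the `should_accept` policy are constructed for the example; they tie the remote-access decision to whether the factory default password has been replaced, the condition the bill text in the summary turns on.

```python
import ipaddress

# Ranges treated as "local" for the purposes of this check (assumption:
# a home/office LAN; adjust for carrier-grade NAT or corporate allocations).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8",                    # IPv4 link-local, loopback
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]

# Constructed sample of peer addresses a device might see (hypothetical values).
SAMPLE_PEERS = [
    "192.168.1.20",          # home LAN
    "10.0.0.5",
    "8.8.8.8",               # public IPv4
    "fd12:3456:789a::1",     # IPv6 unique local address
    "fe80::1",               # IPv6 link-local
    "2001:db8::1",           # documentation prefix standing in for a global IPv6 address
    "::ffff:10.0.0.5",       # IPv4-mapped IPv6, as reported by a dual-stack socket
    "::ffff:8.8.8.8",
]


def normalize(addr: str):
    """Parse an address and unwrap IPv4-mapped IPv6 so the IPv4 ranges apply."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_local_peer(addr: str) -> bool:
    """True if the peer falls in one of LOCAL_NETWORKS (IPv4 or IPv6)."""
    ip = normalize(addr)
    # `ip in net` is False across address families, so mixed lists are safe.
    return any(ip in net for net in LOCAL_NETWORKS)


def should_accept(peer: str, remote_allowed: bool, default_password_replaced: bool):
    """Admission policy for one connection.

    Local peers are accepted (they still authenticate). Remote peers are
    refused outright when the device is configured LAN-only, and otherwise
    only once the factory default credential has been replaced.
    Returns (accept, reason).
    """
    if is_local_peer(peer):
        return True, "local network peer"
    if not remote_allowed:
        return False, "remote peer refused: device serves private address space only"
    if not default_password_replaced:
        return False, "remote access blocked until the factory default password is replaced"
    return True, "remote peer with non-default credentials"


def classify_sample():
    """Map each constructed sample peer to its is_local_peer verdict."""
    return {peer: is_local_peer(peer) for peer in SAMPLE_PEERS}


if __name__ == "__main__":
    for peer, local in classify_sample().items():
        print(f"{peer:22} local={local}")
    print(should_accept("8.8.8.8", remote_allowed=True, default_password_replaced=False))
```

    The point of the unwrapping step is practical: on a socket bound to `::` with dual-stack enabled, every IPv4 client shows up as `::ffff:x.y.z.w`, and a check that only knows IPv4 prefixes would wrongly classify the whole LAN as remote.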

  17. Can't legislate stupid. by Anonymous Coward · · Score: 0

    In the Peoples Republic of Commifornia they want to regulate your entire lives. They want to control every aspect of your lives. Glad I don't live in that God forsaken shithole. The irony that most of California cities are named after religious themes and Catholic Saints. May God have Mercy on the lot of you.

  18. This bill paid for by... by Anonymous Coward · · Score: 0

    IoT companies wanting a get out of jail free card for when their devices are systematically hacked. "But we did what the law required."

  19. Right to repair, unintended consequences by Anonymous Coward · · Score: 0

    Oh, I can't see this being used as an excuse to break any 'right to repair' the user has, no sireee.

    "Prevent unauthorised modifications" will undoubtedly be interpreted in favour of the manufacturer as: "Nobody but the manufacturer can change things like firmware"

    Fully expect many unrepairable blocks of 'potted compounded' electronics now.

  20. Did they just outlaw Tor relays and exit nodes? by Anonymous Coward · · Score: 0

    It blows my mind that people continue to be willing to vote for the use of violence in order to make others conduct themselves to their liking. If you want better security, stop buying shitty IoT devices. Otherwise you'll end up finding the law of unintended consequences has bad things in store for you eventually. Do I really need to remind people what usually happens in these situations? People either break the law anyway and/or the law just gets used to persecute some minority it doesn't like, or both. Enforcing copyright is another great example: sure, it might benefit some elite, but it also gets used to stifle political dissent. Why do you think Russia is so gung ho about censorship filters in regard to copyright???? It just hides its other abusive political behavior.

  21. We need an oversight body by MobyDisk · · Score: 1

    This law is great, but without an oversight body how can someone determine if the manufacturer even bothered? That's the problem now: We assume Cisco routers are safe, then it turns out they have back doors. To make a law like this work, we need a body like the Consumer Product Safety Commission (CPSC) or Underwriters Laboratories (UL) to look at the design of devices and certify them. Slap a label on them so people can tell "hey, someone actually looked at this camera and said it was safe."

    Earlier this year the CPSC asked for public comments on how to make IOT devices safe (Ex: Make sure gas pumps don't spew gasoline during firmware updates, stuff like that). Unfortunately they specifically excluded the discussion of security in those devices. I am glad California took this step. Now we need a body that can actually certify the devices.

    P.S. The FDA does check security on medical device submissions now.

  22. It passed by MobyDisk · · Score: 1

    Update from the future: The law passed.

  23. Totally expect that by DrYak · · Score: 1

    I'm out of mod points today, but that was the first thing I thought, too, when reading this.

    It will mostly end up being used as a poor excuse against the right to repair, despite any good intention that the law had upon introduction.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]

  24. c6gunner IMPERSONATING me again? by Anonymous Coward · · Score: 0

    See subject: his FAKEname on a post impersonating me https://linux.slashdot.org/com... & altering /.er's words.

    c6gunner tried to mock me 1st https://linux.slashdot.org/com...

    So I challenge c6gunner to show he did better work than mine & he CAN'T!

    YOU DEMAND PROOF of others here? "I've yet to see you provide any evidence of that." by c6gunner on Monday March 15, 2010 @10:02PM (#31490942) ?

    So now I DEMAND IT OF YOU & YOU FAIL!

    c6gunner = "Run, Forrest: RUN!!!

    * c6gunner's LYING saying I did a MacOS X one - I haven't yet & c6gunner's LYING impersonating me hosts work vs. Intel CPU issues (spectre/meltdown).

    APK

    P.S.=> You say hosts = shit here https://slashdot.org/comments.... ? /.ers & security pros SAY DIFFERENT: /.ers https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments....

    SECURITY PROS https://slashdot.org/comments....

    REAL RESULTS w/ hosts vs. threats https://slashdot.org/comments....

    EAT YOUR WORDS!

  26. Mostly harmless by Chelloveck · · Score: 1

    The first part of this bill will ensure full employment for lawyers quibbling over the definitions of "reasonable" and "appropriate" for any given device. There's nothing of substance there, just vague subjective guidelines.

    The second part requires a device's factory-default password to be unique, or that it require a password change before use. This is actually not a bad idea. It's debatable whether or not it should be the subject of legislation, but the market has shown that there is insufficient incentive for manufacturers to do it on their own.

    The rest of the bill is definitions and such that boil down to, "If it has an IP address, this law applies." It also applies to Bluetooth devices. They should have worded that a little more broadly. I predict a sudden market for "Greytooth" devices that are not Bluetooth per se but are interoperable with Bluetooth.

    --
    Chelloveck
    I give up on debugging. From now on, SIGSEGV is a feature.