California Becomes First State With an IoT Cybersecurity Law

An anonymous reader quotes a report from The Verge: California Governor Jerry Brown has signed a cybersecurity law covering "smart" devices, making California the first state with such a law. The bill, SB-327, was introduced last year and passed the state senate in late August. Starting on January 1st, 2020, any manufacturer of a device that connects "directly or indirectly" to the internet must equip it with "reasonable" security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default credentials for a hacker to guess.

Re:Achieves nothing

[sjames]

If by that you mean it won't end the problem 100% for all time then yes. There will still be exploits and so IOT issues.

If you're just griping that it also won't cure athlete's foot and morning breath, so it's useless, you're quite wrong.

The majority of cases today where the black hats get in to IOT devices is because of devices that have no password, or all share a single default factory password, easily looked up on Google.

So, the new law isn't perfect, but it does address one of the leading holes in IoT. The other holes are a bit harder to supply a bright line for.