California Becomes First State With an IoT Cybersecurity Law

An anonymous reader quotes a report from The Verge: California Governor Jerry Brown has signed a cybersecurity law covering "smart" devices, making California the first state with such a law. The bill, SB-327, was introduced last year and passed the state senate in late August. Starting on January 1st, 2020, any manufacturer of a device that connects "directly or indirectly" to the internet must equip it with "reasonable" security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default credentials for a hacker to guess.

Force IoT makers to use private IP

[mea2214]

There is no reason an IoT device needs to have a public IP address. Force IoT makers to only allow IPs set in the private space. This forces the user to have a router/firewall between them, script kiddies, and search engines.