California Becomes First State With an IoT Cybersecurity Law (theverge.com)
An anonymous reader quotes a report from The Verge: California Governor Jerry Brown has signed a cybersecurity law covering "smart" devices, making California the first state with such a law. The bill, SB-327, was introduced last year and passed the state senate in late August. Starting on January 1st, 2020, any manufacturer of a device that connects "directly or indirectly" to the internet must equip it with "reasonable" security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default credentials for a hacker to guess.
This won't solve the problem because you can take all of the steps mentioned and the device still won't be secure, because the software that powers the device is poorly written and full of exploitable holes like buffer overflows and null pointer dereferences. In an effort to get devices out on the market, security is at best an afterthought, or at worst the manufacturer doesn't really care until it gets caught with its pants down. And even the ensuing fine and punishment will be substantially less than what they've earned on the product. Corporations just see it as a calculated profit/loss model.
They should have posted a required test suite (updated quarterly) that a given IoT device has to go through.
Expectation: IoT devices end up with at least rudimentary security measures to prevent them from becoming part of botnets because of default admin passwords.
Reality: Companies will likely define "Unauthorized access and modification" as "anti-rooting/modding" requirement, and "reasonable measures" to consist of C&D letters to those who provide tools and procedures to mod their own purchased products.
Neither the law nor iPhones are my area of expertise, but you asked the question, and it intrigued me enough to go look a bit. From what I can tell, the iPhone root password cannot be remotely accessed unless an SSH server is installed, which requires jailbreaking. The iPhone does not ship with this ability nor does Apple provide the ability to enable it. Since the law requires non-default passwords only when they're accessible remotely, I think Apple is in the clear. Because they fulfill section 1798.91.04.b.2, they do not have to fulfill 1798.91.04.b.1. (Link to bill's text is in the original article summary above.)
I trust the law defines "reasonable" in this context.
Otherwise, we're going to see endless court cases quibbling over whether whatever is "reasonable" or not.
Or manufacturers being unwilling to risk being found "not reasonable", and therefore not selling in CA.
Got to admit I'm curious as to how buying something on eBay will work under this law. Or buying something in Oregon....
"I do not agree with what you say, but I will defend to the death your right to say it"
There is no reason an IoT device needs to have a public IP address. Force IoT makers to only allow IPs set in the private space. This forces the user to have a router/firewall between them, script kiddies, and search engines.
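The "private space only" idea in the comment above, turned into a concrete check as an added example (this is not code from the original thread or from any product). It assumes a device's management service that decides, per incoming connection, whether the peer address lies in RFC 1918 private space, link-local or loopback, and that picks only a private interface address to bind to; everything else, including the connection attempts, is constructed for the demonstration.

```python
import ipaddress

# Address ranges this example allows a device to talk to for management.
# RFC 1918 private IPv4, IPv4 link-local, loopback, IPv6 unique-local and link-local.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("::1/128"),
]


def is_private_peer(addr: str) -> bool:
    """True if addr is inside one of ALLOWED_NETWORKS. Unparseable input is rejected."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # A dual-stack socket reports IPv4 clients as ::ffff:a.b.c.d; unwrap so a
    # public IPv4 peer cannot slip through as an "IPv6" address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in ALLOWED_NETWORKS)


def choose_bind_address(interface_addrs):
    """Pick the first private-space interface address to listen on, or None.

    Binding only there (instead of 0.0.0.0) means the service is never exposed
    on a public interface even if the device ends up with a public IP.
    """
    for addr in interface_addrs:
        if is_private_peer(addr):
            return addr
    return None


def filter_connections(attempts):
    """Split (peer_ip, port) attempts into accepted and rejected lists."""
    accepted, rejected = [], []
    for peer_ip, port in attempts:
        (accepted if is_private_peer(peer_ip) else rejected).append((peer_ip, port))
    return accepted, rejected


# Constructed sample: the device has a LAN address and (wrongly) a public one.
SAMPLE_INTERFACES = ["203.0.113.7", "192.168.1.20", "fe80::1"]

# Constructed sample connection attempts seen by the management port.
SAMPLE_ATTEMPTS = [
    ("192.168.1.50", 50100),        # LAN client: accepted
    ("::ffff:10.0.0.5", 50101),     # LAN client on a dual-stack socket: accepted
    ("198.51.100.23", 50102),       # Internet scanner: rejected
    ("::ffff:203.0.113.9", 50103),  # Internet client disguised as IPv6: rejected
    ("not-an-ip", 50104),           # garbage: rejected
]

if __name__ == "__main__":
    print("bind to:", choose_bind_address(SAMPLE_INTERFACES))
    ok, bad = filter_connections(SAMPLE_ATTEMPTS)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check is a defense in depth measure, not a substitute for authentication: a compromised host on the same LAN still lands in the accepted list, which is exactly why the unique-password requirement in the bill matters alongside it.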
This law is great, but without an oversight body how can someone determine if the manufacturer even bothered? That's the problem now: we assume Cisco routers are safe, then it turns out they have back doors. To make a law like this work, we need a body like the Consumer Product Safety Commission (CPSC) or Underwriters Laboratories (UL) to look at the design of devices and certify them. Slap a label on them so people can tell "hey, someone actually looked at this camera and said it was safe."
Earlier this year the CPSC asked for public comments on how to make IoT devices safe (e.g. make sure gas pumps don't spew gasoline during firmware updates, stuff like that). Unfortunately they specifically excluded the discussion of security in those devices. I am glad California took this step. Now we need a body that can actually certify the devices.
P.S. The FDA does check security on medical device submissions now.
Update from the future: The law passed.
I'm out of mod points today, but that was the first thing I thought too when reading this.
It will mostly end up being used as a poor excuse against the right to repair, despite any good intention that the law had upon introduction.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
The first part of this bill will ensure full employment for lawyers quibbling over the definitions of "reasonable" and "appropriate" for any given device. There's nothing of substance there, just vague subjective guidelines.
The second part requires a device's factory-default password to be unique, or that it require a password change before use. This is actually not a bad idea. It's debatable whether or not it should be the subject of legislation, but the market has shown that there is insufficient incentive for manufacturers to do it on their own.
The rest of the bill is definitions and such that boil down to, "If it has an IP address, this law applies." It also applies to Bluetooth devices. They should have worded that a little more broadly. I predict a sudden market for "Greytooth" devices that are not Bluetooth per se but are interoperable with Bluetooth.
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.