California Becomes First State With an IoT Cybersecurity Law (theverge.com)
An anonymous reader quotes a report from The Verge: California Governor Jerry Brown has signed a cybersecurity law covering "smart" devices, making California the first state with such a law. The bill, SB-327, was introduced last year and passed the state senate in late August. Starting on January 1st, 2020, any manufacturer of a device that connects "directly or indirectly" to the internet must equip it with "reasonable" security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default credentials for a hacker to guess.
This won't solve the problem because you can take all of the steps mentioned and the device still won't be secure, because the software to power the device is poorly written and full of exploitable holes like buffer overflows and null-pointer dereferences. In an effort to get devices out on the market, security is, at best, an afterthought or, at worst, the manufacturer doesn't really care until it gets caught with its pants down. And even the ensuing fine and punishment will be substantially less than what they've earned on the product. Corporations just see it as a calculated profit/loss model.
There is no reason an IoT device needs to have a public IP address. Force IoT makers to only allow IPs set in the private space. This forces the user to have a router/firewall between them, script kiddies, and search engines.
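Added example, not code from The Verge story or from either comment above: a small model of the two controls discussed on this page, the comment's "private address space only" rule for a device's management service and SB-327's requirement that remote password login use either a unique per-device password or one the user sets on first connection. The names `is_private_peer`, `DeviceAuth` and `allow_login` are illustrative, and the scenario at the bottom is constructed.

```python
"""Added example (not from the story or the comments): an IoT management
service that only talks to private-network peers and refuses remote password
login until a unique or user-chosen password exists."""
import hashlib
import hmac
import ipaddress
import secrets

# Only genuinely private ranges. ipaddress's .is_private is broader (it is also
# True for loopback, link-local and 0.0.0.0/8), so membership is checked
# explicitly instead of trusting that flag.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 (IPv4)
    "fc00::/7",                                       # RFC 4193 ULA (IPv6)
)]


def is_private_peer(addr: str) -> bool:
    """True if addr is an RFC 1918 or ULA address. IPv4-mapped IPv6 addresses
    (::ffff:a.b.c.d), which dual-stack sockets hand to the server, are unwrapped
    first; otherwise a LAN client would never match an IPv4 network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return any(ip in net for net in PRIVATE_NETS)


class DeviceAuth:
    """Per-device credential store. A freshly provisioned device has either a
    unique random password (set at the factory) or none at all, never a shared
    default such as admin/admin."""

    ROUNDS = 200_000

    def __init__(self, factory_password=None):
        self._salt = None
        self._hash = None
        self.user_set = False
        if factory_password is not None:
            self._store(factory_password)

    @staticmethod
    def generate_unique_password() -> str:
        # One per device (e.g. printed on the label); 16 bytes of entropy.
        return secrets.token_urlsafe(16)

    def _store(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, self.ROUNDS)

    def password_is_set(self) -> bool:
        return self._hash is not None

    def set_password(self, password: str) -> None:
        if len(password) < 8:
            raise ValueError("password too short")
        self._store(password)
        self.user_set = True

    def verify(self, password: str) -> bool:
        if not self.password_is_set():
            return False
        cand = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, self.ROUNDS)
        return hmac.compare_digest(cand, self._hash)


def allow_login(auth: DeviceAuth, peer_addr: str, password: str,
                lan_only: bool = True):
    """Decide whether a password login from peer_addr is accepted.
    Returns (accepted, reason)."""
    if lan_only and not is_private_peer(peer_addr):
        return False, "peer is not on a private network"
    if not auth.password_is_set():
        # SB-327's second option: with no unique credential, the first
        # connection must set a password rather than log in with a default.
        return False, "no password set yet; first connection must set one"
    if not auth.verify(password):
        return False, "bad password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: a device shipped without any credential.
    dev = DeviceAuth()
    print(allow_login(dev, "8.8.8.8", "admin"))        # public peer, rejected
    print(allow_login(dev, "192.168.1.20", "admin"))   # no password yet
    dev.set_password("correct horse battery")
    print(allow_login(dev, "192.168.1.20", "admin"))   # bad password
    print(allow_login(dev, "::ffff:192.168.1.20", "correct horse battery"))
```

The peer check is a device-side backstop, not a substitute for the router/firewall the comment wants; a device with a public address that tunnels traffic through a NAT hole or a vendor cloud relay still sees non-private peers, which is exactly the case `lan_only` rejects.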