California passes nation’s first IoT security bill – too little too late?

It’s back to the future time again for California. Having adopted the nation’s toughest online privacy protection measure and restored state-level net neutrality protections that are tougher on ISPs than the FCC regulations, the Golden State’s Legislature has just sent a bill to the governor’s desk for signature that would make California the first state to attempt IoT security governance.

SB-327 Information privacy: connected devices introduces security requirements for connected devices sold in the US. It defines them as any device that connects directly or indirectly to the internet and has an IP or Bluetooth address.

The legislation says

This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.

The California bill doesn’t define exactly what a ‘reasonable security feature’ would be but it mandates that connected devices come with unique passwords that users can change, which isn’t the case for many IoT products. If someone can log into the device outside a LAN, then it must have either preprogrammed passwords that are unique to each device (no more default login credentials) or a way to generate new authentication credentials before accessing it for the first time.

As we wrote here a couple of weeks ago, the Internet of Things is a network comprised of billions of devices that connect to the internet through sensors or Wi-Fi. Mostly invisible and often unsecured, they are a potential goldmine for hackers and evildoers.

In 2016, hackers created a nasty piece of IoT malware called Murai that scans for insecure routers, cameras, DVRs, and other IoT devices which are still using their default passwords and then adds them into a botnet network, which is then used to launch DDoS attacks on websites and Internet infrastructure. That attack briefly shut down Netflix and the New York Times among other high profile web properties.

There is a bill before Congress now that goes further than the California legislation but it hasn’t gained a lot of traction despite bipartisan support. The Internet of Things Cybersecurity Improvement Act, introduced by Sens. Mark R. Warner (D-Va.) and Cory Gardner (R-Colo.), would require any companies that do business with the federal government to ensure that their connected devices are patchable, come with passwords that can be changed, and are otherwise free of known security vulnerabilities. Another bill, the Securing IoT Act, would require the Federal Communications Commission to create cybersecurity standards for certifying wireless equipment.

Does the California bill go far enough?
Not all experts are enamored of the California bill. Security researcher Robert Graham writes on his Security Errata blog that

It’s a typically bad bill based on a superficial understanding of cybersecurity/hacking that will do little improve security, while doing a lot to impose costs and harm innovation.

Graham added:

It’s based on the misconception of adding security features. It’s like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips. The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add “security features” but to remove “insecure features”. For IoT devices, that means removing listening ports and cross-site/injection issues in web management. Adding features is typical “magic pill” or “silver bullet” thinking that we spend much of our time in infosec fighting against.

I’m no security expert but Graham’s argument that adding another feature to correct a bug is not progress makes a lot of sense to me. I recommend that those of you who are better versed in security to read the whole thing and leave a comment. However, I am mindful of the fact that over the last 10 or more years, the Silicon Valley love affair with consumer-oriented apps has left some of us in enterprise land wondering if developers for consumer grade services have much clue about security.

Ruth Artzi, Senior Product Marketing Manager at VDOO, wrote to the Threatpost blog:

The law requirement for a unique password is a good progress but unfortunately, it is not enough. As written, the law only provides protections against the most basic automated threats. The law should be defined in a more specific manner, as the requirement for an ‘appropriate’ security procedure, depending on the device nature and function, is too ambiguous with no real mechanism to verify that the vendor took the appropriate steps. There should be clear standards per the device’s components that a manufacturer will be able to follow and a way to validate that the manufacturer designed to those standards.

On the other hand, other knowledgeable technologists argue that it’s at least a step in the right direction. Bruce Schneier, a security technologist at the Harvard Kennedy School, said:

A California law that manufacturers have to adhere to in California is going to help everybody. Of course, it probably doesn’t go far enough–but that’s no reason not to pass it. It’s a reason to keep going after you pass it.

My take
No one seems to believe that SB-327 will completely – or even mostly – solve the problem of insecure IoT devices. Some, like Graham, believe it is too vague to be effective and will impose additional costs and harm innovation.

Most connected devices have no inherent security or way to patch or update them and network security or firewalls won’t protect them. Half a billion – and growing – unmanaged and exploitable enterprise devices are a nightmare waiting to happen.

In short, the California bill is cursory and incomplete. It doesn’t even address such low hanging fruit as device attestation, code signing, or a security audit for firmware in low-level components vendors buy-in from overseas suppliers.

Still, as Neil Raden has pointed out elsewhere in the context of ethical frameworks, such moves by legislative bodies are a step in the right direction. In this case, the State of California has beaten federal lawmakers to the punch. Unfortunately, that is not that much of an achievement.