Will New Legislation Revolutionize IoT Security?


In 2017, there were about 20 billion connected devices worldwide, according to Statista, which projects that the number will be more than 75 billion by 2025. At the same time, more attacks based on internet of things devices are occurring. Now California is considering legislation that would institute stricter password security for networked IoT devices.

IoT has been taking over every inch of our homes, including microwaves, clocks, and car gadgets, as well as more substantial devices in the industry and military fields. With it comes the increased risk of hackers abusing the data these devices collect. A surprisingly large number of people don’t change the default password when they buy a new device, like a router. Most of these default passwords are easily searchable on Google.

Addressing that flaw, the SB 327 bill requires manufacturers of a connected device to equip it with a “reasonable security feature or features,” beginning Jan. 1, 2020. The bill also mandates that manufacturers provide default passwords that are unique to each device or prompt the user to generate a new password before using the product. The bill was approved by the California Assembly and Senate in August and is awaiting final approval.

Milos Prvulovic, a professor at the Georgia Institute of Technology’s School of Computer Science, said the bill would improve security for most people. If manufacturers are mandated to create unique passcodes for each device, even if they are default ones, this will decrease the impact of large-scale, automated attacks by botnets. Prvulovic said that it would be even better if users were prompted to create their own passwords prior to using any smart device.

Some cybersecurity experts, like Robert Graham of Errata Security, have pointed out that much of the bill is vague. For instance, a “reasonable security feature” could mean a lot of things. In his analysis of the bill, Graham says it is “impossible for any company to know what these words mean” and “impossible to know if they are compliant with the law.”

However, having vague legislation can be crucial because of how fast technology changes. What about other states in the US? “California is a large market—I’m pretty sure if this becomes the law [there], it’s gonna happen everywhere else anyway,” Prvulovic said. Home to several giant tech firms, California often leads the way in technology policy, particularly on protecting consumers, according to slate.com.

In Europe, the European Union believes that regulating IoT devices can solve the problem of IoT device security. The EU plans to exert pressure on IoT device manufacturers through the EU Cybersecurity Act, which, as currently constructed, would create a single certification scheme for information communications technology (“ICT”) devices, according to itproportal.com.