The Race to IoT Security


Cybersecurity is an ongoing concern for many, especially with the proliferation of Internet of Things (IoT) technologies. The importance of securing IoT is increasingly evident, as seen at the Internet of Things Global Summit earlier this month and in the IoT cybersecurity law recently passed in the state of California, the first of its kind in the U.S.

The bill was introduced last year and passed the state senate in late August. The law covers “smart” devices.

Starting on January 1st, 2020, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features, designed to prevent unauthorized access, modification, or information disclosure.

If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default passwords for a hacker to easily guess.

While some praise the bill as a crucial first step, others criticize its vague nature.

According to critics, it gets security issues backwards by focusing on adding “good” features instead of removing bad ones that open devices up to attacks.

Additionally, it doesn’t cover the whole range of authentication systems that may or may not be called passwords, which could still let manufacturers leave the kind of security holes that allowed the Mirai botnet to spread in 2016, according to theverge.com.

Highlighting the importance of securing IoT, earlier this month top officials from the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS) met at the Internet of Things Global Summit and emphasized the urgency of enforcing and creating programs to support data security and privacy for IoT.

“How a company collects and uses consumer data, and what they tell a consumer, is not simply a privacy question, it is also a fundamental data security question,” said Rebecca Slaughter, FTC commissioner.

Slaughter called for consumers to have “meaningful, accurate information” about device security. She noted her concern about easily resolved problems like default passwords, and called on companies to try to identify vulnerabilities in the testing phase and to communicate clearly about the lifespan of device updates.

“The Internet of Things presents tremendous promise in terms of innovation and benefits for society, but the reality is that our dependence on network connected devices has fast outpaced our ability to secure them,” said Thomas McDermott, deputy assistant secretary for cyber policy at the department.

Both acknowledged the great potential of IoT devices and encouraged their use, but urged the audience to be cautious, according to meritalk.com.