The first Internet of Things (IoT) security bill in the United States was approved in California at the end of August and has been passed to the Governor’s desk to be signed into law. If signed, the new bill will take effect on January 1, 2020.
The bill, named SB-327, was introduced by Senator Hannah-Beth Jackson in February 2017. It was the first legislation of its kind in the U.S. Its aim is to address security issues amid rising concerns about IoT devices’ ability to protect user privacy.
The bill does not detail the kind of security features IoT devices should have. It only states that “a manufacturer of a connected device shall equip the device with a reasonable security feature or features,” leaving manufacturers to decide the security features on their own.
The bill does specify the device authentication procedure. If a connected device is equipped with a means for authentication outside a local area network, the authentication system must meet one of two criteria: if the device uses a default password, the password must be unique to each device; or the device must ask users to set up their own passwords when the device is being set up for the first time.
The regulation therefore prevents manufacturers from shipping multiple devices with the same default password, which is an easy-to-spot vulnerability for attackers targeting IoT devices.
Security researcher Robert Graham said the new IoT law is not based on the misconception of adding security features. “The point is not to add ‘security features’ but to remove ‘insecure features,’” says Graham.
Although the new IoT law is well-intentioned, it won’t fix any security problems on IoT devices, Graham said.
“We don’t want arbitrary features like firewall and anti-virus added to these products. It’ll just increase the attack surface making things worse… Forward looking, by far the most important thing that will protect IoT in the future is ‘isolation’ mode on the WiFi access-point that prevents devices from talking to each other. This prevents ‘cross-site’ attacks in the home,” Graham explained.
The California Governor has until September 30 to sign or veto the bill.