California introduces the nation's first Internet of Things security law
Why it matters: Internet of Things devices often have weak security, usually because manufacturers trade it away to make devices cheaper or easier to use. But when hackers can hear what you’re doing through your smart speaker or see what you’re doing through your security camera, there’s a big problem – and California aims to pre-empt such attacks by requiring manufacturers to implement better security.
Recently, it was discovered that Roku and Samsung TVs could be hacked and wirelessly controlled in a jiffy, and there was also that brief phase where Amazon’s Alexa was letting out a creepy laugh. Not to mention the incident in the Netherlands in which a woman was stalked through an internet-connected camera in her living room.
California Governor Jerry Brown has just signed the bill designed to address this, and hopefully it will make a big impact when it comes into effect on January 1st, 2020. Called SB 327, it requires all manufacturers of any form of device that can be connected to the internet – anything from cars to smart thermostats – to implement “reasonable security features.” It aims to protect devices and their data from unauthorized access, destruction, modification or disclosure.
Unfortunately, other than requiring that devices ship with a unique password or force the user to create their own, that’s as specific as the bill gets.
Most experts have agreed with Harvard security analyst Bruce Schneier, who says that “it probably doesn’t go far enough — but that’s no reason not to pass it.” He further elaborated to The Washington Post, saying that the bill will have many positive effects nationwide because companies will simply build the security features into all their products.
Cybersecurity professional Robert Graham disagreed, saying that the bill misses the point so badly that it does more harm than good and will result in companies making poor security choices. One example he provides is automated security patches, which satisfy this new law but are also how NotPetya spread. The bill allows many issues to slip under the radar: the ease with which viruses can jump between IoT devices on the same network, consumers’ inability to apply patches, and the lack of authentication systems.
Graham says that only a small portion of the IoT devices affected by the Mirai botnet, which took out swathes of the internet, didn’t already comply with this legislation.
Ultimately, it seems the security level of a device still rests with the manufacturer. Fortunately, Microsoft is working towards making IoT devices more secure with a new platform, and large tech companies like Google and Amazon continue to improve security on their own products.
With a little luck, this bill will bring about some good changes and kick off a greater focus on cybersecurity from the government. Meanwhile, buying from reputable brands and following good cybersecurity practices is still the best way to keep your devices secure.