IoT Security – The First Law

The rise in IoT (Internet of Things) continues to astonish us, with 75 billion IoT devices estimated to be connected to the internet by 2025. The primary objective of IoT is to help make our daily lives much more automated. For example, we can clap our hands to turn on our television set or start the coffee machine before we shower and get ready for work. It is conceivable that in the future robots could play a role in this. The goal is that we could tell them what needs to be done in our house, and it would be.

While all of this certainly sounds great, there are huge security risks associated with this, especially in the way all of these objects are interlinked with one another. One of the primary worries is that this increases the attack surface, leaving many unknown backdoors open for the attacker to penetrate.

One of the first acts of legislation to help mitigate these risks was recently passed in California and is the focal point of this article.

The California Law

This piece of legislation is officially known as “SB-327: Information Privacy: Connected Devices.” The content of the bill can be seen here. The bill was introduced in 2018 and was passed into law on January 1, 2020. Essentially, it requires that both vendors and manufacturers of IoT products must implement at least one layer of reasonable security in them, from one of these options:

• It contains a unique password assigned to the product or device when it was first manufactured;
• After the initial startup of the product or device, the end-user must be prompted to create a new password before they put it into use.

This law also spells out what the characteristics of an IoT manufacturer/vendor are, and what exactly constitutes a “connected device”:

• The producer of an IoT product/device:

This is defined as any business entity that directly produces the IoT device/product and markets it to the public. The law extends to other external, third parties that may be involved in this process, such as suppliers and other agencies that are hired to distribute them. So, if Company XYZ creates the actual IoT product/device, and contracts out to Supplier ABC and Marketing Agency PDQ, then all these entities are included in the group of “producer.” Therefore, all of them have some responsibility and accountability for the Cybersecurity of the IoT device/product.

• The connected device:

Under this particular law, connected means any physical or virtual-based object that is connected directly or indirectly to the Internet. It also must have a unique Internet Protocol (IP) or Bluetooth numerical address.

The Consequences of Non-Compliance

Unlike the harsh audits and financial penalties that both the GDPR and the CCPA can pose, there is not much anybody can do about non-compliance. For example, private entities, such as law firms, cannot directly sue the manufacturers and related parties associated with the production and sale of IoT products/devices.

Only the California governmental agencies, including the Attorney General, City Attorneys, District Attorneys, and Prosecutors that are assigned to the many local regions in the state, can engage in this. The end result is that it will be very difficult to prove in a court of law the wrongdoing of any manufacturer or external, third party when it comes to not implementing security controls in IoT devices/products.

The Disadvantages of the IoT Legislation

There are critics of the law who have expressed some noteworthy points to consider:

1) The creation of an authentication mechanism:

This has been deemed to be one of the weakest areas of the law. For example, there is no clarification as to what an authentication mechanism is, and the law does not define how robust it should be. All the law directly mentions is the creation of passwords. But it provides no further stipulation as to how the password should be created. It also provides no guidance as to what constitutes a “strong” password. In other words, just how long and complex should it be? Clearly, it is up to the IoT device/product owner to figure this one out. If they really wanted to, they could even use “password” as the actual login, thus defeating the entire purpose of the law in the first place.

2) The lack of accountability:

As mentioned, there is no clear-cut language on compliance. Thus, the producer and other related entities could manufacture and distribute IoT products/devices with no security features installed in them, making the customer even more exposed to the risk of being breached. It would be very difficult, if not impossible, for anyone to recoup any financial damages they may have suffered as a result.

3) The security of the network connections:

Another glaring weakness of this law is that it hardly mentions the many network connections that could exist between the IoT product/device and other related services. For example, what are the specific protocols that should be used? How much encryption should be put onto them? Should these connections self-terminate if they are not used for a certain period of time? Who should be primarily responsible for maintaining the overall level of security for these connections? These and many more questions still have to be addressed, as Cybersecurity experts point out.

4) The terminology used:

One of the harshest criticisms of this law is the vagueness of the terms used. Most specifically, “reasonable” and “appropriate” security measures. Nobody really understands what these terms mean for Cybersecurity, as there are no permutations or thresholds that have been assigned to them. Since the threat landscape is constantly changing, no one is even sure if this specific terminology can be deemed to be applicable.

5) Only one security mechanism is mentioned:

The language of this law states that only one layer of security is needed—the password. Of course, we all know about this pitfall. Critics have pointed out this part of the law needs to be revamped to include Multifactor Authentication (MFA) and support for the Zero Trust Framework.

While this California law certainly has its fair share of flaws and serious room for improvement, this has actually been deemed to be the first bill that has been passed in the United States to specifically address IoT security. The hope is that it will lay the groundwork for future pieces of legislation that will not only be much more specific in language but also hold much higher standards of accountability and compliance for the vendors that are involved.

Sources

• https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327
• https://www.natlawreview.com/article/iot-manufacturers-what-you-need-to-know-about-california-s-iot-law
• https://www.helpnetsecurity.com/2019/11/20/california-iot-security-law/
• https://blog.erratasec.com/2018/09/californias-bad-iot-law.html#.X4zQmNBKhPY