Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
9/19/2019
04:15 PM
50%
50%

California's IoT Security Law Causing Confusion

The law, which goes into effect January 1, requires manufacturers to equip devices with 'reasonable security feature(s).' What that entails is still an open question.

Companies that make connected devices — from Internet routers to connected thermostats to home-monitoring cameras — need to start preparing for the enforcement of California's Internet of Things (IoT) security law, which goes into effect on January 1, 2020, attorneys said this week.

The question is whether a simple authentication fix is enough for most devices or whether companies need to adhere to a more rigorous standard.

The California law, Senate Bill 327, was approved by the governor a year ago and requires that all connected devices sold in the state— no matter where they are made — incorporate "a reasonable security feature or features" that appropriately protect the user of the product and the user's data from unauthorized access, modification, or disclosure. The law specifies that single hard-coded passwords are not allowed, and each device must either have a unique passcode or require the user to generate a new passcode before using the device for the first time.

The way the law is written, ensuring devices follow that guidance may be enough, says Christine Lyon, partner in the privacy practice of Morrison & Foerster. "The law is only specific to authentication," she says. "That seems sufficient, but what I suspect will happen over time is that we will see more specificity around the required security features."

Yet another attorney argues that establishing a strong authentication mechanism is only one of the required features. Guidance of what constitutes "reasonable security" is hinted at by a 2016 California breach report, which labeled the Center for Internet Security's Critical Security Controls for Effective Cyber Defense as the "floor" for adequate security, says Dan Pepper, a privacy and data protection partner at the law firm BakerHostetler.

"The law is offering companies flexibility," he says. "But if all you are doing is taking the authentication step and you are not doing anything with updates or patches, encryption, or third-party components, then you are falling short. That authentication piece is just one concrete example."

The confusion has caused many companies to measure whether there is any risk to them under the statute and to wait for further guidance, the attorneys say. The law does not give consumers the right of private action. Only the government can investigate or penalize companies under the law, which is another consideration for companies in assessing their risk.

While the security required by the law may seem like baby steps, the number of devices impacted by the legislation is quite large, according to the attorneys. The text of the legislation does not specify types of devices, but the law likely applies to a long list of hardware covered by the term "connected device," including products such as printers and security cameras, smart lightbulbs, and Apple watches, Pepper says.

"Quite a few different types of devices are impacted," he says.

The California law is not the only legislation to target the security of connected devices. With 25 billion devices expected to be part of the global IoT landscape, legislators are subjecting IoT manufacturers to increasing scrutiny. 

In March, US lawmakers introduced a bipartisan bill into Congress that would require IoT makers selling devices to the government to follow guidelines produced by the National Institute of Standards and Technology. Known as the Internet of Things Cybersecurity Improvement Act of 2019, the bill is the third time that federal legislation has been introduced to require security measures by connected device makers. A bill to govern IoT security has been introduced into Congress annually since 2017.

Because the California law applies to any device sold to consumers in the state — and the manufacture of too many product variants is cost-prohibitive — the impact of the law will likely be national, says Morrison & Foerster's Lyon.

"Because the law's requirements are not onerous, and because it is time consuming to create a special version of products just for the Californian market, companies will probably implement these changes across all their products," she says.

In conjunction with the California Consumer Privacy Act (CCPA), the law will put new responsibilities and restrictions on companies for privacy and data security.

"The enactment of the CCPA will be a watershed moment for data privacy not just in California, but also throughout the United States," said Attila Tomaschek, data privacy advocate at ProPrivacy.com, in a statement. "Since any applicable business across the country and indeed across the globe that serves consumers in California will be required to abide by the law, companies across the board will likely be gearing up for compliance."

The California law explicitly does not require that retailers and sellers of devices ensure compliance with the law. The law also seems to prevent using the rule as a reason for anti-tinkering measures, stating that the laws does not require features that "prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user's discretion."

In addition, law enforcement retains the right to gather information about devices from the manufacturer. 

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Poll Results: Maybe Not Burned Out, But Definitely 'Well Done'

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3697
PUBLISHED: 2020-01-24
UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of gnump3d in openSUSE Leap 15.1 allows local attackers to escalate from user gnump3d to root. This issue affects: openSUSE Leap 15.1 gnump3d version 3.0-lp151.2.1 and prior versions.
CVE-2019-3694
PUBLISHED: 2020-01-24
A Symbolic Link (Symlink) Following vulnerability in the packaging of munin in openSUSE Factory, Leap 15.1 allows local attackers to escalate from user munin to root. This issue affects: openSUSE Factory munin version 2.0.49-4.2 and prior versions. openSUSE Leap 15.1 munin version 2.0.40-lp151.1.1 a...
CVE-2019-3693
PUBLISHED: 2020-01-24
A symlink following vulnerability in the packaging of mailman in SUSE SUSE Linux Enterprise Server 11, SUSE Linux Enterprise Server 12; openSUSE Leap 15.1 allowed local attackers to escalate their privileges from user wwwrun to root. Additionally arbitrary files could be changed to group mailman. Th...
CVE-2019-3687
PUBLISHED: 2020-01-24
The permission package in SUSE SUSE Linux Enterprise Server allowed all local users to run dumpcap in the "easy" permission profile and sniff network traffic. This issue affects: SUSE SUSE Linux Enterprise Server permissions versions starting from 85c83fef7e017f8ab7f8602d3163786d57344439 t...
CVE-2019-3692
PUBLISHED: 2020-01-24
The packaging of inn on SUSE SUSE Linux Enterprise Server 11; openSUSE Factory, Leap 15.1 allows local attackers to escalate from user inn to root via symlink attacks. This issue affects: SUSE SUSE Linux Enterprise Server 11 inn version 2.4.2-170.21.3.1 and prior versions. openSUSE Factory inn versi...