
9/19/2019
04:15 PM

California's IoT Security Law Causing Confusion

The law, which goes into effect January 1, requires manufacturers to equip devices with 'reasonable security feature(s).' What that entails is still an open question.

Companies that make connected devices — from Internet routers to connected thermostats to home-monitoring cameras — need to start preparing for the enforcement of California's Internet of Things (IoT) security law, which goes into effect on January 1, 2020, attorneys said this week.

The question is whether a simple authentication fix is enough for most devices or whether companies need to adhere to a more rigorous standard.

The California law, Senate Bill 327, was approved by the governor a year ago and requires that all connected devices sold in the state — no matter where they are made — incorporate "a reasonable security feature or features" that appropriately protect the user of the product and the user's data from unauthorized access, modification, or disclosure. The law specifies that single hard-coded passwords are not allowed, and each device must either have a unique passcode or require the user to generate a new passcode before using the device for the first time.
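As an added illustration of the two authentication options the statute names (this is not code from the article or from any device vendor): a first-boot gate that keeps network services off until one of the options holds, and a manufacturer-side audit over a sample of units. The factory secret, the serial numbers, the shared-default list and the 16-character credential length are all constructed assumptions; the law sets no format.

```python
"""Model of the two SB-327 authentication options for a connected device."""
from dataclasses import dataclass
import hashlib
import hmac
import secrets

# Constructed list of credentials that ship identically on every unit of a
# model. A device whose only credential is one of these fails both options.
SHARED_DEFAULTS = {"admin", "password", "12345", "root"}


@dataclass
class DeviceState:
    serial: str
    password: str                  # credential currently accepted by the unit
    password_changed_by_user: bool  # set once the first-use setup replaces it


def derive_unique_default(factory_secret: bytes, serial: str) -> str:
    """Option 1: a per-unit default derived at the factory from a secret that
    never leaves the production line and the unit's serial. Different serials
    give different defaults, so no two units share a credential. Length of
    16 hex characters is an assumption made for this example."""
    return hmac.new(factory_secret, serial.encode(), hashlib.sha256).hexdigest()[:16]


def may_enable_network_services(dev: DeviceState) -> bool:
    """Boot-time gate: True only when one of the statute's options is met.
    Option 2 (user replaced the default on first use) is checked first, then
    option 1 (the credential is not a model-wide shared default)."""
    if dev.password_changed_by_user:
        return True
    return dev.password not in SHARED_DEFAULTS


def fleet_audit(devices: list[DeviceState]) -> set[str]:
    """Manufacturer-side check over a sample of units before shipment: flags
    every serial whose credential is a known shared default or is reused on
    another unit. An empty result means the sample satisfies option 1."""
    by_password: dict[str, list[str]] = {}
    for d in devices:
        by_password.setdefault(d.password, []).append(d.serial)
    flagged: set[str] = set()
    for pw, serials in by_password.items():
        if pw in SHARED_DEFAULTS or len(serials) > 1:
            flagged.update(serials)
    return flagged


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # constructed; a real one stays in the factory
    units = [DeviceState(s, derive_unique_default(secret, s), False) for s in ("SN-001", "SN-002")]
    units.append(DeviceState("SN-003", "admin", False))  # constructed non-compliant unit
    print("units failing the audit:", fleet_audit(units))
```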

The way the law is written, ensuring devices follow that guidance may be enough, says Christine Lyon, partner in the privacy practice of Morrison & Foerster. "The law is only specific to authentication," she says. "That seems sufficient, but what I suspect will happen over time is that we will see more specificity around the required security features."

Yet another attorney argues that establishing a strong authentication mechanism is only one of the required features. Guidance of what constitutes "reasonable security" is hinted at by a 2016 California breach report, which labeled the Center for Internet Security's Critical Security Controls for Effective Cyber Defense as the "floor" for adequate security, says Dan Pepper, a privacy and data protection partner at the law firm BakerHostetler.

"The law is offering companies flexibility," he says. "But if all you are doing is taking the authentication step and you are not doing anything with updates or patches, encryption, or third-party components, then you are falling short. That authentication piece is just one concrete example."

The confusion has caused many companies to measure whether there is any risk to them under the statute and to wait for further guidance, the attorneys say. The law does not give consumers the right of private action. Only the government can investigate or penalize companies under the law, which is another consideration for companies in assessing their risk.

While the security required by the law may seem like baby steps, the number of devices impacted by the legislation is quite large, according to the attorneys. The text of the legislation does not specify types of devices, but the law likely applies to a long list of hardware covered by the term "connected device," including products such as printers and security cameras, smart lightbulbs, and Apple watches, Pepper says.

"Quite a few different types of devices are impacted," he says.

The California law is not the only legislation to target the security of connected devices. With 25 billion devices expected to be part of the global IoT landscape, legislators are subjecting IoT manufacturers to increasing scrutiny. 

In March, US lawmakers introduced a bipartisan bill into Congress that would require IoT makers selling devices to the government to follow guidelines produced by the National Institute of Standards and Technology. Known as the Internet of Things Cybersecurity Improvement Act of 2019, the bill is the third time that federal legislation has been introduced to require security measures by connected device makers. A bill to govern IoT security has been introduced into Congress annually since 2017.

Because the California law applies to any device sold to consumers in the state — and the manufacture of too many product variants is cost-prohibitive — the impact of the law will likely be national, says Morrison & Foerster's Lyon.

"Because the law's requirements are not onerous, and because it is time consuming to create a special version of products just for the Californian market, companies will probably implement these changes across all their products," she says.

In conjunction with the California Consumer Privacy Act (CCPA), the law will put new responsibilities and restrictions on companies for privacy and data security.

"The enactment of the CCPA will be a watershed moment for data privacy not just in California, but also throughout the United States," said Attila Tomaschek, data privacy advocate at ProPrivacy.com, in a statement. "Since any applicable business across the country and indeed across the globe that serves consumers in California will be required to abide by the law, companies across the board will likely be gearing up for compliance."

The California law explicitly does not require that retailers and sellers of devices ensure compliance with the law. The law also seems to prevent using the rule as a reason for anti-tinkering measures, stating that the law does not require features that "prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user's discretion."

In addition, law enforcement retains the right to gather information about devices from the manufacturer. 


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
