California's new IoT security law: Inching toward a safer future
The internet of things is becoming increasingly ubiquitous in American society. Smart home devices control our lighting, heating and entertainment systems. Health monitoring devices alert caregivers the moment medical issues arise. IoT-connected vehicles are now commonplace. Even traffic patterns and manufacturing processes are routinely managed using the network.
Unfortunately, the added convenience of IoT brings with it a host of new security concerns, and many of the IoT devices in widespread use today remain dangerously unprotected.
The government has now turned its attention to this issue. In August 2018, the FBI issued an alert titled “Cyber actors use internet of things devices as proxies for anonymity and pursuit of malicious cyber activities,” warning both developers and owners of IoT devices that attackers were compromising poorly secured devices and routing malicious traffic through them to hide its origin. It urged them to put safeguards in place and, not long after the alert was issued, California became the first state in the U.S. to pass a law regulating the security of IoT-enabled devices.
SB 327 indirectly sets the stage for the future
Government intervention in IoT security comes as no surprise, especially since the stakes are so high for privacy and safety. SB 327 (Information Privacy: Connected Devices), slated to go into effect January 1, 2020, requires any manufacturer of a connected device sold or offered for sale in California to equip it with “reasonable” security features that “protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.”
The vagueness of these terms ultimately leaves the law open to significant interpretation, but that open-endedness can be viewed as a positive. After all, in an industry that moves as quickly as IoT development, the government is hardly in a position to prescribe specific technologies that might be obsolete before the law even goes into effect. Instead, SB 327 institutes a framework within which security experts can operate, creating opportunities for companies to quickly bring to market next-generation security and authentication tools.
The need for IoT security
Despite not being in a position to recommend specific technologies, the government is keenly aware of the reasons IoT security is important. In fact, SB 327 does name one concrete measure: for a device that can be authenticated to from outside a local area network, either the preprogrammed password must be unique to each device manufactured, or the device must force the user to set new credentials before granting access for the first time. That is an obvious reference to the Mirai botnet, a malware capable of infecting a wide range of IoT devices.
Mirai is an excellent example that serves to highlight one of the most widespread weaknesses of IoT devices: While data breaches can put consumers’ personal information at risk, poor IoT security can leave devices open to additional types of attacks. Mirai scans the internet for devices with exposed management services such as Telnet and tries a short dictionary of factory-default usernames and passwords; every device it takes over this way is conscripted into large-scale distributed denial-of-service attacks. Because these default credentials are often shared across an entire product line, a single dictionary entry can unlock a staggering number of devices.
Although Mirai is now well known to cybersecurity experts, the simplicity of the weaknesses it exploits makes it difficult to fully eradicate. The reference to Mirai highlights not just the danger of that specific botnet, but the idea that even the smallest lapses in IoT security can leave entire product lines vulnerable.
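The following Python script is an added example, not code from the article, the FBI alert or SB 327. It models two fleets of devices: a legacy fleet that ships with one shared username and password, and a fleet provisioned the way SB 327 describes, with a password unique to each unit plus a forced credential change before the first session is granted. A Mirai-style dictionary scan is then run against both. The credential list, serial-number format and fleet sizes are constructed for illustration; the real Mirai dictionary is a few dozen entries long.

```python
"""
Factory-default credentials vs. per-device credentials (added example).
"""
import hashlib
import hmac
import os
import secrets

# Constructed sample in the style of Mirai's credential dictionary.
# Illustrative only; the real list is longer.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "1234"),
    ("admin", "password"),
    ("root", "root"),
    ("root", "xc3511"),
]

PBKDF2_ITERATIONS = 10_000  # kept low so the demo runs quickly; raise it in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Device:
    """One device with a single local management account."""

    def __init__(self, serial: str, username: str, password: str, must_change: bool):
        self.serial = serial
        self.username = username
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        # True until the owner replaces the factory credential; while set, a
        # correct password proves possession of the label but yields no session.
        self.must_change = must_change

    def login(self, username: str, password: str) -> str:
        """Returns 'OK', 'CHANGE_REQUIRED' or 'DENIED'."""
        if username != self.username:
            return "DENIED"
        candidate = hash_password(password, self.salt)
        if not hmac.compare_digest(candidate, self.digest):
            return "DENIED"
        if self.must_change:
            return "CHANGE_REQUIRED"
        return "OK"

    def set_password(self, old: str, new: str) -> bool:
        """Replaces the credential; refuses known defaults and short values."""
        if self.login(self.username, old) == "DENIED":
            return False
        if (self.username, new) in DEFAULT_CREDENTIALS or len(new) < 12:
            return False
        self.salt = os.urandom(16)
        self.digest = hash_password(new, self.salt)
        self.must_change = False
        return True


def provision_unique_password() -> str:
    """Per-device factory password, e.g. printed on the unit's label."""
    return secrets.token_urlsafe(12)


def build_legacy_fleet(n: int) -> list:
    """Every unit ships with the same credential and no forced change."""
    return [Device(f"LEG-{i:04d}", "admin", "admin", must_change=False) for i in range(n)]


def build_sb327_fleet(n: int) -> list:
    """Each unit gets its own password and must change it before first use."""
    return [Device(f"NEW-{i:04d}", "admin", provision_unique_password(), must_change=True)
            for i in range(n)]


def dictionary_attack(fleet: list) -> int:
    """Mirai-style scan: try each default pair on each device; count usable sessions."""
    compromised = 0
    for device in fleet:
        for username, password in DEFAULT_CREDENTIALS:
            if device.login(username, password) == "OK":
                compromised += 1
                break
    return compromised


if __name__ == "__main__":
    legacy, new = build_legacy_fleet(20), build_sb327_fleet(20)
    print("legacy fleet compromised:", dictionary_attack(legacy), "of", len(legacy))
    print("SB 327 fleet compromised:", dictionary_attack(new), "of", len(new))
```

The legacy fleet falls to the very first dictionary entry on every unit, while the per-device fleet yields no sessions at all: even a correct factory password only returns CHANGE_REQUIRED until the owner sets a new one, and set_password refuses values from the default list. In real firmware the same two checks (unique factory secret, forced first-use change) are what a reviewer looks for when mapping a product to the law's password clause.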
Of course, botnets like Mirai aren’t the only threat, and even companies on the cutting edge of technology can discover startling IoT vulnerabilities. Earlier this year, academic researchers demonstrated that the key fobs issued with Tesla’s Model S could be cloned by capturing and attacking the fob’s weak keyless-entry cryptography, giving tech-savvy car thieves an easy route to the vehicle. Tesla has since shipped a fix, but the revelation served as a sobering reminder that no one using IoT technology is immune. For many companies, foundational security improvements must be made.
Concrete steps for a secure future
SB 327 calls for “security procedures and practices appropriate to the nature of the information.” This means that the expected safeguards will vary depending on the technology being used and the information at risk, putting security experts in an ideal position to advise companies on the most effective and appropriate measures to take. Although the law declines to recommend specific steps for developers of IoT-connected devices, there are a number of ways to begin improving your IoT security before the law goes into effect:
- Work with a proven security partner you trust. The IoT security landscape is complex, but there are credible experts standing by to help.
- Stop using static credentials for authentication. Usernames, passwords and weak symmetric tokens can be copied, shared across a product line and replayed, leaving device data unnecessarily vulnerable.
- Use strong authentication based on digital identities that are renewed (not static) and difficult to steal. This should increase trust and confidence within the supply chain and across the entire ecosystem (including vendors and customers).
As consumers grow more knowledgeable and discerning, IoT developers will need to get serious about security. The California law won’t go into effect for just over a year, but it is almost certainly the first of many laws that will work to ensure that customers have a reasonable expectation of protection. Understanding both the vulnerabilities inherent to the internet of things and the steps that can be taken to mitigate them is a critical first step to a more secure future.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.