Can California legislation save the world from IoT security risks?
I am known for railing against IoT devices because I consider them the eventual destroyers of the internet as we know it. They are not secure, most people that use them do not realize they are not secure, and most vendors that make them have done little despite knowing they are not secure.
Having said that, I am heartened that NBC News and The Today Show recently ran segments about (different) devices attached to the internet which had potential security issues. Those were the few times I have seen IoT security reported to the mainstream public on television. Mr. Robot and other shows have used IoT insecurity as plot points, but they really glossed over the reasons why it’s insecure so quickly that watchers may have missed that fact.
What initially prompted me to write this was a story in The Mercury News from San Jose, Calif., about a family frightened by news reporting an imminent nuclear missile strike from North Korea transmitted through their Google Nest security camera. While their TV was showing the NFC Championship Game, their Nest was blaring warnings for several minutes that people in the area had three hours to evacuate. The family was reasonably terrified.
It isn’t surprising that this was a hoax and the Nest was hacked.
Yet, Google does not see it as a “hack”; it was “simply due to bad password management.” In other words, since the family’s password may have been compromised in a previous unrelated data breach, this may have been due to a successful “credential stuffing attack” of the family’s Nest account, and wasn’t Google’s fault.
What is surprising is that Google knew about the cause of the issue but did not publicize it to customers. Remember what I said earlier about the NBC News story that talked about IoT devices? Yup, it was about similar incidents involving the Google Nest.
As bad as these attacks on Nest are, they are minor compared to attacks on other IoT devices. Variants of the Mirai virus are still very active around the world, taking control not only of webcams, but home routers and media set-top boxes. Other kinds of malware infiltrate IoT devices including toys and home appliances.
Why are these IoT malware attacks so successful? Sadly, it is simply due to bad password management. Most IoT devices have default passwords set. Some passwords are difficult to change. Some cannot be changed. Hackers have known this for years and malware takes advantage of this. Yet, most IoT manufacturers have done little to combat this. User documentation doesn’t even stress that the default passwords should be changed.
California, birthplace of the tech industry, had been hard hit by IoT attacks long before the incidents I mentioned. In September of last year, California became the first government entity in the world to pass legislation directed at IoT security. Companion bills SB-327 and AB-1906 mandate that, starting in 2020, “a manufacturer of a connected device, as those terms are defined, equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure, as specified.” Thus, all IoT devices sold in California will implement “reasonable” security features, such as forcing users to change default passwords during installation or providing a unique password on each device at manufacture.
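To make the two compliance options concrete, here is an added example (my own illustration, not text from the bill or any vendor's firmware): a minimal device model that either ships with a unique per-unit password generated at manufacture, or ships with a shared factory default and refuses normal operation until it is replaced. Serial numbers, the default-password denylist and the hashing parameters are constructed for the example.

```python
"""Added example: modelling SB-327's two "reasonable security feature"
options from the article. Serials, defaults and parameters are constructed."""
import hashlib
import os
import secrets

# Constructed denylist of shared factory defaults that IoT malware
# families such as Mirai are known to try; a compliant device must
# never accept one of these as a new password either.
SHARED_DEFAULTS = {"admin", "password", "1234", "12345", "default"}


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    def __init__(self, serial: str, factory_password=None):
        self.serial = serial
        # Option B: a shared default that must be changed at first login.
        self.shared_default = factory_password is not None
        # Option A: a unique random password per unit at manufacture.
        pw = factory_password or secrets.token_urlsafe(12)
        # Kept only to stand in for the label printed on the unit;
        # real firmware would store the hash alone.
        self.factory_password = pw
        self.salt = os.urandom(16)
        self.hash = _hash(pw, self.salt)

    def login(self, password: str) -> str:
        if not secrets.compare_digest(_hash(password, self.salt), self.hash):
            return "denied"
        # Remote features stay locked until the shared default is replaced.
        return "must_change_password" if self.shared_default else "ok"

    def set_password(self, old: str, new: str) -> bool:
        if self.login(old) == "denied":
            return False
        if new in SHARED_DEFAULTS or len(new) < 8 or new == old:
            return False
        self.salt = os.urandom(16)
        self.hash = _hash(new, self.salt)
        self.shared_default = False
        return True


def provision_batch(n: int) -> list:
    """Option A in bulk: every unit leaves the line with a distinct password."""
    return [Device(f"SN-{i:06d}") for i in range(n)]
```

Either path leaves no unit on the network that still answers to a password shared with every other unit of the same model, which is the property the credential-stuffing and Mirai-style attacks described above depend on.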
This is a very bold step. There has been lots of attention to privacy issues around the world, but the U.S. outside of California has been slow to respond to those as well as IoT security. So, on the heels of passing the toughest privacy protection law in the U.S., for California to pass this legislation as quickly as it has is earthshaking. The California legislature has a very high number of tech-savvy politicians, and this law passed in seven months with little debate.
And as groundbreaking as the new law is, its implications are just as earth-shattering. Estimates for the current number of IoT devices connected to the internet are upwards of 20 billion. Statista estimates that in 2020 there will be over 3 billion IoT connections in North America alone. Since all IoT devices sold in California must be compliant, manufacturers have little choice but to implement these changes worldwide. Webcam, router and toy makers in Taiwan and China do not have separate assembly lines for different countries; to sell in California, every device will have to be compliant, since there is no way to know which units will end up there.
Meanwhile, the U.S. federal government is still trying to catch up. The House of Representatives passed H.R.6032, State of Modern Application, Research and Trends of IoT Act, or SMART IoT Act, at the end of November 2018. This bill was forwarded to the Senate for review where it sits. What does H.R.6032 actually do? It “directs the Department of Commerce to conduct a study on the state of the internet-connected devices industry (commonly known as the Internet of Things) in the United States” and to report to Congress “not later than one year after the date of the enactment of this Act.”
NIST is developing a standard, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, that will help define what “reasonable” security features might include. This standard is the basis of the newly introduced bipartisan bills Senate S.734 and House H.R. 1668, the IoT Cybersecurity Improvement Act of 2019 — an update of the little-supported IoT Cybersecurity Improvement Act of 2017 — a bill “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for internet of things devices, and for other purposes.” But this bill only applies to IoT devices sold to the U.S. government. Now, compare the types and number of IoT devices used by the U.S. government versus those used by the people of California.
But is the California law, in fact, enough? Is anything more needed to improve IoT security? The language in CA SB-327 is intentionally vague about what “reasonable” security is, other than the features mentioned above. This is to allow manufacturers to implement controls appropriate to the device — vulnerabilities and how to mitigate them are different for a Google Nest versus a Linksys router versus a Fitbit. And there is no mention of penalties for noncompliance. How do you enforce the requirements on less-than-reputable international manufacturers and suppliers trying to sneak substandard products into California? The new law has its critics, but it is moving in the right direction, and more quickly and definitively than the federal government.
And proves why we are doomed if California falls into the ocean after the Big Earthquake hits…
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.