On Sept. 28, California became the first U.S. state to specifically regulate the security of connected devices, otherwise known as the Internet of Things or IoT devices.
The new laws aim at increasing the security of IoT devices, whose global use is growing rapidly. Statista has estimated that, in 2018, there are more than 23 billion IoT devices currently in use and this number is expected to grow to more than 26 billion in 2019 (Gartner has estimated 20 billion devices will be online by 2020).
In Canada, 28 million IoT units were in use in 2013 and this number has risen to 114 million in 2018. Unfortunately, many IoT devices remain dangerously unprotected from cybercriminals and vulnerable to malware as they enter the market with either no passwords, default passwords (including 123, admin or even worse, password) or otherwise contain hard-coded passwords that cannot be modified or updated.
These concerns are not merely speculative. Beginning in Sept. 2016, massive distributed denial of service (DDoS) attacks took down various U.S. internet infrastructure companies/DNS providers, leaving much of the internet inaccessible on the U.S. east coast and incapacitating popular websites (including Airbnb, Amazon, GitHub, HBO, Netflix, PayPal, Reddit, the New York Times and Twitter).
Originally created by three teenage hackers, the Mirai malware responsible for the attack was specifically designed to target and infect susceptible IoT devices such as security cameras, home routers, air-quality monitors, digital video recorders and routers using a table of more than 60 common factory default usernames and passwords. These devices were turned into a network of remotely controlled bots or zombies that were used to launch the DDoS attacks that later spread globally, impacting such diverse organizations as OVH (a large European internet provider), Lonestar Cell (a Liberian telecom operator) and Deutsche Telekom. At its peak, Mirai infected more than 600,000 vulnerable IoT devices.
These two new substantially similar IoT laws — California Senate Bill 327, chapter 886 and Assembly Bill No. 1906, “Security of Connected Devices” — require manufacturers of connected devices to equip the device with a “reasonable” security feature or features that meet all of the following criteria: appropriate to the nature of the device; appropriate to the information it may collect, contain or transmit; and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.
The IoT laws broadly define a “connected device” as any device or other physical object that is capable of connecting to the internet directly or indirectly and that is assigned an IP — or internet protocol — address or Bluetooth address, meaning that consumer, industrial and other IoT devices are covered.
Additionally, if the connected device is equipped with a means for authentication outside of a local area network, either of the following requirements must be met before it shall be deemed to possess a “reasonable security feature”: It must have a preprogrammed password unique to each device manufactured or the device must contain a security feature that requires a user to generate a new means of authentication before access is granted for the first time.
The IoT laws broadly capture “manufacturers” to include the producers of the devices themselves and those who manufacture them on behalf of such organizations and connected devices that are sold or offered for sale in California. However, manufacturers are not responsible for any unaffiliated third-party software or applications that a user chooses to add to the device. Contracts with organizations or people involving the mere purchase of connected devices or purchasing and branding a connected device are excluded.
Manufacturers are obliged to allow users to have full control or access over connected devices, including the ability to modify the software or firmware running on the device at the user’s discretion. Additionally, no obligations or duties are imposed upon electronic stores, gateways, marketplaces or other means of purchasing software or applications to review or enforce compliance with these statutes.
The IoT laws contain various exclusions and limitations. For example, they do not apply to manufacturers of connected devices that are already subject to security requirements under U.S. federal law, regulations or the guidance of federal agencies (presumably FDA-regulated medical devices, for example). They do not prevent law enforcement agencies from continuing to obtain connected-device information from a manufacturer as authorized by law or pursuant to a court of competent jurisdiction. They also do not apply to the activities of covered entities, providers of health care, business associates, health-care service plans, contractors, employers or other persons subject to the U.S. federal Health Insurance Portability and Accountability Act of 1996 or California’s Confidentiality of Medical Information Act.
Significantly, the IoT laws do not provide individuals with a private right of action against non-compliant manufacturers. Only the attorney general, a city attorney, a county counsel or a district attorney has the authority to enforce these requirements.
The IoT laws are scheduled to come into force on Jan. 1, 2020.
The enactment of the IoT laws was clearly motivated by the desire to improve the security of smart devices and mitigate security vulnerabilities that leave such devices open to cyberattacks such as Mirai malware. By not mandating what security features are “reasonable,” the legislation is effectively leaving it up to the manufacturer to determine whether its security features meet the three-prong test described above.
Guidance from agencies such as the National Institutes for Standards and Technology and other industry self-regulatory guidelines can help determine what will be reasonable under the circumstances. In fact, NIST is currently seeking comments on its draft guidance document, which includes recommendations for addressing security/privacy risks associated with IoT devices.
The new IoT laws are not without their flaws and skeptics.
Critics charge that certain aspects of the IoT laws are vague and ambiguous given the lack of clear standards (what does “reasonable security feature or features” practically mean?) with no way to validate that the manufacturer actually designed to those standards. While the IoT laws may address the security threats associated with hardcoded or default passwords that are easily guessable and may force manufacturers to get consumers to change their passwords before using such devices (or otherwise install unique passwords), they do not address many other security concerns or truly enhance device security. These include the failure of many manufacturers to routinely update the software or firmware accompanying many IoT devices (or otherwise compel consumers to update such software/firmware if patches/upgrades are actually available) to address security and other concerns.
Other pre-market security means to enhance security are also ignored, such as device attestation, security audits for firmware from third-party providers, improvements in device access, management and monitoring and requirements to remove unnecessary insecure features.
As the NIST Guidance has noted, an IoT device may be a black box that provides little or no information on its hardware, software and firmware or may not offer any built-in capabilities to identify and report on known vulnerabilities. And users can still deploy terrible passwords.
However, while arguably incomplete from a security perspective, California is a large market, a standard setter for the U.S. and may serve as an example for other jurisdictions to follow.
Accordingly, any Canadian manufacturer of an IoT device that intends to ship its products into California had better start employing better security features that meet the requirements of the IoT laws and, as such, the IoT laws may be the catalyst required to nudge IoT connected devices in the right direction to better security.