California Looks To Compel IoT Security

There is a bill working its way through committee in the state of California which, if passed, would require a minimum level of security for Internet of Things devices, and then some. California SB 327, "Information privacy: connected devices", in its original form calls for connected device manufacturers to secure their devices, protect the information they collect or store, indicate when they are collecting it, get user approval before doing so, and proactively inform users of security updates:

require a manufacturer that sells or offers to sell a connected device, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is collecting information and to obtain consumer consent before it collects or transmits information, as specified. The bill would also require a person who sells or offers to sell a connected device to provide a short, plainly written notice of the connected device’s information collection functions at the point of sale, as specified. The bill would require a manufacturer of a connected device to provide direct notification of security patches and updates to a consumer who purchases the device.

This is just a proposal and will change as it finds its way through committee. Currently no penalties or enforcement mechanisms are spelled out, although recent comments have suggested that individual prosecutors may have latitude to interpret these cases as they see fit. The bill also says that devices must indicate in some way when information is being collected, but no language exists yet to clarify what form that indication must take or to set forth rules on the matter.

The security community has been sounding the alarm about the lackluster (and often entirely absent) security of this growing army of IoT hardware, and we've all known that one day the government would get involved. Action of this kind usually needs a major event in which people were harmed physically or financially to push the issue. Denial of service attacks have already occurred, and the hijacking of webcams and the like is commonplace. Perhaps what we saw in September finally pushed this into the limelight.

Any reasonable person can see the necessity of some basic level of security, such as eliminating default passwords and protecting the data the device handles. The question raised here is whether or not the government can get this right. Hackaday has previously argued that this is a much deeper problem than the one being addressed in this bill.
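As an added illustration of what "eliminating default passwords" means in practice (this is example code written for this page, not text from the bill and not any vendor's firmware), the hypothetical device below boots in a provisioning state: the factory credential is accepted only on the local setup interface, the network-facing service stays disabled until the owner replaces it, and the replacement is rejected if it is itself a well-known default or too short. Passwords are stored as salted PBKDF2 hashes and compared in constant time. The list of factory defaults and the 12-character minimum are assumptions chosen for the example.

```python
"""Added example: a hypothetical IoT device that refuses to run with a
default password. Not from the bill or any real product."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# OWASP recommends >= 600,000 iterations for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
MIN_PASSWORD_LENGTH = 12  # assumption for this example

# Constructed list of credentials commonly shipped as factory defaults;
# the device must never accept one of these as the owner's password.
FACTORY_DEFAULTS = {"admin", "password", "12345", "1234", "default", "root", ""}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the password; a fresh random salt per store."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class DeviceCredentials:
    """Credential store for one device. The factory credential only works on
    the local setup interface and only until the owner replaces it."""

    FACTORY_PASSWORD = "admin"  # the shared default we want to eliminate

    def __init__(self) -> None:
        self.salt, self.digest = hash_password(self.FACTORY_PASSWORD)
        self.provisioned = False  # True once the owner has set a real password

    def remote_service_enabled(self) -> bool:
        """The network-facing service is exposed only after provisioning."""
        return self.provisioned

    def authenticate(self, password: str, remote: bool = False) -> bool:
        """Check a login. Remote logins are refused outright while the device
        still carries its factory credential, so a botnet trying 'admin'
        over the network gets nothing even before the owner acts."""
        if remote and not self.remote_service_enabled():
            return False
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.digest)

    def set_password(self, current: str, new: str) -> bool:
        """Replace the credential. Requires the current one (local interface
        during provisioning) and rejects defaults and short passwords."""
        if not self.authenticate(current, remote=False):
            return False
        if new.strip().lower() in FACTORY_DEFAULTS or len(new) < MIN_PASSWORD_LENGTH:
            return False
        self.salt, self.digest = hash_password(new)
        self.provisioned = True
        return True


def demo() -> dict:
    """Walk through the lifecycle and return the outcomes for inspection."""
    dev = DeviceCredentials()
    results = {
        "factory_login_over_network": dev.authenticate("admin", remote=True),
        "factory_login_locally": dev.authenticate("admin"),
        "reject_default_as_new": dev.set_password("admin", "password"),
        "reject_short_new": dev.set_password("admin", "short"),
        "accept_strong_new": dev.set_password("admin", "correct horse battery staple"),
    }
    results["factory_login_after_setup"] = dev.authenticate("admin", remote=True)
    results["owner_login_after_setup"] = dev.authenticate(
        "correct horse battery staple", remote=True
    )
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The security-relevant checks are the two refusals: a remote login is rejected while the device is unprovisioned regardless of the password supplied, and the owner cannot "replace" the factory default with another well-known default. A real device would additionally rate-limit or lock out after repeated failures, which the example omits.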

The size of California’s economy (relative to both the nation and the world) and the high concentration of tech companies make it likely that standards imposed if this law passes will have a large effect on devices in all markets.

32 thoughts on “California Looks To Compel IoT Security”

  1. Calling it now. This sounds like a huge clusterfuck waiting to happen. I like the idea of what is being attempted but the myriad of ways this could be implemented in stunningly bad ways is truly monumental.

    Warning! This IoT toilet router is known to the State of California to cause bad sectors or reproductive toxicity.

  2. I laughed my head off with this (as usual) bureaucratic crap that will only make things worse. It’s typical of legislators who have not a clue what they’re dealing with and don’t seek support from the professionals involved.

    “any internet connected device” Really! Let’s start with all the computers on the planet – Look out Bill, they will be coming for Microsoft (Windows OS) (again) soon.

    What an absolute joke!

    It’s not these devices that *create* the likes of DDOS, they are made possible by security issues that already exist on the internet. The device is just a *vector* to get to the existing security problem.

    The DDOS attack mentioned wasn’t specifically the result of IoT devices or web cams. It was the result of the default of allowing UPnP on routers!

    What an absolute joke. The real problem is that these bureaucrats create the environment where black-hat hackers thrive.

    In my country it is a criminal offense (punishable with up to 20 years imprisonment) to security test *your own god damned servers* because you are attempting to “circumvent security measures”. That’s how our idiot bureaucrats worded it, and now there is no such thing as a white-hat in our country other than criminals, as this specific activity has been criminalized.

    1. Gotta love the “protect it from unauthorized access, destruction, use, modification, or disclosure” language.

      Sorry Bobby, you can’t install Linux anymore because CA says your computer has to be locked down from the factory. Same thing for your router (no more OpenWRT).

  3. IoT is a buzzword for people who can’t understand — nor care about how technology is made.
    Security on low end hardware is limited by the sophistication of the users, and cost.

    If you dig deeper, I am sure there is a US company hyping a patented solution to a non-existent problem, or an agency seeking backdoors into China’s backdoors. After the CIA leaks proved their unabridged access to every uefi boot loader, we have to assume they desire the same vulnerability in other hardware variants.

    Consumers can buy secure products already, but they are just as bugged as the cheaper version from China. Legislation can’t fix the credibility gap caused by ignorance, or the lack of IT network security caused by an off-shoring accountability problem.

    1. Security on low end hardware is limited by pretty much cost. And, perhaps to a certain extent, cost externalities that vendors don’t care to bear and that average users know nothing about.

      It is also noteworthy that to build something truly well built is expensive in terms of time to get it to market. In the faster moving world of technology in particular, there is immense pressure to get something that mostly works out the door rather than stop and make it right. That doesn’t mean it is necessarily the right decision (which of course depends on what stakeholder you ask) but it is one that is commonly made.

      1. The usual idea is to dump the product out on the market as fast as possible and then fix it later. But there is no financial incentive to fix later; that would be burning profits into products that will no longer produce profits.

        Unless there is either an ongoing service charge, and/or they are collecting customer data “uploaded to the cloud” and selling metadata about data access, or the actual data itself, to 3rd parties, in which case there is an incentive to update the software on products in the wild to keep others out, to guard their golden goose.

        1. Most service dependent hardware just makes the attack vector wider, as 70% of android devices are locked to a known faulty patch version. Most cameras gave telnet access for cloud service enabled remote access from mobile phones. Thus, the cloud server IPs are already on China soil, cloud data is always poorly managed, and most of China doesn’t care about foreigner problems unless they are profitable.

          There are ways to harden systems, but economics make it strategically unsustainable.
          A low end product that looks functionally similar and costs less — will dominate market share irrespective of quality.
          Q.E.D Windows 10

  4. Lol good in theory, horrible in wording. Doesn’t define what “reasonable” is, no timeline requirements for patching, no punishments listed, and to be honest, a judicial system that has no freaking clue how to evaluate any of this. This will lead to 1 of 3 things happening:
    1. The retarded warning labels as a previous poster mentioned.
    2. Devices being available everywhere in the US except California.
    3. People ignoring it all together.

    Want proof? Look at COPA. (Child Online Privacy Act). Absolutely worthless legislation.

    1. It’s COPPA, and actually that is not worthless legislation. It stops companies like Facebook, Instagram, etc. from doing some pretty evil things.

      I live in California, and have found myself shaking my head at terrible regulations that come out of here – requirement for all smoke detectors to be wired, useless supply-chain verification law, useless dangerous chemical notification law. Not that the regulations aren’t based on a good idea, just that the implementation is beyond useless and causes way more problems than it solves (generally they solve none). There’s a ton of examples to pick from. Your example of COPPA is not one of them. COPPA is actually decent legislation, and I say this as the owner of a company that is affected by it. For my company, compliance with COPPA is easy because we don’t do any of the evil things that it prevents (invading private user info). If only there was a COPPA for adults.

      1. The problem comes not from the intent but from how it is enforced or how compliance is verified. Most (smaller) companies that aren’t based in California don’t even realize that this legislation applies protections to the customer regardless of where the parent company is. So you run into wonderful issues of ignorance, inability to audit, among other things.

    1. A big portion of those Chinese networking devices are designed in Silicon Valley, either directly through legitimate contracts, or through IP piracy that is rampant in the low-end consumer device sector.

      That said, I’m not sure how California plans to regulate something that is no longer manufactured in its state. While the designs and company HQs are in California, the manufacturing is almost always outside of the US. Applying state laws to international imports is a violation of the US Constitution, so there will be loopholes that allow ports in L.A. and Oakland to bring goods in that don’t conform to these regulations. Then they’ll be trucked to Amazon distribution centers in Kansas and then shipped back to California. The regulations can keep the bulk of faulty IoT devices out of California, but we’ll still be the source of most of the nation’s exploit-ridden hardware, or at least its middlemen.

  5. They mean well, but politicians just can’t help but write dumb laws that have an infinite variety of unintended consequences.

    I read the blurb at the top and it basically outlaws USB thumb drives. What stupidity.

  6. The most worrying part to me is “or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device”, because it includes everything. A brick can have a webcam pointed at it so, it is covered by this phrasing, a physical object indirectly connected to the web, so all “bricks” would need appropriate security measures.

    1. This will end up like the POTS regulation here: “you can’t touch the POTS line in your house because it might break something somewhere else, call one of our licensed contractors that charge you like a wounded bull and do a worse job with less pride than you’d do it”

      “You can’t plug that device into the internet because it might break something somewhere else”…

  7. But I *like* my IoT to be insecure, I get to hax it so much easier… I just secure it *from* the Internet (less of an ‘Internet of Things’ more of a ‘Private network of things that really want to be on the internet’)

  8. most of this sounds good.

    forcing companies to document what they gather needs to be done

    saying that they need to provide appropriate security for the use of the device is fine (although very squishy)

    what bothers me is the requirement to prevent modification of the device. As we’ve seen with wifi routers, that was used as an excuse to prevent the owners from modifying the devices

    1. Much better phrasing would require safeguards to prevent modification by an unauthorized user, the owner being an authorized user. But that’s the kind of detail all too easy to overlook if you don’t work with computer security.

  9. The ambiguity of this proposition, as well as the potential to further confiscate the user’s right to repair/modify etc., makes me glad I live in a red state, for the first time in a while.
    Maybe I’m naive, but I am optimistic that if the DMCA and anti ownership stuff goes too far the open source hardware movement will gain support and balance things out somewhat.
    Politicians being in the pocket[book] of big business doesn’t help anything, but neither do vaguely worded and uninformed laws about consumer protection

  10. This is either going to be a nightmare of regulation where it doesn’t belong, or completely toothless.

    And if we are being honest here, enforcement of ANY law regarding technology has been categorically bad.

    You either get law enforcement drawing a line in the sand over something arbitrary or refusing to investigate major damages due to a lack of technical experience or competence.

  11. A law might be kind of an okay thing but it’s still a bad sign. That the government ever perceived a need to mandate such things just affirms to me that the people who are all excited about it and pushing crap out the door (to separate punters from their dollars) also suck at thinking about tech, especially their own tech, beyond getting it to work at all. I just want it to go away and I don’t care if the numbers game says that a microcontroller costs me way more after the sales volume goes to crap. Better than everything going to crap.

  12. Thinking about it, I’m 90% sure it would end up making them put in hard coded IP addresses to their cloud platform, and do all security at that end… so yah, if there’s an internet/server outage you won’t get permission to turn your lights on.

    1. Correct me if I am wrong, but I think that hard coding IPs on a scale like that is a big no-no in the eyes of ICANN, since you do not technically own an IP address, but rather you are permitted to use a set of numbers and that permission may be revoked. While this ability may not be very well defined legally at this time, the longer we put off deploying IPv6, the more likely it becomes that we may finally see a case involving the reclaiming of address space.

  13. Can we please, PLEASE, get rid of California? I’m calling it right now – This will turn into the biggest IoT nightmare yet.

    There is some legal precedent to say that a State can not secede from the nation (it’s extremely flimsy, but it’s there), but I can’t find a single law that says we can’t kick them out when they get to be too much of a pain in the keester.
