In a landmark move, California is the first US state to regulate IoT security after Governor Jerry Brown signed a bill into law. In fact, it’s the first state, local or national government, to make such a move.

The law, which takes effect on Jan. 1, 2020, was first introduced in 2017 and has been discussed ever since.
  • The bill addresses weak security and information privacy by demanding manufacturers provide ‘reasonable security features’ for connected devices released on the market.

It’s a significant move and one that will arguably be followed by other law makers. An official document coming out of California says:
  • This bill… require[s] a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature 
  • [These] features [need to be] appropriate to the nature and function of the device 
  • Appropriate to the information… [the device]  may collect, contain, or transmit 
  • Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified

Of course this is official legal speak so it is constrained and impartial.

But in essence the legislation is saying that IoT devices with default passwords hardcoded into them will no longer be sold in California.

These default passwords are used on devices’ web interface to ostensibly stop people, other than the device owner, access the device and altering its settings.

The problem with default hardcoded passwords is that hackers can easily discover them, often by doing a simple web search.

It’s then only a small step to create malware that exploits these passwords.
  • How many times have you seen or read of reports in which IoT botnets hijack routers, IP cameras, and other web-connected devices because of weak default passwords that ship with the devices. 
  • The infamous Mirai botnet, for instance, recruited a zombie army of IoT devices using a list of common factory default usernames and passwords. The botnet took down a large number of high profile websites in the US, by knocking a service provider, which supported the sites, offline.

However, it’s important to also keep the following points in mind:
  • It’s important to ensure IoT devices have tough passwords for their web interfaces, but there are other IoT vulnerabilities hackers can exploit. 
  • The Mirai botnet scanned the internet, searching for open Telnet ports, and attempted to gain access to devices via Telnet by using the default passwords. 
  • Despite these dangers, many devices continue to use Telnet, which is vulnerable to interception and easy brute force cracking, rather than the preferred safer Secure Shell (SSH) protocol. 
  • Some IoT devices have weak or non-existent encryption, or connected technologies which have no means of being updated if a vulnerability is discovered.

The legislation is an important step in the right direction, even though it is confined to California, because it’s a recognition of how pervasive vulnerable IoT devices are and how much damage can be done when hacked.

It also reflects a large uptake of IoT devices in California which is probably not as common in other parts of the world – yet.

That said, a lot more needs to be achieved around IoT security for consumers to be truly comfortable with them, unless they have alternative means of locking down their smart devices.