California has enacted the nation’s first law regulating Internet of Things (IoT) devices, which was signed by Governor Jerry Brown on September 28, 2018. IoT refers to the rapidly-expanding world of internet-connected objects such as home security systems, video monitors, enterprise devices that track packages and vehicles, health monitors, connected cars, smart city devices that manage traffic congestion, and smart meters for utilities.
IoT devices promise to bring efficiencies to a broad range of industries and improve lives. But these devices also collect vast troves of information, and this raises data security and privacy concerns. In 2016, a distributed denial of service (DDoS) attack on the internet infrastructure company Dyn was powered by millions of hacked IoT devices such as web cameras and connected refrigerators. Hackers have used baby monitors to view inside homes, with a prominent recent example being the widely-deployed Mi-Cam baby monitor. If hackers are able to get into critical IoT systems in first responder networks, then there could be public safety risks.
The most obvious vulnerabilities with IoT devices used by consumers are easily-guessed default passwords and weak authentication. Consumers rarely change default passwords because they do not know how to or because the user interface is confusing or hard to access.
California has responded by enacting a law (SB-327) that addresses some vulnerabilities. As a broad measure, the law requires manufacturers to equip IoT devices with “a reasonable security feature or features” that are appropriate to the nature and function of the device; appropriate to the information it may collect, contain or transmit; and designed to protect the devices and information on them from unauthorized access or disclosure.
The law states that having a unique preprogrammed password for each IoT device or requiring the user to generate a new means of authentication before access to the device is granted for the first time is deemed to be a reasonable security feature. There are some exceptions, but this should cover many consumer-grade IoT devices. The law goes into effect on January 1, 2020. There is no private right of action, and the law will instead be enforced by the state Attorney General and local authorities.
Will this increase the security of IoT devices? It probably will to some degree. The law only applies to devices that are sold or offered for sale in California, but due to the size of the California market it could become a national standard for manufacturers. On the other hand, IoT devices have additional vulnerabilities that are not addressed. Overall, it is likely the start of initiatives in other states and the federal government to bring greater security to IoT. Hopefully those measures will promote security without slowing innovation in this exciting industry.