Originally Posted On: zdnet.com
California IoT security bill criticized by security researcher. Expert says bill "is based upon an obviously superficial understanding of the problem."
The first Internet of Things (IoT) security bill in the US has been approved in California at the end of August and has now reached the Governor's desk to be signed into law.
The bill, SB-327, was introduced in February 2017 and was the first legislation of its kind in the US.
It even predated by almost six months the Internet of Things Cybersecurity Improvement Act of 2017, a bill introduced in the US Senate by Sen. Mark Warner [D-VA].
But while dust gathered on Sen. Warner's proposal to secure IoT devices across the US, the California bill saw active discussion and was approved on the California Assembly and Senate floors on August 28 and 29, respectively.
Barring any strong opposition to the bill from the public or the private sector, if signed by Gov. Jerry Brown, the new bill would enter into effect starting January 1, 2020.
The bill's main provision is that "a manufacturer of a connected device shall equip the device with a reasonable security feature or features."
Just like most legislative efforts, the bill is pretty vague in what "reasonable security" should be, but it does go into details when it comes to device authentication procedures.
According to the bill's approved text, "if a connected device is equipped with a means for authentication outside a local area network," the authentication system must meet one of two criteria.
- If the device uses a default password, the password must be unique to each device; or,
- The device must prompt the user to set their own password when the device is set up for the first time, a criterion put in place to stop manufacturers shipping devices with the same default credentials.
And that's all of the SB-327 bill. No other provisions. Just a very precise specification for handling default credentials on IoT devices, plus the generic term "reasonable security," which every IoT device vendor could interpret however they want.
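As an added example (not part of the article, the bill text, or Graham's analysis), the following Python check audits a constructed device inventory against the two criteria above: a default password only counts as unique when no other shipped device carries the same one, and a shared default is acceptable only if the device forces the user to set a password at first setup. The record field names and the `remote_auth` flag are assumptions.

```python
"""Fleet audit of shipped devices against the two SB-327 authentication criteria.

Added example with constructed sample data; field names are assumptions.
"""
from collections import defaultdict

# Constructed inventory: one record per shipped unit.
# remote_auth=False marks a device with no authentication outside the LAN,
# which the provision does not cover (assumed flag).
DEVICES = [
    {"serial": "CAM-0001", "default_password": "admin", "forces_setup_password": False},
    {"serial": "CAM-0002", "default_password": "admin", "forces_setup_password": False},
    {"serial": "CAM-0003", "default_password": "admin", "forces_setup_password": True},
    {"serial": "HUB-0001", "default_password": "q7Hk2mZp", "forces_setup_password": False},
    {"serial": "HUB-0002", "default_password": "Lz9vTr4e", "forces_setup_password": False},
    {"serial": "LAN-0001", "default_password": "admin", "forces_setup_password": False,
     "remote_auth": False},
]


def password_holders(devices):
    """Map each default password to the set of serials shipped with it."""
    holders = defaultdict(set)
    for d in devices:
        holders[d["default_password"]].add(d["serial"])
    return holders


def shared_default_passwords(devices):
    """Default passwords reused across more than one device (the fleet-wide smell)."""
    return {pw for pw, serials in password_holders(devices).items() if len(serials) > 1}


def audit(devices):
    """Return {serial: (compliant, reason)} for every device in the inventory."""
    holders = password_holders(devices)
    report = {}
    for d in devices:
        serial, pw = d["serial"], d["default_password"]
        if not d.get("remote_auth", True):
            report[serial] = (True, "no authentication outside the LAN; provision does not apply")
        elif len(holders[pw]) == 1:
            report[serial] = (True, "default password is unique to this device")   # criterion 1
        elif d.get("forces_setup_password"):
            report[serial] = (True, "user must set a password at first setup")     # criterion 2
        else:
            others = len(holders[pw]) - 1
            report[serial] = (False, f"default password shared with {others} other device(s) and no forced setup")
    return report


if __name__ == "__main__":
    for serial, (ok, why) in audit(DEVICES).items():
        print(f"{serial}: {'PASS' if ok else 'FAIL'} - {why}")
```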
As security researcher and infosec pundit Robert Graham points out, this new IoT security law, despite its good intentions, isn't particularly useful in the current state of the IoT market, and will not fix any of the problems that plague IoT devices.
"It's based on the misconception of adding security features. It's like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips," Graham wrote yesterday in his analysis of the bill.
"The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add 'security features' but to remove 'insecure features'.
"For IoT devices, that means removing listening ports and cross-site/injection issues in web management," Graham said. "We don't want arbitrary features like firewall and anti-virus added to these products. It'll just increase the attack surface making things worse."
"In summary, this law is based upon an obviously superficial understanding of the problem," the researcher concluded. "It in no way addresses the real threats, but at the same time, introduces vast costs to consumers and innovation."