September 19, 2018
The California State Legislature recently passed a bill called “Information Privacy: Connected Devices” that creates regulations for IoT devices sold in the United States. SB-327, which applies to all devices that connect to the Internet and include an Internet Protocol or Bluetooth address, would require that security audits be conducted on components purchased overseas. The bill is the first of its kind in the U.S. and has been forwarded to Governor Jerry Brown for his signature. While some have criticized the bill for not being specific or thorough enough, it could place pressure on manufacturers to offer better device-level protection against cyberattacks.
“The bill leaves a lot to be desired,” Digital Trends suggests. “Specific guidelines are not established, and many features that need to be included in a bill centered around security are not present.”
However, the proposed “legislation is a step toward much-needed oversight of security measures. Manufacturers like Google and Amazon place strong security protocols on their products, but even these can be broken by a determined hacker or via a weak link in a connected system.”
According to ZDNet, “the bill is pretty vague in what ‘reasonable security’ should be, but it does go into details when it comes to device authentication procedures.”
“According to the bill’s approved text, ‘if a connected device is equipped with a means for authentication outside a local area network,’ the authentication system must meet one of two criteria,” ZDNet reports:
- If the device uses a default password, the password must be unique to each device; or,
- The device must prompt users to set up their own password whenever the user sets up the device for the first time — criteria put in place to avoid manufacturers shipping devices with the same default credentials.
If signed by Governor Brown, the new legislation would take effect in January 2020.
UPDATE: Governor Brown recently signed SB-327 into law.