California’s ‘SB-327 Information Privacy: Connected Devices’ Bill Could Be The First To Establish IoT Regulation


By Aaron Guzman

After passing the state legislature on August 29th, California's "SB-327 Information privacy: connected devices" bill would make California the first state to establish regulation around IoT.

If signed by Governor Brown on September 30th, this bill will require connected devices sold or offered for sale in California to have “reasonable security features appropriate to the nature of the device”.

If the device can be accessed from outside the local network, it must, by January 1, 2020, either ship with a preprogrammed password that is unique to each device or include a feature that requires the user to generate a new means of authentication.

Connected devices are defined as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” Everything from TVs, home routers, appliances, wearables, doorbells, kids’ toys and an awful lot more devices fall into this category. 

The bill is a good start and provides a common-sense baseline against the influx of Mirai botnet variants that take advantage of static, hardcoded passwords in devices, but it does not address other commonly exploited IoT vulnerabilities. Crucial requirements are missing that would be worth including in future IoT security bills: requiring manufacturers to implement secure update mechanisms, hardening firmware components with code signing, and guidance on embedded system security such as removing insecure or unneeded network services.

The bill does not give manufacturers actionable guidance on implementing reasonable security features "appropriate to the nature and function of the device". Then again, do we want a government agency determining technical security controls for hardware and software components?

A better approach may be the adoption of NTIA's Software Component Transparency multi-stakeholder process or the Cyber Shield Act of 2017, both of which bring transparency to an IoT device's software supply chain by disclosing the third-party code and components it contains, enabling better risk and purchasing decisions.

Much of today's IoT malware exploits flaws in third-party software developed by suppliers that partner with several OEM manufacturers. Additional IoT security regulatory efforts are also in flight, such as the IoT Cybersecurity Improvement Act of 2017, the Securing IoT Act of 2017 and the IoT Consumer TIPS Act of 2017, among others.

Only time will tell which regulation will take precedence and gain industry adoption.

About Aaron Guzman

Aaron Guzman is Head of Automotive & IoT at Aon, as well as OWASP Los Angeles Board Member and Cloud Security Alliance LA/SoCal Board Member.
