The World’s First Law on the Protection in IoT

Will it really protect users or just increase the cost of producing IoT devices?

Law SB-327 on information security of devices connected to the Internet, adopted in California and will come into force in 2020. It obliges smart system developers to create unique logins and passwords for them, to ensure security on the Internet. How the community perceived this law and how it will affect the development of the industry, read below.

Why do we need this law?

The author of the bill, Senator Hanna-Beth Jackson, says that the law should have appeared a long time ago. In her opinion, ordinary consumers are rarely interested in the security of purchased gadgets. Because developers are not in a hurry to fix security vulnerabilities.

This problem is especially acute in the case of children’s toys, such as My Friend Cayla dolls. They communicate with children and forward the records to the manufacturer’s servers, for example, to analyze the question and find the answer to it. This creates a potential vulnerability for the child’s personal data. For this reason, the sale of such dolls was generally prohibited in Germany.

The main requirement of California law is that each IoT device manufacturer must provide its gadgets with appropriate protection. What will be considered “appropriate means of protection,” the law does not say, but it spelled out a specific rule in the user authentication system. The developer must either create unique login and password combinations for each individual device or need the customer to change the standard factory login data when using the equipment for the first time.

Effective or useless?

Cybersecurity experts have passed a law skeptical. One of the main critics was Robert Graham, a cybersecurity expert at Errata Security. Robert writes that the wording about “remedies” is too vague so it will be difficult for manufacturers to determine the criteria that need to be met.
Moreover, it is impossible to specify in the law how to counter specific threats, because new types of attacks constantly appear.

Graham believes that the law will only increase the cost of producing smart devices.

The law is useless in the opinion of Joe Lee, the company’s vice president, who creates a platform for protecting IoT networks. According to Joe, the security of the Internet of Things is a complex industry that is not limited to password issues for devices.

A number of information security experts supported the new bill. One of them was Bo Woods, a security specialist of the Atlantic Council. According to him, the vague wording in the law was used intentionally. This will allow companies to develop their own device protection requirements.

“The law should help solve the problem of unauthorized access to devices. However, it is not a panacea. Unique and strong passwords should make it difficult to hack smart gadgets using a trivial dictionary search. Yet, there are many other ways to gain access to devices, for example, re-binding the DNS. More than half a billion IoT devices worldwide are subject to this type of attack.”

Many experts believe that even an imperfect law is better than its absence. The author of books on cybersecurity and cryptographer Bruce Schneier said that the SB-327 is a step in the right direction, although this document is not enough to fully regulate IoT.

Users generally support the California government initiative. Residents of Hacker News says that manufacturers’ passwords may be too predictable and coincide with the serial number. But this solution is better than the standard password for all devices of the same model.

Some users find the law meaningless. The commentator on Slashdot pointed out that most often security problems of IoT devices are not solved by changing the password and are related to vulnerabilities in the firmware and software modules. For example, in 2017, a bug was found in the gSOAP library, which is used by manufacturers of IoT devices. During the demonstration, security experts hacked into the home camera and got a picture of it.

Why is this law important?

The activity of politicians in drafting legislation to protect the Internet of Things has been observed for the past three years.

The US government, starting in 2015, has been issuing guidelines for manufacturers of smart devices, in which it makes recommendations on the protection of personal data of users. Last year, several projects were considered in the US Congress that must federal agencies to develop safety standards for IoT devices.

In Europe, a similar document can be considered a directive on the security of networks and information systems adopted in July 2016. It does not concern the Internet of things, but it does establish requirements for the protection of companies’ systems in critical areas: energy, finance, health care, and the transportation industry. The document contains only a list of rules, and each EU state should determine the methods for their implementation.

The IoT Protection Act is also being drafted by the Australian government. According to politicians, they seek to create a balanced document that will protect consumers and will not limit innovation in the IoT. For this, the regulator conducts a dialogue with representatives of the industry. For now, politicians are only discussing requirements for manufacturers of smart devices.

Thus, California law was the first to plan general requirements for all manufacturers of IoT devices. And although it is not perfect, there is an opinion that the directive will become a guideline for other countries and will start active work on the security of smart gadgets.