What steps have California and UK taken to secure IoT devices? Here’s what you need to know.
Thinking of buying a smart door lock or a thermostat? Good news, consumers! Starting Jan 1, 2020, new internet-connected consumer products such as mobile phones, smart appliances, home alarms, monitors, trackers, and cameras that are sold in California must now be equipped with “a reasonable security feature or features.”
Two nearly identity bills, Assembly Bill No. 1906 and California SB-327, were recently signed into law by CA Gov. Jerry Brown. The first-of-its-kind law is aimed to tighten the privacy and security of California residents. The 15-month delay is designed to hold IoT device manufacturers accountable without stifling innovation.
Across the pond, the U.K. government also sought to secure smart gadgets by releasing a new voluntary Code of Practice (CoP) for consumer IoT devices, just a few weeks after California bill SB-327 was passed. Two companies, HP Inc. and Centrica Hive Ltd, have already pledged to implement CoP by 2021.
California’s Internet of Things Security Law, on the other hand, requires manufacturers of connected devices to adhere to the law.
The differences don’t stop there.
California vs. UK: A deeper look
California’s Internet of Things Security Law is a great first step in a very long road to ensure privacy and security.
California’s new IoT law does not clearly define what constitutes a “reasonable” security feature. However, it specifies that any such feature must be:
Appropriate to the nature and function of the device
Appropriate to the information the device may collect, contain, or transmit
Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure
A statute in the law also takes aim at generic, hard-coded passwords. In addition, if the device is capable of authentication outside of a local area network, a pre-programmed password must be unique to each device or the consumer must generate a new password before initially using the device.
In comparison, the U.K.’s detailed code ― drawn up by the Department of Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre ― includes 13 separate steps, which manufacturers of small smart gadgets can take to produce secure products. The most notable steps:
No default passwords; they must be unique
Making it easy for users to delete data off the product
Securely storing credentials and data
Having a public point of contact to report issues
The government also released a mapping document to make it easy to follow HP and Centrica Hive’s example; as well as a guide for consumers to secure their IoT devices at home.
These efforts are part of UK’s £1.9bn national cyber security strategy in response to (and in preparationagainst) a major cybersecurity attack in the future. Since its founding in 2016, the UK’s National Cyber Security Centre has thwarted over 1,600 cyber attacks or 10 attacks per week.
Precedence of unsecured IoT devices
These security measures come at a time when a number of high-profile events continue to expose the vulnerability of IoT devices.
Just last week, a mother in Long Island reported a nightmare situation to her local news. It was a regular habit on workdays for her husband to communicate with their 5-year-old son through a Nest Cam in the child’s playroom. One day, to the mother’s great horror, the boy came running out of his playroom, alarmed that it wasn’t Daddy on the other end of the Nest Cam. A stranger had hacked the line and was asking the boy personal questions. When the woman complained to Nest, she was told to strengthen her password and start using 2-factor authentication.
And, last year, internet-connected teddy bears by Spiral Toys exposed more than 2.2 million voice recordings between children and their parents, as well as over 800,000 customer email addresses and password details. The stuffed toy was designed to enable parents and children to stay in touch using voice messages, but the poorly secured data sat on a MongoDB database, which was not protected by a firewall or a password; and voice messages were housed on Amazon S3 that required no authentication to access. Adding insult to injury, it took over 2 months before Spiral Toys notified the victims or even disclosed the breach.
There are literally billions of IoT devices with lax security sitting in homes like unintentional secret doors. Cybercriminals have a 15-month head start before California’s IoT security law kicks in, so users everywhere are urged to stay vigilant over their own IoT security in the meantime.
But is it enough?
California’s IoT law is a significant departure from California’s approach to data security legislation to date. The State’s overarching data security law (Cal. Civ. Code § 1798.71.5) requires reasonable data security measures to protect certain types of personal information. This new legislation requires reasonable security measures regardless of whether a device processes any personal information at all.
However well-intentioned the California IoT law is, the question remains: is it enough?
And more importantly, aren’t we beyond passwords?
For the past couple of years, companies and security experts have persuaded us to enable two-factor authentication, which combines two or three factors:
something the user knows (i.e. password, pin or answer to a secret question),
something the user has (i.e. mobile phone, a token or key fob); and/or
something the user is (i.e. facial recognition, behavioral biometrics or fingerprint).
If IoT device manufacturers adhered to California’s minimum requirements, it would be easy for hackers to deploy three types of password attacks with just a program or a script.
Brute force attacks - usually starting with the easiest-to-guess passwords. Kanye West wouldn’t be immune with his phone password revelation (It’s 000000. Surprise!)
Dictionary attacks - cycling through a combination of common words.
Keylogger attacks - tracking user’s keystrokes.
The legislation not only lacks specific guidance on password length or complexity, part of it also permits access to law enforcement via a court order or other applicable law. Malicious entities could potentially exploit and abuse these same access points to gain entry into devices.
The Register’s Kieren McCarthy wrote that the California password law could make things worse by giving “lawmakers their own false sense of security that they have fixed the problem. They have not.”
Moreover, no private right of action is provided. Instead the “Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this title.” That means a private person/citizen cannot sue manufacturers in a private litigation.
Global spending is forecasted to grow at a Compound Annual Growth Rate of 44%, or $4.4bn by 2022, driven by increasing IoT adoption and new regulations such as California’s law and UK’s CoP.
With more points of exposure and increased impact of attacks, security must happen across the stack from the hardware layer, communication layer (messaging), cloud layer, and lifecycle management.
We’re proud to have products and services, such as Avast Smart Home Security, that protects connected devices and detects real-time threats at the network layer. The internet router is fast becoming the new attack surface for cybercriminals.
For example, if a device is turned on at an unusual time or begins transmitting data to an unknown entity, these could be indications that the device is being hijacked. In this situation, Avast Smart Home Security will shut down the attack and alert the family immediately via a mobile app before any harm can be done.
See the many IoT entry points for hackers to hack in your home: