On September 28, 2018, California became the first US state to specifically regulate the security of connected devices (otherwise known as ”Internet of Things” or “IoT devices”).
The new laws aim at increasing the security of IoT devices, whose global use is growing rapidly. Statista has estimated that in 2018 there are over 23 billion IoT devices currently in use, and this number is expected to grow to over 26 billion in 2019 (Gartner has estimated 20 billion such devices will be online by 2020). Unfortunately many IoT devices remain dangerously unprotected from cybercriminals and vulnerable to malware as they enter the market with no passwords, default passwords (think ”123”, ”admin” or even worse, ”password”) or otherwise hard-coded passwords that cannot be modified or updated.
These concerns are not merely speculative. By way of ‘real life’ example, beginning September 2016, massive distributed denial of service (DDoS) attacks took down various US Internet infrastructure companies/DNS providers, leaving much of the Internet inaccessible on the east coast of the United States and incapacitating popular websites (including AirBnB, Amazon, Github, HBO, Netflix, Paypal, Reddit, the New York Times and Twitter, just to name a few). Originally created by three teenaged hackers, the Mirai malware responsible for the attack was specifically designed to target and infect susceptible IoT devices such as security cameras, home routers, air-quality monitors, digital video recorders and routers using a table of more than 60 common factory default usernames and passwords. These devices were turned into a network of remotely controlled bots that were used to launch the DDoS attacks which later spread globally, impacting such diverse organizations as OVH (a large European provider), Lonestar Cell (a Liberian Telecom Operator) and Deutsche Telekom. At its peak, Mirai infected over 600,000 vulnerable IoT devices.
These two new substantially similar IoT laws (California Senate Bill 327, chapter 886 and Assembly Bill No. 1906, “Security of Connected Devices” (2018 Cal. Legis. Serv. Ch. (S.B. 327)(to be codified at Cal. Civ. Code § 1798.91.04(a)) (collectively, the “IoT Laws”) require manufacturers of connected devices to equip the device with a ”reasonable” security feature or features that meet all of the following criteria: (i) appropriate to the nature of the device; (ii) appropriate to the information it may collect, contain, or transmit; and (iii) designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure. The IoT Laws broadly define a ‘connected device’ to mean any devices or other physical object that is capable of connecting to the Internet (directly or indirectly), and that is assigned an Internet Protocol address or Bluetooth address, meaning that consumer, industrial, and other IoT devices are covered.
Additionally, if the connected device is equipped with a means for authentication outside of a local area network, either of the following requirements must be met before it shall be deemed to possess a “reasonable security feature”: (i) it must have a preprogrammed password unique to each device manufactured; or (ii) the device must contain a security feature that requires a user to generate a new means of authentication before access is granted for the first time.
The IoT Laws broadly capture “manufacturers” to include the producers of the devices themselves and those who manufacture on behalf of such organizations, connected devices that are sold or offered for sale in California. However, manufacturers are not responsible for any unaffiliated third-party software or applications that a user chooses to add to the device. Contracts with organizations or persons involving the mere purchase of connected devices or purchasing and branding a connected device are excluded.
Manufacturers are obliged to allow users to have full control and/or access over connected devices, including the ability to modify the software or firmware running on the device at the user’s discretion. Additionally, no obligations or duties are imposed upon electronic stores, gateways, marketplaces or other means of purchasing software or applications to review or enforce compliance with these statutes.
The IoT Laws contain various exclusions and limitations. For example, they do not apply to manufacturers of connected devices that are already subject to security requirements under US federal law, regulations or the guidance of federal agencies (presumably FDA-regulated medical devices, for example). They do not prevent law enforcement agencies from continuing to obtain connected device information from a manufacturer as authorized by law or pursuant to a court of competent jurisdiction. They also do not apply to the activities of covered entities, providers of health care, business associates, health care service plans, contractors, employers, or other persons subject to the U.S. federal Health Insurance Portability and Accountability Act of 1996 (better known as HIPAA) or California’s Confidentiality of Medical Information Act.
Significantly, the IoT Laws do not provide individuals with a private right of action against non-compliant manufacturers. Only the Attorney General, a city attorney, a county counsel, or a district attorney has the authority to enforce these requirements.
The IoT Laws are scheduled to come into force on January 1, 2020.
The enactment of the IoT Laws was clearly motivated by the desire to improve the security of smart devices and mitigate security vulnerabilities that leave such devices open to cyber-attacks such as Mirai malware. By not mandating what security features are ”reasonable,” the legislation is effectively leaving it up to the manufacturer to determine whether its security features meet the three-prong test described above. Guidance from agencies such as the National Institutes for Standards and Technology (NIST) and other industry self-regulatory guidelines can help determine what will be reasonable under the circumstances (in fact NIST is currently seeking comments on its draft guidance document which includes recommendations for addressing security and privacy risks associated with IoT devices—see Draft NISTIR 8228, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks”.)(“NIST Guidance”).
The new IoT Laws are not without their flaws and skeptics. Critics charge that certain aspects of the IoT Laws are vague and ambiguous given the lack of clear standards (what does “reasonable security feature or features” mean practically?) with no way to validate that the manufacturer actually designed to those standards. While the IoT Laws may address the security threats associated with hardcoded or default passwords that are easily guessable and may force manufacturers to in turn force consumers to change their passwords before using such devices (or otherwise install unique passwords), they do not address many other security concerns or truly enhance device security. These concerns include the failure of many manufacturers to routinely update the software/firmware accompanying many IoT devices (or otherwise compel consumers to update such software/firmware if patches/upgrades are actually available) to address security and other concerns. Other pre-market security means to enhance security are also ignored (device attestation, security audits for firmware from third party providers, improvements in device access, management, and monitoring, requirements to remove unnecessary insecure features, etc.). As the NIST Guidance has noted, an IoT device may be a black box that provides little or no information on its hardware, software, and firmware or may not offer any built-in capabilities to identify and report on known vulnerabilities. And users can still deploy terrible passwords.
However, while arguably incomplete from a security perspective, California is a large market and a standard setter for the U.S., and the IoT Laws may serve as an example for other jurisdictions to follow. Accordingly any manufacturer of an IoT device that intends to ship its products into California must start employing better security features that meet the requirements of the IoT Laws; as such the IoT Laws may be the catalyst required to nudge IoT-connected devices in the right direction to better security.