The IoT has been a gamechanger in the past few years, both personally and professionally. We are connected to everything, creating massive amounts of data which has been rather enticing to cyber criminals. IoT is seen as one of the most important aspects of technology today and also one of the most vulnerable. After the DDoS attack in 2016 it was evident that we need to beef up IoT security, but for the most part the onus has been on the consumer and not the device company. But that’s all about to change thanks in large part to California’s IoT law.
California’s IoT law is a first for the nation, but likely not the last of it’s kind. It’s incredibly important coming from California too, with most major companies headquartered in the Silicon Valley, but I’ll get more into that later. For now, let’s dive into what the law is and how consumers will benefit.
All About the New California IoT Law
After a three year process, California’s IoT law will take effect January 1, 2020. The main provision requires each manufacturer of an IoT device equip it with reasonable security features to ensure the safety of its owner. However, ‘reasonable security’ is not defined and leave interpretation up to the IoT device manufacturer, which in my opinion will lead to more complications down the road.
The law did specify, though, that devices that use default passwords will need to require new and unique passwords and will need to prompt users to develop new passwords during the initial setup of the device.
That’s all the bill includes. It’s a short and concise law that has a lot of room for interpretation.
Will California’s IoT Law Work?
So, the question on everyone’s mind is, obviously, will it work? Will consumers be safer just because devices are equipped with reasonable security and we create a unique password? I’m going to pessimistic here and say while although this is a good start, it’s not enough.
I think, “reasonable security” is too broad of a statement, and manufacturers can interpret that phrase in any way they want. Security won’t be consistent across devices. Apple for example could step it up and create firewalls and security measures for their devices that will be top of the line. While Fitbit could go with the bare minimum. How is that a solution?
Security experts in the field have concluded that the law wouldn’t do anything to fix the real problems facing IoT. Instead, it will mask them—and I agree. When it comes to these devices, we should be focused on removing the insecure features instead of masking them with security features. An insecure device won’t become secure just because of an added feature that may or may not work. By removing what makes the device insecure in the first place, we have a greater chance of protecting its user.
The Importance of IoT Safety Regulations
It really seems to me that California’s IoT law, is based on a superficial understanding of the IoT and the potential threats. But I do think it will force us to head in the right direction.
In the past few years, governments of all sizes have really stepped up their game when it comes to cyber security protections for consumers. From the California IoT law to the GDPR, governments are realizing that companies aren’t doing enough to protect us.
It makes sense too that governments are intervening. Think about cars, for example, when they were first made, they didn’t have seat belts. Now every car has a seat belt and it’s a requirement during the manufacturing process all because a government intervened and made it a law. Adding security measures to our IoT devices is the same basic premise. We need seatbelts to protect our data. Especially now in light of the large number of cyber security hacks.
Like I mentioned previously, hackers caused the huge global DDoS attack in October of 2016 by gaining access to a network through an unsecured IoT device. This revealed major vulnerabilities. Companies have reported malicious hacks on unsecured printers. Recently, researchers found vulnerabilities within IoT baby monitors that could be used to monitor live feeds, change the camera’s settings and authorize other users to view and control the monitor. IoT car devices can be hacked by those wanting to cause havoc included unlocking doors or shutting down the car itself.
Attackers who gain access to these connected devices gain access to your entire network. That is a scary thought! And device manufacturers have not been held accountable till now.
It’s Only the Beginning
Although California’s IoT law is only the beginning, it’s a stepping stone towards laws that would govern manufacturers and smart device creators, requiring them to offer only secure tools and devices to consumers.
There’s still a lot to be done and California’s IoT law might be too little for the time being, but it’s definitely far from being late. Now is the time for regulations to be put in place to secure devices and networks from malicious activity. In the near future, I foresee more bills being written to follow suit. Until then though, it’s still on us to secure our IoT devices so be sure to check out my article on the importance of IoT security during cybersecurity planning.
The original version of this article was first published on Futurum.