Experts: California's IoT Security Law Falls Short

California has passed new legislation set to make it illegal for connected device manufacturers to ship them with default passwords, but experts want lawmakers to go further.

The Information Privacy: Connected Devices bill will come into force on January 1, 2020, and is an attempt to force improvements in IoT security following some headline-grabbing incidents over recent years.

The law mandates manufacturers either to create a unique credential for each device on the production line, or ensure that the user is forced to do so on booting up for the first time.

In the context of this law, “connected device” refers to any “physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”

The law will help to reduce the risk of IoT attacks like Mirai which work by scouring the web for exposed devices protected only by simple, factory default log-ins, before conscripting them into botnets.
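The two compliance paths the bill describes (a unique credential programmed per unit, or a forced credential change before first use) can be modelled in a few lines. This is an added illustration, not code from the article or from any manufacturer; the Device class, the weak-password deny list and the 12-character minimum are assumptions chosen for the example.

```python
"""Model of the bill's two options: per-unit unique credential, or forced change on first boot."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample of factory defaults the policy rejects (not any botnet's real list).
COMMON_DEFAULTS = {"admin", "password", "12345", "root", "default"}


def hash_credential(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so the device never stores a plaintext credential."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def unique_factory_credential() -> str:
    """Option 1: a random password generated per unit on the production line."""
    return secrets.token_urlsafe(12)


def acceptable_new_credential(password: str) -> bool:
    """Reject well-known defaults and short passwords when the user picks one."""
    return len(password) >= 12 and password.lower() not in COMMON_DEFAULTS


class Device:
    """Option 2: remote login is refused until the factory credential is replaced."""

    def __init__(self, factory_password: str):
        self._salt, self._digest = hash_credential(factory_password)
        self.setup_complete = False

    def _matches(self, password: str) -> bool:
        _, digest = hash_credential(password, self._salt)
        return hmac.compare_digest(digest, self._digest)  # constant-time compare

    def first_boot_setup(self, factory_password: str, new_password: str) -> bool:
        """One-time step: prove the factory credential, then replace it."""
        if self.setup_complete or not self._matches(factory_password):
            return False
        if not acceptable_new_credential(new_password):
            return False
        self._salt, self._digest = hash_credential(new_password)
        self.setup_complete = True
        return True

    def login(self, password: str) -> bool:
        # The factory default never grants network access, even if guessed correctly.
        return self.setup_complete and self._matches(password)
```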

The technique has been aped by multiple variants since Mirai first appeared in 2016, with a new threat discovered just last week, dubbed “Torii.”

While the new law will certainly do its bit to improve IoT security, many of the devices which the Mirai botnet compromised were built in China rather than California.

Experts lined up to argue the law should do more to improve baseline security.

Nabil Hannan, managing principal at Synopsys, argued that it would help to solve the problem of dictionary attacks or common password-based attacks, but not other threats.

“This, however, doesn’t stop the problem of say, a user’s password getting stolen through a vulnerability like SQL injection or through a phishing attack. Now the attacker can use the complex password and still get into the user’s account,” he explained.

“Or a user maintaining the same complex password across all applications. If one application is breached due to a vulnerability such as SQL injection, where all user passwords are stolen, then the attacker can now use the same complex password to get into the user’s account across all applications.”

AlienVault security advocate Javvad Malik claimed the law should also cover things like forcing manufacturers to ensure patches and security fixes are regularly issued and easy to deploy.

“Finally, many internet-connected devices are only usable when they are connected to the manufacturer’s cloud. If the manufacturer decided to stop support, or end-of-life a product, then often the customer is left with an unusable device,” he added.

“One option to combat this is that manufacturers place the device code in escrow, so that if the company stops supporting the devices, or ceases to exist — customers, or a third party can manage the devices themselves.”

The British Standards Institution launched a new Kitemark scheme earlier this year which aims to raise security standards in the IoT industry. One of the requirements for accreditation is to produce devices with unique passwords which aren’t resettable to a factory default.
