California’s Proposed IoT Bill

October 15, 2018 Kevin Kish

Connected devices, now collectively known as the growing Internet of Things (IoT), are becoming more and more integrated into our everyday lives, continuously collecting our personal and non-personal data to make life more convenient. As such, manufacturers are constantly searching for new ways to connect devices, expanding the IoT to include home security systems, healthcare devices, smart locks, and children’s toys to meet both expectation and demand. Though all of this indicates positive technological innovation and progress, one substantial problem remains: data security and privacy.

Security concerns around internet-connected devices are a common discussion among security groups—particularly concerning are situations in which IoT devices can be manipulated to stage a powerful attack on a target. It remains a widespread problem, as countless relevant stories have surfaced in the media in recent years—including the prominent example of the casino high-roller database that was stolen after hackers found their way in through a connected fish tank thermometer.

Per the U.S. Department of Justice in the 2017 Internet of Things report:

“Although malware has existed for many years, the burgeoning popularity of IoT devices has significantly increased the number of Internet-accessible targets that may be exploited; the advent of a new generation of malware dedicated to exploiting IoT devices is largely to blame.”

Although IoT security considerations and associated vulnerabilities are nothing new, California has just passed another groundbreaking bill (SB-327) to further address standard security baselines and lessen the attack surfaces of the IoT devices.  Some of the bill’s key provisions include:

| Provision | General Description |
|---|---|
| 1798.91.04(a)(1-3) | Applying reasonable security features to protect the confidentiality, integrity, and availability of data processed using the device, and relevant to the categories and types of data that are collected, processed or transmitted |
| 1798.91.04(b)(1-2) | Designing products with a unique, pre-programmed password or to require user authentication prior to accessing the device for the first time |


Industry Experts’ Criticism and Review

However, these newly introduced security “features” being promoted by lawmakers have drawn scrutiny from the industry, and many experts are questioning whether the ambiguous security requirements stipulated in the bill truly address the root of the problem. To put it concisely, are they enough?  Even as some basic security features become a mandatory consideration in IoT product development, some continue to suggest that these provisions will not prevent several different kinds of major incidents, including those listed below. 

| IoT Attack | Description | Contributing Factor(s) |
|---|---|---|
| Mirai | Botnet attack that used vulnerable IoT devices to launch coordinated attacks (i.e. DDoS) | Manufacturer default usernames and passwords |
| My Friend Cayla Doll | Unprotected Bluetooth allowed unauthorized connections that could intercept incoming images, sounds, and data feeds | Insecure Bluetooth connections |
| Finland Heating Crisis | DDoS attack on nearly two city blocks of HVAC units in Lappeenranta during winter, shutting off the heat for several days | Unauthorized access to insecure IoT devices |

In fact, these new security features may actually expand the attack surface (i.e. vulnerable security services, new backdoors, etc.), and may increase the impact and severity of these malicious events. Obviously, huge security questions remain, and huge concerns with them, especially since over 20 billion IoT devices will be in use by 2020 according to recent forecasts. Yes, the proposed security requirements in California may seem reasonable for general consumer protection, but the bill is clearly not a perfect solution.

Some of SB-327’s more debated potential flaws are:

  • Lack of precedence on device hardening
  • Removing encoded encryption keys and removing unnecessary services/features
  • No specific mandates for data encryption in transit
  • Enforcement in California alone won’t be sufficient (i.e., only ~11% of Mirai bots were US-based)
  • The bill looks at historical events rather than the evolving, dynamic environment today and predicted future landscapes

The Entertainment Software Association, one of three notable industry groups that are opposed to SB-327, reiterates that the bill’s requirements are:

"Not necessary to provide protections to California residents. It contends that existing law already requires manufacturers to implement reasonable privacy protections appropriate to the nature of the information they collect."

And even aside from the remaining security liabilities, some industry advocates are also suggesting that these new requirements will restrict the innovation and growth of IoT research and development while also passing unnecessary costs on to the consumer. At the same time, this may result in adding services, and these add-ons might themselves increase the attack surface, rather than removing unneeded features. Given all these remaining problems without current solutions, it raises the question: are there benefits to SB-327?

What Does This Mean for Consumers?

The answer is yes. Even if industry experts feel there should be more specificity in the security measures, establishing baseline requirements should be a good measure for consumers -- no one can contest a well-established cybersecurity standard for devices that continuously gather personal data.  And while consumers may see a rise in cost due to further development efforts as a result of this bill, it shouldn’t be so much as to have a major impact on purchasing decisions.  Consumer advocate groups also suggest that this bill will be particularly helpful for protecting consumers of all ages, especially children:

“By ensuring that connected devices meet basic security standards, SB 327 will help families make informed choices about these devices and the information they collect and share. It’s time to make sure that families know what information the devices they buy are capable of collecting and that they have control over that collection.”

Similarly, the Privacy Rights Clearinghouse supports this bill, stating:

“The market for connected devices continues to grow. However, little has been done to ensure device manufacturers are building in privacy protections from the ground up, or that they are informing consumers about the data collection and sharing capabilities of what they are purchasing.”

What’s Next for Manufacturers

As with any new piece of legislation, there are both advocates and critics of the bill’s provisions, especially in cases where the matter is subject to interpretation (i.e. reasonable security features) as it is with the IoT bill. As such, the industry is required to assume responsibility and apply its best judgment in meeting the legal requirements for applying appropriate security using unbiased, proportionate measures to protect consumer data that is processed using the IoT services. The bar of what constitutes “sufficient” security in order to comply with SB-327 must be reasonable and dynamic, based on court decisions and clear evidence of negligence by organizations; otherwise, it may be practically impossible to meet the standard and will be a major failure in legislation. Though there are less favorable stipulations of the bill, some things are clear enough to add a temporary roadblock to the attackers seeking to use IoT for malicious purposes. It would be unfair to the industry to expect that this is a perfect solution to remediate all technical flaws, but in the end, it may be a push in the right direction to set the course on the future of IoT security.

About the Author

Kevin Kish

Kevin Kish is a Privacy Technical Lead with Schellman & Company, LLC. With nearly 8 years of industry experience, he has a strong history of implementing, maintaining, and assessing global information security and privacy requirements, including ISO 27001, HITRUST, Privacy Shield and the General Data Protection Regulation. As an industry advocate, he is passionate about researching and writing on the fundamentals and concepts of sustainable data privacy, and about providing education to clients on the risks, challenges, and best practices around data privacy legislation. He holds several privacy designations from the International Association of Privacy Professionals, including CIPP/US, CIPP/E, and CIPM.
