Is Your Smart Thermostat Safe from Hackers? California’s New Internet-of-Things Cybersecurity Law Seeks to Address the Issue


Source: California Senate Bill 327 (2018 Cal. Stats. ch. 886), bill text hosted by California Legislative Information.

On September 28, 2018, California Governor Jerry Brown signed into law Senate Bill 327 (“SB 327”), the first Internet-of-Things (“IoT”) cybersecurity bill on the books in any state. The new law will require manufacturers to equip Internet-connected devices—such as cellphones, home assistants, and other smart hardware—with security features in order to protect against hacking and other security concerns.

The California bill is the first attempt in the United States to impose security measures on this previously unregulated area of cybersecurity. The necessity of such regulation became apparent in recent years, after several high-profile “botnet” attacks used unsecured (or easily hackable) consumer IoT devices to take down well-known websites. SB 327 requires manufacturers to include “reasonable security features” on any device that connects to the internet via IP or Bluetooth. The features must be “[a]ppropriate for the nature and function of the device” in question and “[d]esigned to protect the device and any information contained therein from unauthorized access.” Previously, some IoT devices shipped with preset, easily guessable passwords that consumers never changed; the new law requires more than that to meet the reasonable-security requirement. Under the law, manufacturers must either provide authentication credentials unique to each device, or build devices that prompt users to change the password before they can access and use the device.
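The two compliance paths the law describes (a credential unique to each device, or a device that refuses service until its shared default is replaced) can be modelled in a few lines. The following is an added illustration, not code from the original post or from any manufacturer; the `Device` class, the `"admin"` factory default and the batch-uniqueness QA check are all constructed for the example.

```python
import hashlib
import hmac
import secrets

DEFAULT_PASSWORD = "admin"  # constructed example of a shared factory default (the pattern the law rules out)

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: the device stores only salt + hash, never the plaintext
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Device:
    """Minimal model of a device login path with a first-use credential gate."""

    def __init__(self, serial: str, preprogrammed_unique: bool):
        self.serial = serial
        self.salt = secrets.token_bytes(16)
        if preprogrammed_unique:
            # Path 1: a credential unique to this unit, drawn from a CSPRNG at manufacture
            self.initial_password = secrets.token_urlsafe(12)
            self.must_change = False
        else:
            # Path 2: shared default, but the device will not serve until it is changed
            self.initial_password = DEFAULT_PASSWORD
            self.must_change = True
        # initial_password is retained here only so the batch QA check below can run;
        # a real unit would carry it on the label, not in storage
        self.pw_hash = hash_password(self.initial_password, self.salt)

    def login(self, password: str) -> str:
        # Constant-time comparison of hashes; returns "denied", "change_required" or "ok"
        if not hmac.compare_digest(self.pw_hash, hash_password(password, self.salt)):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def change_password(self, old: str, new: str) -> bool:
        # Reject the factory default, a no-op change and trivially short passwords
        if self.login(old) == "denied":
            return False
        if new == DEFAULT_PASSWORD or new == old or len(new) < 8:
            return False
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(new, self.salt)
        self.must_change = False
        return True

def credentials_are_unique(devices) -> bool:
    # Manufacturing QA check: no two units in a batch may share an initial credential
    return len({d.initial_password for d in devices}) == len(devices)
```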

Reactions to the bill have been mixed. Security experts from Harvard University and Georgia Institute of Technology feel this measure is an important first step in improving security for the average consumer, particularly in view of devices with generic passwords, and that enacting it will provide a baseline on which to build additional regulations. Others have stated the bill does not go far enough, since it does not require device encryption, which would help prevent bad actors from reading any illicitly obtained data. On the security blog Errata Security, cybersecurity expert Robert Graham also critiqued the bill's approach of adding security features rather than removing insecure ones. Graham argues that generic passwords are just one of many insecure features that need to be addressed, and that even the language in the bill addressing passwords is wrong, indicating only a superficial understanding of the problem.

Other experts, like Ruth Artzi of cybersecurity firm VDOO, point out that the “reasonable security features” language is vague and hard to verify, and would prefer clearer standards that are more easily validated. Some of the law’s vague language may relate to initial opposition from industry trade groups like The Internet Association and Technet, which objected to the language of an earlier draft requiring IoT products to alert consumers when their information was being collected. Both groups dropped their opposition following the changes, but other groups, like the Security Industry Association, the National Electrical Manufacturers Association, and the California Manufacturers and Technology Association, still object to provisions because of the “undefined rules” the bill imposes on manufacturers.