Internet of Things: California Passes Legislation on Connected Devices

Posted by Thomas E. Sowers on

On September 28th, California passed the first law in the country designed to address the security of internet-connected devices, more commonly known as the Internet of Things (IoT). The law bans the use of default passwords on internet-connected devices sold in the state and requires manufacturers to use strong passwords. The law is scheduled to go into effect on January 1, 2020.

The IoT generally includes all devices, including simple sensors, routers, DVRs, smartphones and wearable gadgets, that connect to the internet and collect and share data. Improperly secured IoT devices have led to notable security breaches. In 2016, malware known as Mirai caused huge portions of the internet to go down, including Twitter, Netflix, Reddit, CNN, PayPal, Spotify and The New York Times, when the company servicing these websites, Dyn, was attacked. The attack occurred after millions of IoT devices were hijacked and then used to overwhelm Dyn’s servers with fake traffic. The fake traffic caused a denial of service to the websites Dyn hosts. Mirai hijacked the devices by continually searching the internet for vulnerable IoT devices known to use factory default usernames and passwords, and then infecting them with malware to target the Dyn servers.

Today, billions of devices connect to the internet. Experts have been calling for increased security measures for these devices and warning of the security risk associated with sub-standard protection. The new California IoT law aims to address this concern by requiring devices that are capable of connecting to the Internet “directly or indirectly” via Internet Protocol (IP) or Bluetooth addresses to have “reasonable” security controls. The law states that devices must have “a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”

The law also adds security to internet-connected devices by obligating manufacturers to provide a security feature “that requires a user to generate a new means of authentication before access is granted to the device for the first time.”

California has been aggressive in 2018 in passing legislation relating to data privacy and security. In June, California passed the California Consumer Privacy Act (CCPA), a statute that grants California residents specific rights on how their personal data can be stored, accessed, sold and deleted. The CCPA also goes into effect on January 1, 2020.