Secure IoT: Not just a good idea—it's the law (in California)

Last week, the governor of California approved the state’s shiny, new, snappily titled Internet of Things law, Information privacy: connected devices.

It mandates that IoT vendors should protect Californians from harm—as perpetrated by those who would hack their net-connected light bulbs, smoke alarms, smart TVs, and other toys.

Naturally, much of the infosec community piled on to criticize and castigate. Still, this new law is at least something.

But at what cost? In this week’s Security Blogwatch, we make like Dick the Butcher.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Swedemason

‘Reasonable’ people can disagree

What’s the craic? Lindsey Turrentine and Connie Guglielmo wax lyrical—California governor signs country's first IoT security law:

Gov. Jerry Brown has signed into law a broad cybersecurity bill governing Internet of Things devices.

SB 327 … mandates that any maker of an Internet-connected, or "smart," device ensure the gadget has "reasonable" security features that "protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure."

The law … will go into effect on Jan. 1, 2020.

Much ado about nothing? Adi Robertson pens California just became the first state with an Internet of Things cybersecurity law:

If [the device] can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default credentials.

Several Internet of Things-related bills have been introduced in Congress, but none have made it to a vote. The IoT Cybersecurity Improvement Act … would set minimum security standards for connected devices purchased by the government, but not electronics in general. Taking a separate track, the IoT Consumer TIPS Act … would direct the Federal Trade Commission to develop educational resources for consumers around connected devices, and the SMART IoT Act would require the Department of Commerce to conduct a study on the state of the industry.

What does an actual lawyer make of it? Joe Stanganelli calls it Rudimentary:

California bill may begin to set a legislative standard … for basic [IoT] security, but it's such a low and vague standard in such a politically unfashionable area that it may not signal much.

Skeptics have long complained that one big problem of IoT-related laws and regulations is that there can be no practical one-size-fits-all; by definition, an IoT device can literally be just about anything. … It is hard to imagine a manufacturer going to the trouble to make and market a device with security features so inappropriately complex or burdensome as to make the device unusable.

That fluffy word "reasonable" … tends to set a very low bar in legal contexts. … Perhaps the only real meat in the California bill lies in [its] strong suggestion to manufacturers to stop shipping devices with non-unique passwords.

The [law is not] the first IoT-specific legislation. … In 2015, after a consumer-data scandal surrounding smart-television manufacturer Vizio, Calif. enacted a law putting strict requirements on the implementation of voice-recognition technology. … In 2006, California passed a law imposing similar, stricter requirements and limitations upon satellite and cable companies regarding monitoring, collecting and using subscriber data.

Now it's official. … Governor Brown did indeed sign the bill into law. … Not that, I think, anyone was particularly expecting him to veto it.

O RLY? Jerry Bowles asks if it’s too little too late?:

No one seems to believe that SB-327 will completely – or even mostly – solve the problem of insecure IoT devices.

Most connected devices have no inherent security or way to patch or update them and network security or firewalls won’t protect them. Half a billion – and growing – unmanaged and exploitable enterprise devices are a nightmare waiting to happen.

In short, the California bill is cursory and incomplete. It doesn’t even address such low-hanging fruit as device attestation, code signing, or a security audit for firmware in low-level components vendors buy in from overseas suppliers.

Still … such moves by legislative bodies are a step in the right direction. In this case, the State of California has beaten federal lawmakers to the punch. Unfortunately, that is not that much of an achievement.

Joe Lea. Joe Lea. Joe Lea, Joe Lea—we’re begging of you, please don’t take our law: [You’re fired—Ed.]

The ‘reasonable security’ measures proposed in SB-327 are nice, but are sadly meaningless in the face of the security complexity introduced by connected devices.

Bad default passwords are problematic on multiple levels, so moving away from default passwords is a wise choice, but password hygiene won’t prevent other types of attacks targeting the tsunami of devices in the enterprise and the exposures they create. … There are other ways to attack these devices and exploit them. We need to recognize the extent to which these devices represent entryways onto enterprise networks and critical information.

IoT is the new attack landscape. Most connected devices have no inherent security or way to patch or update them. … And it is a false sense of security to assume that simply because an IoT device is behind the firewall, it is safe.

With a more nuanced perspective, sbwinn has mixed feelings:

I've got mixed feelings about this one. A law that is too vague to be applied is pretty worthless. "Reasonable" security means almost nothing.

On the other hand, if legislators tried to spell out specifically what security features devices had to have, it would be laughable and outdated almost immediately.

So I guess my mixed feelings are [that] a law could be ok if it weren't too vague, but it can't be too specific either. Either way, this attempt is more symbol than substance.

Vague, you say? This is a good thing, according to Bucephalus355:

Vague lingo is currently accepted, among white-collar crime academics, as absolutely the best path forward for reining in corporate behavior.

When you have very specific lingo, it’s extremely easy to circumvent the law. You want to keep the law vague and open so you have lots of maneuver room to prosecute. This assumes you trust the government, which when compared with companies, I 97% do.

Bruce Schneier’s latest book, “Click Here to Kill,” makes the same point.

But Alan Patrick—@freecloud—disagrees:

I wonder what "reasonable" will evolve to in a few years.

As does Robert Graham—@ErrataRob:

It’s a typically bad bill based on a superficial understanding of cybersecurity/hacking that will do little [to] improve security, while doing a lot to impose costs and harm innovation. [It] is typical “magic pill” or “silver bullet” thinking that we spend much of our time in infosec fighting against.

The one possible exception to this is “patchability”: some IoT devices can’t be patched, and that is a problem. But … it’s complicated. Even if IoT devices are patchable in theory there is no guarantee … that users will apply them.

You might think a good solution to this is automated patching, but only if you ignore history. Many rate “NotPetya” as the worst, most costly, cyberattack ever. That was launched by subverting an automated patch. … The Mirai worm infected fewer than 200,000 devices. A hack of a tiny IoT vendor can gain control of more devices than that in one fell swoop.

This law is backwards looking rather than forward looking. … Lawmakers don’t think in terms of what will lead to the most protection, they think in terms of who can be blamed. … This law is based upon an obviously superficial understanding of the problem. It in no way addresses the real threats, but at the same time, introduces vast costs to consumers and innovation.

And DaMattster, too:

This won't solve the problem. … You can take all of the steps mentioned and the device still won't be secure—because the software to power the device is poorly written and full of exploitable holes like buffer overflows and null pointer de-references.

In an effort to get devices out on the market, security is at best, an afterthought. … At worst, the manufacturer doesn't really care until it gets caught with its pants down.

Even the ensuing fine and punishment will be substantially less than what they've earned on the product. Corporations just see it as a calculated profit/loss model.

Meanwhile, jiveturkey’s glass is half full:

Good time to be in law school.

The moral of the story? The letter of the law is one thing, but keep an eye on how it’s being interpreted in the courts.

And finally …

Right Said Sherlock

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Metropolitan Museum of Art (cc0)
