As people shop for loved ones this holiday season, internet-enabled gadgets are often at the top of the list. These gifts may be an automated vacuum cleaner, a doorbell with a camera or a Furbacca, a toy that combines Furby and Chewbacca and interacts with a smart device. These contraptions—collectively referred to as the “internet of things”—are ubiquitous. However, they often have weak security features, which can open up vulnerabilities in people’s homes and make a gift’s recipient an unwitting participant in a hacker’s attack.
Now, governments are acknowledging the threat these popular technologies create. In late September, California passed a law regulating the security of internet-enabled devices sold in the state. While many see it as a step in the right direction, others think the law doesn’t go far enough to secure these technologies.
The new law will affect any smart device sold in California, including consumer and enterprise tools. Starting Jan. 1, 2020, manufacturers of connected devices will have to include “reasonable security” features to protect stored or transmitted information from “unauthorized access, destruction, use, modification or disclosure.”
Currently, there are about 7 billion connected devices in the world, according to IoT Analytics, an industry research company. It anticipates this number to skyrocket to 21.5 billion devices by 2025.
This immense growth has exacerbated certain types of cyberattacks.
In 2016, Dyn, a company that manages and registers online domains, was struck by a denial-of-service attack, in which its servers were overloaded with meaningless requests forcing websites and online services to crash. This attack temporarily shut down websites such as Amazon, Netflix, PayPal, Reddit, Spotify and Twitter in the American Northeast and other regions.
This attack was possible because malware was used to take over and remotely control millions of vulnerable connected devices and point their attention at Dyn’s servers.
Similar attacks using these devices as a rag-tag band of automated perpetrators, known as a botnet, have continued and also are being used to commit “click fraud,” in which commandeered devices help defraud advertisers out of billions of dollars each year.
“The majority of IoT devices are insecure,” says Syed Ali, an expert vice president at the Bain & Co.’s Houston office and leader of its information technology practice.
Cybersecurity company Corero Network Security found that in the first half of 2018, denial-of-service attacks, like that experienced by Dyn, had increased 40 percent year over year. It attributes this increase in part to the widespread adoption of connected devices.
A major manufacturer oversight that led to these attacks has been around passwords, according to research from Ben-Gurion University in Israel. Many devices are sold to consumers or companies with no password protection or the same default login credentials across all devices, making them choice targets for exploitation.
For this reason, the California law specifically requires devices that can be accessed by an area network to either be preprogrammed with a unique password or require a user to generate a new password before using the device.
Beyond those specific prescriptions, the law requires a “reasonable security feature,” which is not otherwise defined. With no guidance yet from the state attorney general, the law remains open ended, according to some.
“Reasonableness is always the legislature’s way to build in a moving target that will be informed by industry practice” and the sensitivity of the information collected, says Christine Lyon, a partner at Morrison & Foerster in Palo Alto, California. “What’s reasonable for an industrial IoT device might be a lower standard than what would be reasonable for a consumer-facing device that collects more sensitive information, like biometrics or health information.”
As opposed to other data protection legislation, this law is different in that it applies to all data stored or transmitted by internet-enabled devices, according to Lyon.
The law “doesn’t even use the term personal information,” she says, which means “the legislature is taking a broad view of security issues that arise with connected devices.”
This is different from another bill passed in California earlier this year, which focused on the protection of consumers’ personal information. The California Consumer Protection Act of 2018 is the strictest consumer data protection law in the country, affecting many companies doing business in California or with local residents’ data.
“Taken together, these two laws represent a significant step, almost a departure, from the way data privacy has been looked at previously,” says Allison Lauterbach Dale, an associate at MoFo in San Francisco. “It’s not surprising they are happening at the same time. They are recalibrating how we look at data security.”
Unlike the CCPA, the internet of things law does not create a private right of action. The state attorney general, along with city attorneys, county counsels and district attorneys, will enforce the law. California’s Office of the Attorney General did not respond to an ABA Journal request for comment.
Not just a state issue, in May 2017, President Donald Trump signed an executive order, which required all federal agencies to use a cybersecurity framework developed by the National Institute of Standards and Technology to minimize cyber risks, including those created by connected devices.
Also in 2017, Sen. Mark Warner, D-VA, introduced a bill in Congress to create minimal standards for internet-enabled devices used by federal agencies. The bill never received a hearing.
While California’s move marks a shift toward legislating device security, the technology’s problems go far beyond the need for passwords, says Ali at the Bain & Co. Since the devices are smaller and have weaker computing power, they often can’t run security software and meet their core competencies at the same time. Academic and industry researchers are creating more secure, “lightweight” operating systems and hardware to help improve security, but these solutions won’t work for every application nor will every company adopt them, according to Ali.
Digging deeper, Ali says, there are oversight shortcomings in the sourcing of hardware and software used in these tools. This means that without a company knowing, backdoors could be placed in a device and provide a way to access its contents regardless of a password.
With this potential vulnerability in mind, Ali says encryption could further protect data collected and transmitted by internet-enabled devices. In past spring, the NIST issued a call for new “lightweight cryptography” designs to better protect smaller, connected devices.
As industry, governments and researchers continue to wrestle with vulnerabilities created by these technologies, California has, at a minimum, created a national floor, says Lyon at MoFo. However, that floor may very well move to track the emerging and evolving vulnerabilities.
“This is probably not the end state of this law,” Lyon says. “I think this is probably a starting point to get a law on the books.”