A home full of Internet-connected devices can spur privacy concerns, and California plans to do something to help keep them from arising. The California State Legislature passed a first-of-its-kind bill on Internet of Things (IoT) security, titled SB-327 Information Privacy: Connected Devices, and sent it to the governor for his signature. The bill introduces regulations for all connected devices sold in the United States.
A quick read-through shows the bill leaves a lot to be desired. Specific guidelines are not established, and many features that need to be included in a bill centered around security are not present. For example, manufacturers should be required to perform a security audit on components purchased from overseas.
Despite not being complete, this legislation is a step toward much-needed oversight of security measures. Manufacturers like Google and Amazon place strong security protocols on their products, but even these can be broken by a determined hacker or via a weak link in a connected system. A bill like this will place pressure on American manufacturers to ensure all connected devices provide device-level protection against attacks.
A connected device is defined as any device that connects to the Internet and has an IP or Bluetooth address. As anyone might guess, a lot of different products meet that definition. Here’s the exact wording of the legislation:
1798.91.04. (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:
(1) Appropriate to the nature and function of the device.
(2) Appropriate to the information it may collect, contain, or transmit.
(3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:
(1) The preprogrammed password is unique to each device manufactured.
(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
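The two subdivision (b) options, as an added example that is not part of the article or of the bill's text: a per-device unique preprogrammed password as in (b)(1), derived from a constructed factory secret, and a first-access gate as in (b)(2) that refuses authentication until the user has replaced the factory credential. The factory secret, the serial-number format and the minimum password length are assumptions made for illustration.

```python
"""Model of the two SB-327 §1798.91.04(b) options: a per-device unique
preprogrammed password, and a forced credential change before first access."""
import hashlib
import hmac
import secrets

# Constructed factory secret; a real one would live in the factory's HSM.
FACTORY_SECRET = b"constructed-factory-provisioning-secret"

def preprogrammed_password(serial: str) -> str:
    """(b)(1): derive a password unique to each device from its serial number.
    Keying the derivation with the factory secret means one device's label
    reveals nothing about another device's password."""
    mac = hmac.new(FACTORY_SECRET, serial.encode(), hashlib.sha256).digest()
    return mac[:10].hex()  # 20 hex characters printed on the device label

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ConnectedDevice:
    """Device with authentication reachable from outside the LAN, implementing
    (b)(2): the preprogrammed password can only be used to set a new one."""
    def __init__(self, serial: str):
        self.serial = serial
        self._salt = secrets.token_bytes(16)
        self._pw_hash = _hash(preprogrammed_password(serial), self._salt)
        self.user_credential_set = False

    def _check(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self._salt), self._pw_hash)

    def set_initial_credential(self, factory_pw: str, new_pw: str) -> bool:
        """First-access flow: needs the factory password plus a new password
        (assumed minimum length 12, different from the factory one)."""
        if self.user_credential_set or not self._check(factory_pw):
            return False
        if len(new_pw) < 12 or new_pw == factory_pw:
            return False
        self._salt = secrets.token_bytes(16)
        self._pw_hash = _hash(new_pw, self._salt)
        self.user_credential_set = True
        return True

    def authenticate(self, password: str) -> bool:
        """Normal access is refused until the user has replaced the factory
        credential, even when the factory password itself is correct."""
        if not self.user_credential_set:
            return False
        return self._check(password)
```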