Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Government The Internet United States

California Becomes First State With an IoT Cybersecurity Law (theverge.com) 55

An anonymous reader quotes a report from The Verge: California Governor Jerry Brown has signed a cybersecurity law covering "smart" devices, making California the first state with such a law. The bill, SB-327, was introduced last year and passed the state senate in late August. Starting on January 1st, 2020, any manufacturer of a device that connects "directly or indirectly" to the internet must equip it with "reasonable" security features, designed to prevent unauthorized access, modification, or information disclosure. If it can be accessed outside a local area network with a password, it needs to either come with a unique password for each device, or force users to set their own password the first time they connect. That means no more generic default credentials for a hacker to guess.
This discussion has been archived. No new comments can be posted.

California Becomes First State With an IoT Cybersecurity Law

Comments Filter:
  • by DaMattster ( 977781 ) on Saturday September 29, 2018 @08:24AM (#57394636)
    This won't solve the problem because you can take all of the steps mentioned and the device still won't be secure because the software to power the device is poorly written and full of exploitable holes like buffer overflows and null pointer de-references. In an effort to get devices out on the market, security is at best, an afterthought, or at worst, the manufacturer doesn't really care until it gets caught with its pants down. And even the ensuing fine and punishment will be substantially less than what they've earned on the product. Corporations just see it as a calculated profit/loss model.
    • by sjames ( 1099 ) on Saturday September 29, 2018 @09:39AM (#57394840) Homepage Journal

      If by that you mean it won't end the problem 100% for all time then yes. There will still be exploits and so IOT issues.

      If you're just griping that it also won't cure athlete's foot and morning breath, so it's useless, you're quite wrong.

      The majority of cases today where the black hats get in to IOT devices is because of devices that have no password, or all share a single default factory password, easily looked up on Google.

      So, the new law isn't perfect, but it does address one of the leading holes in IoT. The other holes are a bit harder to supply a bright line for.

    • by dcw3 ( 649211 )

      Right, kinda like making drinking and driving illegal won't keep people from texting and driving, so we should just not ban drinking and driving.

  • The should have posted a required test suite (updated quarterly) that given IoT device has to go thru.
  • Expectation: IoT devices end up with at least rudimentary security measures to prevent them from becoming part of botnets because of default admin passwords.

    Reality: Companies will likely define "Unauthorized access and modification" as "anti-rooting/modding" requirement, and "reasonable measures" to consist of C&D letters to those who provide tools and procedures to mod their own purchased products.

    • I'm out of mod points today, but that was too the first thing I though when reading this.

      It will mostly end up being used as a poor excuse against the right to repair, despite any good intention that the law had upon introduction.

  • I trust the law defines "reasonable" in this context.

    Otherwise, we're going to see endless court cases quibbling over whether whatever is "reasonable" or not.

    Or manufacturers being unwilling to risk being found "not reasonable", and therefore not selling in CA.

    Got to admit I'm curious as to how buying something on eBay will work under this law. Or buying something in Oregon....

  • by mea2214 ( 935585 ) on Saturday September 29, 2018 @12:54PM (#57395480)
    There is no reason an IoT device needs to have a public IP address. Force IoT makers to only allow IPs set in the private space. This forces the user to have a router/firewall between them, script kiddies, and search engines.
  • This law is great, but without an oversight body how can someone determine if the manufacturer even bothered? That's the problem now: We assume Cisco routers are safe, then it turns out they have back doors. To make a law like this work, we need a body like the Consumer Product Safety Commission (CPSC) or Underwriters laboratory (UL) to look at the design of devices and certify them. Slap a label on them so people can tell "hey, someone actually look at this camera and said it was safe."

    Earlier this year

  • Update from the future: The law passed. [slashdot.org]

  • The first part of this bill will ensure full employment for lawyers quibbling over the definitions of "reasonable" and "appropriate" for any given device. There's nothing of substance there, just vague subjective guidelines.

    The second part requires a device's factory-default password to be unique, or that it require a password change before use. This is actually not a bad idea. It's debatable whether or not it should be the subject of legislation, but the market has shown that there is insufficient incen

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...