It wants to make everyone’s smart home gadgets safer – but will it?
America’s first ever smart home security act has just been signed into law in California – but regardless of where you live, it’s something you should probably brush up on.
The bill (SB-327) dictates that from 1 January 2020, all manufacturers of IoT devices – smart speakers, smart thermostats, what have you – must include “reasonable” security features. Basically, it’s about keeping all your connected devices safe from malicious minds who could otherwise tamper with them from outside your home.
The bill has caused a lot of discussion, with some praising the legislation and underlining the importance of laying these foundations early – but it’s been criticised by others for being ineffective and even harmful. Let’s break it down.
Ok, what does the bill actually do?
The central edict of the bill sets out that IoT device makers must equip their tech with “reasonable” security features that will prevent “unauthorized access, destruction, use, modification or disclosure” of user information.
One specific requirement laid out in the bill is that any smart home tech with ways of being accessed outside of a local area network must have a unique password for that device, or allow users to set a unique password when they set the device up.
Some smart home devices ship with hard-coded passwords that outsiders with malicious intentions can use to break in remotely (these passwords are often easily found on the web).
Yeah that’s right, hard-coded passwords are still a problem in the smart home. Last year, an investigation by Finnish information-security company F-Secure found that home security cameras built by the company Foscam were using these hard-coded passwords. It seems laughable that a flaw like that could exist, but it’s sadly true.
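To make the password requirement concrete, here is an added example (not code from the article, the bill or any vendor) of a fleet-level check a manufacturer could run before shipping: it flags any remote-reachable device whose credentials are either a known default or a factory value shared across devices, on every login path rather than a single “password”. The device record format, field names and sample credentials are constructed.

```python
# Added example, not code from the article or any vendor; names and credentials are constructed.
from dataclasses import dataclass

KNOWN_DEFAULTS = {("admin", "admin"), ("admin", ""), ("root", "12345")}  # constructed list

@dataclass
class Credential:
    service: str            # "web", "telnet", "rtsp": every remote login path counts
    username: str
    password: str
    user_set: bool = False  # True once the owner changed it during setup

@dataclass
class Device:
    serial: str
    remote_access: bool     # reachable from outside the local network?
    credentials: list

def violations(fleet):
    """Return (serial, service, reason) for each credential of a remote-reachable device
    that is a known default or a factory value shared with another device."""
    shipped = {}  # factory credential -> number of devices shipping it
    for dev in fleet:
        for c in dev.credentials:
            if not c.user_set:
                k = (c.service, c.username, c.password)
                shipped[k] = shipped.get(k, 0) + 1
    found = []
    for dev in fleet:
        if not dev.remote_access:   # LAN-only devices fall outside the rule's scope
            continue
        for c in dev.credentials:
            if (c.username, c.password) in KNOWN_DEFAULTS:
                found.append((dev.serial, c.service, "known default credential"))
            elif not c.user_set and shipped[(c.service, c.username, c.password)] > 1:
                found.append((dev.serial, c.service, "factory credential shared across devices"))
    return found

def sample_fleet():
    """Constructed fleet: two cameras share a hard-coded telnet login, one is LAN-only."""
    return [
        Device("CAM-0001", True, [Credential("web", "admin", "Zx9!kq", True),
                                  Credential("telnet", "root", "cam-2018")]),
        Device("CAM-0002", True, [Credential("web", "admin", "p7#Lm2", True),
                                  Credential("telnet", "root", "cam-2018")]),
        Device("CAM-0003", False, [Credential("web", "admin", "admin")]),
        Device("CAM-0004", True, [Credential("web", "admin", "admin"),
                                  Credential("telnet", "root", "u9q2-x")]),
    ]
```

Note that CAM-0003 passes only because it is not reachable from outside the local network, which mirrors the scope of the bill’s password clause; the user-set web logins on the first two cameras do not excuse their shared telnet account.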
I ain’t in California. Why should I care?
Easy there, pal. While the bill has only been passed in California (so far), the effects will be felt by customers all over the US, as the same security provisions will presumably be included in all devices. That is, we can’t foresee a situation where companies like Samsung and Amazon tweak their products just for the Californian market.
Even if a device is manufactured outside California or the US, it will still have to comply with the law if it’s going to be sold in the state – in case you thought there might be a loophole there.
Sounds good. Why doesn’t everyone agree?
Because while the spirit of the bill is right, cybersecurity experts don’t think it will have the intended effects.
IoT expert Robert Graham says the bill is based on a “superficial understanding” of cybersecurity and claims it won’t improve security. Graham likens the problem to dieting: just as eating less is the key to dieting, cybersecurity shouldn’t be about adding more security features but about removing features that are less secure. “Adding features is typical ‘magic pill’ or ‘silver bullet’ thinking that we spend much of our time in infosec fighting against,” he said.
Graham also criticised the “vague” language of the bill, which demands that devices have “reasonable” and “appropriate” security features. “It’s impossible for any company to know what these words mean, impossible to know if they are compliant with the law.”
Graham also believes the focus on hard-coded passwords is misguided. He agrees these should be removed but says that “they get the language wrong.” He says that the problem is more complex: a typical device “doesn’t have a single password, but many things that may or may not be called passwords”.
Other experts agree that the language is too vague in places, leaving the rules mostly undefined. Indeed, the bill repeatedly states that the provisions should be “appropriate” to the device without laying down specifics. But some have suggested this wording is intentional, as it allows device makers to adapt and evolve with the technology.
Another point raised by the California Manufacturers and Technology Association is that the bill could drive away competition in the state, but as we said above, it seems unlikely that companies would consider creating devices that are more secure in California than other states. What’s more, it’s likely other states will follow in California’s footsteps.
In sum, this is going to be the start of a longer conversation. The bill’s heart is in the right place; all of this is important for keeping the smart home secure. But it’s going to be an ongoing discussion before, and after, January 2020.