The State of California enacted a law requiring manufacturers of connected devices to equip their products with “reasonable” security features.
On 28 September, California Governor Jerry Brown approved SB-327. The law, entitled “Security of Connected Devices,” stipulates that manufacturers of web-connected devices implement security measures that are suitable to the name and function of their products, as well as to the types of information those products collect, handle and/or transmit. Those controls must also help fortify the devices against modification and unauthorized access.
The legislation has even more to say about devices that come equipped with a means of authentication from outside a local area network. In those cases, manufacturers must implement an adequate security measure by setting a unique pre-programmed password for each unit of the device they produce. Alternatively, they must provide users with the means to change the default password protecting their device before they can gain access.
Kieren McCarthy, executive director of the International Foundation for Online Responsibility (IFFOR), said that the provisions of the law constitute a step in the right direction but amount to a “missed opportunity” because they fail to address some of the larger security issues facing the web. As McCarthy wrote for The Register:
While default passwords are a particular problem, a bigger one is the failure to update software. There are many ways to access an electronic product – and a username/password is only one of them. New security holes are being discovered all the time and they typically take advantage of the various authentication systems that exist in such products but which are invisible to consumers.
McCarthy went on to voice his support for an “Internet Device Security Bill” that takes into account multiple issues pertaining to web security, including the need for better education and for a greater emphasis on security basics like two-factor authentication.
SB-327 is set to become effective on 1 January 2020.