First-of-its-kind IoT security bill approved in California, criticized by researchers as 'superficial'

• If signed into law, the legislation would go into effect beginning January 1, 2020.
• Security researcher Robert Graham said the proposed bill "will do little to improve security, while doing a lot to impost costs and harm innovation."

A new Internet-of-Things (IoT) security bill has been approved in California - the first of its kind in the United States. The bill, SB-327, was first introduced in February 2017 and has reached the Governor's desk to be signed into law.

If signed into law by Governor Jerry Brown, the bill - dubbed the Teddy Bear and Toaster Act - would go into effect beginning January 1, 2020.

The proposed legislation will mandate manufacturers of connected devices to equip the devices with a reasonable security feature or features that are appropriate to the nature and function of the devices, the data it may collect, contain or transmit, and are designed to protect the device and the information it may contain from "unauthorized access, destruction, use modification or disclosure."

According to the bill's approved text, a device equipped with means for authentication outside a local area network would qualify as a reasonable security feature if "the pre-programmed password is unique to each device manufactured" or if the device "contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time."

"The more we know and the more we learn about the Internet connection of all sorts of devices, many are realizing that we don’t know the extent to which these devices are invading our lives," Senator Hannah-Beth Jackson, who introduced the bill, said last year.

Although the bill is the first to address IoT security issues in the US, security researchers have criticized it saying it is based on a "superficial understanding of cybersecurity/hacking."

Security researcher Robert Graham said the new IoT security law "will do little to improve security, while doing a lot to impost costs and harm innovation."

"It’s based on the misconception of adding security features. It’s like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips," Graham wrote in a blog post. "The key to dieting is not eating more but eating less.

"The same is true of cybersecurity, where the point is not to add 'security features' but to remove 'insecure features'. For IoT devices, that means removing listening ports and cross-site/injection issues in web management. Adding features is typical “magic pill” or “silver bullet” thinking that we spend much of our time in infosec fighting against.

Graham notes that adding "arbitrary features" such as firewall or anti-virus software to these products only increase the attack surface and worsen the underlying issue.

"The one possible exception to this is 'patchability'," Graham added. "Some IoT devices can’t be patched, and that is a problem. But even here, it’s complicated. Even if IoT devices are patchable in theory there is no guarantee vendors will supply such patches, or worse, that users will apply them.

"The bill does target one insecure feature that should be removed: hardcoded passwords. But they get the language wrong. A device doesn’t have a single password, but many things that may or may not be called passwords. A typical IoT device has one system for creating accounts on the web management interface, a wholly separate authentication system for services like Telnet (based on /etc/passwd), and yet a wholly separate system for things like debugging interfaces. Just because a device does the proscribed thing of using a unique or user generated password in the user interface doesn’t mean it doesn’t also have a bug in Telnet."

Graham describes the bill as "backwards rather than forward looking".

"The intent is for the law to make some small static improvement, like making sure IoT products are patchable, after a brief period of litigation. The reality is that the issue is going to constantly be before the courts as attackers change tactics, causing enormous costs," he notes. "In summary, this law is based upon an obviously superficial understanding of the problem. It in no way addresses the real threats, but at the same time, introduces vast costs to consumers and innovation."