IoT device security vaulted into the public consciousness in recent years. Media coverage of successful attacks against IoT devices and supporting systems, botnets powered by compromised devices, and a range of other security issues have raised public concern.
But now California is on the verge of enacting the first actual law in the US to mandate IoT device security.
Unfortunately, according to some in the industry, the bill now awaiting the governor’s signature will do little in its present form to improve the security of IoT, or the companies deploying it, or the people using it.
ZDNet reports that the California bill’s main provision is to require “a manufacturer of a connected device shall equip the device with a reasonable security feature or features.” Other than this very vague directive, the bill contains only one specific security requirement, according to ZDNet: If a device can be accessed from outside its local area network, it must have a unique default password, or require users to create a unique password when deploying the device.
“And that’s all of the SB-327 bill,” ZDNet writes. “No other provisions. Just a very precise specification regarding the handling of default credentials for IoT devices, and the use of a generic term of “reasonable security” that every IoT device vendor could interpret the way they want.”
The bill prompted even more criticism from cybersecurity expert and pundit Robert Graham. In his blog he called it a “typically bad bill based on a superficial understanding of cybersecurity/hacking” and he warned it will drive up costs while reducing innovation.
“The law makes the vague requirement that devices have ‘reasonable’ and ‘appropriate’ security features,” Graham says. “It’s impossible for any company to know what these words mean, impossible to know if they are compliant with the law. Like other laws that use these terms, it’ll have be worked out in the courts.”
These comments echo those of a speaker at last month’s Black Hat security conference, Ijay Palansky, partner at the law firm Armstrong Teasdale, who addressed the civil litigation aspects of IoT security and who predicted a massive wave of legal activity over IoT security on the horizon.
Graham also is concerned about the security strategy and mindset represented by the California bill. “It’s based on the misconception of adding security features … . the point is not to add ‘security features’ but to remove ‘insecure features.’”
Securing By Design
The debate over the legal ramifications of IoT security will no doubt continue. But what’s clear is that the developers and manufacturers of IoT devices should make security a primary focus when bringing products to market.
Security can no longer be an afterthought, to be added on after the product has been designed and is being prepared for release.
To paraphrase Graham’s comments, the best approach is to design in security at the outset of a product’s development — keeping the attack surface small, avoiding extraneous functions not needed for the application, enabling secure booting and secure patching, and so on.
At Timesys we have been working with IoT device manufacturers to help them adopt the industry’s best practices for embedded system IoT security.
Our Secure By Design services enable a device developer to conduct embedded Linux hardening early in product design, along with IoT device security auditing, which can pinpoint security gaps, lax access controls, and other issues.
Our Threat Resistance Security Technology (TRST) Product Protection Solutions will help you ensure your embedded products are secure by design, and will stay secure throughout their lifecycles.
Contact us to learn more.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with global leader semiconductor manufacturers with smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.