First IoT security bill reaches governor's desk in California

California IoT security bill criticized by security researcher. Expert says bill "is based upon an obviously superficial understanding of the problem."

The first Internet of Things (IoT) security bill in the US was approved in California at the end of August and has now reached the Governor's desk to be signed into law.

The bill, SB-327, was introduced in February 2017 and was the first legislation of its kind in the US. It even predated, by almost six months, the Internet of Things Cybersecurity Improvement Act of 2017, a bill introduced in the US Senate by Sen. Mark Warner [D-VA].

But while dust gathered on Sen. Warner's proposal to secure IoT devices across the US, the California bill saw active discussions and was approved on the California Assembly and Senate floors on August 28 and 29, respectively. Barring any strong opposition to the bill from the public or the private sector, if signed by Gov. Jerry Brown, the new bill would enter into effect starting January 1, 2020.

Just like most legislative efforts, the bill is pretty vague in what "reasonable security" should be, but it does go into details when it comes to device authentication procedures. According to the bill's approved text, "if a connected device is equipped with a means for authentication outside a local area network," the authentication system must meet one of two criteria.

  1. If the device uses a default password, the password must be unique to each device; or,
  2. The device must prompt users to set up their own password whenever the user sets up the device for the first time.

These criteria were put in place to avoid manufacturers shipping devices with the same default credentials.
