Reasonable Security

Keeping up with new regulations is no small matter. California leads the way in regulating everything from cow flatulence to throwing Frisbees, and SB-327 is no different. Governor Jerry Brown recently signed the California Security of Connected Devices Law, which dictates that starting in 2020, connected devices sold in the state must ship with “reasonable” security measures out of the box.

One of the issues with dictating specific security measures is that threats constantly evolve. What counts as a “reasonable” security control today can be outdated tomorrow. Still, while some of these requirements should be filed under the heading of “duh,” other equally obvious ones are overlooked.

The law mandates that new devices either:

1. Have a unique preprogrammed password for each device manufactured, or

2. Require the end user to generate a new password before the device can be used for the first time.

The first requirement could, on paper, be satisfied by using a preexisting unique string such as the MAC address or serial number of the device. Unique is not the same as secret, though: the MAC address is visible to anyone on the same network, and the serial number is printed on the label and the box, so a password derived from either is guessable by exactly the people the requirement is meant to keep out. A random password generated per device at the factory, printed on the label and stored on the device only as a salted hash, meets the requirement without that weakness.

The second requirement may prove to be a little more difficult. While many devices already allow the end user to change the default password, very few of them require the change before first use; the device has to refuse to serve anything until its setup flow has accepted a new password. As more home-connected devices are manufactured, passwords could be changed through a smartphone app before first use; however, that is a short-term solution, as smartphone-driven setup can realistically only scale so far.
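The two options above, written out as device provisioning and first-boot logic. This is an added example and not code from the original post or from any manufacturer: the serial-number format, the credential record layout, the 16-character default length, the 12-character minimum for user-chosen passwords, and the scrypt parameters are all assumptions. It generates a random per-device password at manufacture (option 1) rather than deriving one from the MAC address or serial, stores only a salted hash, and keeps the device's services gated until the default has been replaced (option 2).

```python
"""Per-device default passwords and a forced first-use change.

Added example for the SB-327 discussion; not from the original post.
Assumed: serial format, record layout, DEFAULT_LEN, MIN_LEN, scrypt
parameters (n=2**14 keeps memory use well under hashlib's default maxmem).
"""
import hashlib
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # label-friendly, no ambiguity rules
DEFAULT_LEN = 16          # ~95 bits of entropy from the factory default (assumed)
MIN_LEN = 12              # minimum for the user-chosen replacement (assumed)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: bytes) -> bytes:
    """Memory-hard hash; the device never stores the cleartext password."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def provision_device(serial: str):
    """Option 1: unique, random password per manufactured device.

    Returns (record, cleartext). The record is burned into the device; the
    cleartext goes on the label and is then discarded. Nothing here is
    derived from the serial or MAC, which are public identifiers.
    """
    password = "".join(secrets.choice(ALPHABET) for _ in range(DEFAULT_LEN))
    salt = os.urandom(16)
    record = {
        "serial": serial,
        "salt": salt,
        "hash": hash_password(password, salt),
        "default_in_use": True,  # option 2: cleared only by set_password()
    }
    return record, password


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison against the stored hash."""
    candidate = hash_password(password, record["salt"])
    return secrets.compare_digest(candidate, record["hash"])


def set_password(record: dict, old: str, new: str) -> bool:
    """First-use password change.

    Rejects a wrong current password, a replacement that is too short,
    re-use of the default, and anything equal to the public serial number.
    """
    if not verify(record, old):
        return False
    if len(new) < MIN_LEN or new == old or new.lower() == record["serial"].lower():
        return False
    salt = os.urandom(16)
    record["salt"] = salt
    record["hash"] = hash_password(new, salt)
    record["default_in_use"] = False
    return True


def service_allowed(record: dict) -> bool:
    """Gate for the device's network services: nothing listens while the
    factory default is still in use."""
    return not record["default_in_use"]


if __name__ == "__main__":
    # Constructed walk-through: factory provisioning, then the owner's first boot.
    rec, label_password = provision_device("SN-2019-000001-ABCD")
    print("label password:", label_password)
    print("services before change:", service_allowed(rec))
    assert set_password(rec, label_password, "correct horse battery 9")
    print("services after change:", service_allowed(rec))
```

The `default_in_use` flag is what turns option 2 into something enforceable: the firmware's service startup checks `service_allowed()` rather than trusting that the setup app got around to asking for a new password.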

Due to the size of California’s economy, regulations that start in the state tend to show up elsewhere. Removing default passwords from new devices is a good start, and may eventually starve botnets such as Mirai that rely on factory credentials. Eventually. It will take years for the Internet to purge itself of the millions of vulnerable consumer devices that are already out there.

The law is a good start, but it stops short of resolving any meaningful security issues. It doesn’t require device manufacturers to patch known vulnerabilities. Currently, most people “patch” their router by replacing it whenever they get tired of rebooting it to make their Internet connection fast again. I just don’t see legions of Walmart or Amazon consumers manually patching their home router, printer, or smart lightbulb themselves.

Should there be a law that requires manufacturers to update their devices? The free-market capitalist in me screams, “No!” but so far the market hasn’t pushed manufacturers toward security, and we’re still dealing with default passwords. Consumers are still demanding “fast,” “cheap,” and “easy” over “secure” and “private.” Until that changes, the market is not going to provide solutions that are securely coded, if that’s even possible out of the box.

And so we will continue to read about casinos being hacked through Internet-connected fish tanks and banks being robbed because someone purchased CCTV cameras based solely on price.

More articles by Matthew C.

  • The First IoT Device
  • Securing Perfect Pumpkins
  • Latest KFC account breach got you feeling “deep fried”?