The infosec community says California’s IoT security bill is “nice,” but doesn’t hit on the important issues.
An internet of things (IoT) bill that would mandate unique passwords for connected devices has been approved by the California state legislature.
It would be the first connected-device regulation to take effect in the United States if California Gov. Jerry Brown decides to sign it — however, some researchers say that the legislation, called Information Privacy: Connected Devices, fails to address fundamental issues plaguing IoT security.
The bill (SB-327) would require “reasonable security feature or features that are appropriate to the nature and function of the device.” More specifically, “if a connected device is equipped with a means for authentication outside a local area network,” either any default password must be unique to each device, or the user must be prompted to set a new password when setting up the device.
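To make the two compliance paths concrete, here is an added example (not code from the bill, from Threatpost, or from any vendor named on this page) that models a device which accepts remote authentication: path A generates a default credential that is unique per unit, and path B refuses any non-LAN login until the user has replaced the factory credential. The class and function names (ConnectedDevice, authenticate, set_password, all_defaults_unique) are hypothetical, and the constructed caveat it encodes is that “unique” is not the same as “unguessable”: a default derived from a printed serial or the Wi-Fi MAC satisfies the letter of the text but is recoverable by anyone who sees the label, so the default here is drawn from the CSPRNG at manufacture time instead.

```python
import hashlib
import hmac
import secrets
import string

# Hypothetical model of the two SB-327 paths for devices that allow
# "authentication outside a local area network". Constructed example;
# not the bill's text and not any vendor's firmware.

ALPHABET = string.ascii_letters + string.digits
DEFAULT_PASSWORD_LENGTH = 16
PBKDF2_ROUNDS = 100_000


def generate_unique_default() -> str:
    """Path A: a per-unit default password.

    The statute only requires uniqueness. Deriving the default from a public
    identifier (serial, MAC) is unique but predictable, so this uses the OS
    CSPRNG; the value is meant to be printed on the unit's own label once.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(DEFAULT_PASSWORD_LENGTH))


def _hash_password(password: str, salt: bytes) -> bytes:
    # Keep only a salted, slow hash on the device, never the plaintext default.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class ConnectedDevice:
    def __init__(self, serial: str, require_change_on_first_use: bool = True):
        self.serial = serial
        self.require_change_on_first_use = require_change_on_first_use
        self._salt = secrets.token_bytes(16)
        # Exposed here only so the label printer (and the test) can read it;
        # after manufacture a real device would keep just the hash.
        self.factory_default = generate_unique_default()
        self._pw_hash = _hash_password(self.factory_default, self._salt)
        self.user_has_set_password = False

    def _check(self, password: str) -> bool:
        candidate = _hash_password(password, self._salt)
        return hmac.compare_digest(candidate, self._pw_hash)

    def authenticate(self, password: str, from_lan: bool) -> bool:
        """Path B: refuse remote logins until the factory credential is replaced.

        Local setup on the LAN may still use the printed default.
        """
        if (not from_lan and self.require_change_on_first_use
                and not self.user_has_set_password):
            return False
        return self._check(password)

    def set_password(self, current: str, new: str) -> bool:
        """Rotate the credential; refuse to keep the factory default or a short one."""
        if not self._check(current):
            return False
        if new == self.factory_default or len(new) < 12:
            return False
        self._salt = secrets.token_bytes(16)
        self._pw_hash = _hash_password(new, self._salt)
        self.user_has_set_password = True
        return True


def all_defaults_unique(devices: list) -> bool:
    """Fleet-level check for path A: no two units may share a factory default."""
    defaults = [d.factory_default for d in devices]
    return len(defaults) == len(set(defaults))
```

The remote-login gate is the part most worth copying: with `require_change_on_first_use` left on, a unit whose default password is known to an attacker can still only be reached from the local network until its owner completes setup, which is the exposure window the bill's second option is meant to close.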
Devices shipping with hard-coded or shared default passwords are a common problem that has led to vulnerabilities across multiple types of IoT devices, including the Samsung IoT Hub. But IoT security experts say that the bill doesn’t go far enough.
“The ‘reasonable security’ measures proposed in SB-327 are nice, but are sadly meaningless in the face of the security complexity introduced by connected devices,” Joe Lea, vice president of product at Armis, told Threatpost.