IoT bills and guidelines: a global response

You may not have noticed, but Internet of Things (IoT) rules and regulations are coming whether manufacturers want them or not. From experience, drafting up laws which are (hopefully) sensible and have some relevance to problems raised by current technology is a time-consuming, frustrating process.

However, it’s not that long since we saw IoT devices go mainstream—right into people’s homes, controlling real-world aspects of their day-to-day lives, and also causing mishaps and serious issues for people dealing with them.

The theoretical IoT wild west may be drawing to a close, so we’re taking a look at some IoT related bills and guidelines currently in the news.

Where did this all begin?

You’ve probably seen articles in the last few days talking about multiple upcoming changes and suggestions for IoT vendors, but in actual fact the first steps were taken last year when California decided the time was ripe for a little bit of IoT regulation.

If you sell or offer IoT devices in California (which, under the bill, means any Internet-connected device), the device must be equipped with “reasonable security features.”

Bills, bills, bills

Here’s the text of the California bill.

The key parts are these:

“Connected device” means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.

A connected device is as wide ranging as you’d expect, so that’s a good thing considering anything from your printer to your refrigerator could be communicating with the big wide world outside.

That’s great—but what, exactly, is a reasonable security feature?

Next up:

(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:

(1) The preprogrammed password is unique to each device manufactured.

(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

We’re essentially in password town. If the shipped password is unique and not something you can plug a serial number into Google to discover, or the device owner is forced to create a unique password the first time they fire it up, that would count as “reasonable security.”
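To make the two “password town” paths concrete, here is an added example (not from the original post or the bill) modelling the remote login gate of a connected device: path (1) ships a random, per-unit factory password; path (2) ships a shared default but refuses remote access until the user has replaced it. The class and function names are my own.

```python
import hashlib
import hmac
import secrets

# Constructed example: a device-side authentication gate for access that
# originates outside the local network, matching the bill's subdivision (b).
ITERATIONS = 100_000  # PBKDF2 work factor; tune for the device's CPU


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def provision_unique_password() -> str:
    """Path (1): a random factory password generated per unit and printed on
    its label, so it cannot be derived from a serial number or model name."""
    return secrets.token_urlsafe(12)


class RemoteAuthGate:
    """Login gate for a device's remote (outside-LAN) management interface."""

    def __init__(self, serial: str, factory_password: str, per_device_unique: bool):
        self.serial = serial
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(factory_password, self.salt)
        # A shared default is only acceptable under path (2): the owner must
        # set a new credential before the device grants access the first time.
        self.must_rotate = not per_device_unique

    def set_password(self, new_password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(new_password, self.salt)
        self.must_rotate = False

    def login(self, password: str, new_password: str = "") -> bool:
        """Return True only if access may be granted under the bill's rules."""
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            return False  # wrong credential
        if self.must_rotate:
            # First access with a shared default: require a genuinely new
            # credential, otherwise refuse even though the password matched.
            if not new_password or new_password == password:
                return False
            self.set_password(new_password)
        return True
```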

One small step for IoT

Is that enough, though? Some US-based legal eagles suggest it isn’t, and they may well have a point. If IoT legislation doesn’t end up considering things like secure communication, tampering, updates, or even what happens when a device is no longer supported, then this could become messy quickly.

Even so, cheap devices with zero password functionality built in are commonplace and an absolute curse where trying to secure networks and keep users safe are concerned.

The California bill applies to devices sold in California regardless of where they’re made. If your password name isn’t down, you’re not getting in—for want of a better and considerably less mangled expression.

This is due to roll into action on the first of January 2020, not only in California but also Oregon. It seems the US is taking the potential for IoT chaos seriously and I’d be amazed if this doesn’t end up going live in additional states in the near future.

Tackling the IoT problem globally

It’s not just the US trying to get a grip on IoT. Australia just pushed out the voluntary Code of Practice: Securing the Internet of Things for Consumers [PDF]. Spread across 13 principles, it seems to be significantly more in-depth than the US bill, which so far leaves a lot of areas up for debate. The 13 principles tackle communication security, updates, the ability to easily scrub personal data, and more besides.

Of course, we should temper our expectations somewhat. The US bill goes live in two states only, and there doesn’t seem to be much (or any!) information with regards to punishment, fines, or anything else.

Additionally, you yourself as a consumer can’t do anything off the back of the bill directly. It would have to be the California Attorney General or similar stepping up to the plate. On the other hand, as impressive as the Australian code is—and it is still under consultation—it’s currently only voluntary.

Even so, getting people in a position of authority to think about these issues is important, and at the very least these guides will help people at home to make considered, informed decisions about the technology they allow into their homes on a daily basis. Some good first steps, then, but we have a long way to go.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.