New California Law Aims to Fix the Internet of Broken Things

But security experts say it will take a lot more than regulation to fix this particular dumpster fire.

California is hoping a new law will help fix the security and privacy problems that plague the so-called internet of things, but experts say a lot more needs to be done to seriously tackle the problem.

For numerous companies, security and privacy was an afterthought as they rushed to connect everything and anything to the internet and cash in on the internet of things craze.

As a result, countless ordinary household objects have become weaponized. Your kids’ Barbie dolls can now be hacked to spy on you, your refrigerator can expose your Gmail credentials, your television can be used to listen in on your living room conversations, and your webcam can be hijacked and incorporated into a DDoS botnet before you’ve had time to read the manual.

California’s SB-327 was introduced last year, passed by the California Senate last August, and now awaits signature by California Governor Jerry Brown. The bill would, among other things, ban default login credentials and require that devices urge customers to change their username and password upon first use.

It also vaguely mandates that such devices incorporate “reasonable security features” that are “appropriate to the nature and function of the device.” And while it is a good first step in a much-needed conversation, it’s going to be easy for Chinese manufacturers to ignore aspects of US law. Security experts like Robert Graham also argue that the California bill’s fixes are too vague, and don’t go far enough to address the core dysfunction inherent in the IoT sector.

“It’s impossible for any company to know what these words mean, impossible to know if they are compliant with the law,” Graham argued in a blog post. The bill leaves these terms as something that will need to be hashed out in the courts, which he argues won’t be able to keep up with the quickly shifting changes in standard security practices.

Graham argues that the bill operates under the misconception that simply adding more security features will fix the problem, when removing inherently broken features and functions (like unnecessary listening ports) may be the better bet.

“It’s like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips,” Graham said.

Still, California’s bill at least takes the first, uneasy steps toward addressing the fact that millions of new attack vectors are being introduced in homes and businesses annually thanks to the IoT. It’s a problem security experts like Bruce Schneier previously told Motherboard readers could result in notable catastrophe, especially if infrastructure is impacted.

Schneier has documented at length how the IoT market continues to struggle with security and privacy because neither the consumer nor the company selling the gear much cares.

“The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks,” Schneier said. “The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features.”

The solution, according to experts like Schneier, is going to require a collaborative effort across industry, security researchers, academia, government, and the public. That may include regulation, but it’s also going to require greater transparency, as well as naming and shaming companies that see security and privacy as an afterthought.

Such transparency efforts include the Princeton computer science lab’s IoT Inspector, which attempts to give consumers more insight into what these devices are actually doing on the internet. Others are working hard to incorporate device security and privacy (or lack thereof) into product reviews, something that has become the cornerstone of a new effort by Consumer Reports.

There’s no quick and easy fix to the dumpster fire that is the internet of things sector, and legislation alone isn’t likely to be a magic bullet. But well-crafted laws will play an important role in tackling the problem, and California’s proposal is likely just the first of many similar legislative efforts to come.