New IoT Security Regulations

Due to ever-evolving technological advances, manufacturers are connecting consumer goods -- from toys to light bulbs to major appliances -- to the Internet at breakneck speeds. This is the Internet of Things, and it's a security nightmare.

The Internet of Things fuses products with communications technology to make daily life more effortless. Think Amazon's Alexa, which not only answers questions and plays music but allows you to control your home's lights and thermostat. Or the current generation of implanted pacemakers, which can both receive commands and send information to doctors over the Internet.

But like nearly all innovation, there are risks involved. And for products born out of the Internet of Things, this means the risk of having personal information stolen or devices being overtaken and controlled remotely. For devices that affect the world in a direct physical manner -- cars, pacemakers, thermostats -- the risks include loss of life and property.

By developing more advanced security features and building them into these products, hacks can be avoided. The problem is that there is no monetary incentive for companies to invest in the cybersecurity measures needed to keep their products secure. Consumers will buy products without proper security features, unaware that their information is vulnerable. And current liability laws make it hard to hold companies accountable for shoddy software security.

It falls upon lawmakers to create laws that protect consumers. While the US government is largely absent in this area of consumer protection, the state of California has recently stepped in and started regulating the Internet of Things, or "IoT" devices sold in the state -- and the effects will soon be felt worldwide.

California's new SB 327 law, which will take effect in January 2020, requires all "connected devices" to have a "reasonable security feature." The good news is that the term "connected devices" is broadly defined to include just about everything connected to the Internet. The not-so-good news is that "reasonable security" remains defined such that companies trying to avoid compliance can argue that the law is unenforceable.

The legislation requires that security features must be able to protect the device and the information on it from a variety of threats and be appropriate to both the nature of the device and the information it collects. California's attorney general will interpret the law and define the specifics, which will surely be the subject of much lobbying by tech companies.

There's just one specific in the law that's not subject to the attorney general's interpretation: default passwords are not allowed. This is a good thing; they are a terrible security practice. But it's just one of dozens of awful "security" measures commonly found in IoT devices.
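An added illustration of how a device can satisfy the one concrete requirement, not code from the essay or from the statute's text: it assumes a per-device random enrolment token printed on the label instead of a shared default, and a forced password change before any login is accepted (class and function names are mine).

```python
# Added example (mine, not the essay's or SB 327's text): a first-boot
# credential gate that meets "no default passwords" by shipping a
# per-device random enrolment token instead of a shared default and by
# refusing every login until the owner sets a password that is not a
# well-known factory default.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed blocklist of strings that ship as shared defaults in many
# products; a production list would be far longer.
FACTORY_DEFAULTS = frozenset(
    {"admin", "administrator", "password", "1234", "12345", "default", "root"}
)
MIN_LENGTH = 12
PBKDF2_ROUNDS = 200_000


class CredentialPolicyError(ValueError):
    """Raised when a credential change violates the device policy."""


def check_password_policy(password: str) -> None:
    """Reject passwords that are short or appear on the default blocklist."""
    if len(password) < MIN_LENGTH:
        raise CredentialPolicyError("too short")
    if password.lower() in FACTORY_DEFAULTS:
        raise CredentialPolicyError("factory default not allowed")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class DeviceAuth:
    """Authentication state of one device.

    The enrolment token is generated per unit (so no two devices share
    it) and is good for exactly one thing: setting the first password.
    Until that happens, login() accepts nothing at all.
    """

    def __init__(self) -> None:
        # In a real product this would be printed on the device label.
        self.enrolment_token = secrets.token_urlsafe(12)
        self._salt: Optional[bytes] = None
        self._hash: Optional[bytes] = None

    @property
    def provisioned(self) -> bool:
        return self._hash is not None

    def set_initial_password(self, token: str, new_password: str) -> None:
        if self.provisioned:
            raise CredentialPolicyError("already provisioned")
        if not hmac.compare_digest(token.encode(), self.enrolment_token.encode()):
            raise CredentialPolicyError("bad enrolment token")
        check_password_policy(new_password)
        self._salt, self._hash = hash_password(new_password)

    def login(self, password: str) -> bool:
        # No credential exists before provisioning, so nothing can succeed,
        # not even the enrolment token itself.
        if self._salt is None or self._hash is None:
            return False
        _, digest = hash_password(password, self._salt)
        return hmac.compare_digest(digest, self._hash)


def provision_outcome(device: DeviceAuth, token: str, new_password: str) -> str:
    """Attempt provisioning; return 'ok' or the policy error text."""
    try:
        device.set_initial_password(token, new_password)
    except CredentialPolicyError as err:
        return str(err)
    return "ok"


if __name__ == "__main__":
    dev = DeviceAuth()
    print("login with 'admin' before provisioning:", dev.login("admin"))
    print(provision_outcome(dev, dev.enrolment_token, "admin"))
    print(provision_outcome(dev, dev.enrolment_token, "correct horse battery"))
    print("login with the chosen password:", dev.login("correct horse battery"))
```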

This law is not a panacea. But we have to start somewhere, and it is a start.

Though the legislation covers only the state of California, its effects will reach much further. All of us -- in the United States or elsewhere -- are likely to benefit because of the way software is written and sold.

Automobile manufacturers sell their cars worldwide, but they are customized for local markets. The car you buy in the United States is different from the same model sold in Mexico, because the local environmental laws are not the same and manufacturers optimize engines based on where the product will be sold. The economics of building and selling automobiles easily allows for this differentiation.

But software is different. Once California forces minimum security standards on IoT devices, manufacturers will have to rewrite their software to comply. At that point, it won't make sense to have two versions: one for California and another for everywhere else. It's much easier to maintain the single, more secure version and sell it everywhere.

The European General Data Protection Regulation (GDPR), which implemented the annoying warnings and agreements that pop up on websites, is another example of a law that extends well beyond physical borders. You might have noticed an increase in websites that force you to acknowledge you've read and agreed to the website's privacy policies. This is because it is tricky to differentiate between users who are subject to the protections of the GDPR -- people physically in the European Union, and EU citizens wherever they are -- and those who are not. It's easier to extend the protection to everyone.

Once this kind of sorting is possible, companies will, in all likelihood, return to their profitable surveillance capitalism practices on those who are still fair game. Surveillance is still the primary business model of the Internet, and companies want to spy on us and our activities as much as they can so they can sell us more things and monetize what they know about our behavior.

Insecurity is profitable only if you can get away with it worldwide. Once you can't, you might as well make a virtue out of necessity. So everyone will benefit from the California regulation, as they would from similar security regulations enacted in any market around the world large enough to matter, just like everyone will benefit from the portion of GDPR compliance that involves data security.

Most importantly, laws like these spur innovations in cybersecurity. Right now, we have a market failure. Because the courts have traditionally not held software manufacturers liable for vulnerabilities, and because consumers don't have the expertise to differentiate between a secure product and an insecure one, manufacturers have prioritized low prices, getting devices out on the market quickly and additional features over security.

But once a government steps in and imposes more stringent security regulations, companies have an incentive to meet those standards as quickly, cheaply, and effectively as possible. This means more security innovation, because now there's a market for new ideas and new products. We've seen this pattern again and again in safety and security engineering, and we'll see it with the Internet of Things as well.

IoT devices are more dangerous than our traditional computers because they sense the world around us, and affect that world in a direct physical manner. Increasing the cybersecurity of these devices is paramount, and it's heartening to see both individual states and the European Union step in where the US federal government is abdicating responsibility. But we need more, and soon.

This essay previously appeared on CNN.com.

Posted on November 13, 2018 at 7:04 AM • 33 Comments

Comments

Phaete • November 13, 2018 7:40 AM

As a European, the most noticeable thing our new law did is force some websites to use geoblocking as the cheaper alternative.

Sorry, nothing to see here because you are European...The content is blocked in your region...etc.

If companies are willing to stop service/sales to entire continents, then those companies would have no issue stopping sales to 40m out of 7.2b people.

Nice initial effort, but nowhere near critical mass.

The intrinsic problem remains that IoT manufacturers don't pay (enough) for their mistakes, their customers have to pay for the effects of the bad practices of the manufacturer.
And as long as the damages do not eat away the profit, the manufacturer will see the flawed product as successful, as it gave them profit and fed a whole lot of families of the workers etc.

wiredog • November 13, 2018 8:21 AM

As a programmer who has written software for networked (but not publicly networked) devices I have a personal policy of "No smart thingys in the house." Security is hard. Especially security for devices that are several years old. Will the manufacturer keep supporting that 10 year old TV or fridge? Probably not. How many OS vendors support versions more than a few years old?

Steve Friedl • November 13, 2018 8:25 AM

Phaete wrote:
> If companies are willing to stop service/sales to entire continents, then those companies would have no issue stopping sales to 40m out of 7.2b people.

The only companies that will take this stance are those whose products have crappy security; isn't it a good thing that my neighbors will no longer be able to buy those?

K.S. • November 13, 2018 8:39 AM

I agree that regulation is necessary, but I don't think it should be about ill-defined security features. You can't legislate security. You can however legislate security certifications and you can legislate maintaining products for certain time from the last sale date.


"The European General Data Protection Regulation (GDPR), which implemented the annoying warnings and agreements that pop up on websites, is another example of a law that extends well beyond physical borders."

So we have warnings everywhere, did it actually reduce invasive surveillance in any meaningful way?

echo • November 13, 2018 9:14 AM

@Bruce

The European General Data Protection Regulation (GDPR), which implemented the annoying warnings and agreements that pop up on websites, is another example of a law that extends well beyond physical borders. You might have noticed an increase in websites that force you to acknowledge you've read and agreed to the website's privacy policies. This is because it is tricky to differentiate between users who are subject to the protections of the GDPR -- people physically in the European Union, and EU citizens wherever they are -- and those who are not. It's easier to extend the protection to everyone.

I would quibble "a law that extends well beyond physical borders". I personally say "a law whose ramifications extend well beyond physical borders". The reason is there is a technical difference between accessing the EU market and the EU unilaterally forcing a foreign market with threats of punishment for issues which are wholly contained within the foreign market's domain. It's this technical difference which explains why the EU created an obligation for EU based companies to act within EU financial law to insulate EU companies from politically driven American exceptionalism and threats of sanctions if EU companies adhered to EU domestic and foreign policy when conducting non-US transactions with countries such as Iran.

This was made more compelling when the EU position is to support the nuclear agreement with Iran when direct and indirect threats of sanctions were applied to EU based companies for breaching US unilateral sanctions as punishment for not following the US in withdrawing from the treaty.

I believe there are some who would say this is more important than worrying about the LA Times throwing a hissy fit over GDPR and blocking all EU visitors.

Timothy • November 13, 2018 9:25 AM

To add to the above on IoT awareness and the call for regulation:

CSO “Beware the IoT spy in your office or home via smart furniture, warns NSA”

NSA “Connected Desks Aren't What They Used to Be”

Report on China’s IoT “...China’s research into IoT security vulnerabilities and its growing civil-military cooperation raise concerns about gaining unauthorized access to IoT devices and sensitive data...”

[1] https://www.csoonline.com/article/3317938/security/beware-the-iot-spy-in-your-office-or-home-via-smart-furniture-warns-nsa.html

[2] https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1669139/connected-desks-arent-what-they-used-to-be/

[3] https://www.uscc.gov/Research/chinas-internet-things

Phaete • November 13, 2018 9:25 AM

@Steve Friedl
The only companies that will take this stance are those whose products have crappy security; isn't it a good thing that my neighbors will no longer be able to buy those?

Nope, enforcing your standards upon the freedom of choice of another person is bad.
Especially the standards of a very small group.

I'd rather have a Chinese product at 10% of the price of an American one because I know I can mitigate its flaws with my existing IoT practice.
And to a neighbor complaining about that, I just offer a 'not liable indemnification' contract for stress testing my and their networks to see who is actually vulnerable and who is not.
So far no one has taken me up on that offer, but some did actually offer work to me after that.

mark • November 13, 2018 11:30 AM

Or, as Carla Schroder wrote last year, and is my candidate for acronym of the year, "The Internet of Gratuitously Connected Insecure Things (IoGIT, creatively abbreviated to pronounce as "idjit")"

Boom Tish • November 13, 2018 11:36 AM

"It's much easier to maintain the single, more secure version and sell it everywhere."

I wonder how long this will last. At what point in time will the demands become so numerous/heavy/contradictory that it will be cheaper to differentiate like the auto industry does?

K.S. • November 13, 2018 1:05 PM

I think it is naive to assume that the "secure version" produced to comply with this law will actually be secure. Instead, the likely scenario is that IoCrap purveyors will form an industry group that will redefine the status quo as “secure”.

Steve Friedl • November 13, 2018 1:58 PM

@Phaete:
> Nope, enforcing your standards upon the freedom of choice of another person is bad.

We should not be able to forbid our neighbors from harming themselves by purchasing an insecure product (free choice), but when that free choice starts hurting other people as it's turned into a weapon, that's a different matter.

JK • November 13, 2018 2:04 PM

I believe this statement contains an incorrect interpretation of GDPR: "This is because it is tricky to differentiate between users who are subject to the protections of the GDPR -- people physically in the European Union, and EU citizens wherever they are -- and those who are not." It is my understanding (as verified by many websites, e.g., https://www.hipaajournal.com/does-gdpr-apply-to-eu-citizens-living-in-the-us/) that GDPR only applies to persons who are physically in the EU when the data transaction takes place. EU citizens are NOT covered if they are outside the EU.

zboot • November 13, 2018 2:09 PM

It's not just anyone trying to avoid compliance - compliance is also hard even when you want to do it.

Let's see, say your IoT device offers up a web server for users to access data, configure settings, etc. You should use HTTPS for security, which requires a certificate. A certificate requires a FQDN, which almost no IoT device will have. Using DDNS to work around this (or really any other approach that works around this) requires opening holes in your users' firewalls or some other behavior that decreases security (training users to arbitrarily install self-signed certificates, for example).

Flipping the approach, having the device always act as a client is not great either. Now you need to distribute software for your user to use, which may be fine for a consumer facing device, as users already have bad security habits there but bad for business facing as now your users will need to have IT make exceptions for random IoT SW.

And of course, supporting some existing standard for which there is likely existing software that does a good job of managing security is just hugely expensive.

So, even for those who would love to be compliant, not only is there nearly zero incentive to do so, it also is not that feasible.

Men in Black • November 13, 2018 2:10 PM

Consumers will buy products without proper security features, unaware that their information is vulnerable. And current liability laws make it hard to hold companies accountable for shoddy software security.

Isn't there a free market here?

In particular, aren't "consumers" free to hold on to their pocketbooks and refrain from spending their hard-earned cash on shoddy insecure IoT junk?

Or even go in business themselves to create a competing product with adequate attention to security?

It's 2018, and we as consumers still cannot buy a computer without Microsoft Windows (or perhaps Apple OS) preinstalled.

Stop forcing that proprietary big corporation stuff on us and then denying us the benefits of a free market.

Denton Scratch • November 13, 2018 2:17 PM

The GDPR didn't implement "the annoying warnings and agreements that pop up on websites". They were implemented by the website developers.

Meanwhile, I'm fed up with all the US websites that have chosen to shut out any IP that appears to be from the EU. I just click the close [x] button. Sayonara. Seriously: recipe websites seem to be particularly badly afflicted with this disease. If you won't show me your recipe for (e.g.) enchilada sauce, do you really think I won't be able to get a recipe from your competitor?

But of course I could visit the same site using a VPN or a proxy. Do these idiots think they have protected themselves from EU legislation by guessing what jurisdiction applies to be based on my IP address? That doesn't work.

GDPR doesn't protect my IP address; it protects my person.

Phaete • November 13, 2018 2:18 PM

Only when good security practices become (far) more profitable than bad ones will we see a change.
So far only monetary penalties and public naming and shaming combat that cause.
Most other methods try to combat the symptoms, which usually fails in some predictable way.

This California law is a good thought about a small step in the right direction, but as with so many good thoughts, most lack impartial execution.
Companies will get a say (one way or another, especially in the USA) and the end result will be much diluted privacy with economic interests.

K.S. also stated that nicely.

Clive Robinson • November 13, 2018 3:09 PM

@ wiredog,

I have a personal policy of "No smart thingys in the house." Security is hard...

I also would add "No smart thingys in the utility supplies".

@ ALL,

As I've said before, smart meters etc. supposedly replace existing mechanical meters with a 25-50 year useful life... Whereas we have no crypto algorithms or systems with them in that have made it to the quarter century, and to be blunt I don't think we will in my time, or most of the rest of the people on this blog...

I really don't want some 400lb social reject with a vendetta spraying bytes like bullets into hundreds of people's meters in the depths of winter...

There is a proper way to develop such systems but nobody, and I really do mean nobody, is doing it.

It's why in the past I've said NIST could more usefully employ their time coming up with framework standards to address these issues rather than holding algorithm competitions....

echo • November 13, 2018 3:33 PM

@Clive

Exploiting a smart meter might also provide cover for covert agents not to mention criminals. I suppose this would be limited given "collect it all" surveillance and "needle in haystack" algorithms.

Clive Robinson • November 13, 2018 3:53 PM

@ Men in Black,

Isn't there a free market here?

Short answer "No and that's the way the vendors want it".

One of the primary requirements of a "free market" is "equity of arms", that is there is no "hidden knowledge" etc. by which one party --the vendors-- can gain an unscrupulous advantage over another party --the purchasers--; if not, then by definition it is another type of often regulated against, thus illegal, market such as a "Monopoly", "Cartel", or similar.

One of the problems with the software industry is it is an intangible market where you do not buy a tangible product, or inviolate right to use what is not a service. But is made to appear to be what is at best a highly biased lease, that is close to, if not actually tortious.

Clive Robinson • November 13, 2018 4:14 PM

@ echo,

Exploiting a smart meter might also provide cover for covert agents not to mention criminals.

To use the old saying "Oh boy, are you in for a surprise"...

The amount of information that can be leaked is immense. Not directly but as with traffic analysis by working with what is in effect metadata.

Most mechanical electricity meters have a quite low frequency integrating function. Which acts as a low pass filter of a fraction of a Hz, so much information is removed. A digital smart meter makes "complex" measurements at 10 or more times the mains actual frequency. Thus gathers a large amount of information, enough to work out what you are listening to or watching on the radio/TV and a great deal besides.

One such ability is to observe the behaviour of your fridge thus when you put stuff in and take it out. This can be tied to credit card statements etc. Also to the use of a microwave oven or more conventional electric oven when you have taken stuff out. From this it is possible to work out the number of people eating and what their tastes are...

Think of it as a form of "active bin-diving"...
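An added, constructed illustration of the sampling-rate point made in the comment above, not part of it: a one-minute load trace sampled at ten times the 50 Hz mains frequency is reduced to a step log that names each appliance by its wattage, while the same minute integrated into a single reading, as a slow mechanical meter would do, reveals only the total. The appliance schedule, wattages and function names are all my assumptions; the comparison shows why the meter's reporting interval is itself a privacy control.

```python
# Added example (mine, not from the comment): appliance steps visible at
# high sampling rate versus one integrated reading for the same minute.
from typing import List, Tuple

MAINS_HZ = 50
SAMPLE_HZ = 10 * MAINS_HZ      # "10 or more times the mains frequency"
DURATION_S = 60
BASE_LOAD_W = 100              # constructed always-on background load

# Constructed appliance schedule: (label, start_s, end_s, watts).
APPLIANCES = [
    ("fridge compressor", 5, 35, 150),
    ("microwave", 20, 25, 1100),
]


def build_trace(rate_hz: int = SAMPLE_HZ) -> List[float]:
    """Instantaneous power in watts, one value per sample."""
    trace = []
    for i in range(DURATION_S * rate_hz):
        t = i / rate_hz
        watts = BASE_LOAD_W
        for _, start, end, w in APPLIANCES:
            if start <= t < end:
                watts += w
        trace.append(float(watts))
    return trace


def detect_events(readings: List[float], rate_hz: float,
                  threshold_w: float = 50.0) -> List[Tuple[float, float]]:
    """Return (time_s, delta_w) for each step larger than the threshold.

    Each appliance has a characteristic step size, so at a high sampling
    rate this list is effectively a log of what was switched when.
    """
    events = []
    for i in range(1, len(readings)):
        delta = readings[i] - readings[i - 1]
        if abs(delta) >= threshold_w:
            events.append((i / rate_hz, delta))
    return events


def integrate(readings: List[float], rate_hz: float, window_s: int) -> List[float]:
    """Average power per window, mimicking a slow integrating meter.

    With window_s == DURATION_S the whole minute collapses to one number,
    which is all a billing process actually needs.
    """
    per_window = int(window_s * rate_hz)
    return [sum(readings[i:i + per_window]) / per_window
            for i in range(0, len(readings), per_window)]


def slow_meter_reading(readings: List[float], rate_hz: float = SAMPLE_HZ) -> float:
    """The single integrated reading a coarse meter would report."""
    return integrate(readings, rate_hz, DURATION_S)[0]


if __name__ == "__main__":
    trace = build_trace()
    for t, delta in detect_events(trace, SAMPLE_HZ):
        print(f"t={t:5.1f}s  step {delta:+7.1f} W")      # reveals each appliance
    slow = slow_meter_reading(trace)
    print(f"integrated minute: {slow:.2f} W average, "
          f"{len(detect_events([slow], 1 / DURATION_S))} steps visible")
```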

Sancho_P • November 13, 2018 5:37 PM

”It falls upon lawmakers to create laws that protect consumers.” (@Bruce, my emph)

Herein lies the problem.
Lawmakers make laws, politicians should make decisions.
Laws like SB 327 or the GDPR fight symptoms, but not the disease.
We don’t need more laws only to serve lawyers (“click here to consent”).
A decision would be to reinstate capitalism (e.g. before lex Bill?).
Too late, not happening.

echo • November 13, 2018 5:49 PM

@Clive

Yes and I daresay plenty of things can be inferred too. How useful it will be and why is a bigger question of course.

Steve Friedl • November 13, 2018 10:57 PM

@Men in Black
> Isn't there a free market here?

There's a large free market in crappy IoT gear, but the big deal (for me, at least) is the externality of harm to others.

I don't care if you get hacked because you bought a crappy IoT doodad, but I very much do care if your crappy doodad becomes a base to attack me.

Clive Robinson • November 13, 2018 11:31 PM

@ JG4,

That is oh so true...

You may remember something called "fuzzy logic" well back in the late 1980's it was thought it could add a little spice to AI running on quite resource limited machines... Which some modern kitchen "white goods" actually have rather more of in a single "System On a Chip" these days than high end mini-computers had back then.

I never really saw it as a viable technology at the time but Phillips/Mullard had a research place in Southern England, where they were looking into it.

Where they discovered however such research really did have a palpable dark side. Apparently one PhD researcher who was really into fuzzy logic augmented AI big style started to stop washing his clothes and stopped even semi-social contact with his co-workers. That none of them had said anything for over six months tells you just how socially unadjusted they all were in that lab...

Well it turned out that he was "living in the office" for real, as his girlfriend had booted him out. Apparently he could not understand why. So whilst still managing to do his assigned work, he spent much of his time trying to recreate his ex's personality in the computers in the lab using fuzzy logic AI so he could practice what to say to her to win her back...

When they fired him he went right over the edge accusing them of murder and broke back into the computing lab to rescue her... eventually he had to be sectioned under the UK mental health act.

AlexR • November 14, 2018 3:50 AM

At that point, it won't make sense to have two versions: one for California and another for everywhere else. It's much easier to maintain the single, more secure version and sell it everywhere.

That is not necessarily the case. If properly designed, one could toggle features on and off using configuration files, compiler switches, etc. Of course, it doesn't come with no effort, but such techniques have already been in use for {localization, "light" vs "pro" versions, adding branding on top of OEM software, cross-platform compatibility, ...}. There is no reason why the same approach cannot be used to adjust the behaviour of IoT devices.

Of course, once you have a nice and secure version, why invest into creating/maintaining another branch? Well, let's see:

  • They already have current, insecure versions, so unless the new ones will be re-written from scratch, they will be implemented as "some new layer on top of the existing code". Thus, they get the insecure version "for free" because they already have it.
  • Preserve backwards compatibility with deployed infrastructure.
  • "Because the insecure version has better usability" (e.g., easier to configure, no need to tinker with NAT, etc.).
  • "The more secure version will require a greater support effort" (e.g., we cannot remotely reset the password, people will complain about the device "not working" when it was simply not configured correctly).
  • The insecure version requires fewer chips and {is cheaper to produce, consumes less power, has a longer battery life, ...}
  • Having a more secure version is an opportunity to charge more money for it.

This law is still a good thing though.

Denton Scratch • November 14, 2018 6:11 AM

@Clive: "The amount of information that can be leaked is immense. Not directly but as with traffic analysis by working with what is in effect metadata."

I worked with a company that was analysing exactly that kind of fine-grained usage data (I worked with them on another project). They could separate out the signals from your fridge, your laptop, your telly, your cooker, your heating pump, your induction stove etc. At the time this kind of data could only be extracted in the US market; I don't know if the UK smart-meter market has now "caught up". The data (and the results of that analysis) would be made available to the energy suppliers that owned the meters.

Smart meters are being pushed on the premise that (a) consumers can be billed less for using power when demand is low; and (b) suppliers can get a more detailed picture of usage patterns, which supposedly helps with their wholesale dealing.

But knowing when my hair-drier is in use is of no value for either of those purposes; that kind of information is only of value to data aggregators, who can use it to refine their profile of me, and so target me more accurately for their advertising crud. (NOTE: actually I don't have much hair left, and I don't need a hair-drier - it's just an example)

FWIW I am ignoring all attempts to persuade me to let them install a smart meter.

Petre Peter • November 14, 2018 8:47 AM

If it will be up to the manufacturer to determine what reasonable security is, can we truly have standards that are enforceable?

CallMeLateForSupper • November 14, 2018 10:20 AM

@Men In Black
"It's 2018, and we as consumers still cannot buy a computer without Microsoft Windows (or perhaps Apple OS) preinstalled."

I understand your frustration with ubiquitous Microsquishy, but your statement is just not true. Have a look at https://system76.com/ for new computers with Unix preinstalled.

Personally, I took the cheaper route, assembling the 'puter and then d/l and installing a free DVD image of Unix.

vas pup • November 14, 2018 11:08 AM

Bravo California!
This State is always at the very front in protecting privacy/security of Californians. They adopted before many other regulations which have stronger protection, e.g. when you read (just being crazy) your banking account kind of agreement(you have zero power to negotiate, some insurance policies and other - you know what I am talking about - there is usually special paragraph with exemption for those living in California with more protection of privacy, restriction of data sharing, etc. The other important moment is that California GDP is greater than many other industrial countries, Russia. I mean same law adopted in Vermont (good state - nothing personal) will not have similar global impact.
Regarding federal regulations - they are not clear or create loopholes to negate main protections they have. E.g. (sorry - my sore point) caller id spoofing. It considered illegal if bad intention were present (kind of 'he said' - 'she said' argument occurred after terrible consequences took place) pure REACTIVE, but regulation should be PROACTIVE. Caller id spoofing should be illegal by its fact regardless of intentions. Period.

Please see below as fact supporting my point of view (but 'swamp' will listen if it touched them personally only - bitter observation):

Call of Duty 'swatting' death prankster pleads guilty:

A California-based gamer faces up to 20 years in jail after admitting crimes including making a hoax call to US police that resulted in them shooting an innocent man dead.

https://www.bbc.com/news/technology-46206616


"He[prankster] disguised his telephone number when doing so to make it appear to the Wichita Police Department that he lived locally."

echo • November 14, 2018 3:38 PM

My old electricity meter developed a broken diode which essentially gave me free electricity. This was a known design fault and the electricity company eventually replaced it.

Just for giggles when it was frosty and snowy and blisteringly cold outside I regulated the temperature of my house by opening and closing the windows including when friends visited. My sense of humour must be too obscure. Nobody said a thing! Of course, later patio heaters became all the rage, horribly wasteful things that they are, like outside air conditioning. The fun does wear off eventually. It's like jumping on the sofa when you have grown up and got your first place all of your own. It's not the same.

@AlexR

Can't we all just wait for the SCHNEiER version of the firmware?

Men in Black • November 16, 2018 11:06 AM

https://seekingalpha.com/news/3410390-blackberry-buys-ai-startup-cylance-1_4b?ifp=0

Small news item, but it strikes me odd.

Blackberry prides itself somewhat on security, which is a good thing, but Cylance is billed as "an artificial intelligence and cybersecurity company."

The goals and objectives of the acquisition include "enterprise security for the internet of things" and a "QNX unit that makes software for next-generation autonomous cars."

I want to know what they mean when they talk about "artificial intelligence."
