Nov 19, 2018

Breaking Down the New California IoT Law

Recently California passed legislation regarding the security of all IoT devices sold in the state. As of January 1, 2020, all IoT products will be required to have reasonable security features in place to protect the device against unauthorized access, destruction, use, modification, and disclosure. The new law specifies that “reasonable security” includes an authentication process that does not rely on a local network, forces a unique password for each device, and requires users to create new credentials before gaining access. The legislation defines IoT devices as any device with an IP or Bluetooth address that can connect to the internet. So, does the law actually have teeth, and will it make us safer?

We believe that the California law in itself will not dramatically improve the security of devices or the safety of consumers. It is a recognition of the problem, and as such it will hopefully raise the visibility of security needs and of the long-term losses vendors face when they fail in the court of public opinion. But it falls short in a few key ways:

  • The risk of this legislation is confusion. It may signal to vendors and businesses that simply setting a custom password constitutes "reasonable" protection of data.
  • Furthermore, the California legislation really has no ‘teeth’ that would let vendors predict the hard, direct cost of a violation, as they can with other legislation such as the GDPR, enacted in the EU earlier this year. As such, vendors may decide it is worth the risk of non-compliance until California or others specify penalties for such actions.

Recommendations

Consumers need to raise their concerns about, and their expectations of, vendor security. Today desirable device behavior far outweighs the need for security in the minds of the early adopters driving sales of many consumer IoT devices, and the risks are not in the general consciousness.

Consumer protection and privacy organizations, together with leading security vendors, need to raise the visibility of security needs and of the steps consumers of these technologies must take on their own to reduce their chances of direct loss, or of their devices becoming part of a botnet that harms another business or society.

State and national legislatures need to treat the current legislation as a good first step, but augment it with specific penalties that will force compliance, and make clear that it does not fully exclude manufacturers from responsibility. The law is vague and opens the door to confusion and misinterpretation of ‘reasonable security.’ Organizations need complete visibility into their devices, applications and networks in order to protect customer data and navigate today’s dynamic threat landscape.

Rusty Carter

Rusty Carter is a security software executive with over 20 years’ experience, and the current Vice President of Product Management at Arxan Technologies, an application security company that provides application shielding and protection against reverse-engineering and tampering to the world’s largest companies. Prior to Arxan, Mr. Carter led product management at Symantec, McAfee, and Pulse Secure (formerly Juniper), and was responsible for the introduction and growth of multiple new products and lines of business. Mr. Carter holds international patents in the fields of information security, AI / machine learning, telecommunications, mobile devices, and user interaction. Mr. Carter’s background includes system and software architecture and engineering, and he holds a bachelor’s degree in Psychology from the University of Arizona.
