California Eyes Questionable Legislation In Bid To Fix The Internet Of Broken Things

by Karl Bode, from Techdirt on (#3YPZ0)

If you hadn't noticed, the much-hyped internet of things is comically broken. WiFi connected Barbies that spy on your kids, refrigerators that cough up your Gmail credentials, and "smart" televisions that watch you as often as you watch them are all now the norm. And while this has all been the focus of a lot of humor (like the Internet of shit Twitter feed), security experts have been warning for a while about how introducing millions of security flaws into millions of homes and businesses is, sooner or later, going to come back and bite us all on the ass.

As security analysts like Bruce Schneier have pointed out, few people in this dance of dysfunction really care, so things tend not to improve. Customers often aren't even aware (or don't care) that their device has been compromised and hijacked into a DDoS-attacking botnet, and hardware vendors tend to prioritize sales of new devices over securing new (and especially older) gear.

Efforts to regulate the problem away are the preferred option for many. That's what California lawmakers are considering with the recent passage of SB-327, which was introduced in February of last year, passed the California Senate on August 29, and now awaits signing by California Governor Jerry Brown. If signed into law, it would take effect in early 2020 and mandate that "a manufacturer of a connected device shall equip the device with a reasonable security feature or features," while also taking aim at things like default login credentials by requiring devices to auto-prompt users to change their usernames and passwords.

But as you might expect, critics of the bill say it's not likely to actually fix the problem, in part because Chinese gearmakers (a major source of the problem) can simply ignore the law. Others say California's solution is superficial at best, given that just "adding security features" doesn't really help if the technology is fundamentally insecure at a structural level:

"It's based on the misconception of adding security features. It's like dieting, where people insist you should eat more kale, which does little to address the problem that you are pigging out on potato chips. The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add 'security features' but to remove 'insecure features'. For IoT devices, that means removing listening ports and cross-site/injection issues in web management. Adding features is typical 'magic pill' or 'silver bullet' thinking that we spend much of our time in infosec fighting against."

So if legislation isn't the solution, what is? Some believe transparency is a better bet, as exemplified by the Princeton computer science department's IoT Inspector, which aims to better educate users about what their devices are actually doing on the internet. Others, like Consumer Reports, have been pushing to include privacy and security issues as standard operating procedure in hardware reviews. Both could go a long way toward making it much clearer what kind of product you're actually buying and what it's doing, since many vendors (and their user interfaces) refuse to.

Whatever the solution, it's likely going to require a coordinated response by consumers, hardware vendors, governments, and security professionals alike. While there have been some scattered efforts around the world on this front, as a whole that's generally not yet happening. As folks like Schneier continue to argue, it's likely going to require IoT devices causing massive damage and a potential loss of life (say, via attacks on core infrastructure) before the willpower for such a super-union truly materializes.
