An internet of things (IoT) bill that would mandate unique passwords for connected devices has been approved by the California state legislature.
It will be the first potential connected device regulation to come into effect in the United States if California Gov. Jerry Brown decides to sign it — however, some researchers say that the legislation, called Information Privacy: Connected Devices, fails to address fundamental issues plaguing IoT security.
The bill (SB-327) would require “reasonable security feature or features that are appropriate to the nature and function of the device.” More specifically, “if a connected device is equipped with a means for authentication outside a local area network,” any default password must be unique to each device; or, users must be prompted to set a unique password when he or she sets up the device.
Devices shipping with hard-coded passwords is a common problem which has led to vulnerabilities across multiple types of IoT devices, including the Samsung IoT Hub). But IoT security experts say that the bill doesn’t go far enough.
“The ‘reasonable security’ measures proposed in SB-327 are nice, but are sadly meaningless in the face of the security complexity introduced by connected devices,” Joe Lea, vice president of product at Armis, told Threatpost.
While issues have persisted for years, IoT security was really thrust under the spotlight when the 2016 Mirai botnet mounted a distributed denial of service (DDoS) attack through 300,000 vulnerable IoT devices, like webcams, routers and video recorders — and it showed just how many IoT devices lacked basic security posture.
Since then, from connected cars to power grids, the impact of IoT security issues seem to be getting graver (including privacy issues in connected consumer devices and the potential for dangerous industrial IoT system hacks). At the same time, the sheer scope of potential attack vectors is proliferating; for instance, Google Home devices, smart plugs and smart padlocks have all recently been in the spotlight for security flaws.
Given this, merely requiring better password hygiene as a security measure completely falls short, given the other issues that connected devices face, IoT experts say.
“Bad default passwords are problematic on multiple levels, so moving away from default passwords is a wise choice, but password hygiene won’t prevent other types of attacks targeting the tsunami of devices in the enterprise and the exposures they create,” Lea said. “There are other ways to attack these devices and exploit them. We need to recognize the extent to which these devices represent entryways onto enterprise networks and critical information.”
Anscombe said that he recently tested 12 IoT devices, such as smart scales and wearables, and found that they were susceptible to a broad array of vulnerabilities. For instance, he found that Nokia’s IoT scale (the Nokia Health Body+ Scale), which connects to mobile to collect data like body fat and BMI, was susceptible to a man-in-the-middle (MITM) attack between the Android app and the cloud, allowing hackers to intercept firmware updates and access that data.
“The law requirement for a unique password is a good progress but unfortunately, it is not enough,” said Ruth Artzi, Senior Product Marketing Manager at VDOO, in an email to Threatpost. “As written, the law only provides protections against the most basic automated threats. The law should be defined in a more specific manner, as the requirement for an ‘appropriate’ security procedure, depending on the device nature and function, is too ambiguous with no real mechanism to verify that the vendor took the appropriate steps. There should be clear standards per the device’s components that a manufacturer will be able to follow and a way to validate that the manufacturer designed to those standards.”
Security-by-design and privacy policies around IoT devices for manufacturers (and to an extent, end users) are another critical issue that isn’t addressed in the bill. For instance, security policies around penetration testing to identify vulnerabilities, or other design-level security measures, are vital for IoT security.
“This bill acknowledges that security considerations are lacking in the development of many embedded systems,” Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, told Threatpost. “What it doesn’t do is provide specific guidance as to how to deal with this issue, or implement security measures.”
If the bill, which was originally introduced by Sen. Hannah-Beth Jackson (D-Calif.), is signed by California’s governor, it will go into effect in Jan. 2020.
Moving forward, security experts agree that the bill is a step in the right direction – but more needs to be done in terms of understanding the complex IoT security landscape and implementing controls. Luckily, other regulation efforts around IoT — including Sen. Mark Warner’s (D-Va.) IoT Cybersecurity Improvement Act of 2017 — are also ramping up.
“IoT is the new attack landscape. Most connected devices have no inherent security or way to patch or update them,” said Armis’ Lea. “And it is a false sense of security to assume that simply because an IoT device is behind the firewall, it is safe. We showed that half a billion unmanaged and IoT enterprise devices are exploitable via DNS rebinding. Firewalls and network security would not protect these devices.”