Week Ten

Hello! Welcome to this week's Ryan Report. Today, I will discuss the recently passed cybersecurity law in California regulating Internet of Things (IoT) devices.

In the security community, IoT has been a significant cybersecurity concern for a long time. The explosion of network-connected devices has posed cybersecurity risk because these devices frequently lack security capabilities. There have been large-scale distributed denial-of-service attacks carried out by botnets of IoT devices. These types of attacks on and using IoT devices are possible because of vulnerabilities like weak or hard-coded passwords.

California is hoping to address the cybersecurity vulnerabilities that IoT devices introduce by enacting this legislation, which goes into effect January 1, 2020. It applies to manufacturers of connected devices sold or offered for sale in California, and requires them to equip such devices with reasonable security features that are appropriate to the nature and function of such device and the information that it may collect, contain, or transmit.

If a connected device can be accessed outside a local area network with a password, the device must either:

  • Come with a password unique to each device, or
  • Require consumers to set a password (other than the default) before accessing the device for the first time.

Although the specific security requirements for IoT devices are limited to passwords, this legislation has significant potential to reduce the cybersecurity risk posed by the IoT. As I mentioned initially, weak, default, and hard-coded passwords make the compromise of IoT devices low-hanging fruit for cyber criminals and hackers. Hopefully, other states and perhaps even the US federal government will follow suit with similar laws.
