In the past, I know I have written at least one blog on a topic called the “Internet of Things”, or “IoT” for short. Essentially, this is a concept in which we as individuals are connected on a daily basis to the objects that we interact with the most in both the real and virtual world.
There are many applications for this, one of them being as a means of positively confirming our identity on a very accurate level, even more so than what Biometrics can do.
Another application you may have heard about is the “Smart Home”. This is where everything in our home is interlinked with another, and all we have to do is say a command, and that particular object will be started, or a process will be completed.
This has already started to happen on a primitive scale, where we can use the Virtual Personal Assistants of both Siri and Cortana to issue the commands to. For instance, if we say to either one of them “Turn on TV or Stereo”, it will be done automatically.
To be honest, I have not kept too much with the world of IoT since then, except for reading about it in the headlines. But this morning, something caught my eye very quickly. There is actually a formalized IoT Bill of Security that was just passed in California at the end of August, and is now awaiting the signature from the Governor.
This Bill is a huge landmark, as this is the first of its kind ever in the United States. It is formally known as “SB-327”, and the details of it can be seen at the link below:
If there is no opposition to this Bill from the public and the Governor, it will become law effective as of January 1st, 2020. But, it is already having its fair share of critics. The main complaint is that it is still too vague, and does not address each and every Security issue surrounding the deployment and use of an IoT based infrastructure.
In fact, the main caveat of this Bill is that “. . . a manufacturer of a connected device shall equip the device with a reasonable security feature or features.” (SOURCE: https://www.zdnet.com/article/first-iot-security-bill-reaches-governors-desk-in-california/). But despite this, it does specify in some detail as to how the IoT device authentication process should appear, which as follows:
*If the IoT device comes with a default password, the password must be unique to each and every device;
*The device must force users to set up their own password whenever they set up the device for the very first time.
The idea behind this process is to ensure that the manufacturer of that particular IoT device does not have the same default password in two or more separate devices.
My thoughts on this?
Well, there you have it. That is pretty much the context of this new IoT Bill. This is another area where critics are pointing, is its lack of details. They claim that while the intentions of the Bill are good, there is just not enough substance behind it really offer any level of real Security. The critics are also pointing out that simply adding more Security features is not enough, it is far important to remove the “insecure” features of the IoT device in order to make is more secure (sound confusing yet???).
So, for example, what the critics want is to have something like the listening ports and cross-site/injection issues in web management completely removed. In other words, the goal is to decrease the Cyber attack surface of the IoT device, but rather to reduce it.
I agree with the critics on the first point of contention: That is what defines “reasonable security”? As mentioned, it could mean anything to anybody. For the average person, it could mean simply using a password, but to a Cyber security specialist, it may mean using Two Factor Authentication (2FA).
However, I do not agree with the critics on the second point of contention, which is reducing the attack surface. In theory, yes, this is ideal, and what one should aim for.
But right now, the IoT is such a murky application that it needs all the protection it can get, even if it means implementing firewalls and routers. Without such Security devices in place the IoT is much more prone and vulnerable to a Cyber-attack.
Also, it seems like to me this law was rushed in a haste in order to just have something in place, and look good. But what is the point if there is nothing substantial behind it?
Rather than having the individual states pass their own IoT Legislations, why can’t something be introduced in the Senate and Congress so that there is some uniformity for all of the states?
This would be ideal, but given the current political climate, it may not be a reality for a long time to come yet. But whatever Legislation is ultimately passed, it comes be literally updated in real time in order to keep with the dynamic world of the Internet of Things.