As the consumer IoT installed base is expected to reach 13 billion units by 2020, we've seen some noteworthy IoT safety legal movements in the past few months. In this issue of our home network security monitoring series, we provide an update on the latest proposed IoT security regulations.
Oregon bill proposed for IoT devices to have "reasonable security features"
At its third reading in April, the Oregon Legislative Assembly passed House Bill 2395, which proposes that device manufacturers equip connected devices with "reasonable security features" to protect said devices from unauthorized access. The bill lists potential security features, including:
- Devices' having unique preprogrammed passwords
- Devices' requiring that the user generate a new means of authentication prior to their first use
- Devices' being compliant with security measures dictated by federal regulations or law
Oregon appears to be following suit of California, which last year became the first state with an IoT cybersecurity law when Senate Bill 327— a bill that also focuses on the manufacturer's role in securing IoT devices— was passed. The Oregon Bill has since moved forward to the Senate; you can view the activity log for updates.
Update: On May 23, 2019, House Bill 2395 was passed by the Senate, making Oregon the second state to have an IoT cybersecurity law in place.
Consumer IoT security regulations proposed by UK Government
The UK Government's regulatory proposals for consumer IoT security also mandate that manufacturers should equip their devices with unique passwords. However, this requirement is part of a larger effort— a new device labeling system that aims to signify to the consumer how secure a particular device actually is off-the-shelf.
According to the proposals' May 2019 consultation by the Department for Digital, Culture, Media & Sport (DCMS), the labeling system would require that IoT devices meet the following guidelines to obtain a security label and thus be allowed on store shelves:
- The manufacturer should set unique default passwords that are not allowed to be reset to a universal factory value.
- The manufacturer should offer a point of contact to whom users can report vulnerabilities or issues.
- The manufacturer should clearly state the length of time in which security updates will be made available for the device.
The UK Government began a Secure by Design initiative last year, which includes guidance on achieving IoT security for both manufacturers and consumers. This consultation is part of that initiative, and will run until June 5, 2019.
Takeaway
These rulemaking proceedings each highlight the importance that device credentials play in overall IoT security. In his recent IoT Agenda blog on the Nest account hacks, Minim Co-founder and CTO Alec Rooney also points out the role that general account password security plays:
"These attacks were successful because end users tend to reuse credentials — usernames and passwords — as they create accounts all over the internet. As we have seen in the news, some of those accounts and services get compromised, and then those credentials leak out onto the dark web, where attackers can try those same credentials against other sites, like Nest accounts. Many of them fail, but some of them will succeed and will lead to hacked accounts."
And while these rulemaking proceedings each focus on the part that manufacturers play in overall device security, end users shouldn't think they are in the clear. Securing IoT devices requires action from all parties involved, and Alec shares that end users can start by:
- Never reusing credentials across different accounts
- Adopting two-factor authentication for all accounts
But, these are just the first steps. Minim is on a mission to make comprehensive network-level security simple and accessible. Follow along @MinimSecure and let us know if you're interested in learning more!
