
California, Oregon lead the way on smart home security

Legislators are focused on how smart devices protect our information. They are worried enough about the details sent back and forth—and how they are protected—to start pushing for laws that demand more security for consumers.

Sen. Mark Warner (D-VA) co-sponsored a bill on this front in 2017. It failed, but the bill, now called the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, is back in play.

The state of California has beaten them to it, passing a similar bill, SB 327, which was signed into law in September 2018 — and goes into effect on January 1, 2020.

Oregon is also moving swiftly with House Bill 2395, which passed its House of Representatives on April 16 and is now moving toward its Senate. These state laws may seem less important than a federal bill — but they have their place too, believes Sivan Rauscher, CEO and co-founder of Sam Seamless Network. This cybersecurity tech platform works in the home to protect devices at the router level.

California and Oregon want manufacturers to assign passwords unique to each new device (iStock)

"State bills are crucial on a national level as manufacturers lack an understanding of cyber security and need more than laws - they need guidance to make their products safer," said Rauscher by email. "The IoT legislation helps push awareness that we need to solve the security problem - getting manufacturers to write secure code, helping users understand the dangers involved and ensuring the telcos/service providers can protect the end-users."



How important is the security of smart devices? If recent data leaks are any indication, it appears very important to lawmakers. More than two billion data records were stolen in 2018 alone around the world, reports CB Insights, a research firm.

Credit card companies may give people a pass on the charges made to their accounts from stolen numbers or even hackers. But consumers are saying they want more protection around their other details: passwords, emails and passport numbers, just some of the personal data companies lost control over in 2019 alone.

In 2019, data breaches have made consumers' emails, passwords and even passport numbers vulnerable (iStock)

To people in the U.S., companies don't seem to be able to get a handle on protecting their information. That's why 67 percent want the government to step in on their behalf. Those are the findings of a survey conducted by the data analytics firm SAS in December 2018. At that time, consumers were already taking matters into their own hands, with 77 percent changing their privacy settings, 56 percent deleting apps on their mobile devices, and 65 percent declining those lengthy terms of agreements.

State by state

The Oregon bill requires that each specific device sold have its own unique password. That's critical to avoid brute force attacks, where a hacker pushes through a basic password to crack into multiple devices. The reason that can happen so easily is that companies typically make smart products, whether they're a smart light bulb or a router, with the same password, such as "password," so consumers can launch them easily.

The expectation is that people would change their password — they often do not. That makes it simple for a hacker to use "password" to break into not just one device but thousands — as long as people haven't changed the code.

California's bill to add security measures for smart devices passed last year (iStock)

California's law would require manufacturers to add a "reasonable security feature or features" to connected devices sold or offered for sale in the state. Like Oregon's law, California demands that each "preprogrammed password is unique to each device manufactured."

Oregon's law also requires that manufacturers selling products in the state be in "compliance with requirements of federal law or federal regulations that apply to security measures for connected devices," reads the bill.

In other words, if the federal government adds even stricter rules — companies need to follow those, too.


Federal law

The federal law would create cybersecurity requirements around IoT devices by March 31, 2020. A request to speak with someone from Sen. Warner's office was not returned. But the bill appears to state that vendors would have to make sure "their devices do not contain any known security vulnerabilities, uses industry-standard technology, and don't have any fixed credentials."

Oregon's bill to require more security in IoT products is working its way to the state's senate. (iStock)

Would that be enough to lock down and protect everyone from data breaches and potential hacks? Unlikely. But federal and state guidelines on smart devices and their security bring a level of basic protection—one that today isn't even there.

"The IoT legislation currently being considered is to create a standard for IoT devices with security in mind," said Sam Seamless Network's Rauscher. "The idea is to set security standards as a minimum. Even if they can enforce the laws, I think the legislation alone will not be enough as laws alone won't prevent cyber security attacks completely, but it's a step in the right direction."


