What is California’s IoT Security Law and why does it matter?
Over the past several years, the Internet of Things (IoT) has come to play an increasingly important role in our lives. Smart thermostats now heat our homes, smart home hubs help plan our lives, and smart wearable devices let us monitor our health.
However, IoT security is a growing concern as the number of connected devices increases: the International Data Corporation estimates that 41.6 billion Internet of Things devices could be operating by 2025. Despite all the fantastic benefits IoT technology has brought us, there can be no doubt that these devices still present a significant safety risk if they are not secured properly. As a result, it has never been more important to have a robust security framework in place that protects users’ data privacy.
The State of California has taken steps to reduce this risk, and in September 2019 signed a new IoT security law, which came into effect on January 1, 2020. This law is the first of its kind in the USA. It mandates that all IoT devices sold in the state must have ‘reasonable cybersecurity measures’ embedded. As such, from January 2020, enterprises trying to do business in California will have to deal with new guidelines and responsibilities under the IoT cybersecurity law.
What does the new law require?
More specifically, the law states that every device that can connect to the internet must now have a preprogrammed password that is unique to each device manufactured, or force users to set their own password the first time they connect.
The intention here is to get rid of generic default credentials that a hacker can easily guess. Indeed, manufacturers of IoT devices have often been criticised for posting their default device passwords online to aid in quick device setup. If smart device owners don’t change these passwords, they significantly increase the risk of being hacked. In January 2020, for example, a hacker was able to publish more than 515,000 passwords for connected devices that were still using factory-set default usernames.
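As an added illustration (not code from the law or from this article), here is one way a device's login logic could implement either option described above, together with a factory check that no two units share a password. The class and function names, the minimum length and the sample list of generic defaults are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample of generic defaults, for illustration only.
GENERIC_DEFAULTS = {"admin", "password", "12345", "root", "default"}

def provision_password() -> str:
    """Option 1: a random password generated per unit at manufacture."""
    return secrets.token_urlsafe(12)  # 96 bits of randomness

def shared_passwords(batch: dict) -> set:
    """Factory QA check: passwords assigned to more than one serial number."""
    counts = Counter(batch.values())
    return {pw for pw, n in counts.items() if n > 1}

class Device:
    """Hypothetical device login logic; all names here are illustrative."""

    def __init__(self, factory_password=None):
        self._salt = secrets.token_bytes(16)
        # No factory password means option 2: the owner sets one at first connection.
        self._hash = self._kdf(factory_password) if factory_password else None

    def _kdf(self, password: str) -> bytes:
        # Store only a salted, slow hash of the password, never the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)

    @property
    def needs_setup(self) -> bool:
        return self._hash is None

    def set_initial_password(self, new_password: str) -> None:
        if not self.needs_setup:
            raise PermissionError("password already set; authenticate to change it")
        # The 10-character minimum is an assumption, not a figure from the law.
        if len(new_password) < 10 or new_password.lower() in GENERIC_DEFAULTS:
            raise ValueError("password too short or a known generic default")
        self._hash = self._kdf(new_password)

    def login(self, password: str) -> bool:
        if self.needs_setup:
            # Fail closed: no access of any kind until the owner sets a password.
            raise PermissionError("first-time setup required")
        return hmac.compare_digest(self._hash, self._kdf(password))
```

A device built this way never has a working generic credential: it either ships with a password unique to the unit or refuses every login until the owner has chosen one.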
The bill has been praised as a good first step by some and criticized by others for its vagueness, especially because it provides little specificity on the types of penalties that can result from an offense, what the maximum penalties are, or if harm to consumers must be proven to seek such penalties.
How can you secure your IoT devices?
Although IoT laws are starting to become more common, consumers should still ensure they are doing everything in their power to avoid leaving the front door open to hackers.
To reduce your vulnerability, there are three key things you can do:
- Change the device’s default password and replace it with a strong one.
- Update the software with any patches the manufacturer creates.
- Review any default privacy and security settings of your IoT device to make sure you are comfortable with the level of protection they give you.
It’s great to see that governments across the world are recognising the importance of IoT security and are trying to create standard security legislation for these devices, which will better protect citizens. With measures like this law in place, IoT manufacturers will be forced to create devices that prioritise security and ultimately safeguard those who buy their products.