A smart thermostat, printer, security camera or lightbulb. Homeowners can now install these items that connect to the Internet, and life is suddenly much more convenient. But it can also be a big security risk.
Who should address that risk — government or the industry — will be a question before the California Legislature this year. Legislation introduced this month by Assemblywoman Jacqui Irwin, D-Thousand Oaks, would require that manufacturers equip smart devices with security features.
At issue is how to beef up the security on the billions of gadgets that connect to the Internet — the “Internet of Things” or “IoT” devices that the FBI last year warned have much less robust security features than a home computer or phone.
And consequently, the FBI warned, a cybercriminal can use compromised devices to facilitate attacks on other systems or networks, send spam emails, steal personal information, interfere with physical safety, and carry out distributed denial-of-service (DDoS) attacks.
“With billions of IoT devices already in our homes, offices, and public spaces and billions more expected to be added in the coming years, we must set minimum standards for security,” Irwin said in a statement to Techwire. “Recent large-scale DDoS attacks using IoT devices that were controlled through default passwords have made clear that unique authentication features need to be a cornerstone of any future IoT device.”
Among recent attacks was a big one in 2016 when hackers temporarily took down a number of corporate websites, including the New York Times, Airbnb and Twitter, by tapping into hundreds of thousands of routers, Web-connected cameras and other devices with what has been called the Mirai botnet. And security researchers are tracking more malware creations, according to MIT Technology Review.
For consumer advocates, Irwin’s measure is a welcome step toward protecting Californians, many of whom are unaware a hacker might be able to get onto their network and control their television or alarm system. A 2016 study by Accenture showed that consumers are clearly concerned, with 47 percent saying they wouldn’t buy a smart device because of privacy risks or security concerns.
But for manufacturers and the technology industry, Irwin’s approach is perhaps an unnecessary government mandate.
“You have to question whether this is something the government ought to weigh in on,” said Assemblyman Jay Obernolte, R-Big Bear Lake, who owns a video game development company.
Rather, Obernolte says, consumers should perhaps be given more information about the risks of Internet-connected devices so they can make their own decisions about what to purchase — a free-market approach that has worked in the past.
The California Manufacturers & Technology Association, which has not taken a position on the bill, said it is working with lawmakers to make sure technology bills are “not overly prescriptive, provide manufacturers with adequate notice of requirements, and do not create unnecessarily burdensome mandates that stifle innovation, especially in relation to the Internet of Things.”
“Consumer protection and cybersecurity are crucial for California manufacturers to lead the world in inventing the cutting-edge products that make up the Internet of Things,” Jarrell Cook, the association’s policy director, said in a statement. “It’s important for our state’s legal and regulatory framework to be as dynamic as the pace of innovation.”
Irwin’s bill, AB 1906, would require manufacturers that sell a connected device in California to equip it with reasonable security features — either a pre-programmed password unique to each device or a feature that requires the user to create a new password before the device can be used.
That requirement of a password, however, is a sticking point for the Electronic Frontier Foundation. The nonprofit digital civil liberties organization says that manufacturers have abdicated their responsibility to protect consumers and that government ought to step in.
“There are plenty of situations where passwords are not the best security feature,” said Jeremy Gillula, a senior staff technologist at the foundation. “I like the idea (of the bill) but not the implementation.”
The bill has not yet been assigned to a committee for review. In her statement, Irwin said she intended to work with stakeholders to ensure the provisions of her bill could be “implemented quickly and we can enter the era of smart homes, business, and cities without the specter of Internet-disabling botnets.”