Podcast Dec 05, 2019

Root Causes 55: California's New IoT Security Law

California Senate Bill 327 (SB-327) goes into effect January 1, 2020. This groundbreaking law requires basic security measures for connected devices sold in California. Join us to learn what SB-327 requires from device manufacturers, which threats it protects against, and how this law is leading the way toward stronger IoT security practices.

  • Original Broadcast Date: December 5, 2019

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    So, today, we are going to talk about California Senate Bill 327, which is California’s IoT Security Law.

  • Jason Soroko

    Yeah. They were one of the first, definitely not the only one at this point.

  • Tim Callan

    Yeah.

  • Jason Soroko

    But, you know, Tim, I'm going to let you go through the facts and figures and explain what it is, and I've got a lot to say - - some opinions about it.

  • Tim Callan

    I bet you do.

  • Jason Soroko

    Yeah, I think, you know what? It's a good start. I think that one of the things we have to keep in mind is people think, hey, it's just California, but to be dead honest, there's no way you're going to build a device or be beholden to California law without your entire IoT device manufacturing taking this into account. Even though it's just one state out of 50, it's a very major state and you're not going to ignore it. And if you add that to the fact that very, very similar legislation has been passed in other jurisdictions, not just in the United States but worldwide, it kind of becomes the minimum standard.

  • Tim Callan

    Yeah, I think you are right. So, let's cover those facts and figures and then we can get into it. So, Senate Bill 327, the title of it is Security of Connected Devices. It was signed into law on September 28th, 2018, which is why it has the honor of being the first, because this was all the way back last year, more than a year ago, that this was signed in, and it goes into effect on January 1, 2020, and that's why we're making sure that we touch base on it now, because it is going into effect pretty soon. And then it's going to start to really matter. And you're correct - - this is a California law and as such, it has no power for enforcement outside of the state of California. But to your point, the general consensus is that for most use cases, for most devices and business models, it's probably easier to follow this law everywhere than it is to keep a close eye on what inventory is going into California and what inventory is going out of California. So, with probably few exceptions, what'll happen is this will have the force to make devices throughout the US or even beyond be compliant with the principles of this law.

  • Jason Soroko

    Yeah. You're not going to have multiple SKUs just for California.

  • Tim Callan

    Exactly. It's just not worth it. So, what is it? Before we get into the commentary, what does it say? So, the security that is required by the law is that the manufacturer - - and this is a direct quote - - “shall equip the device with a reasonable security feature or features”, and those will follow three criteria. The first one is that it's appropriate to the nature and function of the device. Second, that it's appropriate to the information collected or used. So, there's a point here about maybe the information is valueless or maybe it's very damaging. And then finally, it will protect from unauthorized access, destruction, use, modification, or disclosure. And then it goes on to describe these reasonable security features as either a pre-programmed password unique to each device or a password that the user can change to make their own. So, what this really gets around is, number one, devices with no password - which is really a thing, believe it or not. And number two, devices that all have the exact same password or shared secret that cannot be changed.

  • Jason Soroko

    Yes. That is the fundamental heart of this legislation. So even in what you read earlier - - whenever you see the term "appropriate" in legalese, these look like loopholes for certain kinds of manufacturers to be able to say, hey, my device is just a tiny sensor, or it's a toy, or it's something; therefore, I don't need to put this in. We'll have to see whether or not that actually changes the way the legislation is interpreted, but that's not really the important thing here. The important thing is that last piece you talked about, which is the mechanism to change the authentication credential. That is key. And, Tim, the point I want to pause on here, just to emphasize it, is that this is really, really a direct response to the Mirai botnet.

  • Tim Callan

    Yes. So, give us a very brief reminder for the listeners about why the Mirai botnet was so major. Right? When the Mirai botnet came out, it was just earth shattering. They were DDoSing things that people thought were un-DDoSable, and it was this real eye-opener. So, the Mirai botnet was huge in that services were getting DDoSed that people thought were un-DDoSable, essentially. And it's because so much power was being directed against them that nobody had ever seen a botnet with that much power before. And that was the Mirai botnet. And why was it that the Mirai botnet in particular just had so much more strength than anything we'd seen before?

  • Jason Soroko

    Sure. What we're talking about here, Tim, is really just power in numbers. The very first form of the Mirai botnet was, if I'm not mistaken, about closed-circuit televisions - - not televisions, but recording cameras. Each of those closed-circuit video recording cameras had a certain amount of computing power, not a ton within every device itself, but when you take millions and millions of them, all of which might have had no password or a default credential that let you take them over, the Mirai botnet was able to harvest into the millions of these types of devices. And since then, it has been able to harvest all kinds of other types of devices with the same kind of credential problem. These static credentials are a big, big issue.

    Yeah, Tim. So, the reason why the Mirai botnet fundamentally worked - - the root cause of why the bad guys were able to harvest so many millions of these devices - - really came down to these static credentials. Credentials that either were very easy to guess because perhaps they were published or they were known. Perhaps there might have even been a mechanism to change the administrator’s user name and password to authenticate to these devices. The problem is the users of these devices didn't change them. So keep in mind, all this legislation is calling for is a mechanism to change hard-coded static credentials. That is all that the legislation is calling for at this point. It's not even asking for encrypted communication tunnels or TLS mutual authentication. It's not calling for any of that. It really is just that mechanism to change a default username and password, for example.

  • Tim Callan

    Yeah. And the reason that this, I think, is necessary is that the victims of these botnets are not necessarily the people who use these devices and certainly not the people who sell these devices, and so there wasn't a built-in economic mechanism to solve this, right? If I'm giving you something that's very sensitive and you're going to store your sensitive, personal information on it, or it's going to do things that might compromise your safety, if it's a car or a home burglar alarm or something along those lines, then there's a built-in economic incentive for it to be secure. You as the purchaser want it to be secure. The manufacturer wants it to be secure, or someone wants it. In this case, you were talking about closed-circuit televisions or cameras, right? Nobody was worried about it. If somebody steals video of the parking lot, do you really care? And so, as a consequence, there wasn't that built-in mechanism, and what happened was these devices were used to harm other people who were not in that purchase-and-use chain in any way. And so the legislation puts a requirement on people to provide that minimum level of security.

  • Jason Soroko

    Yeah, that's right. It's a start. It's a start.

  • Tim Callan

    Yeah.

  • Jason Soroko

    You know, one of the areas we could go with this conversation, Tim, is to take a look at what other jurisdictions are doing. I think one of the most interesting ones that has come out is the proposed US federal legislation on this exact topic, which actually calls for quite a bit more than California. Sometimes California will call for more than federal, but in this case, it's the opposite.

  • Tim Callan

    Yeah.

  • Jason Soroko

    There are actually four main pillars, including things like checking to make sure that software development life cycles are even part of the consideration, so it goes quite far. The second pillar in the US federal legislation calls for identity management, which is really touching on what California has actually passed and will go into effect on January 1st. But they go a little further to say the definition of this will need to be set forth by NIST, and NIST since then, in July of this year, actually published its IoT guidance, which goes into a lot more depth and includes verbiage around things like protecting communications and firmware and all the other things that need to be protected on a device, not just the mechanism to change a static user name and password.

  • Tim Callan

    That's right. Because the static username and password thing obviously was a big, glaring problem, but it is far from all of the problems. I'm trying to think of an analogy - - it's like if you have a car that doesn't have any brakes and also might spontaneously burst into flames, and you got the brakes fixed. I guess that is good, but you might still die. And so this is a similar situation. There are a lot of other things that really need to be rectified as well, and the California bill, though positive, only rectifies one of those things.

  • Jason Soroko

    Yeah. I'm really glad that California did come out with this, because I think it was first, and I think it did set a good precedent and a good tone.

  • Tim Callan

    Yeah.

  • Jason Soroko

    On the other hand, I do think that the legislation being proposed at the US federal level, which goes quite a lot further, is really where we want to end up: legislation that calls not just for one fundamental but for several really good fundamentals, and also calls on a standards body such as NIST, who can really be more agile rather than having to propose legislation over and over, so that the guidance can be a living document that is perhaps not overly prescriptive, but can point the way.

  • Tim Callan

    Yeah. And we've talked in the past about how some jurisdictions are kind of bellwethers. We've mentioned Texas and energy. We've mentioned Germany and consumer privacy. I think you could argue California is well-equipped to be a first mover in this kind of legislation for something like IoT, just with the state's history with devices of these sorts and companies of these sorts. It's not really surprising to see that state move first. Also, the victims are as likely to be in California as anywhere else that people are hurt by these botnets. So, when you put all of that together, it's not surprising to see California was a first mover. I think it was real valuable for California to be that. It does look like the federal legislation, should it go into effect, will almost render the California legislation irrelevant.

  • Jason Soroko

    Yeah, I think it will, Tim. I think that's the point. It's not a bad thing. I don't think that that federal legislation has even passed yet, so in the meantime we'll at least have the California legislation. I think that if you're an IoT device manufacturer, you're looking at several jurisdictions simultaneously right now, with probably the US federal legislation at the center of how far you need to push it.

  • Tim Callan

    Yeah. And so it's good to say that they have to have passwords and they need to be changeable or unique, but obviously you and I think that with identity on devices there are still a lot of weaknesses, right? The obvious one is: what if you don't change the password? So, if you give people a device and you give them the ability to change the password and 98% of them don't do it, then that's only 2% better than not having that ability in the first place.

  • Jason Soroko

    Sure. And if you take a look at the advancements in the Mirai botnet and all of its many, many variations, one of the other issues, of course, is that even if you do change that password and it’s sent in the clear, because there's no encryption of the communications path, then you really haven't done much at all.

  • Tim Callan

    Right.

  • Jason Soroko

    This is really - - there are some things in security that are a speed bump to the bad guys, and this is a fairly low-bar speed bump.

  • Tim Callan

    Yeah. And even then, even if they do change their password, depending on the device and the type of attack, you still get into the fact that passwords themselves are not the strongest form of authentication, right? If I can steal your password, if I can social engineer away your password, then I can still gain access to your device. And again, depending on the type of the IoT device, that could be really damaging. So—

  • Jason Soroko

    Yeah, Tim, I think where you're going with that is true. However, I think the goal of the California legislation is anti-botnet and the problem with a botnet is this ability to mass harvest. Right?

  • Tim Callan

    Right.

  • Jason Soroko

    Whereas what you're referring to, which is dead correct, is: are you protecting yourself from being targeted? I think if you're being targeted and your mechanism is just a username and a password, you might be in trouble.

  • Tim Callan

    Right.

  • Jason Soroko

    On the other hand, the ability to mass harvest is, I think, what the California legislation is trying to address, to at least give people the chance to make the life of a botnet harvester more difficult. I think that's the goal. It’s really baby steps.

  • Tim Callan

    Sure. Yeah. And that's great. Right? I want to make sure I'm clear that I'm totally in favor of that. I think you're right. Where I was going, though, is we need to be thinking about more than just that.

  • Jason Soroko

    Yes. And thankfully the US federal legislation that's been proposed, as well as NIST, go quite a lot further than the California legislation. That's for sure. We could even tie in legislation we've seen out of Oregon, as well as the UK legislation, which is actually quite similar in some ways to California with a few little differences. We could probably podcast about that at some point in the future, but I think the US federal legislation takes it the furthest, as of right now.

  • Tim Callan

    Great. And so, of course, this is a PKI podcast, and it's probably not surprising that you and I are both of the opinion that PKI is a really, really, really good way to handle identity for devices.

  • Jason Soroko

    Yes. Not only will you be compliant with the California legislation that has been passed, but with just about every jurisdiction - - you will pass with flying colors if you actually use an asymmetric identifier for your device, especially with respect to the identity management portion of it. That's what PKI gives you. That's obviously my full-time day job, to educate people on this, but it’s almost like it can't be said enough.

  • Tim Callan

    Yeah. And so, if you want to be compliant, it absolutely helps with the compliance need. It also helps tremendously just with the security of your devices. So, again, if we're talking about a bunch of CCTV cameras or baby monitors or something else where you kind of say, eh, what's somebody really going to do with this, I don't really care, then maybe what you really care about is compliance. But you can move into lots and lots of device types where we care very deeply about ensuring the integrity of our devices, or we might get hurt. Right? And you and I have talked about that in the past; that could be process control meters and things along those lines, and so under those circumstances you have the added benefit of something like this: it is just plain more secure.

  • Jason Soroko

    Isn't it interesting, Tim, that legislation had to be passed anyway? Because, as you said at the top, if you're a manufacturer, your brand means something to you; it has value. But on the other hand, what we've seen a lot of companies do is to just ignore it, because there was some cost involved, some complexity involved, or perhaps it was going to take a little bit of time in order to implement a security mechanism, and time to market is just so valuable that these things just go completely by the wayside. If you couple those kinds of factors with what you said earlier about, hey, I'm an underdog, nobody is going to attack my stuff, there's really not that much privacy or that many things at risk here, therefore why would anybody directly attack this? - - I think that the botnet concept really shows why everybody needs to be worried, no matter what it is you create. And it's not just botnets for DDoS. You described the whole powerful DDoS mechanism created by these botnets, but we're also seeing things such as ransomware.

  • Tim Callan

    Yeah.

  • Jason Soroko

    In other words, people who are trying to monetize, based off of the fact that if you deny somebody their services through their device, you could ransom them. As well, we've seen Bitcoin miners, very, very tiny, light Bitcoin miners, on millions and millions of devices. So, it's kind of interesting: unless you live in the security world, where a lot of these kinds of concepts are somewhat intuitive, I think a device manufacturer is just not thinking about all the different bad ways their device could be used once it's out in the field.

  • Tim Callan

    Yeah, exactly. And it's sort of like, there's something very specific that I want this thing to do, and when I spec it, that's what I focus on, and then people go and they source parts and they put something together that does that specific thing, and you QA it and it passes the spec, and you go, okay, it's fine, and you put it into the world, and nobody ever considered this requirement. And that's what this law changes, right? Now it becomes a requirement that every product manager, when they're specifying a product like this and they want to sell it in California and they don't want to pay penalties, is going to work on this particular element of it, and in that sense, it's good.

  • Jason Soroko

    And thankfully, Tim, you know, we do have the consortiums.

  • Tim Callan

    Yeah.

  • Jason Soroko

    Which have PKI at the center of all of this, which shows that it's a proven, ubiquitous technology that will continue to be even more ubiquitous in your future life than it ever was. And a lot of IoT devices will have PKI protecting their identities, protecting their authentication mechanisms, perhaps without you even knowing it. But it's out there. It really is out there. I mean, like I say, my full-time day job is to help people to understand that. And the solutions to this are there.

  • Tim Callan

    Great. So that's it. It's California Senate Bill 327. It goes into effect on January 1. It definitely is important and, as we said, other legislation supersedes it, but for the moment it is on the cutting edge, and it definitely will change the world of device manufacturing. So, very exciting stuff. It's good to see some positive progress, and as always, thank you for your insights, Jay.

  • Jason Soroko

    Hey, thanks, Tim. We'll be keeping an eye on this to see what the outcome is next year.

  • Tim Callan

    You bet we will. And thank you, Listeners. This has been Root Causes.