Written by Paul Karazuba, head of product, Rambus Security
Passed by former California governor Jerry Brown, cybersecurity law SB-327 is slated to go into effect on January 1, 2020. This proactive legislation requires manufacturers to equip IoT devices with “reasonable” security features to prevent unauthorized access, modification and data leaks. Specifically, SB-327 requires manufacturers to implement a unique preprogrammed (default) password for each device. Additionally, manufacturers must ensure that users create a new password the first time a device is activated. Together, these steps are expected to help protect California consumers, as hackers are known to routinely target vulnerable devices shipped with generic or default login credentials.
From our perspective, SB-327 is clearly long overdue. Indeed, unprotected IoT devices continue to pose a threat to both consumer privacy and security across the country. For example, a Ring camera installed in the Memphis bedroom of a young girl was recently hijacked by a hacker who seized control of the device to spy on the 8-year-old, taunt her with music and encourage destructive behavior. Another instance of a Ring camera falling victim to a hacker was reported in December by a Houston family who heard an eerily disembodied voice ask if “anyone [was] home” and promised it was “gonna find out.”
According to various reports, the recent spate of Ring hacks likely involved basic attack techniques such as credential stuffing, in which attackers take stolen username and password pairs from earlier breaches and replay them against a service in large-scale automated login requests. Consequently, Ring users who don’t enable the optional two-step authentication, skip setting a unique password, or recycle credentials across multiple online services are at greater risk of being hacked. To be sure, malicious hackers have coded dedicated software for breaking into Ring security cameras. Beyond Ring cameras, a wide range of vulnerable consumer IoT devices are frequently targeted by hackers who actively search for devices with default or weak login credentials such as “admin” usernames and “1234” passwords.
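To make the two SB-327 requirements concrete (a unique factory default per device, and a forced password change at first activation), here is an added example of a device login path; it is illustrative code written for this post, not Rambus or Ring code, and the lockout threshold and minimum password length are assumptions.

```python
import hashlib, hmac, os, secrets

MAX_FAILED = 5         # assumed lockout threshold, blunts automated guessing
MIN_PASSWORD_LEN = 12  # assumed minimum for the user-chosen password


class DeviceAuth:
    """Login path of one device: unique factory default, forced change at activation."""

    def __init__(self, serial):
        self.serial = serial
        # Per-device default from a CSPRNG at manufacture: not derived from the
        # serial or MAC, so one leaked device password reveals nothing about others.
        self.default_password = secrets.token_urlsafe(12)
        self._salt = os.urandom(16)
        self._hash = self._derive(self.default_password)
        self.activated = False      # default credential only valid until first activation
        self.failed_attempts = 0

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password, new_password=None):
        """Return 'locked', 'denied', 'must-change', 'activated' or 'ok'."""
        if self.failed_attempts >= MAX_FAILED:
            return "locked"
        if not hmac.compare_digest(self._derive(password), self._hash):
            self.failed_attempts += 1
            return "denied"
        self.failed_attempts = 0
        if self.activated:
            return "ok"
        # First activation: the default password may only be used to set a new one,
        # and the new one may not simply repeat the default.
        if (not new_password or len(new_password) < MIN_PASSWORD_LEN
                or new_password == self.default_password):
            return "must-change"
        self._salt = os.urandom(16)
        self._hash = self._derive(new_password)
        self.activated = True
        return "activated"
```

Once activated, the factory default is rejected for good, so a leaked default list is useless against devices already in service.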
Although SB-327 sets an important precedent by requiring a unique preprogrammed (default) password for each IoT device, we believe much more needs to be done to secure connected devices. Security starts at the hardware level, and it should begin on day one of product design. Device designers need to treat security as a primary design goal of a connected device, not an afterthought, and certainly not lip service. A solid start is basing the foundation of your security in silicon; specifically, a siloed security co-processor capable of executing all security-centric processes completely independently of the main CPU.
Our CryptoManager Root of Trust is an ideal implementation. While located on the same chip as the main CPU, its physical separation and 7 layers of hardware security ensure that secure processes remain exactly that – secure. The root of trust can better help protect consumers by enabling robust remote access authentication and monitoring of anomalous system activity. This siloed approach to security ensures that a potential compromise of the main processor does not expose critical keys and credentials – or impair the execution of security applications that monitor system operation and detect tampering.
Cybersecurity law SB-327 is a good start for California consumers, although far more needs to be done to comprehensively protect IoT devices. Implementing a unique preprogrammed (default) password for each device and requiring users to create a new password can help prevent basic attacks, although a siloed security co-processor is necessary to thwart determined adversaries and complex hacking techniques.
California’s IoT Law Is A Good Start, But More Needs To Be Done