Beyond SB-327: Moving toward true IoT security
Faced with a threat environment of ever-multiplying attack vectors, legislators are working to make the digital world more secure. The California Consumer Privacy Act (CCPA), set to take effect on January 1, 2020, has grabbed most of the headlines in this regard, but a little-known bill called CA SB-327 was also recently passed in California. This bill is focused on IoT security and goes into effect on the same day as CCPA.
The goal of SB-327 is to stop manufacturers from shipping IoT devices with the same default password on every unit. Consumers rarely change that password, mostly because they do not know they should, and because the credential is shared across an entire product line, a single leaked default unlocks every device of that model.
SB-327 requires manufacturers of internet-connected devices to equip them with "reasonable security features," and it deems that requirement met if each device ships with a password unique to that unit, or if the device forces the user to set a new credential before first use. While some believe this will give consumers adequate security, the legislature has in effect mandated an archaic 20th century technology that has proven notoriously vulnerable.
That is, after all, what passwords are. This outmoded form of authentication is the leading cause of data breaches on the internet: Verizon's Data Breach Investigations Report has attributed more than 80% of hacking-related breaches to stolen or weak credentials. Add the botnets armed with billions of stolen credentials for replay in credential-stuffing attacks against websites, and the result is a major security risk to consumers not only in California but across the country. Combine that with the knowledge that even billion-dollar companies fail to recognize vulnerabilities in their own infrastructure or to detect attackers on their networks, as the recent Uber and Marriott breaches showed, and you begin to understand how ignorant and incompetent we appear from our adversaries' perspective. The sooner we as a society understand the threats we face, the sooner we can begin to take corrective measures.
Initial steps toward change
The drafters of SB-327 chose to replace shared default passwords with individual, preassigned passwords. The assumption is that IoT devices are unsafe because the particular passwords securing them are weak, rather than that the method itself, the password, is outdated. This underscores how slowly progress toward stronger, passwordless authentication is being made: far too slowly to protect us from nimble and capable attackers across the globe.
It is not for lack of alternatives that the problem persists. The FIDO Alliance, a non-profit standards group of more than 200 companies from around the world, has been working for more than five years to eliminate passwords from the internet. It has standardized three protocols (UAF, U2F and FIDO2, the last comprising WebAuthn and CTAP) that have had dozens of implementations on the market for the past four years. What is missing is awareness that such systems exist and the resolve to use them to protect ourselves.
Had the lawmakers been better informed, they likely would have opted to recommend a FIDO protocol in this law. In 2017, NIST published Special Publication 800-63-3, "Digital Identity Guidelines," whose highest authenticator assurance level for federal use, AAL3, calls for a hardware-based cryptographic authenticator that resists verifier impersonation, requirements that FIDO hardware authenticators are designed to meet.
Then the organization put its money where its mouth is, so to speak. The NIST National Cybersecurity Center of Excellence (NCCoE) has completed two projects and is working on a third in which FIDO protocols were specifically chosen to address mission-critical problems for public safety and first responders and to mitigate the risk of e-commerce fraud on the internet. The NCCoE has also published practice guides to assist anyone choosing to adopt this stronger authentication capability.
Additionally, multiple U.S. federal agencies are starting to incorporate FIDO-based authentication technology into their web applications, while the UK government has named deployment of FIDO-based strong authentication as one of its most important initiatives in its five-year cybersecurity plan.
The passwordless opportunity
SB-327 will go into effect in just a few months. It presents an opportunity for enterprising companies to move into this niche with a better alternative for authenticating humans to devices. The vast majority of these devices need nothing more elaborate than FIDO authentication used as the sole credential: the device registers the first authenticator key presented to it as the administrator's key (trust on first use) and thereafter accepts only signed challenge responses from registered keys, with no password anywhere in the flow. (U2F was specified as a second factor; using it as the only factor is a deliberate simplification that suits a device with a single owner.)
Such a device never needs to store more than two registered keys, typically the administrator's key and one backup or household key. Because the manufacturer controls both the device and the client, it can fix much of the protocol in advance: a constant application identifier, no browser-style client data, and a single signature format to verify. Given the price of basic U2F authenticators on e-commerce sites, a manufacturer could even bundle a free U2F authenticator with each $50 IoT device to bootstrap the process, and open-source FIDO-certified software exists to help manufacturers bootstrap the device side.
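As an added example, not code from the original article or from the FIDO Alliance, here is a Go sketch of the device-side logic the two paragraphs above describe. It assumes the device acts as its own relying party with a fixed AppID (the hostname thermostat.local is made up), rebuilds the U2F authentication message (SHA-256 of the AppID, a user-presence byte, a big-endian 32-bit counter, the challenge) and checks an ECDSA P-256 signature over it, registers the first key presented as the administrator, requires an admin assertion for the second key and refuses a third. The token is simulated by a plain key pair and the caller's own counter so the whole thing runs offline; the key handle and challenge in main are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrRefused       = errors.New("both key slots taken or handle already registered")
	ErrAdminRequired = errors.New("a valid assertion from the admin key is required")
	ErrBadSignature  = errors.New("unknown handle or signature does not verify")
	ErrCounter       = errors.New("counter did not increase: replay or cloned token")
)

// RegisteredKey is everything the device persists per registered token.
type RegisteredKey struct {
	Pub     *ecdsa.PublicKey
	Counter uint32 // last counter accepted, for replay and clone detection
	Admin   bool
}

// Assertion is a token's signed answer to one challenge.
type Assertion struct {
	Handle  []byte // opaque value the token chose at registration
	Counter uint32
	Sig     []byte // ASN.1 DER ECDSA signature over signedData()
}

// Device is the IoT device acting as its own relying party. With no browser
// involved it fixes the U2F AppID itself (assumed: its hostname) and keeps at
// most two keys, indexed by key handle.
type Device struct {
	AppID string
	keys  map[string]*RegisteredKey
}

// signedData rebuilds the U2F authentication message and hashes it:
// sha256(appID)(32) || userPresence(1) || counter(4, big-endian) || challenge(32).
func signedData(appID string, counter uint32, challenge [32]byte) []byte {
	appParam := sha256.Sum256([]byte(appID))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(append(append(appParam[:], 0x01), ctr[:]...), challenge[:]...)
	sum := sha256.Sum256(msg)
	return sum[:]
}

// Verify checks the signature before the counter, so a forgery can never
// advance the stored counter; the counter must strictly increase.
func (d *Device) Verify(challenge [32]byte, a Assertion) (*RegisteredKey, error) {
	k, ok := d.keys[string(a.Handle)]
	if !ok || !ecdsa.VerifyASN1(k.Pub, signedData(d.AppID, a.Counter, challenge), a.Sig) {
		return nil, ErrBadSignature
	}
	if a.Counter <= k.Counter {
		return nil, ErrCounter
	}
	k.Counter = a.Counter
	return k, nil
}

// Register is trust on first use: the first key presented becomes the admin
// key (proof is ignored); a second needs an admin assertion over challenge;
// a third, or a handle already present, is refused.
func (d *Device) Register(handle []byte, pub *ecdsa.PublicKey, challenge [32]byte, proof Assertion) error {
	if len(d.keys) >= 2 || d.keys[string(handle)] != nil {
		return ErrRefused
	}
	first := len(d.keys) == 0
	if first {
		d.keys = map[string]*RegisteredKey{}
	} else if k, err := d.Verify(challenge, proof); err != nil || !k.Admin {
		return ErrAdminRequired
	}
	d.keys[string(handle)] = &RegisteredKey{Pub: pub, Admin: first}
	return nil
}

// NewKey makes a P-256 key pair for a simulated token.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// SignAs answers a challenge the way a U2F token would; the caller plays the
// token and supplies its own monotonically increasing counter.
func SignAs(priv *ecdsa.PrivateKey, handle []byte, counter uint32, appID string, challenge [32]byte) (Assertion, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(appID, counter, challenge))
	return Assertion{Handle: handle, Counter: counter, Sig: sig}, err
}

func main() {
	dev, handle, challenge := &Device{AppID: "thermostat.local"}, []byte("token-01"), [32]byte{7}
	priv, _ := NewKey()
	fmt.Println("TOFU admin registration:", dev.Register(handle, &priv.PublicKey, challenge, Assertion{}))
	a, _ := SignAs(priv, handle, 1, dev.AppID, challenge)
	_, err := dev.Verify(challenge, a)
	_, replay := dev.Verify(challenge, a)
	fmt.Println("login:", err, "| replayed login:", replay)
}
```

Two details carry most of the security value here. The challenge is bound into the signed message, so a captured response is useless against any other challenge, and the device must generate each challenge with a CSPRNG and discard it after one use. The counter check turns a cloned token into a detectable event: once the genuine token has signed with counter n, a clone that starts from a lower value is rejected, which is why the signature is verified before the stored counter is ever touched.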
Even though consumers agree that passwords are inconvenient and ultimately ineffective, people are reluctant to forgo them because they are familiar; it is the way things have always been done. But when passwords are responsible for the vast majority of hacking-based breaches, it is time to admit that what was meant to keep us safe is actually putting us in jeopardy.
Legislators are on the right track in terms of keeping consumers safe. They passed CCPA to safeguard consumer data and keep it private, and they passed SB-327 to protect consumer IoT devices. But more must be done, because one kind of liability has been exchanged for another. An opportunity remains to enable a stronger method of authentication through a modified SB-327 and to begin strengthening our digital infrastructure. As a business or consumer, though, don't wait for the law to catch up with reality: you can secure access to many popular websites, Gmail, Facebook and Twitter among them, right away with a FIDO security key, at little more than the price of a latte.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.