What do smart fridges, helpful robots, and Amazon’s Alexa all have in common? The Internet of Things (IoT). Even if you aren’t already well acquainted with the IoT, you have most likely heard of it in passing. The IoT’s elusive and ever-changing nature makes the concept difficult to define. Likewise, many cyber experts explain it differently, a fact that slows legislation regarding IoT security. Yet, with Gartner Inc. estimating that society will use 20.4 billion connected devices by 2020, it’s imperative that IoT security awareness increases. Did you know that California just passed Internet of Things legislation to improve cybersecurity? Find out more with this helpful article.
What Is in the New Bill?
Passed in August 2018 and signed into law in September, California’s new IoT law includes both Bill 327 and Assembly Bill 1906. Jointly, the bills seek to increase the security of “smart devices.” As defined by the bills, a “connected device” refers to any device or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address. Compliance begins on January 1, 2020.
The IoT bill requires manufacturers to duly consider and implement security features for all functionality stages of connected devices. Functionality simply refers to how information will be used: collected, stored, and transmitted. Manufacturers must be able to show that, to the best of their ability, they implemented security measures designed to prevent “unauthorized access, destruction, use, modification, or unauthorized disclosure.” Notably, manufacturers will not bear the security responsibility for third-party software or applications. Likewise, device sellers and application marketplaces do not fall under the new bill’s jurisdiction. In regard to existing legislation, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Confidentiality of Medical Information Act, California’s IoT law will act as a supplement, building on those existing laws.
Who enforces the law? – Attorney general, city/county counsel, and district attorneys
What is not in the New Bill?
The bill does not require manufacturers to alert customers every time a security patch becomes available or when information is being collected. Both requirements existed in previous versions of the proposed bills, but legislators scrapped the stipulations due to fears of impeding tech development. The sole defining factor of the law, and its most specific requirement, is that manufacturers must prompt users to create a new password on activation/connection of a device.
Why is the bill important?
While this law by no means covers every facet of the IoT, it signals a start to more IoT legislation in the future. The push for greater IoT security gained momentum after the 2016 Mirai botnet attack that crippled Twitter, Netflix, and Reddit. The botnet compromised routers and security cameras and used them to mount a successful DDoS attack. The issue at play: default passwords. The IoT bill now requires that IoT device manufacturers include unique passwords for each device or require users to create one. Lawmakers designed the password requirement to work in tandem with California’s Consumer Privacy Act of 2018, which also goes into effect in January 2020.
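The password requirement described above (a unique preprogrammed password per unit, or a forced password change before the device grants access) can be built into a device’s first-use provisioning flow. The following is an added example written for this article; it is not code from the article, from RSI Security, or from any manufacturer, and the class names, the constructed denylist of common defaults, and the 12-character minimum are assumptions chosen for illustration. It models both compliance routes and keeps remote management disabled until the credential requirement is met.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed, illustrative denylist: credentials a compliant device should
# neither ship with (unless it forces a change) nor accept as a replacement.
COMMON_DEFAULTS = {"admin", "password", "123456", "12345678", "default", "root"}
MIN_LENGTH = 12          # assumed policy value
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the device keeps only the salt and digest."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_policy(candidate: str) -> Tuple[bool, str]:
    """Checks applied to a replacement credential chosen by the user."""
    if candidate.lower() in COMMON_DEFAULTS:
        return False, "is a commonly used default"
    if len(candidate) < MIN_LENGTH:
        return False, f"must be at least {MIN_LENGTH} characters"
    return True, "ok"


@dataclass
class Device:
    serial: str
    per_device_factory_password: bool   # True = route (a), False = route (b)
    label_password: Optional[str] = field(init=False, default=None)
    provisioned: bool = field(init=False, default=False)
    _salt: bytes = field(init=False, repr=False, default=b"")
    _digest: bytes = field(init=False, repr=False, default=b"")

    def __post_init__(self) -> None:
        if self.per_device_factory_password:
            # (a) Each unit leaves the factory with its own random secret,
            # printed on that unit's label and shared with no other unit.
            self.label_password = secrets.token_urlsafe(12)
            self.provisioned = True
            initial = self.label_password
        else:
            # (b) A shared default is tolerable only because access is refused
            # until the user replaces it (the mandatory first-use prompt).
            initial = "admin"
        self._salt, self._digest = hash_password(initial)

    def authenticate(self, password: str) -> bool:
        _, digest = hash_password(password, self._salt)
        return hmac.compare_digest(digest, self._digest)

    def login(self, password: str) -> str:
        """Outcome of a login attempt on the management interface."""
        if not self.authenticate(password):
            return "denied"
        return "granted" if self.provisioned else "password-change-required"

    def network_services_enabled(self) -> bool:
        """Remote management stays off until the credential requirement is met."""
        return self.provisioned

    def set_password(self, current: str, new: str) -> Tuple[bool, str]:
        if not self.authenticate(current):
            return False, "current password incorrect"
        if self.authenticate(new):
            return False, "must differ from the current credential"
        ok, reason = password_policy(new)
        if not ok:
            return False, reason
        self._salt, self._digest = hash_password(new)
        self.provisioned = True
        return True, "password changed; device provisioned"
```

A device built on route (b) answers every login with “password-change-required” and keeps its network services off until `set_password` succeeds; a device built on route (a) is provisioned out of the box because its factory credential is already unique to that unit.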
The Consumer Privacy Act requires a business to…
- Inform users about personal information that is being collected about them
- Provide information on how personal information is sold or disclosed and to whom
- Grant consumers the right to deny access to their information
- Ensure no price penalty is imposed on individuals who exercise the above rights
- Provide information when requested by a consumer
- Acknowledge the “opt-out” right of consumers (i.e., upon consumer request, businesses must stop disclosing customer information)
Understanding the IoT
The IoT makes life easier, without a doubt, but it also increases security concerns. Bruce Schneier, Chief Technology Officer of IBM Resilient, highlighted a key fact to understanding the IoT — computers are no longer simply embedded in devices; rather, devices connect to computers. This concept encompasses devices that collect data (e.g., fitness trackers), machines that analyze and process data (e.g., computers), and, lastly, actuator devices (i.e., devices that use the information and analysis to make a choice and take action). The overall point is that security breaches no longer affect only one device; a well-targeted attack can create a domino effect. Health providers and industries exemplify the severe implications of IoT attacks. Consider life support machines and organ implants (e.g., innovative IoT-monitored organs); they depend on secure IoT networks. As technology progresses, it’s not beyond the realm of possibility to consider a hacker launching an attack on an implanted heart monitored by an IoT device. To gain a better understanding of how important IoT laws and security considerations are, consider the following comparison of benefits and drawbacks.
Benefits
- Efficiency – IoT devices increasingly perform menial tasks and allow employees and households to focus more time on meaningful work.
- Environmental Sustainability – Utilizing IoT devices in homes allows families to consciously track water usage and temperature irregularities. Likewise, businesses can monitor energy inputs and outputs. IoT devices possess the unique ability to self-adjust and reduce resource waste.
- Connectivity – As long as the Internet is present and reliable, IoT devices allow for clear and timely communication. Both the public and business world benefit from IoT communication platforms. Collaborating at school or sharing a presentation at work becomes much easier and encourages better communication. Rather than making a mistake at work because they did not want to waste time asking for clearer instructions, employees can simply send a quick message to their superiors and receive almost instant confirmation.
- Cost effectiveness – The IoT significantly reduces or nullifies transportation and printing costs. Additionally, IoT devices that monitor the functionality of other devices can catch malfunctions quickly, saving manufacturers additional losses.
- Access – The IoT allows for remote access to information. More importantly, that information can be updated in real time. Co-workers can communicate while traveling or working from home.
Drawbacks
- Privacy – IoT devices involve numerous connections on a daily basis and store or have access to a large amount of personal data. This makes a breach, to a certain extent, more detrimental.
- Complexity – The many connection points IoT devices access mean one loophole could put the entire system at risk.
- Dependency – The more dependent society becomes on the IoT, the greater the security risk these devices and networks pose.
All the positive uses for IoT encourage developers to continue innovating and pushing the boundaries of “connected device,” despite the drawbacks. However, in order for this innovation to continue, a certain level of trust between consumers and producers must be strengthened. The IoT requires two levels of trust: the consumer trusts the company to implement proper security at its mid/endpoints, and the company expects the user to also implement security measures (e.g., make a strong password). The public tends to prioritize time and convenience over security. For example, despite all the warnings security experts espouse, people connect to unsecured Wi-Fi networks simply because the network is conveniently available. Customers assume the Wi-Fi providers already implemented some kind of security measure. Consequently, businesses providing IoT connection or devices must consider strong wireless encryption (e.g., WPA2). While the majority of responsibility lies with the developer, educating the public and publicizing laws (like California’s new IoT law) empowers society as a whole to better protect their IoT devices.
Payments and the IoT
The IoT undeniably improves payment efficiency, but the process also creates new threat vectors for attackers to target. For example, payments via tablets, watches, and phones increase the prevalence of what the Secure Technology Alliance terms “machine-to-machine” payments. Top IoT payment sectors include automotive (e.g., smart parking), home, wearables, industrial, and retail. Examining smart homes alone reveals the implications of unsecured IoT devices. For example, a smart refrigerator captures data, stores data, analyzes data, and finally responds (e.g., buys more groceries). Throughout each of those steps, personal information is at risk.
IoT Payment Risks
- Security updates depend on the capabilities of the remote devices. For example, if a device has limited memory and processing power, standard updates become more difficult.
- IoT payments inevitably access large amounts of personal data (including habits and payment credentials).
- Manufacturers often ship IoT devices with minimal or “open” credentials.
Although California’s bills lack details on specific standards for the payment card industry, they do specify the need to protect against modification or unauthorized disclosure. Consequently, manufacturers, particularly in the payment industry, must seek to increase the security of products prior to shipping. This includes password management, using unique passwords or immediately prompting users to create strong passwords on opening/first using the product. Other resources provide further insight for better securing IoT payments. Several key precautions to consider include:
- Implementing tokenization/digitization of credentials
- Using card lifecycle management
- Communicating with vendors and software providers regarding security testing
- Developing a security framework specific to IoT payment methods
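Credential tokenization, the first precaution listed above, replaces the card number with a surrogate so that the appliance and its vendor backend never hold the real payment credential; only a separately protected vault can map the token back. The following is an added example written for this article, not code from the article or from the Secure Technology Alliance. The vault class, the HMAC-keyed lookup index, the constructed index key, and the use of the well-known Visa test number 4111111111111111 as sample input are all assumptions for illustration; the token deliberately fails the Luhn check so it can never be mistaken for a real card number.

```python
import hashlib
import hmac
import secrets
from typing import Dict


def luhn_valid(number: str) -> bool:
    """Standard Luhn check digit test used for payment card numbers."""
    total = 0
    for position, ch in enumerate(reversed(number)):
        digit = int(ch)
        if position % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class TokenVault:
    """Stands in for the hardened, PCI-scoped tokenization service.

    Only this component ever sees a real PAN; the IoT device and the
    vendor backend store nothing but the token it hands back.
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key          # keys the PAN lookup index
        self._by_index: Dict[str, str] = {}  # HMAC(PAN) -> token
        self._by_token: Dict[str, str] = {}  # token -> PAN

    def _index(self, pan: str) -> str:
        # Keyed hash so the lookup table itself does not reveal card numbers.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        idx = self._index(pan)
        if idx in self._by_index:
            # Same card yields the same token, so a repeat customer is recognisable
            # without the merchant ever storing the PAN.
            return self._by_index[idx]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]      # keep last four digits for receipts/display
            # A token must be unique and must fail Luhn, so it can never be
            # confused with (or misused as) a genuine card number.
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_index[idx] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can recover the PAN, at payment authorisation time."""
        return self._by_token[token]


def enroll_card_on_device(vault: TokenVault, pan: str) -> dict:
    """The record an appliance keeps after enrolment: token and display hint, no PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}
```

If the device record is later exposed, the attacker obtains a token that is useless outside the vault, and the vault can revoke or rotate it without the card itself being reissued.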
Additionally, IoT devices each possess a different level of personalization. The more personalized an IoT device, the more data will likely be collected and analyzed. When possible, utilizing anonymous intermediaries offers a means of reducing the amount of personal information in the IoT. For example, reloadable transit cards act as an intermediary that can be reloaded and used by the same individual; however, no information is stored.
California’s new IoT bills specify that manufacturers implement “appropriate” security controls on IoT devices. Most experts would likely agree that such measures, at a minimum, cover storage, transit, and authentication.
As noted above, credentials serve as a key aspect of those measures. Yet passwords alone are not enough; how those tokens or cryptographic keys are stored also requires due consideration. The Secure Technology Alliance outlines three methods: on the IoT device, in the cloud, or on a different device. If manufacturers choose to store data on an IoT device, they must implement a secure element (SE) or store data in a Trusted Execution Environment (TEE). A TEE keeps data separate from the main operating system; in that environment, the data can be stored and processed (almost like an isolation room in a laboratory). The hardware must be capable of protecting the data while it is “at rest” on the device. If, instead, a manufacturer chooses to store payment credentials in the cloud, the connection between the IoT device and the cloud must also be secured. Lastly, two IoT devices may interact in the course of a payment transaction (e.g., a smartphone).
Ideally, security measures block attackers who attempt to intercept and manipulate data (e.g., rerouting a monetary transaction). Two highly recommended security measures are Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL). The TLS protocol protects data transferred via IoT devices by encrypting that data in transit. SSL encapsulates multiple security protocols. If transit occurs through email, devices must encrypt the data prior to transit or use PGP or S/MIME encryption tools to strengthen email security. For non-web transmissions (e.g., database to application), utilizing a cryptographic algorithm is also recommended.
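Encrypting the device-to-cloud connection, as recommended above, only protects the transaction if the device also verifies who it is talking to; a TLS connection that accepts any certificate still lets an interposed host reroute the payment. The following is an added example written for this article using Python’s standard `ssl` module; it is not code from the article or from the Secure Technology Alliance. It places the weak client configuration that hurried firmware often ships beside the corrected one, and adds a small audit function a reviewer could run over either. Note that current TLS libraries disable the legacy SSL protocol versions outright, and `create_default_context()` does so here; the minimum-version choice of TLS 1.2 is an assumption reflecting common practice.

```python
import socket
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The weak configuration: the device speaks TLS but trusts any certificate.

    check_hostname must be cleared before verify_mode can be relaxed; a context
    like this lets any host on the path impersonate the payment backend.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """The corrected configuration for a device-to-cloud connection."""
    # create_default_context() requires and verifies the server certificate
    # chain, checks the hostname against it, and disables SSLv2/SSLv3.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1 as well
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise about a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    return findings


def negotiated_version(host: str, port: int = 443, ca_bundle: Optional[str] = None) -> str:
    """Open one hardened connection and report the negotiated protocol (needs network)."""
    ctx = hardened_client_context(ca_bundle)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

Pinning the device to a private CA bundle (the `ca_bundle` argument) rather than the public root store is the usual next step for a fleet that only ever talks to its own backend, since it shrinks the set of certificates the device will accept.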
Numerous methods now exist to authenticate users. Although passwords remain in use, voice recognition and biometrics continue to gain popularity. The unique nature of biometric credentials makes it harder for attackers to compromise user data. For example, an electrocardiogram (ECG or EKG) possesses the same unique-to-every-individual characteristic as fingerprints. More notably, ECG credentials resist replay attacks (capturing a legitimate authentication exchange and retransmitting it later) and spoofing (pretending to be another individual).
California’s IoT law received mixed reactions, with some applauding the first step toward securing the IoT. However, others believe Bill 327 looks “backward” and should instead focus on an ‘isolation’ mode on the Wi-Fi access point that prevents devices from talking to (or infecting) each other. Other current IoT bills under review include the IoT Cybersecurity Improvement Act of 2017, the IoT Consumer TIPS Act, and the SMART IoT Act. Regardless of whether these national bills pass in the near future, entities should seek to stay ahead of the curve by taking cues from state laws like California’s. To learn more about cybersecurity solutions, cybersecurity services, and how California’s IoT bill may impact your business, contact RSI Security today.