Stacey on IoT | Internet of Things news and analysis

Internet of Things

  • Home
  • Analysis
  • Startups
  • How-To
  • News
  • Podcast
  • Events
  • About
  • Advertise
  • Speaking
    • Facebook
    • RSS
    • Twitter
    • YouTube

Is the world ready for California’s new IoT laws?

December 2, 2019 by Stacey Higginbotham Leave a Comment

How secure should an Apple Watch be?

Two laws that deal with data privacy and IoT device security will go into effect on Jan. 1, 2020. Fortunately, most people building connected devices are ready for the transition, especially companies with big names and budgets. Also at an advantage are businesses that have had to adapt to the EU’s General Data Protection Regulation (GPDR), which went into effect in May 2018.

The California Consumer Privacy Act (CCPA) is probably the law with the most impact on businesses. Like GDPR, it aims to protect Californian’s consumer data and privacy by demanding that companies inform consumers about the data they, delete an individual’s data upon request, allow Californians to opt out of the sale of their data to third parties, and prohibit companies from charging more for features that protect privacy.

Lesser known is SB-327, which is the IoT Device Security Act (most people simply call it SB-327). This law demands that companies building connected products implement “reasonable security features” on said products. The definition of reasonable is vague, but the law does take into account the device’s function and the type of data it collects when determining how reasonable those security features actually are. The law also calls for devices that connect to the internet to have a unique password and to require that a user generate a new password or method of authentication when they fire up the device for the first time.

Together, the laws are forcing companies that want to sell products in California to assess  — and in some cases — revamp their security policies. Craig Payne, security and privacy officer with IoT platform provider Ayla, says that most of the requirements of the CCPA are already in place thanks to Ayla’s preparations for GDPR.

The biggest challenges when it comes to both CCPA and GDPR compliance originate with the service providers associated with Ayla. For example, text notifications about a product are sent using Twilio, which also has to comply with data privacy rules. With dozens of consumer brands serving Californians on Ayla’s platform, it has a good understanding of how prepared companies are for the law.

Determining if suppliers are compliant and getting everyone involved in building an IoT product to agree on what the rules mean would take time, and may not even be possible. A partner might interpret the law one way while Ayla interprets it a different way. And if the end consumer thinks the company isn’t obeying the laws pertaining to how the data needs to be handled, they could sue and get the court’s interpretation. In other words, it’s fair to say that many companies are going to view compliance as an ongoing process as case law around the laws matures.

Payne isn’t as worried about SB-327 because it’s something Ayla’s customers have to handle on the device side (although he says Ayla is prepared to handle anything needed in the cloud.) However, Jack Ogawa, senior director of embedded security products at Cypress Semiconductor, is less sanguine. He says it’s really unclear how California plans to test for compliance.

At issue is how unique the device password has to be as well as how it needs to be stored on the device. A security purist could argue that the password should be unique to each chip and should be implemented as the chip rolls off the manufacturing line. Additionally, the purist would argue that the device identifier should be stored in a secure enclave on the chip.

But if devices will require a secure enclave on the chip to store password data, that will be a significant change for device makers. “The vast majority of things don’t have a hardware root of trust,” Ogawa says. He adds that an even stricter interpretation of the law might require the device to store its identification in memory on the device as is done on chips destined for credit cards or devices that process payments. That would change the device requirements even more.

If the company must implement a secure password on the secure enclave early on in the manufacturing process, doing so will add even more cost and complexity. “At that point, you’re talking about custom silicon for each device,” he says. That’s an incredibly rigid interpretation, however, and he estimates the best practice would involve flashing a custom-device identifier on each product along with the device firmware right before it leaves the factory. Otherwise, it’s just too expensive.

Most companies making a connected light bulb or similar devices that don’t have access to a lot of sensitive consumer data are betting that a secure enclave would be overkill. But for companies building activity trackers, medical devices, or even smart displays, the data they have access to might push them into a category that needs a more secure password storage plan.

Unfortunately for those who want to know how this turns out, we’ll have to wait until the New Year when we start seeing decisions by California’s attorney general and California judges.

Want the latest IoT news and analysis? Get my newsletter in your inbox every Friday.

Share this:

  • Click to share on Twitter (Opens in new window)
  • Click to share on Facebook (Opens in new window)
  • Click to share on LinkedIn (Opens in new window)

Related

Filed Under: Analysis, Featured Tagged With: alexa, Apple, google, security

Sponsors



Become a sponsor

Subscribe to Blog via Email

Enter your email address to receive notifications of new posts by email.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

IoT Podcast

Listen to the latest episode of the Internet of Things Podcast. Just press play!

Sponsors

Become a sponsor







Get Stacey’s free weekly Internet of Things newsletter

  • This field is for validation purposes and should be left unchanged.

Recent Comments

  • Michael Rada on Podcast: Hacking sensors and securing medical devices
  • Jon Smirl on TP-Link Tapo Smart Plug with Matter: Simple and mostly smart
  • Lawrence K on TP-Link Tapo Smart Plug with Matter: Simple and mostly smart
  • Hugo on TP-Link Tapo Smart Plug with Matter: Simple and mostly smart

Stacey on Twitter

Tweets by gigastacey
Copyright © 2023 SKT Labs, LLC · Privacy Policy