{"id":16970,"date":"2019-11-22T09:10:10","date_gmt":"2019-11-22T17:10:10","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/11\/22\/news-10707\/"},"modified":"2019-11-22T09:10:10","modified_gmt":"2019-11-22T17:10:10","slug":"news-10707","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/22\/news-10707\/","title":{"rendered":"IoT bills and guidelines: a global response"},"content":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Fri, 22 Nov 2019 16:27:47 +0000<\/strong><\/p>\n<p>You may not have noticed, but <a href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/12\/internet-things-iot-security-never\/\" target=\"_blank\" rel=\"noopener noreferrer\">Internet of Things (IoT)<\/a> rules and regulations are coming whether manufacturers want them or not. From experience, drafting laws that are (hopefully) sensible and relevant to the problems raised by current technology is a time-consuming, frustrating process.<\/p>\n<p>However, it\u2019s not that long since we saw IoT devices go mainstream\u2014right into people\u2019s homes, controlling real-world aspects of their day-to-day lives, and also causing mishaps and <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/07\/iot-domestic-abuse-can-stop\/\" target=\"_blank\" rel=\"noopener noreferrer\">serious issues<\/a> for the people dealing with them.<\/p>\n<p>The theoretical IoT wild west may be drawing to a close, so we&#8217;re taking a look at some IoT-related bills and guidelines currently in the news.<\/p>\n<h3>Where did this all begin?<\/h3>\n<p>You\u2019ve probably seen articles in the last few days talking about multiple upcoming changes and suggestions for IoT vendors, but in actual fact the first steps were taken last year, when California decided the time was ripe for a little IoT regulation.<\/p>\n<p>If you sell or offer for sale an IoT device in California (and for the bill\u2019s purposes that means essentially any Internet-connected 
device), it must be equipped with &#8220;reasonable security features.&#8221;<\/p>\n<h3>Bills, bills, bills<\/h3>\n<p>Here\u2019s the <a href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/billNavClient.xhtml?bill_id=201720180SB327\" target=\"_blank\" rel=\"noopener noreferrer\">text of the California bill<\/a>.<\/p>\n<p>The key parts are these:<\/p>\n<blockquote>\n<p><em>\u201cConnected device\u201d means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.<\/em><\/p>\n<\/blockquote>\n<p>A connected device is as wide-ranging as you\u2019d expect, and that\u2019s a good thing considering anything from your printer to your refrigerator could be communicating with the big wide world outside.<\/p>\n<p>That\u2019s great\u2014but what, exactly, is a reasonable security feature?<\/p>\n<p>Next up:<\/p>\n<blockquote>\n<p><em>(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:<\/em><\/p>\n<p><em>(1) The preprogrammed password is unique to each device manufactured.<\/em><\/p>\n<p><em>(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.<\/em><\/p>\n<\/blockquote>\n<p>We\u2019re essentially in password town. If the shipped password is unique to each device and not something you can recover by plugging a serial number into Google, or the device owner is forced to create a new password the first time they fire it up, that counts as \u201creasonable security.\u201d Note the scope, too: this safe harbor is spelled out only for devices that can be authenticated to from outside the local network; anything else falls back on the general \u201creasonable security features\u201d standard in subdivision (a).<\/p>\n<h3>One small step for IoT<\/h3>\n<p>Is that enough, though? 
Some US-based legal eagles <a href=\"https:\/\/www.darkreading.com\/iot\/californias-iot-security-law-causing-confusion\/d\/d-id\/1335863\" target=\"_blank\" rel=\"noopener noreferrer\">suggest it isn\u2019t<\/a>, and they may well have a point. If IoT legislation doesn\u2019t end up considering things like secure communication, tamper resistance, updates, or even what happens when a device is no longer supported, then this could become messy quickly.<\/p>\n<p>Even so, cheap devices with zero password functionality built in are commonplace, and they are an absolute curse for anyone trying to secure a network and keep its users safe.<\/p>\n<p>The California bill applies to any connected device sold or offered for sale in California; it doesn\u2019t matter where the device was made. If your password\u2019s name isn\u2019t down, it\u2019s not getting in\u2014for want of a better and considerably less mangled expression.<\/p>\n<p>This is due to come into force on the first of January 2020, not only in California but <a href=\"https:\/\/news.bloomberglaw.com\/privacy-and-data-security\/connected-device-makers-face-california-oregon-security-laws\" target=\"_blank\" rel=\"noopener noreferrer\">also in Oregon<\/a>. It seems the US is taking the potential for IoT chaos seriously, and I\u2019d be amazed if similar laws don\u2019t go live in additional states in the near future.<\/p>\n<h3>Tackling the IoT problem globally<\/h3>\n<p>It\u2019s <a href=\"https:\/\/www.gov.uk\/government\/collections\/secure-by-design\" target=\"_blank\" rel=\"noopener noreferrer\">not just the US<\/a> trying to get a grip on IoT. 
<a href=\"https:\/\/www.zdnet.com\/article\/australia-releases-draft-iot-cybersecurity-code-of-practice\/\" target=\"_blank\" rel=\"noopener noreferrer\">Australia just pushed out<\/a> a draft, voluntary <a href=\"https:\/\/www.homeaffairs.gov.au\/reports-and-pubs\/files\/code-of-practice.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">code of practice: securing the Internet of Things for consumers<\/a> [PDF]. Spread across 13 principles, it is significantly more in-depth than the California bill, which so far leaves a lot of areas up for debate. The 13 principles tackle communication security, updates, the ability to easily scrub personal data, and more besides.<\/p>\n<p>Of course, we should temper our expectations somewhat. The US laws go live in two states only, and there doesn\u2019t seem to be much (or any!) information with regard to punishment, fines, or anything else.<\/p>\n<p>Additionally, you as a consumer can\u2019t do anything off the back of the bill directly; enforcement would have to come from the California Attorney General or a similar authority. On the other hand, as impressive as the Australian code is\u2014and it is still under consultation\u2014it\u2019s currently only voluntary.<\/p>\n<p>Even so, getting people in a position of authority to think about these issues is important, and at the very least these guides will help people at home to make considered, informed decisions about the technology they allow into their homes on a daily basis. 
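<\/p>\n<p>To make the California bill\u2019s two password options concrete, here is an added example (not code from the original post or from any device vendor): a small Python model in which the shipped password is derived from the serial with a factory-held HMAC key (option 1), a production-line check catches duplicate defaults, and the device refuses authentication from outside the local network until the owner has replaced the shipped credential (option 2). The factory key, serial numbers, 12-character credential length and 8-character minimum are assumptions made for the demonstration.<\/p>\n

```python
# Added example, not code from the Malwarebytes post or from any vendor:
# a minimal model of the two safe-harbor options in the California bill.
# The factory key, serial numbers and password policy below are made up
# for the demonstration.
import hashlib
import hmac
import secrets

# Hypothetical per-product-line secret. It lives only in the factory's
# provisioning system, never on the device, on the label or in a manual.
FACTORY_KEY = bytes.fromhex('3f8a1c9e77d04b2a5e6c1d0f9b8a7c6d')


def weak_default_password(serial: str) -> str:
    # The pattern the bill is meant to end: the default is a function of
    # the printed serial alone, so anyone who sees the label (or finds the
    # generator online) can recover it, and devices with the same suffix
    # share it.
    return 'admin' + serial[-4:]


def unique_default_password(serial: str) -> str:
    # Option (1): a preprogrammed password that is unique per device and
    # cannot be derived from the serial without FACTORY_KEY. The label
    # printer is handed only the output, never the key.
    mac = hmac.new(FACTORY_KEY, serial.encode(), hashlib.sha256).hexdigest()
    return mac[:12]


def fleet_defaults_unique(serials, generator) -> bool:
    # Production-line check: a batch of shipped defaults must contain no
    # duplicates, whichever generator produced them.
    defaults = [generator(s) for s in serials]
    return len(set(defaults)) == len(defaults)


class Device:
    # Option (2): the device refuses authentication from outside the local
    # network until the owner has replaced the shipped credential.
    MIN_PASSWORD_LEN = 8

    def __init__(self, serial: str, shipped_password: str):
        self.serial = serial
        self._salt = secrets.token_bytes(16)
        self._password_hash = self._hash(shipped_password)
        self.credential_rotated = False

    def _hash(self, password: str) -> bytes:
        # Salted, iterated hash so a dumped flash image does not hand over
        # the password directly.
        return hashlib.pbkdf2_hmac('sha256', password.encode(), self._salt, 100_000)

    def _check(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self._password_hash)

    def set_owner_password(self, current: str, new: str) -> bool:
        # First-use step: the shipped credential may only be used to set a
        # new one. Reject a wrong current password, a short replacement, or
        # a replacement identical to the shipped value.
        if not self._check(current):
            return False
        if len(new) < self.MIN_PASSWORD_LEN or new == current:
            return False
        self._password_hash = self._hash(new)
        self.credential_rotated = True
        return True

    def authenticate(self, password: str, from_local_network: bool) -> bool:
        # Access from beyond the LAN is the case subdivision (b) targets:
        # deny it outright while the shipped credential is still in place,
        # so an Internet-facing device with a stale default is unreachable.
        if not from_local_network and not self.credential_rotated:
            return False
        return self._check(password)


if __name__ == '__main__':
    batch = ['A1-0001', 'B1-0001', 'C1-0002']
    print('serial-derived defaults unique:', fleet_defaults_unique(batch, weak_default_password))
    print('HMAC defaults unique:', fleet_defaults_unique(batch, unique_default_password))
    shipped = unique_default_password('A1-0001')
    dev = Device('A1-0001', shipped)
    print('remote login with shipped password:', dev.authenticate(shipped, False))
    print('owner sets password:', dev.set_owner_password(shipped, 'correct horse battery'))
    print('remote login after rotation:', dev.authenticate('correct horse battery', False))
```

<p>Two things the run makes visible. First, the batch uniqueness check is necessary but not sufficient: a serial-derived default passes it whenever the suffixes happen to differ, and it is the keyed HMAC that stops the default being recomputed from the label, which only holds as long as the factory key stays off the device and out of the documentation. Second, the gating in option (2) is on the remote path specifically: LAN logins with the shipped credential still work, which is what lets the owner complete the first-use setup. Real firmware should prefer a memory-hard password hash over the PBKDF2 used here where the hardware allows it.<\/p>\n<p>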
Some good first steps, then, but we have a long way to go.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/privacy\/2019\/11\/iot-bills-and-guidelines-a-global-response\/\">IoT bills and guidelines: a global response<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/privacy\/2019\/11\/iot-bills-and-guidelines-a-global-response\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Christopher Boyd| Date: Fri, 22 Nov 2019 16:27:47 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/privacy\/2019\/11\/iot-bills-and-guidelines-a-global-response\/' title='IoT bills and guidelines: a global response'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/11\/shutterstock_235654321.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>IoT laws and guidelines abound, as we take a look what&#8217;s happening around the world in the name of securing Internet-connected devices.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/iot\/\" rel=\"category tag\">IoT<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/privacy\/\" rel=\"category tag\">Privacy<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/australia\/\" rel=\"tag\">Australia<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/california\/\" rel=\"tag\">California<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/internet\/\" rel=\"tag\">internet<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/internet-of-things\/\" rel=\"tag\">Internet of Things<\/a><a 
href=\"https:\/\/blog.malwarebytes.com\/tag\/iot\/\" rel=\"tag\">IoT<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/iot-laws\/\" rel=\"tag\">iot laws<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/iot-legislation\/\" rel=\"tag\">iot legislation<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/passwords\/\" rel=\"tag\">passwords<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/technology-laws\/\" rel=\"tag\">technology laws<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/technology-legislation\/\" rel=\"tag\">technology legislation<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/uk\/\" rel=\"tag\">uk<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/united-states\/\" rel=\"tag\">united states<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/us\/\" rel=\"tag\">us<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/privacy\/2019\/11\/iot-bills-and-guidelines-a-global-response\/' title='IoT bills and guidelines: a global response'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/privacy\/2019\/11\/iot-bills-and-guidelines-a-global-response\/\">IoT bills and guidelines: a global response<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[1709,1683,4314,6269,10495,23519,23520,10602,5897,23521,23522,6674,403,544],"class_list":["post-16970","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-australia","tag-california","tag-internet","tag-internet-of-things","tag-iot","tag-iot-laws","tag-iot-legislation","tag-passwords","tag-privacy","tag-technology-laws","tag-technology-legislation","tag-uk","tag-united-states","tag-us"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16970","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16970"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16970\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16970"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16970"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16970"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}