Illustration of a lock superimposed over a collage of home gadgets
  • The Noun Project
  • Business Impact

    California wants to stop hackers from taking control of smart gadgets

    A proposed state law would help bolster the security of internet-connected devices, but what’s really needed is federal action.

    California has been a pioneer when it comes to shaping policies to tackle everything from climate change to consumer privacy. Now it could take the lead in yet another area: cybersecurity for online gadgets.

    The state’s lawmakers have just sent California’s governor, Jerry Brown, draft legislation that aims to tighten the security of web-connected devices.

    If he approves it, California will become the first US state with a law specifically tailored for the internet of things (IoT).

    It’s not hard to see why such legislation is needed. Barely a day goes by without some new report of hackers compromising all kinds of products, from web-connected dolls to security cameras. And billions of new connected devices will be flooding onto the market over the next few years.

    Some experts think it’s only a matter of time before hacked gadgets cause serious injuries, and perhaps even kill people (see “For safety’s sake, we must slow innovation in internet-connected things”).

    California’s legislation, which would come into effect in January 2020, requires connected devices to have a “reasonable” security feature or features “appropriate to the nature and function of the device.”

    It also requires manufacturers to either create a different default password for every gadget they sell or prompt users to change a common default password before they use a device for the first time.

    All too often, gadgets still come with common hard-coded passwords. That means if hackers can crack the password, they can take control of a large number of similar devices. Other security controls governing things like communication with different devices vary widely, and often reflect industry-developed standards.
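    As an added illustration (not code from the article or from any device vendor), the following Python sketch models the two compliant options the bill allows: a per-device default password generated from a CSPRNG at manufacturing time, or a shared default that keeps network services disabled until the user replaces it. The class and function names are hypothetical.

```python
"""First-boot credential gate for an IoT device (added illustration, not vendor code).

Models the two options described in the article:
  1. a per-device default password generated at manufacturing time, or
  2. a shared default that must be replaced before the device is first used.
DeviceCredentialGate and its methods are hypothetical names.
"""
import hashlib
import hmac
import os
import secrets

SHARED_DEFAULT = "admin"  # constructed example of a common hard-coded default


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so a leaked credential store does not reveal plaintext defaults.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceCredentialGate:
    def __init__(self, per_device_default: bool):
        self.salt = os.urandom(16)
        # A shared default must be changed before the device goes into service.
        self.must_change = not per_device_default
        if per_device_default:
            # Unique default from a CSPRNG, never derived from serial or MAC.
            self.factory_password = secrets.token_urlsafe(12)
        else:
            self.factory_password = SHARED_DEFAULT
        self.pw_hash = _hash(self.factory_password, self.salt)

    def login(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)

    def services_enabled(self) -> bool:
        # Network services stay off until a shared default has been replaced.
        return not self.must_change

    def change_password(self, old: str, new: str) -> bool:
        if not self.login(old):
            return False
        if new in (SHARED_DEFAULT, self.factory_password) or len(new) < 12:
            return False  # refuse the shipped default and trivially short values
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new, self.salt)
        self.must_change = False
        return True
```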

    There are federal and state laws that dictate how consumer data gathered via IoT products should be handled. However, until now there hasn’t been legislation that focuses on IoT security.

    Some cybersecurity experts, like Robert Graham of Errata Security, have criticized the California legislation for being too vaguely worded, and for not doing more to stop firms from building insecure features into their devices.

    Supporters say that the potential threat of litigation will force manufacturers to focus more on security as they build their smart devices. “The [bill’s] language is deliberately very loose,” says Beau Woods, an Atlantic Council fellow specializing in information security, “but that’s to get companies to think about how they can make [products] secure by design.”


    There’s another good reason for not being overly prescriptive: things can change incredibly fast in cybersecurity, so what may seem like a reasonable defensive measure today could soon feel outdated.

    Still, the law could usefully have included a specific requirement that companies swiftly release patches for any security holes found in their products’ software. And it could have forced them to set up systems that make it easy for people to report flaws and be rewarded for doing so (see “Crowdsourcing the hunt for software bugs is a booming business—and a risky one”).

    The fact that it missed this opportunity doesn’t mean the draft legislation should be vetoed. If companies beef up their products’ security so they can keep selling them in California’s massive market, those changes will likely benefit other states too.

    California’s initiative could also spur action at the federal level, which is where the critical issue of IoT security really needs to be addressed.

    A couple of draft bills have already been floated in Congress, including one known as the IoT Cybersecurity Improvement Act of 2017. It would require companies doing business with the federal government to make sure their web-connected products use software that can be easily patched, don’t contain known security vulnerabilities, and have passwords that can be changed.

    The bills are languishing in committees. California’s legislative push could help breathe new life into them and generate bipartisan support for action.
