We’re Not Telling You the Rules

California has passed the first law in the United States (SB-327, effective January 1, 2020) regulating the security of Internet-connected devices. Manufacturers of those devices are going to have a hard time complying, though, because apart from one concrete provision about passwords the bill never defines what it actually requires:

This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.

The California bill doesn’t define exactly what a ‘reasonable security feature’ would be but it mandates that connected devices come with unique passwords that users can change, which isn’t the case for many IoT products. If someone can log into the device outside a LAN, then it must have either preprogrammed passwords that are unique to each device (no more default login credentials) or a way to generate new authentication credentials before accessing it for the first time.
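To make the one concrete requirement tangible, here is an added sketch (not from the original post, and not code the bill prescribes) of the two credential schemes the summary above describes: a per-unit factory password generated at manufacture, or no remote credential at all until the owner sets one on first use. The class and function names, the PBKDF2 parameters and the minimum length are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import List, Optional, Tuple

# Assumed parameters for the illustration; the statute specifies none of these.
PASSWORD_ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 100_000
MIN_PASSWORD_LEN = 12


def make_unique_factory_password(length: int = 16) -> str:
    """Option 1: a password generated per unit on the production line.

    It comes from the OS CSPRNG, not from the serial number or MAC address.
    Anything printed on the label or broadcast on the LAN is not a secret, so a
    password derived from it can be recomputed by whoever reads it.
    """
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a salted PBKDF2 digest, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class ConnectedDevice:
    """A device whose login is reachable from outside the LAN.

    Either it was provisioned with a unique factory password (option 1), or it
    ships with no credential and refuses remote login until the owner sets one
    locally (option 2). A shared default such as admin/admin fits neither path.
    """

    def __init__(self, factory_password: Optional[str] = None) -> None:
        self._credential: Optional[Tuple[bytes, bytes]] = None
        if factory_password is not None:
            self._credential = hash_password(factory_password)

    @property
    def remote_login_enabled(self) -> bool:
        return self._credential is not None

    def _check(self, password: str) -> bool:
        if self._credential is None:
            return False
        salt, digest = self._credential
        return verify_password(password, salt, digest)

    def first_use_setup(self, new_password: str) -> None:
        """Option 2: valid only while no credential exists (assumed to be reached
        over the LAN or a setup port, never from the WAN)."""
        if self._credential is not None:
            raise PermissionError("credential already set; use change_password")
        if len(new_password) < MIN_PASSWORD_LEN:
            raise ValueError("password too short")
        self._credential = hash_password(new_password)

    def change_password(self, current: str, new_password: str) -> bool:
        """Owner-initiated change; requires the current password."""
        if not self._check(current):
            return False
        if len(new_password) < MIN_PASSWORD_LEN:
            raise ValueError("password too short")
        self._credential = hash_password(new_password)
        return True

    def remote_login(self, password: str) -> bool:
        """Authentication from outside the LAN. With no credential set there is
        nothing to authenticate against, so the answer is always no."""
        return self._check(password)


def provision_batch(count: int) -> List[str]:
    """Production-line helper: one distinct random password per unit."""
    passwords = [make_unique_factory_password() for _ in range(count)]
    if len(set(passwords)) != count:
        raise RuntimeError("duplicate factory password in batch")
    return passwords


if __name__ == "__main__":
    unit = ConnectedDevice()
    print("remote login before setup:", unit.remote_login("admin"))
    unit.first_use_setup("correct horse battery staple")
    print("remote login after setup:", unit.remote_login("correct horse battery staple"))
```

The point of the `ConnectedDevice` gate is that the WAN-facing login path has no credential to fall back on, so a scanner trying well-known defaults gets nowhere even if the owner never finishes setup; the factory-password path works only because each unit's password is random and distinct.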

You must implement ‘a reasonable security feature or features’, but we’re not going to tell you what those features are. Oh, and if you fail to comply with our undefined rules, you will be subject to punishment. Anyway, good luck!

That sounds perfectly reasonable, doesn’t it?