California's new laws bolster security for connected devices

Companies aren't completely happy, however.

Sponsored Links

Jon Fingas
September 30, 2018 7:38 AM
Westend61 via Getty Images
Westend61 via Getty Images

California just raised the baseline for security in the Internet of Things... to a degree. Governor Jerry Brown has signed very similar Assembly and Senate bills that require hardware makers to include "reasonable" security measures for connected devices. All gadgets will require at least some kind of protection against unauthorized data access. If they connect to the internet, they'll require either a preset password "unique to each device manufactured" or else the ability to generate a new authentication method (such as a custom password) on initial setup. You shouldn't see hackers compromise legions of security cameras or routers simply because they're using the same default password.

The two laws take effect on January 1st, 2020, so there's time for tech firms to build the features into their products.

Some industry groups are anxious about the laws. The California Manufacturers and Technology Association (which includes companies like AT&T, Intel and Honeywell) told Government Technology in a statement that the state was "imposing undefined rules" and had allegedly created a "loophole" that let imported devices avoid the rules. The Entertainment Software Association, meanwhile, claimed that existing laws already covered reasonable privacy protection.

However, that's not how the politicians see it. Senator Hannah-Beth Jackson, who introduced one of the bills, noted that foreign companies will still have to meet the standards regardless of where they make their devices. This is also about leaving companies to use "best judgment" for security on their own devices, she said.

Turn on browser notifications to receive breaking news alerts from Engadget
You can disable notifications at any time in your settings menu.
Not now

You probably won't see devices with airtight security as a result of this. There's no mandates for encryption, for example. However, that's not really the goal here. This is more about preventing rookie mistakes, such as connected toys that transmit data with few if any safeguards. Cyberattackers may still get through -- they'll just have fewer obvious targets.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission. All prices are correct at the time of publishing.
View All Comments
California's new laws bolster security for connected devices