Oregon Bill to Better Secure Home IoT Devices Moves to Senate

House Bill 2395 requires manufacturers to take steps such as giving each device a unique password, so hackers can’t crack multiple devices by obtaining the password for one.

by Mike Rogoway, The Oregonian / April 17, 2019
Shutterstock/Creativa Images

(TNS) — Connected microwaves, smart light bulbs, intelligent electrical outlets.

They’re on the frontier of the Internet of Things, or IoT, a catchall term for everyday devices with online connectivity built in to make them more convenient or useful. But like any online device, they can turn against their owners if hackers gain access.

A bill moving forward in the Oregon Legislature would require such devices to have “reasonable” security features to guard against hacking and protect owners’ privacy. It echoes a similar bill that won approval from California lawmakers last September.

The Oregon House of Representatives approved the bill 53 to 5 on Tuesday. It now heads to the state Senate.

Oregon House Bill 2395 requires manufacturers to take steps such as giving each device a unique password, so hackers can’t crack multiple devices by obtaining the password for one.

Another suggested measure: requiring users create a new means to authenticate themselves before gaining access to the device. That’s another step that gives each device some individual security, which could prevent them from being used in a coordinated attack.

In 2016, hackers compromised 100,000 connected devices and used them in a massive attack that disrupted a company that provides a key role in routing internet traffic. That resulted in many popular internet sites going offline for several hours.

Stephen Ridley, chief executive of Portland online security startup Senrio, said the Oregon bill is a sensible first step toward improving security. He called it “basic hygiene,” analogous to a requirement that health professionals wash their hands before interacting with patients.

Oregon’s legislation won’t prevent all hacking, Ridley said, but will address the problems that are easiest to prevent and start a broader conversation about how to secure the emerging technology.

“A simple series of suggestions like the ones that are in this bill are probably best and constitute good forward momentum,” Ridley said.

Oregon’s Department of Justice made the bill a priority for the current session, arguing that it could help prevent attacks like the ones that took place in 2016.

“The features should protect information that the connected device collects, contains, stores or transmits from access, destruction modification, use or disclosure that the consumer does not authorize,” Cheryl Hiemstra, the department’s deputy legislative director, wrote in written testimony supporting the bill.

Other backers include the American Civil Liberties Union of Oregon. Policy director Kimberly McCullough testified that the proliferation of connected microphones, cameras and other gadgets that can collect personal data will be intolerable without legal safeguards for consumers.

“This bill is a common-sense approach to ensuring that Oregonians can trust that the information collected by digital devices is secure from data breaches and hackers,” she said in written testimony.

GlobalAutomakers, a trade group of motor vehicle manufacturers, opposed the bill in its original version. The organization said the Oregon legislation lacked an exemption for automakers, which California had. GlobalAutomakers said its industry is already subject to federal regulation and has put in place its own measures to protect consumers.

The trade group didn’t immediately respond to a question Tuesday about whether subsequent amendments addressed automakers’ concerns.

©2019 The Oregonian (Portland, Ore.). Distributed by Tribune Content Agency, LLC.

Platforms & Programs