Default passwords on IoT devices sold in California must be more secure

California outlaws poor default passwords in connected devices

The law is intended to help curb attacks that rely on weak, non-existent or publicly disclosed passwords that far too often ship with web-connected gadgets

The law is intended to help curb attacks that rely on weak, non-existent or publicly disclosed passwords that far too often ship with web-connected gadgets

California has passed a piece of legislation that bans weak default passwords on internet-connected devices sold in the region.

Under the “Information privacy: connected devices” bill – which is the first Internet-of-Things (IoT) cybersecurity law in the United States – the manufacturers of myriad internet-connected gadgets will need to equip their products with “reasonable security features” out of the box.

What this means is that each device will either need to be shipped with a password that is unique to it or that each device will need to contain “a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time”. In the latter case, users must be able to pick their own passwords.

The bill – already signed into law by the Golden State’s governor Jerry Brown and coming into effect at the beginning of 2020 – is short on additional details of how specifically the vendors should go about securing their products. Nor is the law intended to mandate that manufacturers release further enhancements to increase their tech’s security, for example by shipping easy-to-install security patches for known vulnerabilities on a regular basis. Even so, it is certainly a step in the right direction.

Easy pickings

Internet-connected devices – such as routers, digital video recorders (DVRs) and, somewhat ironically, security cameras – are notoriously insecure and particularly inviting targets for attackers, who can compromise them in order to gain a foothold into the victim’s wireless network.

The devices’ default login credentials are often trivial to guess or, in some cases, vendors even make them public on their websites in order to aid quick device set-up for the owners. At times, devices marketed under the same brand use the same default credentials. In addition, it is still not rare for passwords to be hard-coded.

However, even when the credentials can be changed, users often don’t give much thought to replacing them with unique and strong login credentials.

To put things into perspective – ESET’s test on 12,000 home routers in 2016 showed that 15 percent of the devices used poor passwords.

With security concerns pushed aside, the devices are prone, for example, to being dragged into botnets. The attack that took down chunks of the internet mainly in the United States on October 21, 2016, was facilitated by poorly-secured IoT devices.  Earlier in 2018, half a million routers in over 50 countries were compromised with malware dubbed VPNFilter.

Discussion