The End of Easy Password guessing ….. in California

As a user of countless web accounts for banking, utilities, social media, ecommerce, email, and more, you have probably heard that it is a very bad idea to use the same password across several (or even all) accounts. If one of those sites get compromised (e.g. one of your social media accounts) an attacker may be able to use this information to log in to your online banking.

If we think about this for IoT products: how insecure and irresponsible isn’t it to have the same password for all the manufactured devices? It is amazing that vendors of routers and other internet public facing can get away with selling their products using the same hardcoded default password! For hackers this makes it easier to compromise such a device than stealing candies from kids. There are online services available where one can get a list ip-addresses with access to certain products with these characteristics. It shouldn’t be like this.

Luckily, this is about to come to an end …. in California

A new law by January 1st 2020

Bill No. 327 Information privacy: connected devices now regulates the above mentioned recklessness for any vendor selling products in California.

The introduction of the bill reads:

“Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable.

Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages

This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified”

To read the full text, please click here.

The Essence of the new bill

The essence of the bill can be read in 1798.91.04. (b) which reads:

(1) The preprogrammed password is unique to each device manufactured.

(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

For any vendor in the industry, this text is so plain and easy to understand, we should have great faith in the outcome of this bill.

Hopefully, this bill, although only applying to the state of California, will set a precedence and ensure vendors of all connected devices regardless of where their products are being sold, will abide by these two simple, but important security measures.

Kudos to California Governor Jerry Brown who signed the bill, and showed there is hope getting the uncontrollable IoT security disaster under control.

Recent articles

The top challenge for autonomous vehicles: What does adding AI to cars mean for OEMs?

The top challenge for autonomous vehicles: What does adding AI to cars mean for OEMs?

The critical question for the automotive industry is: how can you shorten the time to market and innovate faster in software and AVs to meet more demanding customer requirements?
What’s New in Mender 3.7: Introducing the C++ Client for portability

What’s New in Mender 3.7: Introducing the C++ Client for portability

Mender 3.7 is released, including all the features published on hosted Mender over the last few months as part of our continuous development and rolling release process.
How over-the-air (OTA) updates help emergency response teams

How over-the-air (OTA) updates help emergency response teams

Discover how over-the-air (OTA) updates revolutionize emergency response teams, ensuring secure and seamless device maintenance and functionality in critical situations.
View more articles

Learn more about Mender

Explore our Resource Center to discover more about how Mender empowers both you and your customers with secure and reliable over-the-air updates for IoT devices.