The End of Easy Password Guessing ... in California

24th Jan 2020

As a user of countless web accounts for banking, utilities, social media, ecommerce, email, and more, you have probably heard that it is a very bad idea to use the same password across several (or even all) accounts. If one of those sites gets compromised (e.g. one of your social media accounts), an attacker may be able to use the leaked credentials to log in to your online banking.

If we think about this for IoT products: how insecure and irresponsible it is to ship the same password on every manufactured device! It is amazing that vendors of routers and other internet-facing devices can get away with selling their products with the same hardcoded default password. For attackers this makes compromising such a device easier than taking candy from a baby: there are online services where one can get a list of IP addresses of reachable products with these characteristics. It shouldn't be like this.

Luckily, this is about to come to an end ... in California.

A new law as of January 1st 2020

Bill No. 327, Information privacy: connected devices, now regulates the above-mentioned recklessness for any vendor selling products in California.

The introduction of the bill reads:

“Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable.

Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.

This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified”

To read the full text, please click here.

The Essence of the new bill

The essence of the bill is found in Section 1798.91.04 (b), which reads:

(1) The preprogrammed password is unique to each device manufactured.

(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

For any vendor in the industry, this text is so plain and easy to understand that we should have great faith in the outcome of this bill.
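The two requirements above map directly onto a device's local authentication logic. The following is an added illustration, not code from the original post or from any vendor: a hypothetical `Device` model that is provisioned with a unique per-unit password at the factory (requirement 1) and refuses every function until the user has replaced that password after the first login (requirement 2), plus a production-record check that flags any password reused across units.

```python
import hashlib
import hmac
import os
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    # Store a salted PBKDF2 digest so firmware never holds the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    """Hypothetical model of a connected device's on-board credential state."""

    def __init__(self, serial: str, factory_password: str):
        self.serial = serial
        self.salt = os.urandom(16)
        self.pw_hash = _hash(factory_password, self.salt)
        self.must_change = True       # requirement (2): first access is gated
        self.authenticated = False

    def login(self, password: str) -> bool:
        self.authenticated = hmac.compare_digest(self.pw_hash, _hash(password, self.salt))
        return self.authenticated

    def set_password(self, new_password: str) -> bool:
        # Only an authenticated user may change it, and it must really be new.
        if not self.authenticated or len(new_password) < 8:
            return False
        if hmac.compare_digest(self.pw_hash, _hash(new_password, self.salt)):
            return False
        self.pw_hash = _hash(new_password, self.salt)
        self.must_change = False
        return True

    def access(self) -> str:
        # Every device function stays locked until the factory credential is replaced.
        if not self.authenticated:
            return "denied: not authenticated"
        if self.must_change:
            return "denied: change preprogrammed password first"
        return "ok"


def provision(serial: str):
    """Factory step: returns the unit and the one-off password printed on its label."""
    label_password = secrets.token_urlsafe(12)   # requirement (1): unique per unit
    return Device(serial, label_password), label_password


def shared_passwords(records: dict) -> set:
    """Audit a serial -> label-password manufacturing record for reuse across units."""
    seen, dupes = set(), set()
    for pw in records.values():
        (dupes if pw in seen else seen).add(pw)
    return dupes
```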

Hopefully this bill, although it only applies to the state of California, will set a precedent and ensure that vendors of all connected devices, regardless of where their products are sold, will abide by these two simple but important security measures.

Kudos to California Governor Jerry Brown, who signed the bill and showed there is hope of getting the uncontrollable IoT security disaster under control.