Calif. Law Takes Aim at Weak IoT Passwords

Concerns over data privacy and security push California to roll out the first legislation on connected devices.

In a first of its kind law, California Governor Jerry Brown signed a bill that bans the use of default “admin” passwords on internet-connected devices sold in the state and requires manufacturers use strong passwords instead.

California has been taking aggressive legislative action in 2018 to address resident’s concerns over data privacy and security.  The California Consumer Privacy Act (CCPA) was passed in June and gives residents certain rights on how their personal data can be stored, accessed, sold and deleted.  It also provides residents an “opt-out” on having their data collected without penalties from businesses.

The quick passage of the CCPA was in response to a more stringent ballot initiative that was slated to be voted upon in November of this year. Laws passed by ballot initiatives cannot be modified by the state legislature so the CCPA was quickly stewarded through the legislative process with built-in mechanisms that allow the law to be adjusted in the future.  The law has been compared to the European Union’s recent General Data Protection Regulation (GDPR) and is scheduled to take effect on January 1, 2020.

To further shore up the State’s data privacy and security legal framework, the legislature turned its attention to connected devices, more commonly known as the Internet of Things (IoT).  The Information Privacy: Connected Devices legislation (SB-327 and AB-1906) was signed into law on September 28 and is the first law in the nation to address IoT security.

The law requires devices that “are capable of connecting to the Internet “directly or indirectly” via Internet Protocol (IP) or Bluetooth addresses to have “reasonable” security controls.  The law states that devices must have “a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”

The law also mandates that each device must have a unique preprogrammed password. Weak or common passwords such as “admin” or “password” have been a specific concern in connected devices for years. Often users were unable to update these passwords as they were hardcoded into the firmware by the manufacturers.  This further opened the attack surface on these devices to threat actors.

The law further stipulates that the manufacturer must provide a security feature “that requires a user to generate a new means of authentication before access is granted to the device for the first time.”  This control adds another layer of security for these devices.

The law is scheduled to go into effect on January 1, 2020.

Improperly secured connected devices have been behind some of the largest botnets, such as Mirai or Reaper, which contained millions of compromised IoT devices.  These botnets have been used to bring down Reddit, Twitter, The New York Times and Spotify back in 2016.  For years the search engine Shodan has highlighted the looming problem of insecure connected devices.  With cameras, industrial controls and other IoT consumer tech easily accessed via its interface.

The law is not without its detractors who say that the legislation does not go far enough to address the multitude of IoT security concerns. However, as countless new devices connect to the Internet each day, it is a start.

Suggested articles