As the home of the world’s largest tech companies, California is now leading the charge to improve the security of connected devices sold in the state. California legislators have passed a law, SB-327 (“Information privacy: connected devices”), which requires manufacturers of Internet-connected devices sold or offered for sale in California (webcams, wireless routers and the like) to equip them with “reasonable” security features by January 1, 2020. In practice the headline requirement is an end to shared factory passwords. The goal is straightforward: reduce the risk of attacks that specifically target these devices.
Solving the weak passwords problem
By banning shared default passwords, California legislators are attempting to close a well-known weakness that attackers have already exploited at scale. The situation right now is that many connected devices ship from the factory with identical credentials, so an attacker who knows one device’s password knows the password of every unit in the product line and can compromise thousands, if not tens of thousands, of them in a single automated sweep. The result is a botnet of connected devices, all taking orders from one command-and-control server.
Even if users are prompted to change the passwords of these devices, it is far too often the case that they opt for weak passwords such as “admin” or “password” or “123456.” It is very easy for hackers to take advantage of these default or easy-to-guess passwords to get access to personal data.
New security features for connected devices
The new law (SB-327) gives device manufacturers two ways to satisfy it for any device that can be logged into from outside a local area network. Either the preprogrammed password must be unique to each device at the time of manufacture, or the device must include a security feature that requires the user to generate a new means of authentication before access is granted for the first time. A consumer setting up a new wireless router for the home, for example, would be walked through a mandatory first-boot step that replaces the factory credential before the router’s administration interface could be used. Shared default passwords would then become a relic of the past, and the ability of attackers to string together thousands of devices into a botnet would be severely curtailed. One caveat matters for engineers implementing the second option: the statute only requires that a new credential be set, not that it be strong, so a device that lets the user replace “admin” with “123456” is compliant but not much safer. A strength check on the replacement credential is the manufacturer’s own decision.
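To make the two options concrete, here is an added example (not code from the article or from any manufacturer) of a minimal first-access gate for a hypothetical device. Option A programs a unique, randomly generated credential into each unit at the factory; option B ships a shared default but refuses every request except a password change until the user has replaced it. The weak-password blocklist, the `Device` class and its method names are all assumptions made for the illustration, and the example goes one step past the statute by rejecting weak replacement passwords.

```python
"""Added example: first-access credential gate for a hypothetical IoT device.

Option A (unique factory credential) and option B (forced change before first
access) are both modelled; the weak-password check is an extra the law does
not require. Nothing here is taken from a real product.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed blocklist: the defaults and easy guesses the article mentions,
# plus a few others a real product would also refuse.
WEAK_PASSWORDS = {"admin", "password", "123456", "12345678", "root", ""}
MIN_LENGTH = 12


def factory_credential(n_bytes: int = 12) -> str:
    """Option A: a per-device credential from the OS CSPRNG.

    It is deliberately NOT derived from the serial number or MAC address:
    those are printed on the label or broadcast on the air, so a credential
    computed from them can be recomputed by anyone who sees the device.
    """
    return secrets.token_urlsafe(n_bytes)


def is_weak(password: str) -> bool:
    """Reject blocklisted and very short passwords."""
    return len(password) < MIN_LENGTH or password.lower() in WEAK_PASSWORDS


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a dumped credential store does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    """Hypothetical device firmware state for the admin account."""

    def __init__(self, preset_password: Optional[str] = None):
        self.salt = secrets.token_bytes(16)
        if preset_password is None:
            # Option B: shared factory default, so first access must replace it.
            self.must_change = True
            initial = "admin"
        else:
            # Option A: credential is already unique to this unit.
            self.must_change = False
            initial = preset_password
        self.pw_hash = _hash(initial, self.salt)

    def authenticate(self, password: str) -> bool:
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

    def request(self, password: str, action: str) -> str:
        """Gate every action. While must_change is set, only 'set_password'
        is allowed, which is what option B requires."""
        if not self.authenticate(password):
            return "denied: bad credential"
        if self.must_change and action != "set_password":
            return "denied: factory credential must be replaced first"
        return "ok"

    def set_password(self, current: str, new: str) -> bool:
        """Replace the credential; refuse weak or unchanged passwords."""
        if not self.authenticate(current) or is_weak(new) or new == current:
            return False
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(new, self.salt)
        self.must_change = False
        return True


if __name__ == "__main__":
    router = Device()  # option B unit, still on the shared default
    print(router.request("admin", "view_config"))      # denied until changed
    print(router.set_password("admin", "password"))    # False: weak
    print(router.set_password("admin", "correct-horse-battery"))
    print(router.request("correct-horse-battery", "view_config"))
    camera = Device(preset_password=factory_credential())  # option A unit
    print("forced change needed:", camera.must_change)
```

The important design choice is in `factory_credential`: per-device uniqueness only helps if the credential cannot be recomputed from identifiers an attacker can read off the label or sniff from the network, which is why it comes from the CSPRNG rather than from a serial number.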
At least, that’s the thinking on the part of California lawmakers, who have been amply warned about the risk of weak passwords on connected devices. Over the past 24 months there have been massive botnet attacks (including the much-publicized Mirai attack of October 2016, which logged into devices using a short list of factory default credentials), all powered by ordinary consumer devices that happen to be connected to the Internet. Thus far, most of these attacks have been large DDoS attacks, such as the one on the DNS provider Dyn that knocked out access to the websites of some of the world’s biggest companies, including Twitter, Spotify and Reddit. But, the thinking goes, the same botnets could eventually be turned on the nation’s critical infrastructure.
Rising sophistication of botnet attacks targeting connected devices
At one time, the prospect of Wi-Fi routers and home webcams crashing the Internet might have sounded outlandish, or like something out of a science fiction movie. But now that the Internet of Things (IoT) includes billions of connected devices, it’s possible to view every American home as a potential node of a much larger attacker-controlled network. Just think of all the devices on your home Wi-Fi network right now. Any of them, if protected only by a default or weak password, is a candidate for recruitment into the next botnet.