New California Law Will Make Weak Passwords for Connected Devices Illegal

As the home of the world’s largest tech companies, California is now leading the charge to beef up the cyber security features of connected devices manufactured or sold in the region. California legislators have passed a law, known as the Information Privacy: Connected Devices Bill, which requires manufacturers to implement “reasonable” security features (such as the elimination of weak passwords) for Internet-connected devices such as webcams and wireless routers by January 1, 2020. The goal is straightforward: eliminate the risk of cyber attacks that specifically target these devices.

Solving the weak passwords problem

By banning weak passwords, California legislators are attempting to eliminate a well-known security loophole that hackers have already used to their advantage. The situation right now is that many connected devices ship from the factory with identical passwords, thereby making it much easier for hackers to attack thousands, if not tens of thousands, of these devices simultaneously. As a result, hackers are able to create sophisticated botnets of connected devices, all controlled from one central location.

Even if users are prompted to change the passwords of these devices, it is far too often the case that they opt for weak passwords such as “admin” or “password” or “123456.” It is very easy for hackers to take advantage of these default or easy-to-guess passwords to get access to personal data.

New security features for connected devices

The new bill (SB-327) will force device manufacturers to adopt one of two countermeasures. Either they must supply a unique password for each device at the time of manufacture, or they must include a mandatory startup procedure that forces users to generate a strong password when using a device for the first time. A consumer picking up a new wireless router for the home, for example, would be required to go into the router’s default settings and change the password before using it. Weak passwords would theoretically become a relic of the past, and the ability of hackers to string together thousands of devices at one time into botnet attacks would be severely compromised.
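To make the two compliance paths concrete, here is an added illustrative example (not code from the bill, from Tripwire, or from any vendor) of the device-side logic each path implies: a per-unit random credential generated at manufacture, and a first-boot gate that keeps remote administration disabled until the factory default is replaced with a password that is neither the default nor a known weak value. The blocklist contents, the minimum length and the class and function names are assumptions.

```python
import secrets
import string

# Constructed blocklist; "admin", "password" and "123456" are the examples the article names.
WEAK_PASSWORDS = {"admin", "password", "123456", "12345678", "qwerty", "root"}
MIN_LENGTH = 12  # assumed policy value, not taken from the bill
PASSWORD_ALPHABET = string.ascii_letters + string.digits


def provision_unique_password(length: int = 16) -> str:
    """Path 1: a unique password generated per device at manufacture.

    Uses the OS CSPRNG (secrets), so no two units share a credential and the
    value cannot be recomputed from a public identifier such as a serial number.
    """
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def check_new_password(candidate: str, factory_default: str) -> tuple[bool, str]:
    """Path 2: validate the password a user chooses during mandatory first-time setup."""
    if candidate == factory_default:
        return False, "password unchanged from factory default"
    if candidate.strip().lower() in WEAK_PASSWORDS:
        return False, "password is on the weak/default blocklist"
    if len(candidate) < MIN_LENGTH:
        return False, f"password shorter than {MIN_LENGTH} characters"
    return True, "ok"


class FirstBootSetup:
    """Device state: remote administration stays off until the default password is replaced."""

    def __init__(self, factory_default: str):
        self._factory_default = factory_default
        self._password = factory_default
        self.setup_complete = False

    @property
    def remote_admin_enabled(self) -> bool:
        # Management interface is gated on completing the mandatory setup step.
        return self.setup_complete

    def set_password(self, candidate: str) -> tuple[bool, str]:
        ok, reason = check_new_password(candidate, self._factory_default)
        if ok:
            self._password = candidate
            self.setup_complete = True
        return ok, reason
```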

At least, that’s the thinking on the part of California lawmakers, who have been sufficiently warned about the risk of weak passwords and connected devices. For the past 24 months, there have been massive botnet attacks (including the much-publicized Mirai attack in 2016), all powered by simple consumer devices that happen to be connected to the Internet. Thus far, most of these cyber attacks have been massive DDoS attacks that have taken down websites of the world’s biggest companies, including Twitter, Spotify and Reddit. But, the thinking goes, the prospect exists for more sophisticated attacks that eventually target the nation’s critical infrastructure.

Rising sophistication of botnet attacks targeting connected devices

At one time, the prospect of Wi-Fi routers and home webcams crashing the Internet might have sounded outlandish, or something out of a science fiction movie. But now that the Internet of Things (IoT) includes nearly a billion connected devices, it’s possible to view every American home as a potential node of a much larger connected network. Just think of all the devices in your home right now that are connected to your home Wi-Fi network. Any of them, if guarded only by weak passwords, could be the target of unscrupulous hackers.

Raising the stakes even further is the risk of hackers attacking Industrial Control Systems (ICS) products that are part of a company’s supply chain or manufacturing operations. Now that utility companies and grid operators are using IoT devices to improve efficiency and effectiveness, it’s no longer out of the question that hackers could one day target these ICS devices and knock a utility company offline for days at a time, or play havoc with a city’s transportation network.

The key breakthrough of the bill, say experts, is that the responsibility for securing connected devices and getting rid of weak passwords now rests with vendors, and not individuals. “Weak passwords are a problem, but this bill aims to address a more challenging and serious problem with poor default security in vendors’ products,” says Tim Erlin, VP, product management and strategy at Tripwire. “It’s important that vendors see security as their responsibility, even after the customer takes possession of the product.”

In other words, it’s no longer up to the tech-savvy consumer buying a new device to set up unbreakable passwords; it’s now up to California tech companies to make sure that easy-to-guess default passwords are no longer possible. And to fully incentivize California tech companies to comply with bill SB-327, the state has mandated that customers can sue for any damages resulting from connected devices having weak passwords.

Eliminating weak passwords is a necessary first step

But will it be enough? After all, California is just one of 50 states, and device manufacturers exist all over the world, not just in Silicon Valley. In May 2018, the U.S. Department of Homeland Security (DHS) warned that a U.S. attempt to tackle botnets powered by the Internet of Things would not be enough, due to the globalization of the tech industry and the decentralization of risk. At one time, Internet-connected devices resided only within the guarded perimeter of a company; now they can exist just about anywhere there’s an Internet connection.

Moreover, consumers are notoriously lazy when it comes to changing weak passwords. For example, say critics, consumers who are forced to change a password when setting up a wireless router might opt for easy-to-remember passwords – such as the street address of the home – rather than truly hard-to-guess passwords. In addition, many consumers may use the same password for every connected device in the home, so as soon as a hacker guesses one password correctly, all the other devices can be immediately hacked as well.

Re-thinking the responsibility for information privacy and data security

But the California bill is a good first step, primarily because even skeptics admit that the range of connected devices covered is “incredibly broad.” The California bill will apply to any device that connects to the Internet, either directly or indirectly, and that has an IP address or a Bluetooth address. “There’s always more to do with information security, but sometimes targeted legislation addressing a specific problem can be effective,” says Erlin of Tripwire.

Going forward, the hope is that the new California bill, by setting higher security standards for connected devices and banning weak passwords, will encourage both vendors and consumers to take information privacy seriously. That means greater attention to security features, as well as greater attention to educating consumers about the risks involved with Internet-connected devices.