Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

California to Ban Weak Passwords

California Bill Requires Unique Passwords in Connected Devices

The state of California recently passed a bill that requires the manufacturers of connected devices to use unique hardcoded passwords for each device manufactured.

California Bill Requires Unique Passwords in Connected Devices

The state of California recently passed a bill that requires the manufacturers of connected devices to use unique hardcoded passwords for each device manufactured.

The bill, meant to combat the widespread use of weak passwords in connected devices such as Internet of Things (IoT) products, also demands that manufacturers implement a security feature in their devices to require users to select new means of authentication upon first use. 

The use of weak passwords in connected devices is a well-known security issue that has fueled a broad range of cyber-attacks, including the emergence of numerous, large IoT botnets

By targeting devices improperly secured with default or easy-to-guess passwords, IoT botnets such as Mirai (and its many variants), Gafgyt (also known as Bashlite), Reaper, Hide ‘N Seek, and Torii can then be leveraged to launch massive distributed denial of service attacks, to send spam emails, for malware distribution, and for various other nefarious activities. 

However, it’s not only IoT devices that are impacted by the use of default or weak passwords. The issue was also found in industrial control system (ICS) products, and security researchers even published a list of default credentials for ICS devices. 

Recently signed into law by California governor Jerry Brown, the new bill, SB-327, which is set to enter in effect on January 1, 2020, attempts to mitigate the problem by requiring the makers of connected devices to properly secure those products. 

“This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified,” SB-327 reads. 

Advertisement. Scroll to continue reading.

“There’s always more to do with information security, but sometimes targeted legislation addressing a specific problem can be effective,” Tim Erlin, VP, product management and strategy at Tripwire, told SecurityWeek in an emailed statement.

“Weak passwords are a problem, but this bill aims to address a more challenging and serious problem with poor default security in vendors’ products. It’s important that vendors see security as their responsibility, even after the customer takes possession of the product,” Erlin continued. 

Ilia Kolochenko, CEO of security company High-Tech Bridge, also commented: “One should, however, keep in mind that banning weak passwords may also have a collateral effect. Some people will likely start using the same passwords everywhere, set long passwords and forget them, subsequently leaving the device without regular updates, or just invent passwords that will not fall under the legal definition of weak password but will remain easily brute-forceable. Nonetheless it’s still much better than inaction and ignorance.” 

Related: Weak Passwords Abused for ‘FruitFly’ Mac Malware Distribution

Related: Meet Torii, a Stealthy, Versatile and Highly Persistent IoT Botnet

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.

IoT Security

An innocent-looking portable speaker can hide a hacking device that launches CAN injection attacks, which have been used to steal cars.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

ICS/OT

As smart cities evolve with more and more integrated connected services, cybersecurity concerns will increase dramatically.

IoT Security

Hikvision patches CVE-2023-28808, a critical authentication bypass vulnerability that exposes video data stored on its Hybrid SAN and cluster storage products.

IoT Security

Researchers at offensive hacking shop Synacktiv demonstrated successful exploit chains and were able to “fully compromise” Tesla’s newest electric car and take top billing...

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...