Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

California to Ban Weak Passwords

California Bill Requires Unique Passwords in Connected Devices

The state of California recently passed a bill that requires the manufacturers of connected devices to use unique hardcoded passwords for each device manufactured.

California Bill Requires Unique Passwords in Connected Devices

The state of California recently passed a bill that requires the manufacturers of connected devices to use unique hardcoded passwords for each device manufactured.

The bill, meant to combat the widespread use of weak passwords in connected devices such as Internet of Things (IoT) products, also demands that manufacturers implement a security feature in their devices to require users to select new means of authentication upon first use. 

The use of weak passwords in connected devices is a well-known security issue that has fueled a broad range of cyber-attacks, including the emergence of numerous, large IoT botnets

By targeting devices improperly secured with default or easy-to-guess passwords, IoT botnets such as Mirai (and its many variants), Gafgyt (also known as Bashlite), Reaper, Hide ‘N Seek, and Torii can then be leveraged to launch massive distributed denial of service attacks, to send spam emails, for malware distribution, and for various other nefarious activities. 

However, it’s not only IoT devices that are impacted by the use of default or weak passwords. The issue was also found in industrial control system (ICS) products, and security researchers even published a list of default credentials for ICS devices. 

Recently signed into law by California governor Jerry Brown, the new bill, SB-327, which is set to enter in effect on January 1, 2020, attempts to mitigate the problem by requiring the makers of connected devices to properly secure those products. 

“This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified,” SB-327 reads. 

“There’s always more to do with information security, but sometimes targeted legislation addressing a specific problem can be effective,” Tim Erlin, VP, product management and strategy at Tripwire, told SecurityWeek in an emailed statement.

“Weak passwords are a problem, but this bill aims to address a more challenging and serious problem with poor default security in vendors’ products. It’s important that vendors see security as their responsibility, even after the customer takes possession of the product,” Erlin continued. 

Ilia Kolochenko, CEO of security company High-Tech Bridge, also commented: “One should, however, keep in mind that banning weak passwords may also have a collateral effect. Some people will likely start using the same passwords everywhere, set long passwords and forget them, subsequently leaving the device without regular updates, or just invent passwords that will not fall under the legal definition of weak password but will remain easily brute-forceable. Nonetheless it’s still much better than inaction and ignorance.” 

Related: Weak Passwords Abused for ‘FruitFly’ Mac Malware Distribution

Related: Meet Torii, a Stealthy, Versatile and Highly Persistent IoT Botnet

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.

IoT Security

Today’s growing attack surface is dominated by non-traditional endpoints.

IoT Security

Vulnerabilities in electric vehicle charging management systems can be exploited for DoS attacks and to steal energy or sensitive information.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

IoT Security

Australia's Defense Department said that they will remove surveillance cameras made by Chinese Communist Party-linked companies from its buildings.

IoT Security

Chinese video surveillance company Hikvision has patched a critical vulnerability in some of its wireless bridge products. The flaw can lead to remote CCTV...