When setting up a new router, networked storage device, Internet-connected media device, or a security camera, odds are the password was "admin." Whether or not the password is still "admin" has a lot to do with how security-aware the user is.
California governor Jerry Brown signed the “Security of Connected Devices” bill (SB-327) into law, which requires anyone manufacturing an Internet-connected device to set unique passwords or force users to change the password before they can use it. California has taken the lead again on security and consumer privacy, becoming the first state with a law specifically dealing with the security of the Internet of Things.
Consumer devices capable of connecting to the home wireless network and the Internet are flooding the markets. The average U.S. household has 20 Internet-connected devices, according to recent research by BitDefender, but very few of them are secure. Many of them have either no password at all, or they come with default or hard-coded passwords that are easy to guess. In some cases, one has to guess—the manufacturer writes down the password in the user manual for anyone to see. It’s easier for the manufacturer if they all have the same password, and far cheaper to put the responsibility for changing the passwords on to the user.
Most users won’t change the password, because—they don’t know how, don’t realize they should, or decide it’s safer to keep the password that’s written down than to forget a new one. That is exactly what criminals are banking on when they trawl the Internet looking for devices like wireless routers and security cameras to add to their botnets. And there are quite a lot of devices. Statista estimates there were about 20 billion connected devices worldwide in 2017, and that number is projected to be more than 75 billion by 2025.
Criminals can search for passwords based on the device name and model number, or just run through a list of commonly used passwords such as “admin,” “password,” and “1234.” That’s exactly what happened with Mirai, the massive botnet of compromised routers and IP cameras that took down sites like Twitter, Netflix, Reddit and other parts of the Internet with distributed denial-of-service attacks. The Mirai operators were able to take over the devices because they still used the factory-default usernames and passwords. And once criminals have access to the device, they can move around the rest of the wireless network.
"Default passwords in consumer IoT devices are a primary attack method used by malicious actors," said Jeff Wilbur, technical director of the Online Trust Alliance.
Manufacturers can make consumer devices more secure simply by giving each device its own unique password, but thus far, only a few manufacturers do so. Part of it is cost, but it’s also because some manufacturers aren’t thinking about security. California’s new law stops waiting for manufacturers to do the right thing, and requires all new Internet-connected devices made or sold in California to include either “a preprogrammed password unique to each device manufactured” or “a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”
"While we would prefer that manufacturers to this on their own, legislating this widely accepted best practice will reduce risk for users of IoT devices and limit use of such devices to attack the Internet itself," Wilbur said. The law aligns with one of the points in OTA's IoT Trust Framework, which highlights the need for manufacturers to provide unique passwords for each device, or at least require users to change the password on first use.
The way the law is phrased, there’s nothing stopping companies from letting users select bad passwords, but at least it is still better than having the same password across thousands of devices. No more shipping devices with the username/password combination admin/admin.
The law, which comes in effect Jan. 1, 2020, will make it illegal for companies to have a weak default password on the device because connected devices must have a “reasonable” security feature or features “appropriate to the nature and function of the device.” California is a large consumer market, and if companies want to keep selling to California residents, then they have to make those changes, which means everyone else who don’t live in California benefits. There won't be any push from the federal government, since it doesn't look as if any of bills floating around Congress, including the IoT Cybersecurity Improvement Act of 2017, will be moving anytime soon.
Thank you, California.
The law isn’t perfect. Some critics say it doesn't go far enough, since manufacturers aren't required to use encryption to protect the data being collected or how they are being transmitted. Others thought if the bill was going to tackle weak passwords, then it should have also insisted on two-factor authentication. There is nothing about creating an update mechanism to make it possible to fix security vulnerabilities in devices. Robert Graham of Errata Security said the language was too vague to the point where manufacturers won't be able to comply. The phrase “reasonable security feature” could mean a lot of things, and it would be “impossible for any company to know what these words mean” and “if they are compliant with the law,” Graham said.
“Nonetheless it’s still much better than inaction and ignorance.” High-Tech Bridge's CEO Ilia Kolochenko.
Weak default and hardcoded passwords in connected devices need to go away, but it would be a shame if the new California law creates a sense of complacency over the state of Internet of Things. There are so many other problems to address, and the law is just one small step forward.