California outlaws poor default passwords in connected devices

The law is intended to help curb attacks that rely on weak, non-existent or publicly disclosed passwords that far too often ship with web-connected gadgets

California has passed a piece of legislation that bans weak default passwords on internet-connected devices sold in the region.

Under the “Information privacy: connected devices” bill – which is the first Internet-of-Things (IoT) cybersecurity law in the United States – the manufacturers of myriad internet-connected gadgets will need to equip their products with “reasonable security features” out of the box.

What this means is that each device will either need to be shipped with a password that is unique to it or that each device will need to contain “a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time”. In the latter case, users must be able to pick their own passwords.
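As an added illustration of the two compliant paths the bill describes (a credential unique to each unit, or a gate that forces the owner to set one before first access), here is a small Python model of a device's local login check. It is example code written for this article, not the text of the law or any vendor's firmware; the weak-default list, the `DeviceAuth` class, the `set_on_first_use` / `unique_per_device` mode names and the `check_fleet` helper are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import List, Optional

# Constructed sample of common factory defaults; a vendor would maintain its own audit list.
KNOWN_WEAK_DEFAULTS = {"", "admin", "password", "1234", "12345", "123456", "root", "default"}


def is_weak_default(password: str) -> bool:
    """True if a credential is blank, on the weak-default list, or too short to be a real secret."""
    p = password.strip().lower()
    return p in KNOWN_WEAK_DEFAULTS or len(p) < 8


def _hash(password: str, salt: bytes) -> bytes:
    # Store only a salted, iterated hash; never the credential itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class DeviceAuth:
    """Hypothetical model of a connected device's first-access login gate."""

    def __init__(self, mode: str, factory_password: Optional[str] = None):
        if mode not in ("unique_per_device", "set_on_first_use"):
            raise ValueError("unknown mode")
        self.mode = mode
        self.salt = secrets.token_bytes(16)
        self.credentials_set = False
        if mode == "unique_per_device":
            # Path 1: a random credential generated per unit (e.g. printed on the label).
            self.factory_password = factory_password or secrets.token_urlsafe(12)
            self._hash = _hash(self.factory_password, self.salt)
            self.credentials_set = True
        else:
            # Path 2: no usable credential exists until the owner creates one.
            self.factory_password = None
            self._hash = None

    def login(self, password: str) -> str:
        """Returns 'must_set_credentials', 'ok' or 'denied'."""
        if not self.credentials_set:
            return "must_set_credentials"
        if hmac.compare_digest(_hash(password, self.salt), self._hash):
            return "ok"
        return "denied"

    def set_credentials(self, new_password: str) -> bool:
        """Owner-chosen credential; rejects weak defaults so the gate cannot be trivially satisfied."""
        if is_weak_default(new_password):
            return False
        self.salt = secrets.token_bytes(16)
        self._hash = _hash(new_password, self.salt)
        self.credentials_set = True
        return True


def check_fleet(devices: List[DeviceAuth]) -> List[int]:
    """Indices of units that would fail the bill's bar: a weak factory credential,
    or one shared with another unit of the same product line."""
    counts = Counter(d.factory_password for d in devices if d.factory_password is not None)
    bad = []
    for i, d in enumerate(devices):
        if d.mode == "set_on_first_use":
            continue
        if is_weak_default(d.factory_password) or counts[d.factory_password] > 1:
            bad.append(i)
    return bad


if __name__ == "__main__":
    gate = DeviceAuth("set_on_first_use")
    print(gate.login("admin"))                       # must_set_credentials
    print(gate.set_credentials("admin"))             # False: weak default refused
    print(gate.set_credentials("correct-horse-7"))   # True
    print(gate.login("correct-horse-7"))             # ok
    # Two units shipped with the same "admin" default are both flagged.
    print(check_fleet([DeviceAuth("unique_per_device", "admin"),
                       DeviceAuth("unique_per_device", "admin"),
                       DeviceAuth("unique_per_device")]))  # [0, 1]
```

The `check_fleet` pass is the part a manufacturer can run before shipping: it catches both failure modes the article lists, a guessable default and a default reused across units under the same brand.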

The bill – already signed into law by the Golden State’s governor Jerry Brown and coming into effect at the beginning of 2020 – is short on additional details of how specifically the vendors should go about securing their products. Nor does the law mandate that manufacturers enhance their tech’s security further, for example by shipping easy-to-install security patches for known vulnerabilities on a regular basis. Even so, it is certainly a step in the right direction.

Easy pickings

Internet-connected devices – such as routers, digital video recorders (DVRs) and, somewhat ironically, security cameras – are notoriously insecure and a particularly inviting target for attackers, who can compromise them in order to gain a foothold into the victim’s wireless network.

The devices’ default login credentials are often trivial to guess or, in some cases, vendors even make them public on their websites in order to aid quick device set-up for the owners. At times, devices marketed under the same brand use the same default credentials. In addition, it is still not rare for passwords to be hard-coded.

However, even when the credentials can be changed, users often don’t give much thought to replacing them with unique and strong login credentials.

To put things into perspective – ESET’s test on 12,000 home routers in 2016 showed that 15 percent of the devices used poor passwords.

With security concerns pushed aside, the devices are prone, for example, to being dragged into botnets. The attack that took down chunks of the internet mainly in the United States on October 21, 2016, was facilitated by poorly secured IoT devices. Earlier in 2018, half a million routers in over 50 countries were compromised with malware dubbed VPNFilter.
