The law is intended to help curb attacks that rely on weak, non-existent or publicly disclosed passwords that far too often ship with web-connected gadgets

California has passed a piece of legislation that bans weak default passwords on internet-connected devices sold in the region.

Under the “Information privacy: connected devices” bill – which is the first Internet-of-Things (IoT) cybersecurity law in the United States – the manufacturers of myriad internet-connected gadgets will need to equip their products with “reasonable security features” out of the box.

What this means is that each device will need either to be shipped with a password that is unique to it or to contain “a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time”. In the latter case, users must be able to pick their own passwords.

The bill – already signed into law by the Golden State’s governor Jerry Brown and coming into effect at the beginning of 2020 – is short on additional details of how specifically the vendors should go about securing their products. Nor is the law intended to mandate that manufacturers enhance their tech’s security further, for example by shipping easy-to-install security patches for known vulnerabilities on a regular basis. Even so, it is certainly a step in the right direction.

Easy pickings

Internet-connected devices – such as routers, digital video recorders (DVRs) and, somewhat ironically, security cameras – are notoriously insecure and a particularly inviting target for attackers, who can compromise them in order to gain a foothold into the victim’s wireless network.

The devices’ default login credentials are often trivial to guess or, in some cases, vendors even make them public on their websites in order to aid quick device set-up for the owners. At times, devices marketed under the same brand use the same default credentials. In addition, it is still not rare for passwords to be hard-coded.

However, even when the credentials can be changed, users often don’t give much thought to replacing them with unique and strong login credentials.

To put things into perspective – ESET’s test on 12,000 home routers in 2016 showed that 15 percent of the devices used poor passwords.

With security concerns pushed aside, the devices are prone, for example, to being dragged into botnets. The attack that took down chunks of the internet mainly in the United States on October 21, 2016, was facilitated by poorly-secured IoT devices. Earlier in 2018, half a million routers in over 50 countries were compromised with malware dubbed VPNFilter.
