Security News California bans default password in connected devices

vtqhtr413

California has passed a law banning default passwords like “admin,” “123456” and the old classic “password” in all new consumer electronics starting in 2020. Every new gadget built in the state from routers to smart home tech will have to come with “reasonable” security features out of the box. The law specifically calls for each device to come with a preprogrammed password “unique to each device.”

It also mandates that any new device “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time,” forcing users to change the unique password to something new as soon as it’s switched on for the first time.

For years, botnets have utilized the power of badly secured connected devices to pummel sites with huge amounts of internet traffic — so-called distributed denial-of-service (DDoS) attacks. Botnets typically rely on default passwords that are hardcoded into devices when they’re built that aren’t later changed by the user. Malware breaks into the devices using publicly available default passwords, hijacks the device and ensnares the device into conducting cyber attacks without the user’s knowledge.

Full Story California passes law that bans default passwords in connected devices
 

SHvFl

It says "built in the state", so if that is accurate, educate me on the number of electronics built in California, as my limited brain is saying probably none with all those taxes.
If they wanted it to be of some use, it would have said sold and not built.
 

TairikuOkami

Good for the security, not so much for the user though (security triangle). There are 2 possible scenarios:

1. The password will be really unique, so if the user loses his password (scratched), he will have to buy a new device; manufacturers will love this.
2. The password will be generated using some algorithm based on SN, so the support can reset the device; in that case, malware can do the same.

People who do not change a password for the router are most likely using WiFi passwords like Password123 or none at all, so whatever.
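
The two scenarios in the post above, together with the first-use change the law requires, as an added example that is not part of the original thread or of any vendor's firmware. The `Device` class, the label alphabet, the serial number and the derivation function are hypothetical and chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Label-friendly alphabet without look-alike characters (assumption).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"

def derived_password(serial):
    """Scenario 2: the password is a pure function of the serial number, so
    anyone who knows the algorithm and the serial computes the same value."""
    return hashlib.sha256(serial.encode()).hexdigest()[:12]

def random_password(length=16):
    """Scenario 1: per-device secret drawn from the OS CSPRNG at the factory."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

class Device:
    """Hypothetical device that stores only a salted hash of its credential."""

    def __init__(self, serial, factory_password):
        self.serial = serial
        self.must_change = True  # cleared only after the first-use change
        self._store(factory_password)

    def _kdf(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _store(self, password):
        self._salt = secrets.token_bytes(16)
        self._hash = self._kdf(password, self._salt)

    def login(self, password, new_password=None):
        if not hmac.compare_digest(self._kdf(password, self._salt), self._hash):
            return "denied"
        if self.must_change:
            # First use: no access until a different credential is set.
            if not new_password or new_password == password:
                return "change_required"
            self._store(new_password)
            self.must_change = False
        return "ok"

def demo():
    factory = random_password()
    dev = Device("SN-0001", factory)  # constructed serial number
    return [dev.login(factory), dev.login(factory, "correct horse 42"),
            dev.login(factory), dev.login("correct horse 42")]
```

Once the first-use change has happened, the factory value printed on the label no longer opens the device, which is what removes the value of a leaked or recomputed default.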
 

LDogg

This is a positive stance from Cali. Can have a downside in buying new routers if the password is lost in any way.

~LDogg
 

oldschool

> It says "built in the state", so if that is accurate, educate me on the number of electronics built in California, as my limited brain is saying probably none with all those taxes.
> If they wanted it to be of some use, it would have said sold and not built.

It is not accurate. The legislative digest for Senate Bill 327, Chapter 886 states:

"...This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified. …"

California usually leads the way. (y)
 

SHvFl

> It is not accurate. The legislative digest for Senate Bill 327, Chapter 886 states:
>
> "...This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified. …"
>
> California usually leads the way. (y)

It's a different part of the law, the one you linked. It described the requirements by the manufacturer, but we don't get the part about whether it has to be a local manufacturer or not, which the linked topic article seems to be saying.
 

oldschool

> It's a different part of the law, the one you linked. It described the requirements by the manufacturer, but we don't get the part about whether it has to be a local manufacturer or not, which the linked topic article seems to be saying.

I'm not sure I'm understanding your reply. All I know is this is a very short bill, which goes on to say:

"...(c) “Manufacturer” means the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the person’s behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device. …"

If I am understanding this right, the journalism is sloppy at best.
 

SHvFl

> I'm not sure I'm understanding your reply. All I know is this is a very short bill, which goes on to say:
>
> "...(c) “Manufacturer” means the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California. For the purposes of this subdivision, a contract with another person to manufacture on the person’s behalf does not include a contract only to purchase a connected device, or only to purchase and brand a connected device. …"
>
> If I am understanding this right, the journalism is sloppy at best.

Yes, this is the correct part. It seems to cover sales, so all good. Interesting law.
 
