California cracks down on Internet of Crap passwords with new law to stop the botnets
It's good news, but overall a wasted opportunity
Anyone manufacturing an internet-connected device in California will, from 2020, have to give it a unique password in an effort to increase overall online security.
That's the main impact of a new bill recently signed into law by Cali governor Jerry Brown, SB-327 called "Security of connected devices."
The law is the US state's effort to deal with an ever-increasing problem: sloppy security on millions of new consumer devices that are being sold and attached to home wireless networks.
In recent years, automated malware has wreaked havoc across the globe, from NotPetya to WannaCrypt, shutting down everything from an average user's PC to entire hospital networks. As well as hacking systems and grabbing sensitive information, miscreants have also managed to create huge global networks of compromised devices to carry out denial-of-service attacks.
The new law is intended to deal with one of the more common routes to mass infection: default or hardcoded passwords.
It is much easier and simpler for a manufacturer of, say, security cameras to have a single password on all their devices and prod users to change it. But, with depressing predictability, most consumers don't bother – they just fire up their device, connect it to their wireless and leave it be. That leaves the device – multiplied by millions – wide open to attack.
Do I look bovered?
Manufacturers know this, and they know the answer is to give each device its own unique password, but many still don't bother because it costs money and once the device is out their hands, it is not longer their responsibility.
The law changes that to a degree, without adding extra liability, by requiring that manufacturers either include "a preprogrammed password unique to each device manufactured" or "a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time."
It will kick in on January 1, 2020 and will "require a manufacturer of a connected device… to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device… and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified."
Which is all great.
But it is also a massive missed opportunity and a sign that there remains a dangerous lack of decent technical knowledge in the corridors of power.
The idea of the bill is to address – and get ahead of – massive and increasing insecurity in the internet overall. Seemingly everything connects to the internet these days – even baths and showers – in large part because a huge percentage of the population in Western economies now have smartphones and internet access. It helps that it is easier and cheaper than ever to put internet connectivity into a device.
But while requiring that every device have its own unique password is a step forward, it represents the lowest-hanging fruit on the security tree and may even give lawmakers their own false sense of security that they have fixed the problem. They have not.
While default passwords are a particular problem, a bigger one is the failure to update software. There are many ways to access an electronic product – and a username/password is only one of them.
New security holes are being discovered all the time and they typically take advantage of the various authentication systems that exist in such products but which are invisible to consumers.
Arm isn't saying IoT firmware sucks but it's writing a free secure BIOS for device makersREAD MORE
Even when a manufacturer does go to the trouble to update their software to deal with the latest security threats, it often falls to the consumer to run updates on their system to install it. And if consumers can't be bothered to change a default password, they almost certainly can't be bothered to periodically update their devices' software.
The largest companies – like Apple, for example – go to some trouble to prod their users into downloading and installing updates where security fixes are often mixed with new or improved features. But you only have to look at the long delays in security updates with Google and Android to see that without some kind of persistent prodding or shiny incentive, updates do not happen.
And that's phones and computers: things that people typically look at and directly interface with multiples times a day. Updating is a much, much bigger problem with things like internet routers or security cameras or smart lights, smart sockets and other smart-whatevers that you rarely interact with.
It would likely be a mistake to mandate automated security updates because that would then make the system that companies set up to provide those automated updates a prime target for attack by hackers. If you could hack a manufacturer's system, you can install whatever you wanted on every device in one fell swoop.
But using alerts and transparency could achieve the same goal: get people to pay attention to their insecure devices. Battery powered smoke alarms go off every year when the battery runs out – what if other devices emitted a similar alarm once a year, requiring you to check and install any updates before the noise stops?
Many device manufacturers also have clunky update interfaces that puts people off using them – but that would almost certainly change if consumers have little choice but to use them to get the device working optimally again.
Similarly, there are other lazy shortcuts that manufacturers take that leave their devices insecure. Leaving unused ports open, for example. Or allowing their devices to communicate with anything and everything else on the same network.
If manufacturers were forced to adopt a GDPR-style minimization effort where the philosophy is that only what is needed is allowed, then it would not only make everything more secure but would force companies to put greater thought into the security of their device. Or how about two-factor authentication?
Not that these proposals are perfect – they are just ideas – but they are they sort of ideas that should be doing the rounds in Sacramento and Washington DC, with consumers groups, technical experts and internet-connected device manufacturers all asked to supply their viewpoints and suggestions. There's also the underestimated impact of actually educating people about the risks.
We need an Internet Device Security Bill with a clear goal to improve overall online security in a real way, with proper examination of all the issues and political will driving to a series of real, effective changes.
We need a new Ralph Nader and an internet seat-belt law. And we need it before the next wave of malware causes every greater problems.
California's SB-327 is one step on that path, but it is only one step and it's not clear anyone is planning to take another one anytime soon. ®