California cracks down on Internet of Crap passwords with new law to stop the botnets

It's good news, but overall a wasted opportunity

Anyone manufacturing an internet-connected device in California will, from 2020, have to give it a unique password in an effort to increase overall online security.

That's the main impact of a new bill recently signed into law by Cali governor Jerry Brown, SB-327 called "Security of connected devices."

The law is the US state's effort to deal with an ever-increasing problem: sloppy security on millions of new consumer devices that are being sold and attached to home wireless networks.

In recent years, automated malware has wreaked havoc across the globe, from NotPetya to WannaCrypt, shutting down everything from an average user's PC to entire hospital networks. As well as hacking systems and grabbing sensitive information, miscreants have also managed to create huge global networks of compromised devices to carry out denial-of-service attacks.

The new law is intended to deal with one of the more common routes to mass infection: default or hardcoded passwords.

It is much easier and simpler for a manufacturer of, say, security cameras to have a single password on all their devices and prod users to change it. But, with depressing predictability, most consumers don't bother – they just fire up their device, connect it to their wireless and leave it be. That leaves the device – multiplied by millions – wide open to attack.

Do I look bovered?

Manufacturers know this, and they know the answer is to give each device its own unique password, but many still don't bother because it costs money and once the device is out of their hands, it is no longer their responsibility.

The law changes that to a degree, without adding extra liability, by requiring that manufacturers either include "a preprogrammed password unique to each device manufactured" or "a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time."

It will kick in on January 1, 2020 and will "require a manufacturer of a connected device… to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device… and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified."

Which is all great.

But it is also a massive missed opportunity and a sign that there remains a dangerous lack of decent technical knowledge in the corridors of power.

The idea of the bill is to address – and get ahead of – massive and increasing insecurity in the internet overall. Seemingly everything connects to the internet these days – even baths and showers – in large part because a huge percentage of the population in Western economies now have smartphones and internet access. It helps that it is easier and cheaper than ever to put internet connectivity into a device.

But while requiring that every device have its own unique password is a step forward, it represents the lowest-hanging fruit on the security tree and may even give lawmakers their own false sense of security that they have fixed the problem. They have not.


While default passwords are a particular problem, a bigger one is the failure to update software. There are many ways to access an electronic product – and a username/password is only one of them.

New security holes are being discovered all the time and they typically take advantage of the various authentication systems that exist in such products but which are invisible to consumers.




Even when a manufacturer does go to the trouble to update their software to deal with the latest security threats, it often falls to the consumer to run updates on their system to install it. And if consumers can't be bothered to change a default password, they almost certainly can't be bothered to periodically update their devices' software.

The largest companies – like Apple, for example – go to some trouble to prod their users into downloading and installing updates where security fixes are often mixed with new or improved features. But you only have to look at the long delays in security updates with Google and Android to see that without some kind of persistent prodding or shiny incentive, updates do not happen.

And that's phones and computers: things that people typically look at and directly interface with multiple times a day. Updating is a much, much bigger problem with things like internet routers or security cameras or smart lights, smart sockets and other smart-whatevers that you rarely interact with.

It would likely be a mistake to mandate automated security updates because that would then make the system that companies set up to provide those automated updates a prime target for attack by hackers. If you could hack a manufacturer's system, you could install whatever you wanted on every device in one fell swoop.

Alert! Alert!

But using alerts and transparency could achieve the same goal: get people to pay attention to their insecure devices. Battery powered smoke alarms go off every year when the battery runs out – what if other devices emitted a similar alarm once a year, requiring you to check and install any updates before the noise stops?

Many device manufacturers also have clunky update interfaces that put people off using them – but that would almost certainly change if consumers have little choice but to use them to get the device working optimally again.

Similarly, there are other lazy shortcuts that manufacturers take that leave their devices insecure. Leaving unused ports open, for example. Or allowing their devices to communicate with anything and everything else on the same network.

If manufacturers were forced to adopt a GDPR-style minimization effort where the philosophy is that only what is needed is allowed, then it would not only make everything more secure but would force companies to put greater thought into the security of their device. Or how about two-factor authentication?

Not that these proposals are perfect – they are just ideas – but they are the sort of ideas that should be doing the rounds in Sacramento and Washington DC, with consumer groups, technical experts and internet-connected device manufacturers all asked to supply their viewpoints and suggestions. There's also the underestimated impact of actually educating people about the risks.

We need an Internet Device Security Bill with a clear goal to improve overall online security in a real way, with proper examination of all the issues and political will driving to a series of real, effective changes.

We need a new Ralph Nader and an internet seat-belt law. And we need it before the next wave of malware causes even greater problems.

California's SB-327 is one step on that path, but it is only one step and it's not clear anyone is planning to take another one anytime soon. ®


Biting the hand that feeds IT © 1998–2022