California’s New IoT Password Law. A Nice Try but…

California governor Jerry Brown recently signed a bill into law called the ‘Security of Connected Devices,’ or SB-327. Starting in 2020, the new law requires any California manufacturer of Internet-connected devices to equip every new device with a unique password or have a setup procedure that requires users to change the default password as part of the setup procedure.

The law is an effort to address a geometrically growing problem – customers that simply take their latest Internet-of-Things device, plug it in or connect it to their wifi, and then forget about it leaving default and hard-coded service passwords in place. This is how automated malware like NotPetya and WannaCrypt recently wreaked havoc around the world.

Like many government initiatives, there are good intentions but while the new law may provide some help it unfortunately misses the much larger problem; failure to update software. There are many ways to access an IoT device and a username/password is just one of them.

New security holes are discovered all the time and they usually take advantage of elements of the device whose operation is invisible to users.

It’s hard enough for Apple and Microsoft to get users to update their main computer systems, so imagine the difficulty in getting users to update a smart light bulb socket, a security camera, or a smart refrigerator? Or how about hundreds or thousands of devices in a home or business?

So what’s the takeaway? First, don’t rely on manufacturers to supply perfect products or products that update themselves. In fact, many self-updates create more problems than they fix (hey – some of this stuff is complicated!). And don’t look for a government magic wand to solve the problem. The new California law makes nice press and allows legislators to claim that they ‘did something about the problem,’ but understand that you have to take responsibility for what you connect to your network.

Especially at work, be extra careful. In addition to thinking twice about whether you really need that IoT device, we recommend deploying a system like our Ransomware Guardian that can restrict unknown and rogue IoT devices from functioning on your network.

Everyone stay safe out there!


 

Author: Glenn Mores

President & CEO MicroData