
The Cybersecurity 202: California’s new Internet of Things law only protects against a small portion of cyberthreats

The Washington Post//October 9, 2018//

“Password123” isn’t an easy password option anymore. At least, it isn’t in California.

The Golden State’s governor just signed a law (Senate Bill 327) barring companies from selling Internet-connected devices with preprogrammed passwords that are easy to guess or crack and leave them open to malicious hackers. Starting January 1, 2020, connected devices sold or offered for sale in California – whether they’re refrigerators, thermostats or cars – must either ship with a password unique to each unit or require the user to set a new credential before the device can be used for the first time.

The law makes California the first state in the country to set standards for the rapidly proliferating IoT business. It’s a step toward defending against cyberattacks such as the massive Mirai botnet that harnessed the power of hijacked devices to disable major websites in 2016.

But eliminating weak default passwords is an elementary move that only offers a basic safeguard against a sliver of digital threats. The fact that it’s only California that’s taking action — and is considered a trailblazer for such a simple step that many security experts think should already be a best practice — underscores the challenges facing policymakers and manufacturers when it comes to improving the notoriously poor security of connected devices.

“Hooray for doing something, but it’s a small piece of a very large problem,” said Bruce Schneier, a security technologist at the Harvard Kennedy School and author of a new book on IoT security. “If I have a house with 50 unlocked windows, you just secured the one in the second bedroom.”

By and large, IoT devices make easy targets for hackers, and poor password security is part of the problem. Many IoT devices come out of the box with fixed passwords, some of them as basic as “admin” or “1234.” Even when given the option of changing a device’s default password, users often don’t take action. Attackers rarely need to crack these passwords at all: automated malware simply tries a short list of known factory credentials, and good guesswork does the rest. That could allow them to break into an individual network, or to turn large masses of connected devices into disruptive botnets. It happened on a huge scale in the Mirai attack, in which the malware scanned the Internet for devices with an open Telnet port, logged in with a built-in list of a few dozen default username-and-password pairs, and seized control of hundreds of thousands of webcams, DVRs and other devices. In October 2016 those devices were used to flood the DNS provider Dyn with junk traffic, and sites that relied on Dyn, such as Twitter, PayPal and Netflix, were knocked out for hours.

California’s law seeks to address the problem by requiring that every connected device sold in the state either come with a preprogrammed password that “is unique to each device manufactured,” or require the user to “generate a new means of authentication before access is granted to the device for the first time.”

But even simple measures like this add costs for manufacturers, meaning further protections lawmakers seek to impose could be met with resistance from the industry.

And passwords aren’t the only way into devices for more sophisticated attackers, as TechCrunch’s Zack Whittaker notes. Instead, they exploit bugs in the devices’ software. California’s law doesn’t do anything to mandate that companies patch these types of vulnerabilities or offer users a way to install security updates themselves. Beyond banning default passwords, the law only requires manufacturers to equip devices with “a reasonable security feature or features,” without defining what those features should be.

It’s not even clear that barring default passwords like this would have staved off the Mirai attack, according to security researcher Robert Graham, a prominent critic of the California law. “A device doesn’t have a single password, but many things that may or may not be called passwords” that could have allowed attackers another way in, he wrote on the blog Errata Security. And any of these other authentication systems could have an issue. “Most of the devices vulnerable to Mirai did the right thing on the web interfaces (meeting the language of this law) requiring the user to create new passwords before operating. They just did the wrong thing elsewhere.”
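The two compliance routes in the statute, and the gap Graham describes (a web interface that forces a new password while a Telnet or SSH service on the same unit still ships a shared factory login), as an added example in Python that is not part of the article or the statute. The fleet records and the default-credential list are constructed for the example; a few of the pairs are of the kind Mirai’s scanner tried, but the list is not the published one.

```python
"""Added example: audit a fleet of connected devices service by service.

Not code from the article or the California statute. The device records and
the default-credential list below are constructed for this example.
"""
from collections import Counter

# A few username/password pairs of the kind Mirai's Telnet scanner carried
# (a constructed subset for the example, not the full published list).
MIRAI_STYLE_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("admin", "1234"),
    ("root", "123456"), ("admin", "password"), ("support", "support"),
}

# Constructed fleet: four units of one product line. Each service record holds
# the credential as shipped and whether that service makes the user set a new
# credential before first access (the statute's second compliance route).
FLEET = {
    "cam-0001": {
        "web":    {"cred": ("admin", "x7Gk-29qL"), "forces_change": True},
        "telnet": {"cred": ("root", "xc3511"),     "forces_change": False},
    },
    "cam-0002": {
        "web":    {"cred": ("admin", "x7Gk-29qL"), "forces_change": True},
        "telnet": {"cred": ("root", "xc3511"),     "forces_change": False},
    },
    "cam-0003": {
        "web":    {"cred": ("admin", "p9Rt-55mZ"), "forces_change": True},
        "ssh":    {"cred": ("root", "Zq7-pL41"),   "forces_change": False},
    },
    "cam-0004": {
        "web":    {"cred": ("admin", "Vb3-nT80c"), "forces_change": False},
        "ssh":    {"cred": ("root", "Zq7-pL41"),   "forces_change": False},
    },
}

# Finding codes for each service.
FORCED_CHANGE = "forced-change"             # user must set a credential before first access
DEFAULT_DICTIONARY = "default-dictionary"   # shipped credential is in an attacker word list
SHARED_DEFAULT = "shared-default"           # same credential on several units, never changed
UNIQUE = "unique"                           # per-unit credential, not shared, not in the list


def audit_fleet(fleet, defaults=MIRAI_STYLE_DEFAULTS):
    """Return {(device_id, service): finding_code} for every service in the fleet.

    The check runs per service, not per device: a unit whose web UI complies
    can still be exposed through a Telnet or SSH daemon with a factory login.
    """
    # Count how many units ship the same credential on the same service.
    shared = Counter(
        (svc, rec["cred"]) for dev in fleet.values() for svc, rec in dev.items()
    )
    findings = {}
    for dev_id, services in fleet.items():
        for svc, rec in services.items():
            cred = rec["cred"]
            if rec["forces_change"]:
                code = FORCED_CHANGE          # statute's second route: shipped value never usable
            elif cred in defaults:
                code = DEFAULT_DICTIONARY
            elif shared[(svc, cred)] > 1:
                code = SHARED_DEFAULT
            else:
                code = UNIQUE                 # statute's first route
            findings[(dev_id, svc)] = code
    return findings


def exposed_services(findings):
    """Sorted list of (device_id, service) pairs an attacker could log in to as shipped."""
    return sorted(k for k, code in findings.items()
                  if code in (DEFAULT_DICTIONARY, SHARED_DEFAULT))


if __name__ == "__main__":
    result = audit_fleet(FLEET)
    for key in sorted(result):
        print(f"{key[0]} {key[1]:<6} {result[key]}")
    print("exposed:", exposed_services(result))
```

Run as written, every unit passes on its web interface but every unit is still reachable over Telnet or SSH, which is the shape of the Mirai population Graham describes: the check that matters is the one run against each listening service, not the one the setup wizard shows.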

Graham insisted that the law is backward-looking, and offered a different suggestion: preventing connected devices on the same network from talking to, and potentially infecting, each other. “Forward looking, by far the most important thing that will protect IoT in the future is ‘isolation’ mode on the WiFi access-point that prevents devices from talking to each other (or infecting each other). This prevents ‘cross site’ attacks in the home. It prevents infected laptops/desktops (which are much more under threat than IoT) from spreading to IoT.” But he’s skeptical lawmakers will actually take action. Lawmakers, he said, “don’t think in terms of what will lead to the most protection, they think in terms of who can be blamed. Blaming IoT devices for moral weakness of not doing ‘reasonable’ things is satisfying, regardless if it’s effective.”
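Graham’s “isolation mode,” as an added example that is not from the article: a check of whether a hostapd access-point configuration actually turns client isolation on, with the weak default setting beside the corrected one. hostapd’s option for this is ap_isolate; the two configuration texts are constructed here.

```python
"""Added example: check whether a hostapd access-point config enables
client isolation, the "isolation mode" Graham recommends.

Not code from the article. hostapd's real option is ap_isolate (0 = off,
which is the default; 1 = stations in the BSS cannot exchange frames through
the AP). The two configuration texts are constructed for the example.
"""

# Constructed: a typical home AP config with the weak (default) setting.
WEAK_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_passphrase=correct-horse-battery-staple
# ap_isolate is not set, so hostapd uses its default of 0
"""

# Constructed: the same AP with client isolation turned on.
HARDENED_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_passphrase=correct-horse-battery-staple
# stations may no longer bridge frames to one another via the AP
ap_isolate=1
"""


def parse_hostapd(text):
    """Parse hostapd's key=value format: blank lines and # comment lines are
    skipped, and a key repeated later in the file overrides the earlier value."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def client_isolation_enabled(text):
    """True only when ap_isolate=1 is set explicitly (hostapd defaults to 0)."""
    return parse_hostapd(text).get("ap_isolate", "0") == "1"


def harden(text):
    """Return the config with ap_isolate=1, replacing any existing ap_isolate line."""
    kept = [l for l in text.splitlines() if not l.strip().startswith("ap_isolate=")]
    return "\n".join(kept + ["ap_isolate=1"]) + "\n"


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        state = "on" if client_isolation_enabled(conf) else "off"
        print(f"{name}: client isolation {state}")
```

Two caveats a practitioner would want: ap_isolate only stops frames between wireless stations on that BSS, so wired hosts and the router itself can still reach the devices, and anything that depends on LAN discovery between clients (casting to a TV, printing) stops working across the isolated stations, which is why the setting is usually applied to a separate IoT SSID rather than the main one.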

Still, the rudimentary fix is likely to usher in changes across the IoT industry, Schneier said. “If you buy an Internet connected toaster, the model has to have a no-default password to be sold in California. The manufacturer won’t make another that has bad security to sell elsewhere,” he told me. “For software it’s ‘write once, sell everywhere.’ ”

The passage of the California law also represents another area of technology policy where the state is moving faster than the rest of the country – and Congress. In the wake of the Mirai attack, Sens. Mark R. Warner, D-Va., and Cory Gardner, R-Colo., floated legislation that would apply more rigorous standards to companies that supply connected devices to the federal government. Their bill, the Internet of Things Cybersecurity Improvement Act, includes a provision that would ban weak default passwords, as well as language requiring that such devices be patchable and otherwise free of known security vulnerabilities. But after more than a year, the legislation hasn’t gained traction in the Senate.
