California cracks down on Internet of Crap passwords with new law to stop the botnets

Anyone manufacturing an internet-connected device in California will, from 2020, have to give it a unique password in an effort to increase overall online security. That's the main impact of a new bill recently signed into law by Cali governor Jerry Brown, SB-327 called "Security of connected devices." The law is the US state …

  1. Anonymous Coward

    IoT & Patching - The bigger picture issue is Trust is Dead

    With IoT, every device has a potential secret agenda, not in your interest...

    State actors see IoT as a target to be acquired and tracked. Hackers as well, but for hijacking / extortion / DDOS purposes etc. Commercial firms see consumer IoT devices as a means for getting 'consumer intel' (Vizio-TV's etc). All of them see IoT devices as merely 'rented to you' for the purpose of different types of Monitoring / Tracking / Surveillance.

    Even if a WebCam manufacturer offered timely updates, would you trust them coming from China or Vizio-HQ etc?

    What we have basically is Intel-Management-Engine meets Adobe-Experience-Cloud in one package. Or lots of sneaky anti-consumer practices underpinning tech and fundamentally eroding trust. Even if open standards were followed at hardware and OS level, and you could get all your patches from a website you trust sha256 verified etc... There are just too many bad faith actors out there wanting to distort the process. Who can you trust? For this reason the entire premise of IoT is for sht!

  2. Anonymous Coward

    Re: IoT & Patching - The bigger picture issue is Trust is Dead

    https://www.theregister.co.uk/2018/05/08/adobe_hyper_personalisation_and_your_privacy/

    https://www.theregister.co.uk/2017/02/06/ftc_spanks_vizio_for_slurping_viewer_activity/

    https://www.theregister.co.uk/2017/05/05/intel_amt_remote_exploit/

  3. DaLo

    Re: IoT & Patching - The bigger picture issue is Trust is Dead

    Trust may be dead for some devices and for some technical people, but the average consumer will go on Amazon, buy a cheap device, install it, download their app, agree to the 501 permissions required and put it on their network.

    How are they to know any better? There is no mandatory test and qualification required to buy an IoT device, and they don't presume the ones on sale are dangerous.

    As well as extending this bill to a larger area (e.g. all of the US or all of the EU) where every manufacturer would be forced to comply, as the author states, it should be extended and certified further. A beep for an update will not work as very few cheap IoT devices ever get updated out of the factory.

    I suggest:

    # All devices need to have security assessment to provide a test of the device based upon current most likely threats. Devices must pass this and be certified before going on sale.

    # All internet connected - or connectable - devices have a grading which shows a length of time in which they guarantee updates for a device. All source code is held in Escrow in case the supplier goes under in that time.

    # Any security threats discovered in a device during its service guarantee time must be fixed in a standard length of time based upon the severity.

    Therefore the customer can understand that by paying $5 for an IoT device they are likely to only get 1 year of usable life from it, while someone who pays more might get a much longer guarantee.

  4. the Jim bloke Bronze badge
    FAIL

    Any device manufactured in California..

    Well, that's going to help a lot.

  5. IceC0ld Bronze badge

    Re: Any device manufactured in California..

    Any device manufactured in California..

    Well, that's going to help a lot.

    ======

    it's a start, and bear in mind that California, on its OWN, is the WORLD'S 5th largest economy, so it is quite a start too, but as El Reg has pointed out, they have gone for low-lying fruit, and there were better options available :o(

  6. bombastic bob Silver badge
    FAIL

    Re: Any device manufactured in California..

    "Well, that's going to help a lot."

    Ack on the snark. (you WERE being facetious, right?)

    The laws of 'unintended consequences' are the usual result from the "legislate yet another law" crowd, who claim good intentions. But coming from Jerry Brown and the Sacramento legislature [one of the most corrupt organizations on the planet, where paid lobbyists mull about on the legislature floor waiting to be 'consulted' on EVERY!THING! before it's voted on] I can expect an 'ulterior motive'.

    Cali-fornicate-you gummint can only affect California corporations and residents. And they can NOT stop competing products coming in 'at the border'. So you'll probably see a couple of things:

    a) a drop in the quantity of things being built within the California borders;

    b) an increase in prices to the consumer;

    c) overly-complicated setup processes if "just firmware" is involved in this regulation;

    d) all of the above

    Some of this was alluded to in the article, but I'll just say it straight out: the more governmentium and petty regulation, the LESS PRIVATE SECTOR ACTIVITY you will see. Because it costs the legislature NOTHING to "pass yet another law". It only costs those who are AFFECTED by it. That would be everybody else who is NOT THEM.

    (My state needs an enema, starting with that crap-hole called "Sacramento")

    I'd also like to point out, for the record, that all of the cheap IoT junk being sold on E-bay and Alibaba won't be affected by this. And I wouldn't be surprised if THAT stuff is MOST of the problem...

  7. A.P. Veening

    Re: Any device manufactured in California..

    @bombastic bob

    You seem to have overlooked the minor detail that no devices are actually manufactured in California. Even the devices manufactured for California-based companies are manufactured in countries like the PRC and Vietnam (Thailand is already too expensive).

  8. sanmigueelbeer Silver badge
    Facepalm

    Re: Any device manufactured in California..

    What a waste of effort for something that applies to bugger-all.

    The author (of the law, that is) might as well add that this law is applicable to devices that are pointing in a northerly direction.

  9. Phil O'Sophical Silver badge

    Re: Any device manufactured in California..

    What a waste of effort for something that applies to bugger-all.

    Are you sure? Read the text of the bill:

    (c) “Manufacturer” means the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.

  10. Doctor Syntax Silver badge

    Re: Any device manufactured in California..

    "the person who manufactures, or contracts with another person to manufacture on the person’s behalf"

    It still doesn't apply to devices on sale from non-Californian manufacturers even where manufacturer is defined as above. Selling or offering for sale would be a better target. The killer blow would be forbidding the connection of an insecure device to the internet with liability on both the owner and the ISP. If a customer is found with an insecure device facing the net the ISP would be obligated to disconnect them until the device is removed. That kills the market for such devices.

  11. DougS Silver badge

    Re: Any device manufactured in California..

    It doesn't say that the device has to be manufactured in California, only that the "manufacturer" has to be a California company. Apple contracts out the manufacturing of iPhones, so are they exempt? They manufacture iMacs in Ireland, but probably via a subsidiary called "Apple Ireland" or whatever - so are iMacs exempt or not?

    If Microsoft manufactured Surface devices themselves (I'm pretty sure they don't, but just as an example) are they not considered a California company since they are based in Seattle? Or does the fact that they have offices in California make them a California company?

    Seems like there's a lot of uncertainty in who this would apply to - uncertainty that would be worked out in court so it would be years before it applied to anyone.

  12. bombastic bob Silver badge
    Meh

    Re: Any device manufactured in California..

    "no devices are actually manufactured in California"

    OK technically you're right. but for a 'California corporation' that outsources the actual building of the thing, then does final assembly and test in California, it may still 'count' as 'made here'.

    I guess I'd have to see the nuances of whatever was excreted from Sacramento's "law factory"...

    [knowing them, they thought of this already]

  13. Anonymous Coward

    Simples

    Password1

    Password2

    Password3

    Password4

    ....

  14. Maelstorm Bronze badge
    Big Brother

    The problem...

    There are several problems with this. Let's go down the hit list, shall we?

    1. As the first commenter stated, trust in IoT is dead, and for the reasons given.

    2. IoT devices are made to be cheap and get flung out the door quickly, with security as a second thought.

    3. The reason behind #2 is every manufacturer wants to be first to market with a device, so the software people don't have enough time to fully test and secure the product before it is shipped.

    4. The average lifetime of an IoT device is about (guesstimate) 18 months before manufacturers no longer support it.

    5. This bill, although it is a step in the right direction, is misguided for several reasons. Those are enumerated below:

    5a. Most of this hardware is manufactured overseas, which means that the law won't even apply to most.

    5b. For those who do manufacture the hardware here in California, you are going to significantly increase the costs to the manufacturer. They will need someone to program a password into each device (or generate one automatically), and then print more, unique documentation because now the passwords between the devices are different.

    5c. Hope that the person who is typing in all these passwords gets it right.

    6. How are you going to enforce this? Have the state become a nanny? More so than it already is? Sorry, I'm tired of the nanny state. I don't need Big Brother telling me what I need to do to improve the security of my devices.

    A much better way to do this is to educate the public on the security issues. Make it part of the public school education curriculum. That way, everyone will at least be aware. However, that will not help when you have an IoT Tea Pot with a default password of 000000 that cannot be changed...

  15. Charles 9 Silver badge

    Re: The problem...

    " How are you going to enforce this? Have the state become a nanny? More so than it already is? Sorry, I'm tired of the nanny state. I don't need Big Brother telling me what I need to do to improve the security of my devices."

    Hell yeah you do, or else someone ELSE will take you with them. Or would you rather be living in the Gilded Age (Upton Sinclair's The Jungle, anyone? Sweat shops?) where robber barons did what they wanted and made or bribed governments to turn a blind eye? Which would you prefer: anarchy or the police state? Because the natural human tendency won't allow anything in between to last for very long, if the current global situation is any indication.

    "A much better way to do this is to educate the public on the security issues."

    In case you haven't noticed, we've been trying. But unless it's something that'll KILL THEM, they won't listen. You can't educate someone who doesn't care. Remember, we're talking the Facebook generation where people WILLINGLY give out all the information miscreants need to steal their identity...and feel they NEED to do it to maintain their oh-so-important social circles. Unless you propose some license to have kids, this will only continue.

  16. A.P. Veening

    Re: Education

    You may have been trying, but with the current American educational system, failure was already guaranteed.

  17. Mark 85 Silver badge

    Re: The problem...

    Or would you rather be living in the Gilded Age (Upton Sinclair's The Jungle, anyone? Sweat shops?) where robber barons did what they wanted and made or bribed governments to turn a blind eye?

    I think we are already there. The lobbyists run state and federal governments.

    Which would you prefer: anarchy or the police state?

    Currently, it would appear that we are headed towards a police state because the anarchists are to be feared and government has pounded that into everyone's head.

    Sadly, we the people, don't have much choice in who we elect nor do the candidates seem to have much freedom to do what we want. Between government pressure to "think of the children", "terrorism", etc. and lobbyist bribery, we're screwed. Perhaps a revolution might occur but it would end in anarchy due to the fragmentation by various political groups. The old saying "divide and conquer" is working very well here in the US. And to the naysayers, I say "look again". Black vs. white. Haves vs. havenots. Even the political parties are fragmented in many ways other than "left vs. right".

    The problem needs to be addressed at the grass root level wherein the people realize how badly they are being manipulated, used, and abused even within their own factions. The problem is how to get them to think beyond their own noses and look at what really needs to be done for the greater good.

    Lastly, yes.. the Facebook generation... <sigh> along with "hipsters" or whatever that only think about the next shiny to buy.

  18. Alienrat

    Re: The problem...

    > They will need someone to program a password into each device (or generate one automatically), and then print more, unique documentation because now the passwords between the devices are different.

    I think it is not uncommon for a lot of routers I have seen to have the default password printed on a label on the bottom of the box. These passwords are put on automatically during manufacture. It's not done by hand and it doesn't seem that tricky.

  19. Prst. V.Jeltz Silver badge

    Re: The problem...

    They will need someone to program a password into each device (or generate one automatically)

    NOPE, didn't you see option B?

    "a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time."

    So, a tiny mod to make the user reset the admin password on login - job done.

  20. Doctor Syntax Silver badge

    Re: The problem...

    "They will need someone to program a password into each device"

    There is an option to force the user to secure the device with its own password before it will become operational.

    "I don't need Big Brother telling me what I need to do to improve the security of my devices."

    Frankly I don't give a toss whether you take any steps to secure your devices at all. What I do care about is you exposing an insecure device on the network where it can be weaponised to attack me or anyone else. If it takes legislation to force you to do that, then so be it.

  21. Prst. V.Jeltz Silver badge

    Re: The problem...

    @Maelstrom

    1. Irrelevant - hey, this will bring trust back!

    2. yes - now with unique passwords

    3. force Set password at first use = easy way, no lead time

    4. so what?

    5a. if manufactured on orders from Cali - yes it does; besides, it's no big deal to implement

    5b. the shit will still be manufactured in Taiwan, with the no-issue "force Set password at first use" added

    5c. see 5b

    6. it's bloody obvious common sense, realised by the Unix community decades ago when it occurred to them that they should get the admin to change the default admin\admin password at first use. And that's a free OS.

  22. Charles 9 Silver badge

    Re: The problem...

    It may be a free OS, but it's not a consumer OS used by people who wouldn't know a password from a potato, expect things to work out of the box, and simply complain, "This trash is broken! I want a refund!"

  23. Herby Silver badge

    But will they give out the "unique" password?

    Let's say I have an older device that has been idle for a while, and I want to re-purpose it (or some other activity). The vendor has nicely provided a "factory reset" switch. I go through the process and connect my nice browser to the device in question. The nice online manual indicates that if I give a call center a nice multi-character string, they will give out the factory password.

    Ah, there is one problem. It has been a while, and the vendor no longer supports this model. They just don't have said password, or the algorithm to get it.

    You have a brick. Have a nice day.

    Yes, this happened to me. I lucked out in that the user (a friend) remembered the older password, and all was well again. But still......

  24. Spoonsinger

    Re: "and the vendor no longer supports this model."

    Car manufacturers manage to support giving out radio codes for years. (I mean years. I have done it for a 20 year old Volvo in the past). I assume there must be some legal reason (other than the goodness of their hearts), which could be used as a template law for said IoT devices.

  25. Prst. V.Jeltz Silver badge

    Re: But will they give out the "unique" password?

    You have a brick. Have a nice day.

    Then you press the teeny button on the side, and the device reverts to defaults, complete with "set your own unique password at first login" reactivated. Job done.

  26. Doctor Syntax Silver badge

    Re: But will they give out the "unique" password?

    "You have a brick."

    Next time buy something that handles such stuff better.

  27. Charles 9 Silver badge

    Re: But will they give out the "unique" password?

    And if there AREN'T any?

  28. Chris Evans

    Re: "and the vendor no longer supports this model."

    Car manufacturers expect their products to be in use for a much longer time and they also have the revenue stream from spare parts which can be more profitable than the initial sale.

    Now if only technology companies could get involved in 'The Circular Economy' Where things are designed for longevity and repairability! www.wrap.org.uk/about-us/about/wrap-and-circular-economy

  29. Charles 9 Silver badge

    Re: "and the vendor no longer supports this model."

    Microchips are too small for that. At least you can use a wrench in a car. Plus component manufacturers are in cutthroat competition with each other, so the bottom line is critical for them.

  30. Pascal Monett Silver badge
    Stop

    No need for a unique password

    It seems everyone is fixated on that point, when the article clearly indicates that another option is possible : forcing the user to change the default password on setup.

    So no, there is no need to have a device-specific manual or anything else. Every manual is the same and printed the same way; it's just the consumer that has to change the password on setup and not forget it. Then curse and snarl six months later when he forgot it and needs to force a reset on his IoT thingy.

  31. Charles 9 Silver badge

    Re: No need for a unique password

    Which means companies get complaints and lose customers because You Can't Fix Stupid.

  32. Doctor Syntax Silver badge

    Re: No need for a unique password

    "Then curse and snarl six months later when he forgot it and needs to force a reset on his IoT thingy."

    Experience is a dear teacher but there are those who will learn at no other.

  33. Doctor Syntax Silver badge

    Re: No need for a unique password

    "companies get complaints and lose customers"

    If the playing field is level the only place for a customer to go is someone selling something that behaves the same way. See my comment about some not learning except by experience.

  34. Charles 9 Silver badge

    Re: No need for a unique password

    And what of those who won't learn even BY experience?

  35. Whitter
    Meh

    Broken updates

    Who's going to take the chance that their house's power system goes down after a borked security patch to the "smart meter"? Could Joe-punter rectify the situation if it did happen? In general, no. How big are the test teams working on IoT updates? Ermm.. about as big as the team making them; likely zero.

  36. DropBear Silver badge

    Re: Broken updates

    Which is why I flat out would not buy any device that _forces_ me to apply updates by whatever means. That is not to say I would never want to apply an update to a device, but the thing is a lack of updates may or may not have actual consequences for my specific device depending on its specific circumstances (it more likely won't though) whereas any update may or may not break functionality I depend on (and it more likely will - most updates I applied to a device did break _something_). And at this point, I'm done dealing with things breaking - if I can't rely on it to work untouched 5-10 years, I don't want it. Life is literally too short to keep dealing with the endless amount of stuff that wants to be maintained each time the direction of the wind changes.

  37. Charles 9 Silver badge

    Re: Broken updates

    "And at this point, I'm done dealing with things breaking - if I can't rely on it to work untouched 5-10 years, I don't want it."

    So what if the ONLY things available ONLY last that long? Do you throw your arms and say, "Stop the Internet! I wanna get off!"?

  38. David M

    Not in anyone's interest

    Part of the problem is that if, say, all your lightbulbs get recruited into a botnet, the manufacturer doesn't care as they've still sold some lightbulbs, and the owner doesn't care as the bulbs continue to work. So there's very little incentive to do anything about this. Plus many people have had the experience of a device getting worse or completely broken by a software update, so may be reluctant to do it unless there's an obvious benefit. Any solution will have to make the cost of being hacked significantly higher than the cost of security, for both manufacturer and owner.

  39. Charles 9 Silver badge

    Re: Not in anyone's interest

    Well, you can forget holding the manufacturers to blame because (1) they'll probably be protected by hostile sovereignty, and (2) if push came to shove, they'll do a fly-by-night and disappear, or (3) find a way to lawyer their way out of it.

    As for consumers, security = PITA, so unless you can come up with something worse than a PITA that can survive a court challenge for unreasonable expectations, search, or seizure, any attempt will generate serious pushback.

  40. Doctor Syntax Silver badge

    Re: Not in anyone's interest

    "the owner doesn't care as the bulbs continue to work"

    The owner will care if the law obliges the ISP to cut them off from the net. Next time they'll buy better light bulbs. Even if, by that time, the original vendor is making better light bulbs they'll find they have lost reputation.

  41. Doctor Syntax Silver badge

    Re: Not in anyone's interest

    "security = PITA, so unless you can come up with something worse than a PITA"

    Make insecurity a bigger PITA.

  42. Charles 9 Silver badge

    Re: Not in anyone's interest

    But INsecurity = convenience. It's QUICK, it's EASY, it lets people get on with their G.D. day! That's gonna be hard to beat.

  43. Anonymous Coward

    Where's the master list of passwords kept ?

    because how else can you know - and prove - they're "unique" ?

  44. Spoonsinger

    Re: Where's the master list of passwords kept ?

    Flimsy Backdoor Industries will keep the list. You know they can be trusted.

  45. vtcodger Silver badge

    Re: Where's the master list of passwords kept ?

    Password is the same as the serial number.

    Bet on it.

  46. Anonymous IV
    Thumb Down

    Re: Where's the master list of passwords kept ?

    Presumably all these passwords have to be submitted to some Californian Registry Body, so that they can be assessed for strength.

    (And, of course, for no other reason...)

  47. Prst. V.Jeltz Silver badge

    Well, I've seen a whole lot of bitching and moaning up above about perceived issues with this initiative.

    Can't say I agree with any of them; it's an easy and simple improvement to make* with no security implications beyond ones that are always there for all things.

    *especially if going the "set yer own pwd at start" route

  48. Charles 9 Silver badge

    Unless there are too many instances of customers complaining about setting their passwords and then forgetting them. Last thing any company wants is a bunch of "This trash is broken! I want a refund!" complaints.

  49. DougS Silver badge

    What a stupid bill

    So they randomly generate a password and print it on the back of the device - like they already do on many wifi routers for the default SSID/password. Meaning that if the label is damaged then you're screwed if you have to reset the device to default. You're also screwed if you don't have easy physical access to it or it is too small to have a "label" on which to print the password - which will be the case with many IoT devices.

    What does it mean for phones, is Apple going to have to ship iPhones with a unique default password instead of like they do now where they are totally open when you unbox them? Is Apple supposed to print that default password on the back of the phone, or put it in the box? Good luck buying a used iPhone without the original box I guess! If it is on the back of the phone, better hope it isn't one of the newer ones with a glass back, and that the glass back didn't break and get replaced!

    All they need to say is that you need to be forced to reset the password from the default in order to use the device. i.e. if you sell a wireless router with default admin/password login, until you actually login to the GUI and reset that password, it will only allow one device to connect to the router and it'll force it to a page where you have to change the password.

  50. Doctor Syntax Silver badge

    Re: What a stupid bill

    "All they need to say is that you need to be forced to reset the password from the default in order to use the device."

    Great idea. That's why the bill makes exactly that provision.


Biting the hand that feeds IT © 1998–2018