SB 327 May Require Stronger Passwords on IoT Devices
You may recall in October 2016 when the Mirai botnet disrupted the internet. The DDoS attack made major Internet platforms and services unavailable to large swathes of users in Europe and North America. The botnet gained this control by taking advantage of connected devices that were protected only by factory-default usernames and passwords, making them easy targets for hackers.
Even after the attack, experts say a surprisingly large number of people still don’t change the default password when they buy a new device. It may come as a surprise to these folks that default passwords can easily be found via a quick search on Google.
And, with a growing number of connected devices (as of 2017, we were already at 20 billion), one state is taking steps to secure connected devices the best way it can — through legislation.
Starting in August, California has been considering legislation that enforces stricter password security for physical devices that collect and share data they acquire from users and their surroundings. The specific piece of legislation, dubbed SB 327, is nearing its final stages just as Amazon introduced a handful of new Alexa-enabled products like microwaves, clocks, and car gadgets, making the bill timelier than ever.
SB 327 aims to require manufacturers of connected devices to equip them with a “reasonable security feature or features,” beginning in January 2020. As part of the bill, manufacturers will be responsible for providing a unique default password for each device, or, at the very least, prompting the user to generate a new password before using the product.
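The two compliance paths the bill describes, a unique default per unit or a forced credential change before first use, are simple to model. The following is an added example written for this article, not code from the bill, the article, or any manufacturer: the denylist contents, the 12-character minimum, and all class and function names are this example's own assumptions. It generates a per-device default from a CSPRNG, and it simulates a first-boot gate that refuses to serve network clients (or accept logins) until the shared factory default has been replaced with something that is not on a list of known-weak values.

```python
import hashlib
import hmac
import secrets
import string
from typing import Tuple

# Constructed denylist for this example; "123456", "password" and "qwerty"
# are the weak choices the article itself names. A real product would ship
# a far longer list of known default and breached passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "admin", "12345678"}

MIN_LENGTH = 12  # assumed policy value for this example, not taken from the bill


def generate_unique_default(length: int = 16) -> str:
    """Option one: a per-device default drawn from a CSPRNG at manufacture
    time, so no two units ever share a credential."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _hash_password(password: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash; the device never needs the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceCredentialGate:
    """Option two: the device boots with a shared factory default but refuses
    to serve network clients until the owner has replaced it."""

    def __init__(self, factory_default: str):
        self._salt = secrets.token_bytes(16)
        self._factory_hash = _hash_password(factory_default, self._salt)
        self._current_hash = self._factory_hash
        self.setup_complete = False

    def _matches(self, candidate: str, stored: bytes) -> bool:
        return hmac.compare_digest(_hash_password(candidate, self._salt), stored)

    def is_using_factory_default(self) -> bool:
        return hmac.compare_digest(self._current_hash, self._factory_hash)

    def validate_new_password(self, candidate: str) -> Tuple[bool, str]:
        """Return (accepted, reason); the most specific failure is reported first."""
        if candidate.lower() in COMMON_PASSWORDS:
            return False, "common/default password"
        if self._matches(candidate, self._factory_hash):
            return False, "same as factory default"
        if len(candidate) < MIN_LENGTH:
            return False, "too short"
        return True, "ok"

    def set_password(self, candidate: str) -> Tuple[bool, str]:
        accepted, reason = self.validate_new_password(candidate)
        if accepted:
            self._current_hash = _hash_password(candidate, self._salt)
            self.setup_complete = True
        return accepted, reason

    def accept_connection(self) -> bool:
        """Network services stay disabled until setup is complete."""
        return self.setup_complete and not self.is_using_factory_default()

    def authenticate(self, candidate: str) -> bool:
        """Logins are refused outright while setup is incomplete, so the
        factory default is never usable over the network."""
        if not self.accept_connection():
            return False
        return self._matches(candidate, self._current_hash)


if __name__ == "__main__":
    gate = DeviceCredentialGate("admin")
    print("serving before setup:", gate.accept_connection())
    print("weak choice:", gate.set_password("123456"))
    print("strong choice:", gate.set_password("correct-horse-battery"))
    print("serving after setup:", gate.accept_connection())
    print("fresh per-device default:", generate_unique_default())
```

The ordering of the checks matters: a candidate on the denylist is rejected as such even when it also fails the length rule, so the owner is told the real problem rather than being nudged toward a longer variant of the same bad password.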
The bill was approved by the California Assembly and Senate and now awaits Gov. Jerry Brown’s final approval.
As with any bill, there are limitations. For one, there is no regulation on an individual user’s password practice, which is ultimately the first line of defense. Additionally, the bill doesn’t currently touch on encryption standards, which would add another layer of security and protection. Furthermore, it’s unclear what the real definition of “reasonable security features” is, which can make it difficult for businesses to easily tell whether or not they are compliant.
However, proponents of the bill suggest that tightening the language may not account for fast-moving technology. In other words, what makes sense now may not hold up long-term.
Still, the regulation moves us away from a situation where every device ships with the same password, which will reduce the power botnets have to mount widespread attacks; for all intents and purposes, that is a step in the right direction.
Whether more states hop on board (or federal action is ever implemented) remains to be seen. But whether California’s bill passes or not, it’s imperative for all users to practice healthy password habits. (Like not using 123456, password, or qwerty.)