IoT security: California bans default passwords
As the Internet of Things has boomed in recent years, one criticism has come up again and again: inadequate IoT security, especially on the end devices themselves.
With a new law, the US state of California will oblige manufacturers of connected devices to protect their products better from 2020 onwards.
At the latest since the large and costly Mirai DDoS attack on the website of security journalist Brian Krebs in 2016 (after which Akamai, which had been protecting the site free of charge, withdrew that protection), manufacturers of devices that can be recruited into such botnets should have been expected to take the security of their products more seriously.
In fact, the security of such devices has not noticeably improved since, least of all for the mass-produced and most widely sold products from Far Eastern manufacturers, whatever their makers promise.
Devices and their operating systems or firmware are still shipped with no password at all, or with one default password shared across the whole product line. Many carry undocumented maintenance or test accounts. Even firmware update mechanisms are frequently not protected by signatures or any other verification, so malicious code can be pushed to the device and installed as if it were a legitimate update.
California's law "SB-327 Information privacy: connected devices" now requires manufacturers who want to keep selling their devices in California (and thus, in practice, in the US market as a whole) to raise the security level of those devices.
Besides the rather vague requirement that a connected device carry security features appropriate to its function and to the data it collects, stores or transmits, the law is explicit on one point: a device that can be logged into from outside the local network may no longer ship with a shared default password.
SB-327 Information privacy: connected devices
(a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:
- (1) Appropriate to the nature and function of the device.
- (2) Appropriate to the information it may collect, contain, or transmit.
- (3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
Such a device must therefore either come with a password that is unique to that unit, or force the user to set a new credential during initial setup before any access is granted:
(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:
- (1) The preprogrammed password is unique to each device manufactured.
- (2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
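The two ways a device can satisfy subdivision (b), as an added example that is not part of the original article or of the statute: a small Python model of one device's credential state, with the non-compliant shared default beside the two compliant designs. `Device`, `derive_label_password`, the factory secret and the serial numbers are constructed for illustration; the password hashing and the short denylist are engineering choices, not requirements of SB-327.

```python
"""Model of a connected device's credential state under SB-327, subdivision (b).

Constructed example: Device, derive_label_password and all values below are
illustrative, not taken from the statute or from any real product.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Stand-in for a "do not accept the usual factory defaults" check.
WEAK_PASSWORDS = {"admin", "password", "12345678", "root", "default"}


def _kdf(password: str, salt: bytes) -> bytes:
    """Slow password hash (PBKDF2-HMAC-SHA256); an engineering choice, not a legal one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def derive_label_password(factory_secret: bytes, serial: str) -> str:
    """(b)(1): a preprogrammed password unique to each unit, printed on its label.

    Keyed with a secret the manufacturer keeps off the label and off the network
    (an HSM key at the factory, or a per-unit secret). Deriving it from the serial
    or MAC address alone would not do: those are public identifiers, so a password
    computable from them is shared knowledge, not a unique credential.
    """
    msg = b"label-password:" + serial.encode("ascii")
    tag = hmac.new(factory_secret, msg, "sha256").digest()
    return base64.b32encode(tag[:10]).decode("ascii")  # 16 Base32 characters


def acceptable(password: str) -> bool:
    """Minimal policy for a user-chosen credential."""
    return len(password) >= 8 and password.lower() not in WEAK_PASSWORDS


class Device:
    def __init__(self, serial: str, preprogrammed: Optional[str]):
        self.serial = serial
        self.salt = secrets.token_bytes(16)
        self.password_hash = (
            _kdf(preprogrammed, self.salt) if preprogrammed is not None else None
        )
        # (b)(2): with no preprogrammed credential, nothing is granted until the
        # user creates one.
        self.setup_required = preprogrammed is None

    @classmethod
    def shared_default(cls, serial: str) -> "Device":
        """Non-compliant: the same password on every unit of the product line."""
        return cls(serial, "admin")

    @classmethod
    def unique_default(cls, serial: str, factory_secret: bytes) -> "Device":
        """Compliant via (b)(1): the label password is unique to this unit."""
        return cls(serial, derive_label_password(factory_secret, serial))

    @classmethod
    def setup_on_first_use(cls, serial: str) -> "Device":
        """Compliant via (b)(2): the first access must create the credential."""
        return cls(serial, None)

    def login(self, password: str) -> bool:
        """Login from outside the LAN. Denied outright while setup is pending."""
        if self.setup_required or self.password_hash is None:
            return False
        return hmac.compare_digest(_kdf(password, self.salt), self.password_hash)

    def set_initial_credential(self, new_password: str) -> bool:
        """The (b)(2) gate: usable exactly once, before any access has been granted."""
        if not self.setup_required or not acceptable(new_password):
            return False
        self.salt = secrets.token_bytes(16)
        self.password_hash = _kdf(new_password, self.salt)
        self.setup_required = False
        return True


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # constructed manufacturer secret
    for serial in ("CA-000001", "CA-000002"):
        print(serial, "label password:", derive_label_password(secret, serial))
```

The point of the three constructors is the contrast: every `shared_default` unit accepts the same string, so one leaked manual compromises the whole product line; a `unique_default` unit accepts only its own label password; and a `setup_on_first_use` unit refuses every login, including the empty and the usual default strings, until a credential exists. Whichever path a manufacturer chooses, the legal test applies only to authentication reachable from outside the local network, which is exactly the path Mirai-style scanners use.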
It is to be hoped that the idea behind this law will be taken up by the European Union as well. Sensible, clear guidelines and laws to strengthen IoT security are an important framework for a successful and productive Internet of Things.