Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Businesses Government Privacy Software United States

California May Ban Terrible Default Passwords On Connected Devices (engadget.com) 155

According to Engadget, the California Senate has sent Governor Jerry Brown draft legislation that would require manufacturers to either have to use unique preprogrammed passwords or make you change the credentials the first time you use it. "Companies will also have to 'equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device,'" reports Engadget. From the report: If Brown signs the bill into law, it will take effect at the beginning of 2020. But critics claim the wording is vague and doesn't go far enough in ensuring manufacturers don't include unsecured features. "It's like dieting, where people insist you should eat more kale, which does little to address the problem you are pigging out on potato chips," Robert Graham of Errata Security said in a blog post. "The key to dieting is not eating more but eating less." Given the huge number of connected devices available, it's also not clear how the state plans to enforce and regulate the rules.
This discussion has been archived. No new comments can be posted.

California May Ban Terrible Default Passwords On Connected Devices

Comments Filter:
  • by Anonymous Coward

    About time, its a good start. But devices should also have a 'BACKDOOR INSTALLED" sticker if that is the case.
    And another sticker 'Device will be unsupported after 1 2 or n years. This way consumers will discriminate against throw away trash
    And a fine if string length overflows happen because of lazy coding and lazy compiles.
    You would have thought the FCC or similar would have demanded this decades ago, or a list where you can scan your device and find out if defective with no firmware upgrades available.

    • Re:About Time (Score:5, Insightful)

      by AvitarX ( 172628 ) <me AT brandywinehundred DOT org> on Thursday September 20, 2018 @07:14AM (#57347192) Journal

      I like easy default passwords.

      I want to be able to hard reset my device and get it setup without a reference. I don't want losing the paper where I wrote it's default password to brick the device on a hard reset.

      It's more challenging better to have am easy default, and force a change of password during the setup.

      • They mold in serial numbers, surely they can mold in the default password or do a resin impregnated label that ought to last as long as the device.
      • What might be the best thing is an e-Ink display or a cheap LCD display. When the device is hard reset, the display will show a random 10-20 digit code on it, which will be the temporary password for the device. Then, once the device is logged into, it will force a password change.

        • I like that idea of it showing up on the device. I'd go further though. If the random password is suitably random, then don't let the user change the password. Instead have a button that creates a new password and displays that.

          The snag though, is that now you have to have the actual text of the password stored in the device, which can mean that there's a way to get ahold of that password remotely. And manufacturers aren't going to voluntarily add a complicated secure module when they can just print a s

      • by AmiMoJo ( 196126 )

        Many devices come with a strong default password printed on the case. Can't lose it because it's on the device permanently. It's a good enough password for the user to keep using without changing it, and the physical security of it being in your house is adequate for stuff like WiFi and Bluetooth pairing codes.

        • by AvitarX ( 172628 )

          I've had a few travel routers, and they all have this wear off pretty quick. Not to say a device could do it in a way that it won't wear off, but they tended to in my experience.

          It looks like the law allows for the simple default plus forced change though (that's what I get for not reading TFS).

      • My home Verizon router is both. It has a unique default password printed on a sticker on the device. If you reset it to the defaults that becomes the password.

        And the first thing you do to the device when you set it up is to reset it to the defaults with a button on the device.

        Now, when I forget the password that I put into it, I can simply reset the device and use the password on the sticker.

      • by Agripa ( 139780 )

        I want to be able to hard reset my device and get it setup without a reference. I don't want losing the paper where I wrote it's default password to brick the device on a hard reset.

        But think of the sales opportunities!

  • aren't most of these account compromises due to stuff like an incompetent company leaving its database in plaintext or some kid phishing it from or fooling an employee somehow instead of some master hacker bruteforcing individual passwords that don't follow silly rules like having upper case and symbols?
    • Re: (Score:3, Insightful)

      Comment removed based on user account deletion
    • Well that's the sort of thing you hear about, but... well, first, in order to see that the database is in plaintext, you have to get access first. It's not uncommon for people to get into the systems because of password reuse or weak passwords or default passwords.

      Also, you don't hear much about the compromises that are due to default passwords because it's not a big scary unexpected security flaw. It's written off as, "Yeah, that guy's dumb for leaving the default password." But I think when you're des

    • by Junta ( 36770 )

      Well, in this case the consequence of well known default passwords are the various botnets of embedded devices, which happen very often.

  • by mentil ( 1748130 ) on Thursday September 20, 2018 @05:26AM (#57346916)

    Now instead of a default router password, users will be prompted to change it, thus setting it to 'Password1'.
    Progress!

    • by Anonymous Coward

      They just need to make a law against that too. Duh

    • C'mon, that isn't secure... try "Password1!"

      Installed OpenHAB to look at it for home automation, and I just kept cringing at how miserable the security model is and just how hard they have made it to put it in a non-routeable VLAN. While this bill doesn't address everything by any means, the "reasonable minimum protections" concept needs to be enshrined somewhere.

  • by Anonymous Coward

    Go figure a somewhat reasonable default is replaced by a consumer who decides they cannot remember the password so they change it to 12345.

  • sure, as with any law it will be incomplete, contain loopholes and be vague in certain areas, but at least it is better then nothing.
    default passwords are a big part of security issues of IoT devices, so if we can already scrap that of the list of things to worry about, that can only be a good thing.

  • by account_deleted ( 4530225 ) on Thursday September 20, 2018 @05:46AM (#57346964)
    Comment removed based on user account deletion
    • Indeed, let's wait for the free market in California to resolve this problem on their own!

      Please let me know when that happens.

    • by Agripa ( 139780 )

      I've also heard there are new laws in the planning that will require everyone in California be happy and rich.

      Can't wait to see how those are enforced.

      Everybody will be required to discard needles and feces in the streets. When everybody is special, nobody is.

  • by vtcodger ( 957785 ) on Thursday September 20, 2018 @05:58AM (#57346978)

    OK. I drop my toothbrush and it breaks. So I go to the store and find all six of the toothbrushes I can choose from are internet connected. I pick one, go home, plug it in. Now I enter a new password. How do I do that? It's a toothbrush.

    ------

    My (conceptual and imaginary) grandmother buys a new "smart" TV. (Seriously, "They" apparently don't make dumb TVs any more). She plugs it in getting many of the connections right. It asks (in colloquial Latvian because it's a bit confused about where it is) for a new password. She at least has an input device-- the remote. She pushes random buttons until the weird prompt(s) go away. Congratulations grandma, you've set an unknown password and effectively bricked your new TV. Who is going to unbrick it? How?

    -----

    I'm not sure the world needs politicians "solving" problems nobody understands. Quite likely a case of "Now you have two Problems"

    • by AmiMoJo ( 196126 )

      Manufacturers will avoid those problems because they don't want a huge number of returns. They will set a decent default password, as many already do.

      When thinking about these consumer laws you have to remember that manufactures always want to avoid customers having problems with their products, at least until the warranty expires, because most places make it their problem to fix it.

      • by darkain ( 749283 )

        The problem with "decent default passwords", is that it turns out that far too often its literally just something like HASH(MAC_ADDRESS) - so it is easy to figure out just from connecting to the device itself. They practically TELL you their default password. This has been done to keep the firmware flashing process "easy", since it is the same for all devices, instead of programmatically generating that one little string on a per-flash basis.

    • Comment removed based on user account deletion
    • She pushes random buttons until the weird prompt(s) go away. Congratulations grandma, you've set an unknown password and effectively bricked your new TV. Who is going to unbrick it? How?

      First, devices often have some method to reset the password. They hold a button a 'reset' button while they reboot the device, and the password gets reset. So the TV doesn't need to be bricked.

      Second, when talking about the various dangers of internet connected devices, it's this kind of unknowing user that make this default password such a big problem. A lot of grandmothers (and other people), instead of pressing random buttons to get past the prompts, will just leave all the default settings, leaving

  • by Anonymous Coward

    Does everyone in the tech industry have to use vegan references in an analogy that is completely preposterous?

    The better analogy would be like classifying all driver's licenses as aviation licenses. Then you'll have millions of untrained, and uneducated pilots flying airplanes.

    The moral of the story; A vast majority of people who use a network, should probably not be allowed to use the network or internet without a personal administrator. If you are going to allow all people to use the internet without I

  • White boxes (Score:5, Interesting)

    by The Cynical Critic ( 1294574 ) on Thursday September 20, 2018 @06:35AM (#57347084)
    I'm not sure this is going to cause anything other than a bunch of insecure devices disappearing off store shelves in California specifically. Don't get me wrong, this is progress, but it's not the kind of really fast progress that is actually needed seeing how really badly secured devices being sold today are going to be causing us issues decades from now.

    The fundamental issue is that most IOT gear is really just really cheaply made and designed white box devices from obscure Chinese vendors consumers have never heard of and which the companies under whose name the devices are sold to consumers just order them from the vendor with their name and logos slapped on at the vendor's factory. Until you can force the white box vendors to properly secure their cheaply made and designed hardware, we're just not going to be able to make a dent in the problem.
    • I'm not sure this is going to cause anything other than a bunch of insecure devices disappearing off store shelves in California specifically.

      California is a huge segment of the US market - and not one that a seller can ignore and remain competitive.

      Until you can force the white box vendors to properly secure their cheaply made and designed hardware, we're just not going to be able to make a dent in the problem.

      The easiest way to do that is to make their buyers care about security specs. The easies

  • typical non-thinking government. create abstract rules/laws, that actually do nothing or more harm
  • You can't "law" stupid away. Some things you just have to let them work themselves out. If you have a brand of devices that are constantly getting compromised. People will stop buying them. i
    • You can't "law" stupid away.

      No but you can make penalties for it for companies that do stupid things. Companies are supposed to be able to hire smart people to figure this stuff out and if they fail to do that there should be consequences with teeth.

      Some things you just have to let them work themselves out.

      Product liability isn't one of them. Neither is negligence.

      If you have a brand of devices that are constantly getting compromised. People will stop buying them.

      HAHAHAHAHAHAAAA!!!! I refer you to Microsoft Windows, Adobe Flash, and Microsoft Office. Not to mention countless shitty routers and IOT devices that get pnwned every day. People buy things all the time with vast security prob

    • When those security holes are exploited to create botnets that then attack a 3rd party it's not a personal freedom to be stupid issue. Antivaxxers threatening herd immunity is a rather direct analogy.

  • a unique password made by a password generator at the time of programming or when they load the software/firmware on it, and a label printed on a card or tag tied or taped on to the device included with that password during packaging
  • Is this the most pressing need? CA is a state full of idealists that "fix" things, then move on to the next shiny issue. Five years later, they fix the "fix" that never worked. All the while bleeding money.

  • California Government: I need to see your password in order to determine if it's secure. (facepalm)

  • by MobyDisk ( 75490 ) on Thursday September 20, 2018 @08:06AM (#57347346) Homepage

    In general, legislating one particular best practice does not fix an industry. And there are better ways than writing laws. Some ideas:

    • * Require that government entities only purchase products from companies that have not had certain categories of security lapses in the last 6 months
    • * Require that government entities only purchase products from companies that have a policy of fixing security bugs within X amount of time
    • * Provide funding to startup a commercial product security certification organization, similar to what underwriters laboratory (UL) [wikipedia.org] does for safety.
    • * Setup liability law so that any owner of a device that doesn't follow industry best practices can be sued by an owner of that product.

    Any of the above would mean that, for example, California government would no longer buy Western Digital hard drives. These suggestions intentionally do not state what the specific best practices is, and other than the last one they don't require laws, which are slow to change. The specific practices can be defined by some of the many organizations that already do that. Ex: OWASP top 10, static analysis, pen testing, etc. This is similar to what the FDA did with medical devices, to make manufacturers stop doing idiotic things like using unauthenticated Wifi on insulin pumps so hackers could remotely kill people.

    • Provide funding to startup a commercial product security certification organization, similar to what underwriters laboratory (UL) [wikipedia.org] does for safety.

      You know what underwriters do? They back insurance risks. Fires are very expensive. There is no financial incentive behind consumer electronics security like there is for insurance agencies to prevent fires.

      • by MobyDisk ( 75490 )

        You know what underwriters do? They back insurance risks. Fires are very expensive.

        That's what UL was for back in the 1800s. Things do a lot more than fire safety these days.

        There is no financial incentive behind consumer electronics security like there is for insurance agencies to prevent fires.

        That's why all of my options included making security a liability for those companies. My last bullet point was explicit financial liability. The other options involved liability of the form "This is a liability because a large organization won't buy my product."

      • * Require that government entities only purchase products from companies that have not had certain categories of security lapses in the last 6 months
      • * Require that government entities only purchase products from companies that have a policy of fixing security bugs within X amount of time

      Stuff like this sounds great in practice, and even makes a good amount of sense - why not use capitalism itself to promote desired behavior? But these kind of restrictions on government purchasing are why government pays twice as much to make what should be easy purchases. "Approved vendors", "preferred suppliers", and "government rates" because it takes so much paperwork. This also excludes small companies who don't have staff dedicated to filling out government paperwork.

      • by MobyDisk ( 75490 )

        ...pays twice as much...

        Yes, security costs money. And auditing companies to make sure they comply costs money. Today people demand the cheapest parts possible, so companies don't bother with proper security. If we want security, we have to pay for it. If I had the choice between a Western Digital Passport drive (regarding the story earlier today), and another vendor that had real security but cost twice as much, I would take the one with security. And if California wants secure devices, they should too. Hopefully, we can m

  • California is really becoming a nanny-state now. Laws shouldn't be passed to protect people from stupidity. The only protection against stupidity is education. People should take time to learn a thing or two.
    • In this case the idea is to stop people buying IoT from breaking the internet for everyone, so it is more like passing a law saying you can't sell tires that will tear up the roads.
    • Laws shouldn't be passed to protect people from stupidity.

      Nobody can be an expert on everything. Especially without awareness that there are important things that they need to know. You can't go out and learn what you don't know you need to know.

      There's really no reason or defense for the insane defaults we have now. Cars don't default to having the airbags disabled. Refrigerators don't default to temperatures outside of the food safety zone.

  • The governor and state legislature in California are doing their best to advance the nanny state to protect all of us. Just recently, they passed a state law that schools could not open before 8:30 am so that the students would get enough sleep. And, of course, the plastic bag and plastic straw bans are spreading across California like a fungus. Now they are passing a law to force us to lock up our wireless routers properly. Next will be a law prescribing a particular method of shoe-tying so that none o

  • It should require every device that has is connected to have a unique default password, and that password should be printed on a sticker that is afixed to the device in a location that is consumer-accessible, but does not affect functionality or aesthetic appeal (ie, on the bottom or back of the device) if possible, or if and only if the device has no such convenient location, on a similarly sized piece of paper that is packaged with the device.
  • This is how Idiocracy becomes real.

    By preventing the stupid from hurting themselves.

  • My cameras are on an isolated LAN that is air gapped. Since all IP cameras require credentials I use the same username and password for each one. That's only one thing to remember 18 months from now when I might need to mess with one. I don't want a different password that I have to keep track of for each camera. There are many layers to security and user credentials are only one. We don't need legislatures making things more complicated. KISS is the best security.
  • Because we want to be sure that we know what person the surveillance devices are watching.

    The real question is why we need so many miscelaneous devices connected to the internet with with anything more than a one-way data link.

  • by dkman ( 863999 )

    Just make the default password some ugly long gibberish and the users are likely to change it to their dog's name just because they don't want to type that monstrosity again.

  • Update from the future: The law passed [slashdot.org]

A Fortran compiler is the hobgoblin of little minis.

Working...