California Bans Default Passwords on Any Internet-Connected Device (engadget.com)

In less than two years, anything that can connect to the internet will come with a unique password -- that is, if it's produced or sold in California. From a report: The "Information Privacy: Connected Devices" bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. It only took the authorities about two weeks to approve the proposal made by the state senate. The new regulation mandates device manufacturers to either create a unique password for each device at the time of production or require the user to create one when they interact with the device for the first time. According to the bill, it applies to any connected device, which is defined as a "physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address."
  • by darkain ( 749283 ) on Friday October 05, 2018 @01:20PM (#57432934) Homepage

    The big problem right now is that devices that DO come with "unique" passwords are far too often based on the device's MAC address. If you can already connect to the device to communicate with it, odds are you'd already have the information needed to "generate" the default password on the device. The bill should have a specific provision that the passwords are indeed truly random, and not based on hardware IDs.

    • by sjames ( 1099 )

      Only if you're on the same LAN segment. If you're just scanning random IPs from afar, you won't have the MAC.

      • Only if you're on the same LAN segment. If you're just scanning random IPs from afar, you won't have the MAC.

        Unless you're using IPv6.

        • by sjames ( 1099 )

          And not NATing or using IP privacy.

        • Only if you're on the same LAN segment. If you're just scanning random IPs from afar, you won't have the MAC.

          Unless you're using IPv6.

          In which case you would need to be intercepting traffic, to somehow get the device to connect to a server you control, or to scan the /48 to find the device. None of those are impossible, but they're significantly more difficult than just trying a bunch of IPv4 addresses.

        • EUI-64 is typically used for the link-local address in IPv6.
          The link-local address is, as its name implies, valid only on the local link. Routers will not route it.

          So in order to be exposed to the EUI-64 link-local address, you'd have to be on the same switched Ethernet link - which means you'd also see the Ethernet frames and the MAC addresses in the Ethernet header.
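To make the EUI-64 point above concrete, here is an added Python helper (not from any commenter) that maps a MAC to the fe80::/64 link-local address an EUI-64 host auto-configures (RFC 4291) and, in the other direction, reports whether an observed IPv6 address still embeds a MAC; an asset-inventory check can use the second function to flag devices that are not using privacy addresses (RFC 4941) or stable opaque interface identifiers (RFC 7217). Sample addresses are constructed.

```python
import ipaddress


def mac_to_eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Link-local address an EUI-64 host derives from its 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:11:22:33:44:55")
    # Flip the universal/local bit (bit 1 of the first octet) and splice ff:fe into the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def embedded_mac(addr: str):
    """MAC recoverable from an EUI-64 interface identifier, or None when the IID is not
    EUI-64 shaped (privacy/temporary addresses, RFC 7217 IIDs, or hand-assigned ones)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    # Constructed sample: a device whose IPv6 address leaks its MAC, and two that do not.
    print(mac_to_eui64_link_local("00:11:22:33:44:55"))
    for observed in ("fe80::211:22ff:fe33:4455", "fe80::1", "2001:db8::a1b2:c3d4:e5f6:1234"):
        print(observed, "->", embedded_mac(observed) or "no MAC embedded")
```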

        • Can't WiFi capture MAC addresses? Not all devices are stationary.
          • by sjames ( 1099 )

            Again, only if you're on the same LAN segment.

            • Actually, aircrack-ng I believe allows you to see client MAC addresses when not connected to a network. It's all part of WiFi hacking. It's rather simple to clone an 802.11 device MAC address. Hope this helps.

    • by pnutjam ( 523990 )
      Perfect is the enemy of better. This is a step in the right direction.
  • by BrendaEM ( 871664 ) on Friday October 05, 2018 @01:22PM (#57432942) Homepage
    I am sure that the IOT'mania crowd may not like this, but the internet is worth protecting.
    • I am sure that the IOT'mania crowd may not like this ...

      As an IoT fanboi, I am all for this. If you scroll and read all the posts, you will see that most objections are from IoT naysayers ... because this will remove one of their talking points. Which just shows that whiners will whine, even if they get what they said they wanted.

      • I say the internet uses VLAN tagging and all IOT devices go on a private lan that you have to actually think and work to communicate with. would stop IdiOT ddos.

    • by tlhIngan ( 30335 )

      I am sure that the IOT'mania crowd may not like this, but the internet is worth protecting.

      Why? The IoT crowd may want it too, to avoid having incidents like security cameras being available to be viewed by all.

      https://www.cbc.ca/marketplace... [www.cbc.ca]

      If a journalist on TV can view these security camera streams, imagine what a more determined person can do. In fact, they monitored the streams for several weeks until they could positively identify the house and confront the homeowner.

      They then hired a pentesting com

  • It would be funny if manufactures stopped sending their products to California.

    • by jwhyche ( 6192 )

      Probably be a great investment to have large parcels of land right across the border with California zoned for manufacturing.

      • Probably be a great investment to have large parcels of land right across the border with California zoned for manufacturing.

        The requirement applies to any device SOLD in California, not just MADE there.

        Anyway, good luck recruiting factory workers in Primm, or getting a water hookup.

        • The requirement applies to any device SOLD in California, not just MADE there.

          Hmm, State Line IoT Sales Store, anyone?

          Also, if I mailorder something from a business in Vermont, is that a "sale in California", or a "sale in Vermont"?

          • Hmm, State Line IoT Sales Store, anyone?

            Primm is 3 hours from Los Angeles, so a 6 hour round trip. How many people are going to do that just to get a device with worse security?

            Also, if I mailorder something from a business in Vermont, is that a "sale in California", or a "sale in Vermont"?

            It depends on who you order it from. If they have a presence in California, as Amazon does, then they have to comply with California law.

            Since the cost of complying with this law is negligible, I don't think these work arounds will be worth it.

    • by sjames ( 1099 )

      And even funnier when anyone anywhere with more than 1 functioning neuron in their head realizes that the phrase "Not for sale in the State of California" on any IOT device means it's hopelessly insecure and refuses to buy it.

    • Nah. In the 1990s when California invented Car Exhaust standards that only applied to California, the manufacturers still sent cars (designated CARB-compliant or 49-state-compliant). California is too big an economy to ignore.

      TRIVIA: My 49-state-compliant 2003 Honda Civic had "lean burn" for higher MPG. The CARB-compliant Civic had lean burn disabled, because it made too much NOx (and failed the California standard).

      - More trivia: Volkswagen stopped selling Year 2005 and 2006 diesel-powered Jetta/Golfs/B

      • Nah. In the 1990s when California invented Car Exhaust standards that only applied to California

        It actually was 1972, acting on a law passed in 1967.

        Also, 10 other states passed their own laws to follow California's standards. So no, there isn't a "CA model" and an "other 49 states" model.

        • > It actually was 1972, acting on a law passed in 1967.

          I'm talking about the ULEV and SULEV and ZEV designations, which did not exist until the mid-1990s (with PZEV added in 2001).

          >10 other states passed their own laws to follow California's standards.

          Yes but not until after 2007 (approximately). Prior to that year, only California followed CARB while the other 49 states followed EPA emissions. Therefore there were "CARB" and "49 state" models. If you don't believe me, look up 2003 Civic Hybrid in

  • Now manufacturers can make their IOT products for California with *NO* password! That should save time & money wasted on security testing.
  • Default Password (Score:2, Interesting)

    by Anonymous Coward

    the default password will be part of the mac address of the device
    part of the serial number of the device
    production date for the device.

    et voila, unique id.
    the users will have to change the default password on first use, and will change it to 12345 or secret or ... any other pretty obvious default password that is easy to remember like password. :-D

    caption -- milked
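The darkain objection earlier in the thread (passwords derived from the MAC) and the recipe in the comment above (MAC + serial + production date) describe the same weakness, so here is one added Python example, not from any commenter or manufacturer, of how a provisioning line can do it properly: draw each unit's password from the OS CSPRNG and lint it against the unit's identifiers so nothing printable on the label or sniffable on the wire feeds into it. The sample unit and its identifiers are constructed.

```python
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, all printable on a label
PASSWORD_LEN = 16                                  # 62**16 is roughly 2**95 possibilities

# Constructed sample unit; not a real device.
SAMPLE_UNIT = {"mac": "00:11:22:33:44:55", "serial": "SN-7F3K9Q2", "built": "2018-10-05"}


def generate_device_password(length: int = PASSWORD_LEN) -> str:
    """Per-device password from the OS CSPRNG; no device identifier is an input."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derivable_from_identifiers(password: str, mac: str, serial: str,
                               built: str, min_run: int = 4) -> list:
    """Names of the identifiers a run of min_run+ characters of which appears in the
    password. Any hit means the 'unique' password is recoverable by someone who can
    read the MAC off the wire, the serial off the label, or guess the build date."""
    haystack = re.sub(r"[^a-z0-9]", "", password.lower())
    ids = {
        "mac": re.sub(r"[^0-9a-f]", "", mac.lower()),
        "serial": re.sub(r"[^a-z0-9]", "", serial.lower()),
        "build_date": re.sub(r"[^0-9]", "", built),
    }
    hits = []
    for name, value in ids.items():
        if any(value[i:i + min_run] in haystack for i in range(len(value) - min_run + 1)):
            hits.append(name)
    return hits


def provision(unit: dict) -> dict:
    """Label record for one unit; regenerate on an (astronomically rare) accidental overlap."""
    while True:
        pw = generate_device_password()
        if not derivable_from_identifiers(pw, unit["mac"], unit["serial"], unit["built"]):
            return {**unit, "password": pw}


if __name__ == "__main__":
    # A MAC-based scheme fails the lint; a CSPRNG password passes it.
    print(derivable_from_identifiers("001122xyz", **SAMPLE_UNIT))
    print(provision(SAMPLE_UNIT))
```

The lint is a manufacturing-line check, not a substitute for the first-boot password change the bill also allows; it only guarantees that the printed default carries no information an attacker already has.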

  • California bans internet-connected devices!
  • by mark_reh ( 2015546 ) on Friday October 05, 2018 @01:49PM (#57433170) Journal

    I wonder what the unintended consequences will be.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      People getting locked out of their stuff because they forgot the password and can't reset to default.

      • People getting locked out of their stuff because they forgot the password and can't reset to default.

        How exactly are either of those things related to what the manufacturer can use for default passwords?

      • by green1 ( 322787 )

        This is a solved problem, devices like this usually have the password on the device for resetting. And before you talk about that being an attack vector for people with physical access, when you're talking home devices anyone having physical access to the device is a far larger problem than that.

    • The manufacturers' support phone lines are clogged the next day with calls: "Help, I forgot my password!" and they are asked when their birthday was, in reply. Or the name of their first pet.

  • Every time I pull an old router out of the closet, I do a reset to factory defaults, then look up the factory default password on the internet. Does the law now say I'm no longer allowed to do that? Are they going to ship every frickin' device with a different default password? That would send their return rate through the ceiling as customers couldn't login to configure their equipment.
    • Your use case is not most consumers' use case.

    • by pnutjam ( 523990 )
      They can ship a default password, as long as it requires you to change it when you log on.
    • Every time I pull an old router out of the closet, I do a reset to factory defaults, then look up the factory default password on the internet.

      The text of the law [ca.gov] is publicly available and easily readable. The text relevant to your concern is "The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time." This does not necessarily preclude factory default passwords.

    • Does the law now say I'm no longer allowed to do that?

      No, and that's a rather dumb question. You aren't selling a new device in California.

      Are they going to ship every frickin' device with a different default password?

      Yes. And several manufacturers already do.

      That would send their return rate through the ceiling as customers couldn't login to configure their equipment.

      They put a sticker on the device with the default password, MAC address, serial number and any other unique-to-this-device information. Sometimes it's physically printed on the case of the device instead of a sticker.

      Alternatively, they put in a default password or other authentication and the device requires you change it before the device connects to the Internet.

    • Puhleeese, my fios router came with a little sticker right on the device near the serial number with the default username and password unique to the device, this isn't rocket science. If the manufacturer wants to make it a nightmare for their own customer support, that's on them.
  • IANAL, nor do I regularly read legislature bills. But, on my read of the bill, I don't see any teeth to the bill? What are the repercussions for a company for violating this law? Other than setting a more concrete bar for possible civil cases, are there any more repercussions?

    If a bill don't have teeth, what's the point?

    • They passed universal background checks for all gun purchases in Washington. There are no real teeth to that bill, but it's still law. Even law enforcement refused to enforce it during an open resistance at the state Capitol. The law itself accomplishes absolutely nothing.

      Sometimes a law exists, I think, merely as a stepping stone to more restrictive legislation.

    • by clovis ( 4684 )

      IANAL, nor do I regularly read legislature bills. But, on my read of the bill, I don't see any teeth to the bill? What are the repercussions for a company for violating this law? Other than setting a more concrete bar for possible civil cases, are there any more repercussions?

      If a bill don't have teeth, what's the point?

      Without the law if you buy an IoT device that gets hacked and captures enough information that lets your bank accounts get compromised, that's your tough luck.

      With the law, if people have their devices hacked through a fixed password and financial losses occur, then there's a basis for a lawsuit: "You broke the law and thus it is your fault this bad thing happened". And it can even be a class-action suit and make some law firm partners even richer.

  • I don't have a password on my phone, because it doesn't have personal data (it's strictly a phone). And there's none on my desktop computer, because it never leaves the security of my house.

    I truly HATE when politicians force citizens to do something against their will, when the only person being harmed is the citizen himself. (If someone steals my phone, I am the only one harmed. Leave me alone.)

    Maybe politicians should start calling themselves Daddy Brown and Mommy Pelosi, if they insist upon treating

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Your stuff being hijacked because of a default password is not just harming you, it's being used to attack me and thousands of others. Since you can't be responsible enough to prevent that harm, a regulation is needed to prevent you being irresponsible in the first place.

    • I truly HATE when politicians force citizens to do something against their will, when the only person being harmed is the citizen himself.

      Compromised devices are used to harm others. Instead of requiring manufacturers to follow this law, how about we make you personally liable when your device is compromised and used in a DDoS attack?

      • > Compromised devices are used to harm others

        Why do the thieves need a "compromised" device to harm others? They can do exactly the same with uncompromised devices that they bought themselves. You made an invalid comment.

        - Back to Topic: Yes, if a thief steals your phone, and you didn't password-protect it, they might go to your Amazon account and buy a bunch of stuff with your money. BUT that harms nobody else except yourself.

        • by cascadingstylesheet ( 140919 ) on Friday October 05, 2018 @02:56PM (#57433744) Journal

          > Compromised devices are used to harm others

          Why do the thieves need a "compromised" device to harm others? They can do exactly the same with uncompromised devices that they bought themselves. You made an invalid comment.

          Erm, no, they can't.

          They can compromise millions of devices (which would be a bit much to buy), and use them (with their millions of separate connections) to launch denial of service or brute force password attacks. These are called "botnets". You may have heard of them :)

          The attacks are coming from all different IP addresses so that intrusion detection systems can't block excessive attempts. And obviously tracing them is a bit more difficult.

          You can't just do that with uncompromised devices that you bought yourself.

          • > They can compromise millions of devices (which would be a bit much to buy), and use them to launch denial of service

            And how does a password on our phones stop them from doing this? They could just wipe the phones & use them passwordless.

        • Why do the thieves need a "compromised" device to harm others? They can do exactly the same with uncompromised devices that they bought themselves.

          Thieves use compromised devices because they are harder to trace back to the thief and offer large amounts of free, aggregated, distributed processing and network power. This makes it cheaper for the evildoer and makes their attacks harder to block since they're highly distributed.

        • by G00F ( 241765 )

          Why do the thieves need a "compromised" device to harm others? They can do exactly the same with uncompromised devices that they bought themselves. You made an invalid comment.

          Umm, this is where I disagree. If I'm going to DDoS someone, I'm not going to use anything I paid for, or can be traced back to me. More so if I am going to crack into a business, your neighbor, the DoD, etc.

          Other common uses: it becomes part of a botnet, or maybe it just uploads files in IRC, or seeds a torrent (which can really, really hurt you w/ lawsuits from RIAA/MPAA).

          Your router, phone, smart thermostat, even fish tank water heater, can all be owned and used to hurt more than just you.

          And yes, there are

    • by Jahoda ( 2715225 )
      I truly HATE when politicians force citizens to do something against their will, when the only person being harmed is the citizen himself.

      Dude. We are talking about sane password policies on devices connected to the internet we all share. You need to get a fucking grip on yourself. I think it's wonderful you can sit in your house and be free without a password there, Grandpa. But I think you need to try actually living in a fucking police state before you start crying your pampered snowflake ass
  • And cue the list of devices with the trusty old admin/password combo... Tada! Security!

  • I can see it now... the system boots and prompts

    Please Enter Password> _
    User enters: "password"
    Confirm new Password> ********

    Buck passed to user who has now entered a well known password. Problem solved !!!

  • This will effectively deprecate compatibility with really old Bluetooth devices (prior to 2.1, ca. 2007) because manufacturers likely will drop support for legacy pairing (the 4-digit code, which is almost always "0000").

    Not so sure that is a bad thing.

    • The law wouldn't apply to headsets/earpieces (the most common case here) because while they have a Bluetooth address they aren't connected to the Internet either directly or indirectly (section 1798.91.05(b)).

  • This is idiotic; can you imagine tech support?
    "Yeah, I can't log in to my router with the password provided"
    "Well, you need to reset it and try it again; if it doesn't work, return it, cos there's not a thing to be done. Thanks for calling"
    • by green1 ( 322787 )

      How stupid would a manufacturer have to be to provide the wrong password on the device? Just because they have to provide a non default password doesn't mean they need to write the wrong thing on the device. This is a solved problem by many, many, many, manufacturers already, they simply write a different password on every device they ship out. In this case the government isn't requiring anything that isn't already common practice. They're simply enforcing it on those who have lagged behind what is currentl

  • California is one of the most populated states in the US. If default pw is banned here, it's banned everywhere. You wonder why?

    Any company who wants to sell a product in CA will sell the same product everywhere else in the country. Abiding CA regulations alone will bring inheritance to other states. Bravo!!!
