New IoT legislation bans shared default passwords

In an attempt to make it harder for bots to take over the myriad of connected devices sold in California, the state legislators have pushed through and California Governor Jerry Brown signed into law SB-327.

The new law

The bill is to be enacted on January 1, 2020, and applies to device manufacturers, whether they do it themselves or contract with another person to manufacture the device on their behalf.

It requires manufacturers of internet-connected devices sold in California to “equip the device with a reasonable security feature or features” that are:

• Appropriate to its nature and function
• Appropriate to the information it may collect, contain, or transmit
• Designed to protect the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure.

“…If a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature (…) if either of the following requirements are met: the preprogrammed password is unique to each device manufactured, or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time,” the bill lays out.

It also says that private persons can’t mount a civil lawsuit if a manufacturer does not follow the law. “The Attorney General, a city attorney, a county counsel, or a district attorney shall have the exclusive authority to enforce this title,” it says.

Something good, something bad

I’ve asked Ken Munro of UK-based Pen Test Partners, for whom the security of IoT devices is near and dear to the heart, what he thought about the new legislation.

(He has previously noted that there are some good standards for IoT manufacturers to follow if they want to get security right, but that adequate regulation and legislation is still lacking.)

“I was really pleased to see that the work of us and others on My Friend Cayla had been a catalyst to creating the bill,” he says.

“The bill is vague, but I think that’s actually a good thing as the consumer smart stuff market covers many categories of product. However, it will require much testing in law.”

But he points out the lack of definition of what constitutes “‘appropriate security” and the fact that a device may be “designed to protect,” but that so often the design doesn’t consider the unexpected hack.

“We’ve dined out on exactly this issue in IoT products for years,” he says.

“There are other issues: there’s nothing to specify that a pre-programmed password should be strong, just that it’s unique. Another issue is around randomness or entropy sources: [the legislation] talks about a new means of authentication before first time access, but doesn’t state that it should be random or unpredictable.”

He also noted that the law does no provide any indication about remedies for affected consumers with offending products.

“There’s no discussion of recall, replacement or compensation. Also, does the law apply retrospectively once implemented? That’s not clear either, so could vendors be incentivised to stuff the retail channel with a year or more’s worth of stock in order to sidestep the bill?” he adds.

“My view is that this is a great start towards IoT regulation – one of the very first to be seen. But it is only a start.”

The Register’s Kieren McCarthy also noted that the law falls short when it comes to another security measure that is vital for improving the long-term security of IoT devices: they must be able to be updated to keep in step with the discovery of vulnerabilities, and the action should be easy for users to perform.