California Bans Default Passwords on Any Internet-Connected Device (engadget.com)
In less than two years, anything that can connect to the internet will come with a unique password -- that is, if it's produced or sold in California. From a report: The "Information Privacy: Connected Devices" bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. It only took the authorities about two weeks to approve the proposal made by the state senate. The new regulation mandates device manufacturers to either create a unique password for each device at the time of production or require the user to create one when they interact with the device for the first time. According to the bill, it applies to any connected device, which is defined as a "physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address."
The big problem right now is that devices that DO come with "unique" passwords are far too often based on the device's MAC address. If you can already connect to the device to communicate with it, odds are you'd already have the information needed to "generate" the default password on the device. The bill should have a specific provision that the passwords are indeed truly random, and not based on hardware IDs.
I am sure that the IoT-mania crowd may not like this, but the internet is worth protecting.
https://www.youtube.com/c/BrendaEM
Most of the gun companies have abandoned California and refuse to sell to or service firearms from CA government agencies. The rest of every other industry must now follow suit and just refuse to do business in California. Those idiots couldn't feed themselves if they had to so just let them suffer and starve until they come crawling down off that high horse to rejoin society.
It would be funny if manufacturers stopped sending their products to California.
Now manufacturers can make their IOT products for California with *NO* password! That should save time & money wasted on security testing.
Taking guns away from the 99% gives the 1% 100% of the power.
the default password will be part of the mac address of the device
part of the serial number of the device
production date for the device.
et voila, unique id.
the users will have to change the default password on first use, and will change it to 12345 or secret or any other pretty obvious default password that is easy to remember like password. :-D
caption -- milked
California bans internet-connected devices!
I wonder what the unintended consequences will be.
Yeah, I wish California the best of luck with that one. What are they going to do, have inspectors check every piece of IoT garbage that gets imported from China to make sure that it complies with their password policy?
Every time I pull an old router out of the closet, I do a reset to factory defaults, then look up the factory default password on the internet. Does the law now say I'm no longer allowed to do that? Are they going to ship every frickin' device with a different default password? That would send their return rate through the ceiling as customers couldn't log in to configure their equipment.
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Nope, just companies who do business in California. In California, you are not required to register a foreign business with the state, but you do not have any rights to use the courts and if a suit is brought against you, the judge can choose not to hear your side of the case. So while the Chinese garbage will likely never be affected, anyone selling that Chinese garbage will be and so, by proxy, this law will be implemented as sellers who don't wish to be liable start selling Chinese crap rather than Chinese garbage.
IANAL, nor do I regularly read legislature bills. But, on my read of the bill, I don't see any teeth to the bill? What are the repercussions for a company for violating this law? Other than setting a more concrete bar for possible civil cases, are there any more repercussions?
If a bill doesn't have teeth, what's the point?
I don't have a password on my phone, because it doesn't have personal data (it's strictly a phone). And there's none on my desktop computer, because it never leaves the security of my house.
I truly HATE when politicians force citizens to do something against their will, when the only person being harmed is the citizen himself. (If someone steals my phone, I am the only one harmed. Leave me alone.)
Maybe politicians should start calling themselves Daddy Brown and Mommy Pelosi, if they insist upon treating us like children.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
What are they going to do, have inspectors check every piece of IoT garbage
The citizens can do that. The state just needs to have a website for reporting noncompliance.
This is something that costs manufacturers almost nothing. So why would they refuse to comply?
...but what do they do, scan all your devices and fine you? It's one thing to make manufacturers *in* California do this; I don't see how you can stop other manufacturers from motoring along as they are, whether or not it's a good idea. I don't know how you make this happen short of using force.
Ferret
Sic gorgiamus allos subjectatos nunc
And cue the list of devices with the trusty old admin/password combo... Tada! Security!
If it's like most other laws, no. What you do is wait for someone to complain, then you investigate the complaint. You never need to go looking for trouble; the public will happily volunteer to bring it to you. (The public has various motivations to do this, and caring about the password issue might possibly even be one of them.)
"Believe me!" -- Donald Trump
I can see it now... the system boots and prompts
Please Enter Password> _
User enters: "password"
Confirm new Password> ********
Buck passed to user who has now entered a well known password. Problem solved !!!
This will effectively deprecate compatibility with really old Bluetooth devices ( prior to 2.1, c.a. 2007) because manufacturers likely will drop support for legacy pairing (the 4 digit code, which is almost always "0000").
Not so sure that is a bad thing.
No, those are not default passwords so they don't count. Cisco has backdoor passwords.
EUI-64 is typically used for the link-local address in IPv6.
The link-local address is, as its name implies, valid only on the local link. Routers will not route it.
So in order to be exposed to the EUI-64 link-local address, you'd have to be on the same switched Ethernet link - which means you'd also see the Ethernet frames and the MAC addresses in the Ethernet header.
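The EUI-64 derivation the comment describes, as an added Python example (not from the comment or any vendor): it builds the fe80::/64 link-local address from a MAC and shows that the MAC is recoverable from the address, so an EUI-64 link-local address reveals nothing beyond what the Ethernet header on the same link already carries. The MAC used is a constructed sample value.

```python
import ipaddress
from typing import Optional


def mac_to_eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 address with a modified-EUI-64 interface identifier (RFC 4291):
    split the 48-bit MAC in the middle, insert ff:fe, invert the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    first = octets[0] ^ 0x02  # universal/local bit is inverted in the IID
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def mac_from_eui64_link_local(addr: str) -> Optional[str]:
    """Inverse: recover the MAC if the address is link-local and EUI-64 derived.
    Returns None for addresses with random or privacy IIDs, which embed no MAC,
    so this doubles as a check for whether an interface leaks its MAC."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_link_local:
        return None
    iid = ip.packed[8:]
    if iid[3:5] != b"\xff\xfe":  # no ff:fe filler -> not EUI-64 derived
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed sample MAC
    ll = mac_to_eui64_link_local(mac)
    print(mac, "->", ll, "->", mac_from_eui64_link_local(str(ll)))
    print("fe80::1 ->", mac_from_eui64_link_local("fe80::1"))
```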
The short version is - a company makes 20 million of something. If they can save four cents on each unit, they've still saved over $2 million. Every bit they can shave off of a large volume item makes a difference.
They'll save $800,000, but your point is still valid.
Please stand clear of the doors, por favor mantenganse alejado de las puertas
This is idiotic, can you imagine tech support?
"Yeah, I can't log in to my router with the password provided"
"Well, you need to reset it and try it again, if it doesn't work return it, cos there's not a thing to be done. Thanks for calling"
I didn't see anything in the wording of this article that provides exemptions for backdoor passwords. They could probably just put the serial number of the device in the backdoor password and then implement a password-less server that listens for specific requests on a common port and returns the serial number. That would get around the law while still allowing them to access our equipment without us knowing about it.
Non-citizens legally register to vote in San Francisco school elections
San Francisco began registering non-citizens, including undocumented immigrants, to register to vote Monday in the November election for the city school board, reported The San Francisco Chronicle.
https://www.sacbee.com/news/st...
When homeless are shitting in the streets everywhere stuff like this is bound to happen.
Oddly enough, this was my first thought. Raspbian is the only thing I have that is internet connected and comes with a default username and password, and worse yet, it neither prompts you to change it at first boot, nor provides a menu option to do so in its configuration.
Sure, I know how to change a username and password from the command line in Raspbian, but I shouldn't need that level of knowledge to perform such a basic task on a device that ships insecure by default.
Unfortunately, I doubt this law will have any effect on the Raspberry Pi Foundation.
It can be. As you mentioned, it's typically not.
When one employee puts the wrong stickers on the wrong units identifying what each unique password is.
John
California is one of the most populated states in US. If default pw is banned here, it's banned everywhere. You wonder why?
Any company who wants to sell a product in CA will sell the same product everywhere else in the country. Abiding by CA regulations alone will bring inheritance to other states. Bravo!!!
I think it has to be done in a production line fashion... you can't get a sticker until the code is burned into the device... and with a production line constantly moving, you can't really put one sticker on another machine by mistake.
Making an effort would be fining anybody found to have a default password set on a device they own. It shouldn't be the manufacturer's responsibility to make sure you are not an idiot.
Yeah, you have to wonder what's worse... setting a default longer password that's alphanumeric, or letting the customer set the password on an Internet facing device to "password" or "abc123".
I eagerly await California prohibiting "1234" as the combination on a lock.
Ken
"Costs almost...nothing"?
Generating unique passwords for every device they produce incurs a cost; assigning each device a default password costs almost nothing.
Ken
Really? Not every device has a serial number, and typically the serial number is on the outside of the box, which means find the box a unit came in, you've got the device password.
Learn the mfg uses serial number as default password, and if you can lay hands on the device, you can see serial number and voila you have the password.
If you ask a consumer to type in a random serial number in as their password, they'll likely not change the password, thinking it secure. Give them a device with a default password of "change_me" and they just might.
Ken
Yes, and...?
Many countries allow resident non-citizens to vote in local elections. (Feel free to check me on this, but I believe it's actually the norm in most of Europe.) I myself voted twice for local offices here in Sweden before becoming naturalised. The only difference for me in last month's election as opposed to the previous two is that I was able to vote for the Riksdag and the EU Parliament for the first time.
There is no Planet B.
Here's your answer: No, I won't take on liability if my device is used in the attack due to a poor design decision made by the manufacturer.
The manufacturer is especially liable if the flaw is a well-known and solved security issue that they chose to ignore, such as using hard-coded default passwords and backdoor accounts.
You want your cake and eat it. So typical - screaming for your individual rights, wilfully blind to any personal responsibility. Fuck you asshole, governments exist precisely to protect us from the dickheads like you.
Seriously, why do you think that a purchaser of a defective product should be the one held liable and not the manufacturer?
You should consider that it is settled case law that the builder is responsible for hidden defects, not the purchaser, and this goes back to the Code Of Hammurabi.
And where do you suppose they'll print the default password if it doesn't match the serial number?
You sound like those ignorant out-of-state yokels always asking about the wild fires.
CA is enormous. Every societal problem found in the world is found in CA, simply due to its size.
Then yokels like you find a problem in one small neighborhood in the most populous state and you get an erection trying to pretend CA is a shithole.
We're fine dude.
This is probably a good concept. Execution may be a little bit difficult. How well have gun bans worked? How well have the rest of Sacramento's idiocies worked - the carbon tax? the not-a-train to nowhere? the sky high taxes?
In addition it appears to me that this is effectively a barrier to interstate and international trade. The feds may object to the interstate trade barrier. And international barriers are the sole responsibility of the feds.
I predict large teams of lawyers are going to feed well at this trough that sack-o-tomatoes has created.
{^_^}
Then yokels like you find a problem in one small neighborhood in the most populous state and you get an erection trying to pretend CA is a shithole.
I don't think you understand. California is full of liberals. Probably SJW liberals at that. We know that they're basically evil and break everything. Also they have laws and that's evil too because basically all government is bad[*]. Therefore it's logical that California has to be a shithole. I mean look at the argument; the logic is flawless.
People like that are not trying to pretend it's a shithole because of those things, they know in their heart that it must be a shithole (because of the liberals) so they jump all over those reasons to add proof to what they already know to be true.
We're fine dude.
Facts are irrelevant.
[*]I've probed extensively on this with some people here. Turns out that not all government is bad when you really push; what's "right" is to have precisely the amount to protect them and no more.
SJW n. One who posts facts.
implement a list of top 1000 passwords or so that can not be set. force them to make something somewhat unique if you're going to do that. but i say let stupid people do stupid shit and fine them for it. that's why we have a bunch of other laws against doing stupid shit. isn't it?
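A first-boot password setup of the kind several comments above sketch (a per-device factory password that is not built from the MAC or serial, a top-N blocklist that rejects "password"/"12345"-style choices, and a check that the user's choice is not derived from a hardware identifier), as an added Python example that is not from the article, the bill, or any vendor. The blocklist and the device identifiers are constructed stand-ins; a real deployment would load the full top-1000 list.

```python
import re
import secrets
import string
from typing import Optional, Sequence

# Constructed stand-in for a "top 1000" list; a real deployment loads the full list.
COMMON_PASSWORDS = {
    "password", "12345", "123456", "secret", "abc123", "admin",
    "1234", "0000", "change_me", "qwerty", "letmein",
}

FACTORY_ALPHABET = string.ascii_letters + string.digits


def _normalize(s: str) -> str:
    """Lowercase and strip separators so 'AA:BB:CC' and 'aabbcc' compare equal."""
    return re.sub(r"[^0-9a-z]", "", s.lower())


def derived_from_identifier(candidate: str, identifiers: Sequence[str], run: int = 6) -> bool:
    """True if the candidate embeds a run of `run` characters taken from any
    device identifier (MAC address, serial number, production date, ...).
    Catches the 'unique but predictable' scheme of building the password from
    hardware IDs that anyone on the link or holding the box can read."""
    norm = _normalize(candidate)
    for ident in identifiers:
        n = _normalize(ident)
        if not n:
            continue
        k = min(run, len(n))
        for i in range(len(n) - k + 1):
            if n[i:i + k] in norm:
                return True
    return False


def validate_user_password(candidate: str, identifiers: Sequence[str], min_len: int = 12) -> Optional[str]:
    """Policy applied at the first-boot prompt. Returns None if the choice is
    acceptable, otherwise the reason it was rejected."""
    if candidate.lower() in COMMON_PASSWORDS:
        return "in common-password blocklist"
    if derived_from_identifier(candidate, identifiers):
        return "derived from a device identifier"
    if len(candidate) < min_len:
        return f"shorter than {min_len} characters"
    return None


def generate_factory_password(identifiers: Sequence[str], length: int = 16) -> str:
    """Per-device password from a CSPRNG, independent of MAC/serial. The loop is
    belt-and-braces: a random string virtually never contains a 6-character run
    of an identifier, but the check makes the property explicit and testable."""
    while True:
        pw = "".join(secrets.choice(FACTORY_ALPHABET) for _ in range(length))
        if not derived_from_identifier(pw, identifiers):
            return pw


if __name__ == "__main__":
    ids = ["AA:BB:CC:DD:EE:FF", "SN12345678", "2019-11-30"]  # constructed sample identifiers
    print("factory password:", generate_factory_password(ids))
    for attempt in ["password", "aabbccddeeff", "SN1234-home", "20191130x", "correct horse battery staple"]:
        print(f"{attempt!r}: {validate_user_password(attempt, ids) or 'ok'}")
```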
Non-citizens legally register to vote in San Francisco school elections
San Francisco began registering non-citizens, including undocumented immigrants, to register to vote Monday in the November election for the city school board, reported The San Francisco Chronicle.
I had an issue with this at first (I'm fairly conservative). But, after doing a bit of research, I learned that this is not new. It's been done frequently over the entire lifespan of our nation. And no, not just in California. The states created from the original 13 colonies had these policies as well.
It has always been done in a very limited manner.. Usually a "representation for taxation" situation. Town councils, county boards, that type of situation.
I no longer have a problem with legal non-citizens voting in some limited elections IF they have a taxable stake in it. But, I do maintain my opposition to ANY illegal alien getting to vote for ANYTHING.
Come here legally and we can have a discussion on what you should, as a non-citizen, be able to vote for.. Sneak over the border and you can fuck off.
School board is a county level election.
No it's not. Not in California.. School board is a DISTRICT election.
Live outside the district, even in the same county, and you do not get to vote for the school board.
The citizens can do that. The state just needs to have a website for reporting noncompliance.
This is something that costs manufacturers almost nothing. So why would they refuse to comply?
That was my line of thought as well.. Some folks just don't have any ability to think a situation through..
Toss in a small financial reward for successful reporting (funded by penalties against the manufacturers), and you'd have an army of citizens examining everything.
When I was in the USAF, they instituted a program where the rank and file could identify cases of fraud/waste and get a 10% reward (with a monetary cap of $100K/year if memory serves). We had a SSgt who would spend a crap load of his free time poring over invoices and purchase orders. He hit the cap one year.. Not bad for a base pay of around $30K/year.
It cost the USAF nothing for people to look, and when something was found, they still realized a savings of 90%.. Also not bad...
Really? Not every device has a serial number, and typically the serial number is on the outside of the box, which means find the box a unit came in, you've got the device password.
Learn the mfg uses serial number as default password, and if you can lay hands on the device, you can see serial number and voila you have the password.
At least this requires you to find the fucking box.. Right now default passwords are common knowledge. Every Linksys is admin/password (or at least was the last time I used one of those pieces-of-shit.).
Change can come in small steps, ya know. We don't have to go from totally open to Fort Knox in one step.
Will nothing ever make you people happy? Or do you just like to bitch to hear yourself talk?
Besides, finding the box and having the password is only valid if the owner doesn't change the password. So your situation of "find the box and have the password" isn't 100% either..
Generating unique passwords for every device they produce incurs a cost; assigning each device a default password costs almost nothing.
Well, more and more routers are coming with unique (or semi-unique) passwords that are printed on a sticker on the bottom of the router, and have been for years.
If they can do it, so can other companies. Mandate it for everyone and it's a cost-of-business. It's a cost, yes, but a cost borne by all in the market so it doesn't give anyone an unfair advantage or put anyone else at a disadvantage.
Your way is cost inefficient. Each enforcement action would result in 1 device being "fixed". Mandating it on all devices, from the manufacturer, fixes ALL of the devices.
Maybe you disagree with this method, but your system cannot work.. Our courts could not handle millions of small cases like this.. Hell, the DA couldn't handle millions of small cases, even if they never go to court..
When you have two solutions, and one solution cannot possibly work......
Well, there used to be a time when people believed in personal responsibility. Now people want to believe that only the government can protect you from *stupid*. Then people turn around and want to bitch about the government invading their privacy when they ask for it with bills like this. Next step government is going to mandate you give them your personal passwords to be sure they're secure. because *hackers*. GLHF
Yeah. Personal responsibility... How about the manufacturers deliver a product that isn't hackable one second after connection to the internet? Ya know, the responsibility of delivering a non-defective product.
Personal responsibility is responsibility for MY actions. They need to be responsible for their actions, as well.. Loading up a billion devices with the same username/password is not responsible. Would you be happy if my key, to my front door, opened your front door as well? I doubt it....
Default usernames/passwords that are identical across millions of devices is a BAD IDEA.
How about the manufacturers deliver a product that isn't hackable one second after connection to the internet?
Why are shitty internet appliances internet facing? This is exactly what NAT is for. You have to TRY to make the device face the internet in the majority of the world.
Loading up a billion devices with the same username/password is not responsible
So you're not gonna bitch when they add $50 to each device because they have to create additional steps in the manufacturing process, instead of educating stupid people about the importance of changing default passwords you would rather have mommy Pelosi make the bad man do it for you?
Default usernames/passwords that are identical across millions of devices is a BAD IDEA
Having millions of devices with shitty security internet facing is a bad idea whether it be a microwave or a toaster or a camera or a fucking windows 10 pc.
You're angry at the wrong thing here. If you open ports in your NAT to access your IoT device and you're dumb enough to NOT CHANGE PASSWORDS!!! It is YOU that deserves to be fined, and to pay the damages resulting in your shitty device harming others.
Why are shitty internet appliances internet facing? This is exactly what NAT is for. You have to TRY to make the device face the internet in the majority of the world.
No it's not, that is NOT what NAT was made for. NAT was made because we ran out of fucking IP addresses. Some internet appliances HAVE to face the internet.. That's what they're made for... What the fuck good is a remote security camera that you cannot access from OUTSIDE?
So you're not gonna bitch when they add $50 to each device because they have to create additional steps in the manufacturing process, instead of educating stupid people about the importance of changing default passwords you would rather have mommy Pelosi make the bad man do it for you?
I can buy a router, today, that costs less than $50 that has a unique password on a sticker on the bottom of the device.
Having millions of devices with shitty security internet facing is a bad idea whether it be a microwave or a toaster or a camera or a fucking windows 10 pc.
You're angry at the wrong thing here. If you open ports in your NAT to access your IoT device and you're dumb enough to NOT CHANGE PASSWORDS!!! It is YOU that deserves to be fined, and to pay the damages resulting in your shitty device harming others.
You mouth breathing idiot.... When millions of people don't update their router, my network gets attacked by all those zombie pieces of shit. When a company ships a more secure device, by default, I don't... I favor the odds of one company fixing the problem THAT THEY FUCKING MADE, then asking 10,000,000 people to update their device and hoping every single one of them does. This is simple goddamn math.
You have a problem with seat belts too don't you?
DO NOT SHIP DEVICES THAT ARE DEFECTIVE OUT OF THE BOX.
I'm gonna go ahead and ignore you from here anyhow.. I'm not a liberal as your Pelosi quip is trying to imply. I'm very conservative... I think that the company that makes the problem (a lock with a key everyone can look up on the internet) should fix the fucking problem. I can also do basic math.. It is more efficient for one company to fix their problem than ask, potentially, millions of customers to fix the problem that they DID NOT MAKE.
That clear enough for you, asshole?
I can buy a router, today, that costs less than $50 that has a unique password on a sticker on the bottom of the device.
For the wifi password, which uses the MAC address and some known string before or after it. Which is most likely a first-run script that runs the first time they plug it in to test at the factory. As for the rest, I'm not the one showing my ignorance.
Oh I see.. So, because it's possible to do one... It's not possible to do the other? Are you fucking kidding me?
It has a unique password for the wifi... Yeah, ok technically you're right.. The login/password is the same out of the box as the others, but if you can make one unique you sure as hell can make the other unique. I suspect suddenly it'll get real easy with the law taking effect....
And no, it's not the goddamn mac address... I see passwords like YellowBanana or GentleBreeze (yes, those are two real examples)
How the hell is that based on the MAC?
Show me that on a $50 router please. I've seen it on $100-150 routers you know those spider looking things. I'm not saying they shouldn't do it. I'm basically saying if you're going to fine one fine both. A stupidity tax or whatever you want to call it.