Slashdot Mirror


California Bans Default Passwords on Any Internet-Connected Device (engadget.com)

In less than two years, anything that can connect to the internet will come with a unique password -- that is, if it's produced or sold in California. From a report: The "Information Privacy: Connected Devices" bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. It only took the authorities about two weeks to approve the proposal made by the state senate. The new regulation mandates device manufacturers to either create a unique password for each device at the time of production or require the user to create one when they interact with the device for the first time. According to the bill, it applies to any connected device, which is defined as a "physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address."

34 of 240 comments

  1. Problem by darkain · · Score: 2

    The big problem right now is that devices that DO come with "unique" passwords are far too often based on the device's MAC address. If you can already connect to the device to communicate with it, odds are you'd already have the information needed to "generate" the default password on the device. The bill should have a specific provision that the passwords are indeed truly random, and not based on hardware IDs.

    1. Re:Problem by sjames · · Score: 2

      Only if you're on the same LAN segment. If you're just scanning random IPs from afar, you won't have the MAC.

    2. Re:Problem by pnutjam · · Score: 2

      Perfect is the enemy of better. This is a step in the right direction.

  2. Seems Reasonable to Discourage DOS Bots by BrendaEM · · Score: 2

    I am sure that the IOT'mania crowd may not like this, but the internet is worth protecting.

    --
https://www.youtube.com/c/BrendaEM

    1. Re:Seems Reasonable to Discourage DOS Bots by ShanghaiBill · · Score: 2

> I am sure that the IOT'mania crowd may not like this ...

      As an IoT fanboi, I am all for this. If you scroll and read all the posts, you will see that most objections are from IoT naysayers ... because this will remove one of their talking points. Which just shows that whiners will whine, even if they get what they said they wanted.

    2. Re:Seems Reasonable to Discourage DOS Bots by tlhIngan · · Score: 2

> I am sure that the IOT'mania crowd may not like this, but the internet is worth protecting.

      Why? The IoT crowd may want it too, to avoid having incidents like security cameras being available to be viewed by all.

      https://www.cbc.ca/marketplace...

      If a journalist on TV can view these security camera streams, imagine what a more determined person can do. In fact, they monitored the streams for several weeks until they could positively identify the house and confront the homeowner.

      They then hired a pentesting company to hack someone who converted to all their high tech stuff, including being able to control their front door lock, take over their Nest cameras (and able to even get Alexa to do stuff for them).

  3. Default Password by Anonymous Coward · · Score: 2, Interesting

The default password will be part of the MAC address of the device,
part of the serial number of the device,
production date for the device.

Et voilà, unique ID.
The users will have to change the default password on first use, and will change it to 12345 or secret or ... any other pretty obvious default password that is easy to remember like password. :-D

    caption -- milked

  4. Re:It would be funny... by jwhyche · · Score: 2

Probably be a great investment to have large parcels of land right across the border with California zoned for manufacturing.

    --
I read at +2. If your post doesn't reach that level I will not see or respond to it.

  5. On first look, this seems very sensible. by mark_reh · · Score: 4, Insightful

    I wonder what the unintended consequences will be.

    1. Re:On first look, this seems very sensible. by Anonymous Coward · · Score: 3, Insightful

People getting locked out of their stuff because they forgot the password and can't reset to default.

    2. Re:On first look, this seems very sensible. by Provocateur · · Score: 2

The manufacturers' support phone lines are clogged the next day with calls of "Help, I forgot my password!" and they are asked when their birthday was, in reply. Or the name of their first pet.

      --
WARNING: Smartphones have side effects--most of them undocumented.

  6. Re:Good job by dknj · · Score: 3, Informative

Nope, just companies who do business in California. In California, you are not required to register a foreign business with the state, but you do not have any rights to use the courts and if a suit is brought against you, the judge can choose not to hear your side of the case. So while the Chinese garbage will likely never be affected, anyone selling that Chinese garbage will be and so, by proxy, this law will be implemented as sellers who don't wish to be liable start selling Chinese crap rather than Chinese garbage.

  7. Re:It's time for revolt by prisoner-of-enigma · · Score: 5, Insightful

    So you are the champion of the flashing 12:00?

    You want security cameras to be wide open?

    Do you leave your house unlocked because keys are too hard to use?

    Sigh...

    Please try to understand that because someone is against a particular idea does not automatically mean they are in favor of the polar opposite of it. This type of thinking is extremist thinking and ruins any chance at useful dialog where both parties can try to understand each other.

    I am in favor of companies stopping this "default password" crap. However, the idea of a government entity mandating it makes me uncomfortable. In choosing the lesser of evils, I would be against such a mandate and depend upon customers pressuring their vendors to change their behavior using the most effective tool known: their wallets.

    --
In the end they will lay their freedom at our feet and say to us, "Make us your slaves, but feed us." - Fyodor Dostoyevsky

  8. Re:It would be funny... by commodore64_love · · Score: 2

    Nah. In the 1990s when California invented Car Exhaust standards that only applied to California, the manufacturers still sent cars (designated CARB-compliant or 49-state-compliant). California is too big an economy to ignore.

    TRIVIA: My 49-state-compliant 2003 Honda Civic had "lean burn" for higher MPG. The CARB-compliant Civic had lean burn disabled, because it made too much NOx (and failed the California standard).

    - More trivia: Volkswagen stopped selling Year 2005 and 2006 diesel-powered Jetta/Golfs/Beetles in California, for essentially the same reason (too much NOx made them fail Cali's strict emissions). The other 49 states still got the diesel models.

    --
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall

  9. Re:Routers? Firmware? by pnutjam · · Score: 2

    They can ship a default password, as long as it requires you to change it when you log on.

  10. Re:It's time for revolt by sjames · · Score: 5, Insightful

    It's the mandate or nothing. Companies have had DECADES to understand that default passwords are a terrible idea. Do you figure they were somehow within seconds of the light bulb going on when the bill was signed?

    If the corporations themselves were the only ones to suffer, that would be fine. If their customers might suffer as well, I could almost buy in to the idea that they should have done more research. But neither is the case. The unsecured devices get rooted and then attack 3rd parties that had no input into the terrible decision to have default passwords. In some cases (looking at you Cisco) the customer had no knowledge of or input into the default password either (nor the ability to remove it if they ever do find out about it).

    When their bad dogs stop crapping in my yard, they can be free to do as they will.

  11. Re:It's time for revolt by DRJlaw · · Score: 3, Insightful

> I am in favor of companies stopping this "default password" crap. However, the idea of a government entity mandating it makes me uncomfortable.

    Stupid government requiring businesses and consumers to avoid unnecessarily hazardous practices.

I too am uncomfortable with mandates to use GFCIs in the kitchen and bathroom, carry gasoline in approved containers, not leave my keys in a running car when I go to the store, and all the rest.

    You should merely be in favor of me doing so, and trust that I wish for you to avoid electrocution, conflagration, and general mayhem.

> I would be against such a mandate and depend upon customers pressuring their vendors to change their behavior using the most effective tool known: their wallets.

    Oh, you were serious. *snicker* All 0.01% of you that might use that as a pre-purchasing criterion will surely justify the expense.

  12. Re:It's time for revolt by commodore64_love · · Score: 2

    If California (or the EPA) wants to do something useful, they should ban the automatic toilets. Every time I use them, they flush 3 times... when I walk in, when I stand up, when I walk out.

    These are known as "phantom flushes" because it flushes when the user does Not want it to flush. Complete waste of water.

    --
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall

  13. Re:What if I don't want a password? by Anonymous Coward · · Score: 3, Insightful

Your stuff being hijacked because of a default password is not just harming you, it's being used to attack me and thousands of others. Since you can't be responsible enough to prevent that harm, a regulation is needed to prevent you being irresponsible in the first place.

  14. Re:It's time for revolt by Jahoda · · Score: 2

> In choosing the lesser of evils, I would be against such a mandate and depend upon customers pressuring their vendors to change their behavior using the most effective tool known: their wallets.

Oooohhhhh ok. What a brilliant idea. Well, I'm sure Joe and Jane public will get riiiiiight on top of that, intelligently voting with their dollars for the product that has an effective default password policy.

    That's the lesser of the "evils" of "big government" just saying "if you want to sell a product, it should be secure out of the box".

    It's honestly like you people woke up one day in 1990 and said "derp it's great the world has always been this way".

  15. Re:Routers? Firmware? by denbesten · · Score: 2

    Every time I pull an old router out of the closet, I do a reset to factory defaults, then look up the factory default password on the internet.

The text of the law is publicly available and easily readable. The text relevant to your concern is "The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time." This does not necessarily preclude factory default passwords.

  16. Re:Dupe by snapsnap · · Score: 3, Funny

No, those are not default passwords so they don't count. Cisco has backdoor passwords.

  17. Re:It's time for revolt by Jahoda · · Score: 2

> I too am uncomfortable with mandates to use GFCIs in the kitchen and bathroom, carry gasoline in approved containers, not leave my keys in a running car when I go to the store, and all the rest

I just honestly don't know how any of us can even live our lives with all this oppressive big government evil hanging over you at all times. This password policy is just another stop on the inevitable march to tyranny.

  18. Re:What if I don't want a password? by commodore64_love · · Score: 2

    > You can still choose to set no password.

    That's not what the Summary says: "REQUIRE the user to create one when they interact with the device for the first time." So in other words going without a password is no longer an option.

    --
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall

  19. Re:It would be funny... by sjames · · Score: 3, Insightful

    Entirely different regulation by different people with a different dynamic. Not all regulations are good or well considered. Not all regulations are bad or poorly thought out. More thinking, less knee jerking.

  20. Re:Good job by Scoth · · Score: 2

    The short version is - a company makes 20 million of something. If they can save four cents on each unit, they've still saved over $2 million. Every bit they can shave off of a large volume item makes a difference.

  21. Re:What if I don't want a password? by cascadingstylesheet · · Score: 3

    > Compromised devices are used to harm others

    Why do the thieves need a "compromised" device to harm others? They can do exactly the same with uncompromised devices that they bought themselves. You made an invalid comment.

    Erm, no, they can't.

    They can compromise millions of devices (which would be a bit much to buy), and use them (with their millions of separate connections) to launch denial of service or brute force password attacks. These are called "botnets". You may have heard of them :)

    The attacks are coming from all different IP addresses so that intrusion detection systems can't block excessive attempts. And obviously tracing them is a bit more difficult.

    You can't just do that with uncompromised devices that you bought yourself.
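
The detection problem cascadingstylesheet describes, as an added example that is not part of the original post: a botnet spreads its login attempts across many source addresses, so a per-IP failure counter never trips. Counting failures per targeted account and per distinct source instead still surfaces the campaign. The log format and the two thresholds are assumptions made for the example, and the log lines are constructed using documentation address ranges.

```python
"""Distributed brute-force detection over auth-log lines (added example)."""
import re
from collections import defaultdict
from typing import Iterator

# Assumed log format, one event per line: timestamp, outcome, account, source IP.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: eight failures against "admin" from eight different
# sources, two failures and one success for "alice" from a single source.
SAMPLE_LOG = """
2018-10-05T12:00:01Z login failed user=admin src=203.0.113.5
2018-10-05T12:00:02Z login failed user=admin src=203.0.113.17
2018-10-05T12:00:02Z login failed user=alice src=198.51.100.8
2018-10-05T12:00:03Z login failed user=admin src=203.0.113.44
2018-10-05T12:00:04Z login failed user=admin src=198.51.100.2
2018-10-05T12:00:05Z login failed user=alice src=198.51.100.8
2018-10-05T12:00:06Z login failed user=admin src=203.0.113.90
2018-10-05T12:00:07Z login ok user=alice src=198.51.100.8
2018-10-05T12:00:08Z login failed user=admin src=198.51.100.33
2018-10-05T12:00:09Z login failed user=admin src=203.0.113.120
2018-10-05T12:00:10Z login failed user=admin src=198.51.100.77
""".strip().splitlines()


def parse_events(lines: list[str]) -> Iterator[dict[str, str]]:
    """Yield the parsed fields of each well-formed line; skip anything else."""
    for line in lines:
        match = LOG_RE.match(line.strip())
        if match:
            yield match.groupdict()


def per_ip_failures(lines: list[str]) -> dict[str, int]:
    """Classic per-source counter: failed attempts keyed by source address."""
    counts: dict[str, int] = defaultdict(int)
    for ev in parse_events(lines):
        if ev["result"] == "failed":
            counts[ev["src"]] += 1
    return dict(counts)


def ips_over_threshold(lines: list[str], limit: int = 5) -> set[str]:
    """Sources a per-IP lockout rule would block. Against a botnet this is empty."""
    return {ip for ip, n in per_ip_failures(lines).items() if n >= limit}


def distributed_bruteforce_targets(
    lines: list[str], min_failures: int = 6, min_sources: int = 4
) -> dict[str, tuple[int, int]]:
    """Accounts hit by many failures spread over many distinct sources.

    Returns {account: (failure_count, distinct_source_count)} for accounts that
    exceed both thresholds; that combination is the signature of a campaign
    that per-IP blocking cannot see.
    """
    failures: dict[str, int] = defaultdict(int)
    sources: dict[str, set[str]] = defaultdict(set)
    for ev in parse_events(lines):
        if ev["result"] == "failed":
            failures[ev["user"]] += 1
            sources[ev["user"]].add(ev["src"])
    return {
        user: (failures[user], len(sources[user]))
        for user in failures
        if failures[user] >= min_failures and len(sources[user]) >= min_sources
    }


if __name__ == "__main__":
    print("per-IP lockouts:", ips_over_threshold(SAMPLE_LOG) or "none")
    print("distributed targets:", distributed_bruteforce_targets(SAMPLE_LOG))
```

On the sample the per-IP rule blocks nothing, because no address exceeds a single failure, while the per-account view reports `admin` with 8 failures from 8 sources. A real deployment would window the counts by time and feed the flagged accounts into a lockout or step-up authentication decision rather than a print statement.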

  22. Re:It's time for revolt by DRJlaw · · Score: 2

    Right, because life is completely binary, and either you favor the most safety regulation humanely possible, or else that means you are in favor of babies juggling electrified knives.

    Fine. Pretend that those are not regulations that you are already subject to right now, that government has no business regulating commerce to forbid unreasonable hazards, and that IoT botnets have not proven that devices with generally-applicable default passwords are unreasonable hazards.

IoT botnets are totally fictional, like babies juggling electrified knives.

  23. Re:Good job by NormalVisual · · Score: 2

    They'll save $800,000, but your point is still valid.

    --
Please stand clear of the doors, por favor mantenganse alejado de las puertas

  24. Re:It's time for revolt by jeff4747 · · Score: 2

    So who do I sue when their customer leaves the default password set and the device is used to DDOS me?

    'Cause me suing someone is the only recourse you are leaving me for recovering those damages. So is it the customer who failed to secure their device who's liable, or the manufacturer negligent for not setting per-device passwords?

    Oh, I'm sorry, this is delusion-land where third parties are never harmed by the actions of others.

  25. Re:What if I don't want a password? by commodore64_love · · Score: 2

    > will you take on the liability if your device is used to attack a 3rd party?

    I'm not liable if someone steals my car & runs over some children..... why would I be liable if someone steals my phone & uses it to make/distribute child porn? Your question was poorly thought out. Citizens are never liable for the actions of others, even if that other person used that citizen's car or phone.

    --
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall

  26. Re:It's time for revolt by commodore64_love · · Score: 2

    That saves me from wasting water, but does nothing to stop the thousands of others wasting water. (And in dry California, we cannot afford to waste any of it.)

    --
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall

  27. Re:It would be funny... by commodore64_love · · Score: 2

    > It actually was 1972, acting on a law passed in 1967.

    I'm talking about the ULEV and SULEV and ZEV designations, which did not exist until the mid-1990s (with PZEV added in 2001).

> 10 other states passed their own laws to follow California's standards.

    Yes but not until after 2007 (approximately). Prior to that year, only California followed CARB while the other 49 states followed EPA emissions. Therefore there were "CARB" and "49 state" models. If you don't believe me, look up 2003 Civic Hybrid in fueleconomy.gov's historical records. It's there.

    Even the MPG was different between the two models.

    --
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall

  28. Re:It's time for revolt by commodore64_love · · Score: 2

Yeah, swimming pools and watering of lawns were technically illegal during drought season (2016-17) but the Hollywood producer J.J. Abrams and stars like Oprah thought they were above the law, and did it anyway. (They should have been prosecuted.)

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall