California has passed a law that bans default passwords for all Internet of Things (IoT) devices.
Beginning Jan. 1, 2020, the legislation (Senate Bill No. 327) requires manufacturers of a connected device to equip it with a “reasonable security feature or features.” The bill mandates that manufacturers must provide default passwords that are unique to each device or prompt the user to generate a new password before using the product.
Most physical security and life safety systems are now connected to the Internet, making them vulnerable to cybersecurity attacks. Video surveillance, security cameras, and fire systems all fall into these categories.
Chuck Davis, Hikvision’s director of cybersecurity says it is crucial to apply cybersecurity best practices or your systems could become quite vulnerable.
The bill aims to improve security for the vast number of consumers who do not change default passwords — such as “123,” “password” or “admin” — that come with new devices. In doing so, the legislation effectively bans pre-installed and hard-coded default passwords to any connected device, which is defined as a “physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”
Although the goal of the bill is to thwart hackers from installing malware and use infected devices as part of botnet attacks, the ban has left some cybersecurity professionals skeptical of its true efficacy.
“I think the law that the State of California is contemplating is a great first step, but it’s just a first step in a very long road to ensuring security around the globe,” Bill Evans, senior director at One Identity, told the Verdict.
Evans said a preferred approach would be one that doesn’t mandate specific action. “Rather, governments should use the levers at their disposal to incentivize enterprises to solve the problems in ways that meet their needs,” he said.
The bill was approved by the California Assembly and Senate in August and was signed into law by Gov. Jerry Brown on Sept. 28.
This article originally ran in Campus Safety’s sister publication, Security Sales & Integration.