60 comments

[ 3.4 ms ] story [ 108 ms ] thread
LOL, how does California think they're going to enforce this? They could possibly ban the sale of devices that don't comply within the state of California? This doesn't make any sense to me.
This is a really misleading headline...but it did get my attention, I guess.
Agreed. According to the summary text of the bill:

    This bill, beginning on January 1, 2020, would require a manufacturer of a 
    connected device, as those terms are defined, to equip the device with a 
    reasonable security feature or features that are appropriate to the nature 
    and function of the device, appropriate to the information it may collect, 
    contain, or transmit, and designed to protect the device and any information 
    contained therein from unauthorized access, destruction, use, modification, 
    or disclosure, as specified.
A better title would be "California to ban weak default passwords on devices." Edit: or "California to require more security features on internet-connected devices."
That portion is pretty much toothless without any concrete definition of "reasonable". The password provisions have some merit though:

    Subject to all of the requirements of subdivision (a),
    if a connected device is equipped with a means for 
    authentication outside a local area network, it shall be 
    deemed a reasonable security feature under subdivision (a)
    if either of the following requirements are met:

    (1) The preprogrammed password is unique to each device manufactured.

    (2) The device contains a security feature that requires 
        a user to generate a new means of authentication 
        before access is granted to the device for the first time.
Even this can be weaseled out of for most consumer IoT products as they aren't typically intended for direct access from outside the LAN.
>The password provisions have some merit though

Does it? The problem is that they defined a very specific solution to the problem they are trying to solve as comprising of either approach (1) or (2) ... what if there is some innovative third option that neither people here nor the regulators was creative enough to think of? Now you've killed a potential innovative market from developing.

>Even this can be weaseled out of

That's not 'weaseling out'. That's a real world example of an approach that is perfectly secure and would be hurt by this if a regulator interpreted the law as applying to the device in question.

Your browser does not know the difference between your lan and the internet so any website you visit can instruct it to interact with websites on your lan. It’s nowhere near ‘perfectly secure’ to have weak security on the lan.

Besides, having weak security on a network means one compromise leads to a lot more. That isn’t very ‘perfectly secure’ either.

> IoT products as they aren't typically intended for direct access from outside the LAN

For "cloud-only IoT devices" this ban is clearly in effect.

Cloud only devices that push to a server are not covered.
>This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.

Quoted text are hard to read on HN. It's impossible to read without multiple horizontal scrolling both on PC an mobile. Just use the ">" symbol instead.

Yep, I've found that the carrot + " * " marks attached before the first letter and after the last period to italicize it are a good multi-platform solution for quoting:

> This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.

This symbol ^ is a "caret" (or a "circumflex accent"). This symbol > is a "greater-than sign" or a "right angle bracket".

EDIT: added Unicode name for ^.

(comment deleted)
> A better title

California requires manufacturers use better password security measures.

But that is boring... so

California bans manufacturers from setting weak passwords

(this title creation job is hard enough for a technical person to do. journalists will have a more difficult time.)

OK, we'll use that. Thanks!
Maybe it's just my imagination, but I've noticed a real decline in journalistic standards at the BBC in the past few years. It's front page reads more like a clickbait tabloid than a serious news site nowadays. I guess even the big news outlets need to resort to clickbait to stay afloat.
It's not just the BBC, it's a race to the bottom out there.
Agreed. I expect them to be above clickbaiting, but, they're really not.
These kinds of laws are 'feel good' measures. The ideas behind them make sense (easy default passwords are 'bad' ... sometimes. Sensible security precautions should be taken into account when designing IoT devices). But those same precautions completely fail when used as part of a one-size fits all regulatory framework. The regulatory, enforcement and licensing mechanisms that such laws entail are either going to be ignored, in which case the entire exercise was a waste of time, or they will be needlessly onerous and create undue burden with negligible benefits ... and be ignored by many manufacturers anyway (because how are you going to police on order for some IoT widget from China).

Also, it is not a good idea for lawmakers and regulators to mandate an implementation within a law (and that's exactly what mandating that per-device password needs to be unique is). Maybe my IoT device has a simple default password but has other security measures that the regulator didn't even envision that makes the solution secure. On the other end, maybe my network stack has a critical vulnerability that a unique password does nothing to mitigate.

I'm not a Libertarian as I do believe in sensible government oversight and regulation but lawmakers and regulators have to be cognizant that every single regulation they put out has a cost and that cost needs to be balanced with benefits. As it stands this is a poorly thought out law, and will do nothing for security, will punish local manufacturers by increasing overhead, and will make local manufacturers less competitive against external ones that simply ignore these directives. Typical California stupidness.

Lawmakers and regulators are already cognizant that regulations have costs; they hear that from everybody already. Often they are, surprise, legally required to consider it.

I agree it would be better if industry self-regulated. But they didn't. e.g.: https://www.bleepingcomputer.com/news/security/router-crapfe...

If this were a problem where only the device owners were harmed, I wouldn't care a lot. Market mechanisms would take care of it. But here bad vendor security is imposing large negative externalities on the rest of the world. If government is for anything at all, it's for making people experience the consequences of their own actions instead of inflicting harm on others. This is not a perfect regulation, but it's better than nothing. Hopefully device-makers will take this as a warning shot a and get their acts together.

>Often they are, surprise, legally required to consider it.

Well. They don't. This law is an example.

>but it's better than nothing.

No. It's worse than nothing, and that's the point. It will do nothing to improve security and but leave the associated burden that wasn't there before.

I've seen more devices do this recently. Most ISPs will not ship a router with an "admin" or any other default password. Instead there's a sticker on the side of the device with a password that got generated and assigned to it on the way out.

It may slow down the production process, but it's a step in the right direction for security. All this bill means is that manufactures who don't have that process in place can't sell their devices in California. It will probably mean more devices with random passwords for the whole country.

> Instead there's a sticker on the side of the device with a password that got generated and assigned to it on the way out.

This has been a thing for a while for WLAN routers. But I still don't really trust those, for all I know these passwords could be seeded on something very predictable, like the devices serial number.

of course, but its still better to make someone waste their cpu time and slow down the attack, instead of beeing just able to enter admin/admin
I'm just saying for this to be even better I'd like some transparency from manufacturers about their password generating process.

If they do it properly then there should be no problem with surfacing their methodology and I'd have less hassle by actually being able to trust those complex individual passwords the device comes with out of the box.

I don't think anyone should be trusting any password generated by anyone but themselves. To me, the only viable option is the second option in the California bill: the device requires the user to generate a new password before it can be accessed for the first time.
If the serial number is not widely known, then that's at least nearly as good as a secret password, no? And it can be changed immediately on installation...
No.

Serial numbers generally have really low entropy. They're often a fixed format assigned sequentially or in batches, which makes attacking them substantially easier.

Hence the name serial numbers. Often times they are actually assigned 1, 2, 3, 4, ...
Of course. But nobody knows which one you have. So you have time to change it.

I shipped firmware for an IoT device, had the initial password == the serial number. The client said "Nah, just make it open, our installers don't want to fool with passwords". Sigh.

Youd simply buy one and try a bunch up and down the sequence. Serial numbers of captured German tank parts were actually used to estimate how many there are. That story was an application of Bayesian inference, and is used to explain that. However, I didn't understand the argument.
If you followed articles in the news, some ISP were seeding passwords based on the MAC address.
Cradlepoint 4G modem/routers (several models) use the last/first 8 MAC address digits as the default password.
I don't trust them either, but I muuuuch prefer this practice over the old "admin:admin" standard. Someone going through the trouble of cracking a Pseudo-Random Number Generator, even if that's a weakness, is a heck of a lot more effort than typing the model number into Google along with "default password" and clicking the first result.
At least the "admin:admin" can be googled by a novice who has lost the sticker. Otherwise, the device becomes unusable.
It can be reset just not by some asshole connected via wifi to an open network.
Don't remove the sticker. Most people will have the router simply rot in a corner so it's unlikely to get lost.
This has happened actually. I can't remember the details, but for some routers you could guess the wpa password based off of the mac.
> Instead there's a sticker on the side of the device with a password that got generated and assigned to it on the way out.

And sometimes this sticker is left on the router and can be plainly seen by anyone nearby, even through a glass window.

It's a step in the right direction. The effort required to look through every window in one city is a lot more than scanning every router owned by an ISP globally.
All ISP's routers in the UK for maybe the last 10 years haven't had weak default password and I've never once seen them print it in an easily visible place. It is always on the bottom, and a few years ago the started adding cards with it on.
The threat model of someone looking through your window is significantly different than the threat model of someone googling "default password for XXXXXXX".

You are correct, but we shouldn't let perfect be the enemy of good.

If anyone who will be within plain sight of the router should not know the password, then obviously you should not use the default password that's printed on the router. You should set a new password yourself.
> It may slow down the production process [...]

Generally device already have their MAC address and serial number both printed on the outside and burned into an EPROM in the device, so printing a password really won’t make much of a difference.

> printing a password really won’t make much of a difference.

It's not just printing the password. There is also an overhead of configuring the device with a unique password.

Each device is flashed at production stage. It's not that difficult to put a password in. Firmware can be loaded from a server and it does not take much time, when done right.
Why do we need to wait for 2020? Why can't we do this immediately? For eg. from Jan 2019?
Because it takes businesses 2 years to requiring passwords that are 8-14 characters, include punctuation, capitalization, and numbers.

Ugh. :(

I expect most businesses have already made significant resource allocation decisions for work in 2019 so introducing previously unaccounted for work would be seen as "anti-business".
For the lazy among us: does it require per-device complex passwords, or is it enough to have a single “complex” password across all devices? If the latter that makes the bill even more dumb.
The law only appears to apply to factory default passwords.
It requires either a password that is unique to the device or a feature that forces the user to change the password at first login.
Sounds like Bloomberg’s soda ban. Where are the freedom advocates to fight against the govt ban? :)
How about penalties for anyone 'permanantly' connecting devices to the internet with default credentials?
Anyone manufacturing an internet-connected device in California will, from 2020

Is CA a major location for router manufacturing?

Nope. Well maybe a few startups. But nothing like more regulations right?
I'm trying and failing to think of other U.S. laws specifically regulating how consumer software is designed. Is this one of the first?