A New California Bill Would Require Better Passwords for Internet of Things Devices

A woman is silhouetted against a projection of a password login page.
Leon Neal/Getty Images

In 2016, the internet broke a little. Major sites like Twitter, Netflix, and Reddit went down after the Mirai botnet, malware that had commandeered poorly secured routers, security cameras, and digital video recorders, flooded the DNS provider Dyn with a distributed denial-of-service attack. It was made possible because the affected devices were still using their factory-default usernames and passwords, which owners had never changed and which, on some devices, could not be changed at all.

In 2017, there were about 20 billion connected devices worldwide, according to Statista, which projects that the number will exceed 75 billion by 2025. As more gadgets inundate our living rooms, more attacks based on internet of things devices are occurring: three times as many such attacks have happened so far this year as in all of 2017, Channelnomics reported.

Now California is considering legislation that would institute stricter password security for the network of smart physical devices that collect and share data that they acquire from users and their surroundings.

This policy comes at a time when IoT is taking over every inch of our homes—on Thursday, Amazon introduced about 15 new Alexa-enabled products, including microwaves, clocks, and car gadgets. With it comes the increased risk of hackers abusing that collected data.

SB 327 addresses that flaw. Beginning Jan. 1, 2020, it requires manufacturers of connected devices to equip them with a “reasonable security feature or features.” For devices that can be logged into from outside a local network, the bill also requires that the preprogrammed default password be unique to each device, or that the device prompt the user to set a new password before it can be used for the first time. The bill was approved by the California Assembly and Senate in August and is in its final stage, waiting for Gov. Jerry Brown’s signature.

Milos Prvulovic, a professor at the Georgia Institute of Technology’s School of Computer Science, said the bill would improve security for most people. A surprisingly large number of people don’t change the default password when they buy a new device, like a router, Prvulovic pointed out, and most of these default passwords are easily searchable on Google. If manufacturers are required to give each device its own default password, that alone will blunt large-scale, automated attacks by botnets, which depend on the same few credentials working on millions of devices. Prvulovic said it would be even better if users were prompted to create their own passwords before using any smart device.

Of course, “it doesn’t stop users from making terrible passwords on their own,” said Jamie Winterton, director of strategy at Arizona State University’s Global Security Initiative. “But at least [it] takes us away from a situation where we all have the same password.” (Disclosure: ASU is a partner with Slate and New America in Future Tense.)

But the bill still has some drawbacks.

“What I’m worried about is that this will lull people into a sense of false security,” said Prvulovic. “You should still change your password, and there are many reasons for it.” For example, the manufacturer will most likely have a database of all the unique passcodes for each device, and that database can eventually be hacked or leaked. A unique default that is derived from something printed on the device, such as its serial number, has the same weakness once the derivation is known: anyone who can read the label can recompute the password.
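The following is an added example, not code from the article, from SB 327, or from any manufacturer. It contrasts the two ways a vendor might satisfy the "unique per device" rule that Prvulovic and the bill describe: a default derived from the serial number (recomputable by anyone who learns the derivation) versus a default drawn from a CSPRNG at the factory, with the manufacturer keeping only a salted scrypt hash so a leaked database yields no usable passwords. It also forces the user to replace the default on first login and rejects the throwaway passwords named later in the article. The `DeviceRecord` schema, the serial numbers, and the `login` flow are assumptions made for this example.

```python
"""Added example: per-device default passwords, a weak way and a better way.

Assumptions (not from the article): a hypothetical DeviceRecord schema, a
constructed serial-number format, and scrypt as the password hash.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Optional, Tuple

# Alphabet for the default printed on the device label (constructed choice).
ALPHABET = string.ascii_letters + string.digits

# Passwords the article singles out; a real deployment would use a much longer list.
BLOCKLIST = {"123456", "password", "qwerty"}
MIN_LENGTH = 8


def weak_default_password(serial: str, vendor_secret: bytes = b"") -> str:
    """Weak pattern: the default is a deterministic function of the serial.

    It is "unique per device", so it satisfies a naive reading of the rule,
    but anyone who learns the derivation (reverse-engineered firmware or a
    leaked vendor secret) can recompute it from the label on the box.
    """
    digest = hashlib.sha256(vendor_secret + serial.encode()).hexdigest()
    return digest[:8]


def strong_default_password(length: int = 12) -> str:
    """Better: an unpredictable default drawn from the OS CSPRNG at the factory."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash. The manufacturer stores only this, never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored hash."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def acceptable_new_password(password: str) -> bool:
    """Minimal policy for the replacement the user picks on first login."""
    return len(password) >= MIN_LENGTH and password.lower() not in BLOCKLIST


@dataclass
class DeviceRecord:
    """Hypothetical per-device row in the manufacturer's database."""
    serial: str
    salt: bytes
    pw_hash: bytes
    must_change: bool = True  # the default is only good for the first login


def provision(serial: str) -> Tuple[DeviceRecord, str]:
    """Factory step: generate the default, store its hash, return the label text.

    The returned plaintext goes on the sticker and is then discarded; a leaked
    copy of the DeviceRecord lets an attacker test guesses, not read passwords.
    """
    default = strong_default_password()
    salt, pw_hash = hash_password(default)
    return DeviceRecord(serial, salt, pw_hash), default


def login(record: DeviceRecord, password: str, new_password: Optional[str] = None) -> bool:
    """Device-side login. While must_change is set, the default is accepted only
    together with an acceptable replacement, which then overwrites the default."""
    if not verify_password(password, record.salt, record.pw_hash):
        return False
    if record.must_change:
        if not new_password or new_password == password:
            return False
        if not acceptable_new_password(new_password):
            return False
        record.salt, record.pw_hash = hash_password(new_password)
        record.must_change = False
    return True


if __name__ == "__main__":
    # Weak scheme: the label alone is enough to recover the password.
    print("weak default for SN-0001:", weak_default_password("SN-0001"))
    # Strong scheme: provision, then walk through a first login.
    record, label_default = provision("SN-0001")
    print("default alone accepted on first use?", login(record, label_default))
    print("default + new password accepted?", login(record, label_default, "correct-horse-battery"))
    print("old default still works?", login(record, label_default))
```

In this design, the bill's two alternatives reinforce each other: the per-device default limits the blast radius of a Mirai-style credential spray, and the forced change on first login limits the damage if the manufacturer's database, or the derivation behind the defaults, is ever exposed.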

Moreover, the bill should have required encryption, said Winterton. If the data these devices collect and transmit is encrypted, the information will make no sense to somebody who doesn’t have the decryption key.

Some cybersecurity experts, like Robert Graham of Errata Security, have pointed out that much of the bill is vague. For instance, a “reasonable security feature” could mean a lot of things. In his analysis of the bill, Graham says it is “impossible for any company to know what these words mean” and “impossible to know if they are compliant with the law.”

But perhaps that’s the point. “You need some freedom to innovate to be embedded in the law, so it dictates what kind of thing is needed without implementing how it should happen,” said Prvulovic.

Keeping the legislation general is also crucial because of how fast technology changes. “If you customize [the legislation] to what we have today, it’s not gonna work for changes in technology, even next year or a couple of years down the road,” said Winterton.

If Gov. Brown signs the bill, it could have a big impact across the country.

“California is a large market—I’m pretty sure if this becomes the law [there], it’s gonna happen everywhere else anyway,” Prvulovic said. Home to several giant tech firms, California often leads the way in technology policy, particularly on protecting consumers. In March, for example, California introduced a bill to reinstate some of the net neutrality protections taken away by the Federal Communications Commission. That bill would stop internet providers from blocking or throttling certain websites and ban them from selling faster access to websites that pay more. As April Glaser wrote at the time:

California’s net neutrality law may have ramifications that stretch beyond the state’s borders, since applying rules within one state’s lines alone isn’t always feasible when it comes to the relatively borderless internet. This is what happened in 2003 with the passage of the California Online Privacy Protection Act, which required websites to publish privacy policies when they collect data about users.

Whether or not the bill becomes law, it’s imperative for you to change your passwords, and not to 123456, password, or qwerty.