Connected devices are expected to soar to 20.4 billion units by 2020, and many come with a default password as standard. Despite the inevitability of these default passwords, users should understand that they pose a considerable threat vector. California is the first state to introduce legislation to make it harder for bots to take over connected devices. However, it doesn’t go far enough. This is because the law doesn’t mandate the need to have a strong password. The only requirement is that the password must be unique.
Both business and consumer IoT devices have traditionally come with default credentials that tend to be very easy to guess. Some manufacturers even post details on their websites to help users easily set up the devices. It might be hard to believe, but some devices ship without a password, which is like laying out a red carpet for hackers.
The new law, Senate Bill No. 326, goes into effect on January 1, 2020, and it is the first IoT cybersecurity regulation in the U.S. It will ensure that manufacturers of IoT devices equip their products with security features out of the box. The new law will also see the end of default passwords and, thankfully, password-free devices.
However, it is still not enough as there is no mandate around the strength of the password selected. For example, when users change their passwords, they are not forced to choose a strong one, or one that is uncompromised, which still makes the device an easy target for hackers. There is also no requirement to ensure the device comes with the latest security software pre-installed, which also increases the risk. Given the competitive market, IoT hardware manufacturers’ focus is currently on getting the newest device into the market as quickly as possible, and security is often a hastily bolted-on afterthought.
The California legislation is an essential first step as it removes the default password option. However, it fails to take into account the need for a strong password. With the extensive use of IoT devices both at home and at work, this regulation must be enhanced and rolled out across the US. As IoT continues to grow exponentially, the sheer scale provides a vast attack surface for nefarious actors to take advantage of. Future cybersecurity regulation must take a 360-degree view of the problem, or IoT devices will remain a growing threat vector ripe for exploitation.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.