Legislation prohibiting 'easy-to-guess' initial passwords aims to enforce security improvements in IoT equipment


By Christoph Scholz

A new law aimed at strengthening the security of web-connected devices has been enacted in the State of California, USA, and will come into effect in 2020. The new law prohibits electronic equipment makers from setting an initial password common to all devices. They are obliged either to set a different password for each device or to require the user to set their own password before use.

California just became the first state with an Internet of Things cybersecurity law - The Verge
https://www.theverge.com/2018/9/28/17874768/california-iot-smart-device-cybersecurity-bill-sb-327-signed-law

California's internet of things security bill.
https://slate.com/technology/2018/09/californias-internet-of-things-security-bill.html

The bill, "SB-327", was submitted in 2017, passed the Senate in August 2018, and was signed by Governor Jerry Brown; it will come into force on January 1, 2020. Once it is in force, manufacturers of devices that connect directly or indirectly to the Internet will be obliged to equip the devices they sell with "reasonable" security features that prevent unauthorized access, modification of content, and information leakage.

As a result, manufacturers will not be able to set a uniform initial password on their devices. They must either set a password unique to each device at the shipping stage or force the user to set a password before actually using the product. This is intended to avoid situations in which malicious crackers go around exploiting easy-to-guess passwords.


By Mack Male

With many devices already connected to the Internet and the number of IoT devices expected to explode in the future, this law is an important one. However, while some voices praise it, others criticize its content as "vague". Robert Graham, a cyber security expert, is one of the most severe critics, saying that the law focuses only on adding "good" features rather than removing what is malicious, and that it sets the United States back on this problem.

Meanwhile, people such as Harvard research fellow Bruce Schneier regard it as an excellent first step. Schneier said of the bill, "It may not be sufficient, but there is no reason not to pass it."

Although this new law applies only within the State of California, products from manufacturers that sell devices in the state are distributed everywhere, so its good influence will gradually spread to users in other places as well.


By Richard Parmiter

in Security, Posted by darkhorse_log