The new California password law demonstrates lawmakers’ misunderstanding of how connected devices work, how the internet works, and even how passwords work.
California is all done with weak passwords.
Well, not right now, but it says it will be done with them for internet-connected devices in another 14 months—starting Jan. 1, 2020.
From then on, the Information Privacy: Connected Devices bill, signed earlier this month by Gov. Jerry Brown, will require each such device to have a unique password.
The intent is laudable—to make it more difficult to hack those devices. But the unfortunate reality is that if you listen in the corners of the dark web and wherever else malicious hackers reside, you’re likely to hear them snickering.
Because however well-intentioned, the new California password law is, in the world of internet security, about as cutting-edge as requiring locks on screen doors.
Yes, weak passwords do make it simple—beyond simple—for malicious hackers to compromise everything from “smart” devices to the routers that connect people and organizations to the World Wide Web. And better passwords will make that marginally more difficult.
The law will require manufacturers to include either “a preprogrammed password unique to each device manufactured” or “a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”
In other words, you won’t be able to use your new device if you don’t create a password, which is no more difficult than creating a username and password for your other online activities—everything from social media sites to paying your bills.
But even the best passwords—long strings of random letters, characters, and numbers used only for one device or one site and changed every 90 days—aren’t much of a barrier for today’s threats.
As Phil Dunkelberger, CEO of Nok Nok Labs, put it nearly two years ago, “The username and password paradigm is fundamentally broken. It was never designed for, and is inherently incapable of addressing, the use cases of modern society.”
Or as Amit Sethi, senior principal consultant at Synopsys, put it just this past week, the California password law is “unlikely to make connected devices more secure.”
“An obvious problem is that uniqueness does not imply ‘difficult to guess.’ For example, using device serial numbers as passwords would likely be in compliance with the law, but would result in poor security,” he said.
Nabil Hannan, managing principal at Synopsys, said the law would make things like dictionary attacks or common password attacks more difficult, but not something like an attacker stealing a user’s password through a vulnerability like SQL injection, or through a phishing attack. In those cases, “the attacker could use the complex password and still get into the user’s account,” he said.
And Tim Mackey, technical evangelist at Synopsys, said the language of the law shows that legislators don’t even understand how the internet, or passwords, work.
The law, he noted, defines a connected device as “any device, or other physical object that is capable of connecting to the Internet and is assigned an IP or Bluetooth address.”
“This definition doesn’t take into account modules, which form building blocks for products, nor does it allow for the potential of non-IP or Bluetooth based devices like Zigbee,” he said.
Mackey noted several other flaws, among them that one section of the California password law defines access controls granted by a consumer, while another permits access to law enforcement, subject to a court order or other applicable law. But that would mean law enforcement would have the power to bypass user authentication.
“That would mean malicious entities could use these same access points to gain access to the device,” he said.
Beyond that, Mackey noted that the legislation contains no specific guidance for password length or complexity. “The net result is that a device could accept a blank password and be compliant,” he said.
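The two gaps Sethi and Mackey describe (a unique password can still be guessable, and nothing in the bill rules out a blank one) are the kind of thing a manufacturer's provisioning pipeline has to check for itself. The following Python script is an added illustration, not code from the article, from Synopsys, or from any device vendor; the length and entropy thresholds, the serial-number format and the batch of device records are all constructed assumptions. It flags passwords that are blank, derived from the device serial, or too short, and shows a per-device secret drawn from a cryptographic random source passing the same checks while remaining unique across a production batch.

```python
from __future__ import annotations

import math
import secrets
import string

# Assumed policy thresholds; the California bill itself sets none.
MIN_LENGTH = 12
MIN_ENTROPY_BITS = 60
ALPHABET = string.ascii_letters + string.digits


def estimated_entropy_bits(password: str) -> float:
    """Upper-bound estimate log2(charset ** length).

    Only meaningful for randomly generated passwords; a password derived
    from a serial number scores well here yet is trivially guessable,
    which is why password_findings() checks for derivation separately.
    """
    if not password:
        return 0.0
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    return len(password) * math.log2(charset)


def _normalise(value: str) -> str:
    # Strip common separators so "SN-0001" and "sn0001" compare equal.
    return value.lower().replace("-", "").replace(":", "").replace(" ", "")


def password_findings(serial: str, password: str) -> list[str]:
    """Return a list of policy violations for one device credential.

    An empty list means the credential passed every check.
    """
    findings: list[str] = []
    if password == "":
        findings.append("blank password")
        return findings
    if _normalise(serial) and _normalise(serial) in _normalise(password):
        findings.append("derived from device serial number")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if estimated_entropy_bits(password) < MIN_ENTROPY_BITS:
        findings.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return findings


def generate_device_password(length: int = 20) -> str:
    """Per-device secret from the OS CSPRNG (secrets module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def unique_across_batch(passwords: list[str]) -> bool:
    """The bill's literal requirement: no two devices share a password."""
    return len(set(passwords)) == len(passwords)


def provision_batch(serials: list[str]) -> dict[str, str]:
    """Assign each serial a freshly generated password."""
    return {serial: generate_device_password() for serial in serials}


if __name__ == "__main__":
    # Constructed sample serials for a hypothetical production batch.
    serials = ["SN-0001-ABCD", "SN-0002-ABCD", "SN-0003-ABCD"]

    # Weak scheme: unique per device, so it satisfies the letter of the
    # law, but every password is printed on the device label.
    weak = {s: s for s in serials}
    print("serial-as-password unique:", unique_across_batch(list(weak.values())))
    for s, pw in weak.items():
        print(f"  {s}: {password_findings(s, pw)}")

    # Blank password: also "unique" if only one device ships that way.
    print("blank:", password_findings(serials[0], ""))

    # Corrected scheme: random per-device secrets, unique and unguessable.
    strong = provision_batch(serials)
    print("random unique:", unique_across_batch(list(strong.values())))
    for s, pw in strong.items():
        print(f"  {s}: {password_findings(s, pw)}")
```

The point the script makes concrete is in the first loop: the serial-number batch is unique, and the serial `SN-0001-ABCD` even clears the naive entropy estimate, so only the explicit derivation check catches it. A compliance rule that stops at "unique" would never see the problem.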
None of that means passwords are going away anytime soon. The nonprofit FIDO (Fast Identity Online) Alliance came into being in 2012 with a goal of supplanting passwords with what it called “an open, scalable, interoperable set of mechanisms” for secure authentication.
But Brett McDowell, its executive director, has said from the beginning of that effort that passwords will “have a long tail”—a tail that remains today.
So applying basic security hygiene to them will certainly help, won’t it?
Yes and no, according to experts. Yes, in that, as Sethi noted, the California password law will force manufacturers of devices to stop putting devices on the market with default passwords. But he also pointed out that passwords are just one of many attack vectors, so improving them does very little to improve overall security.
The law, he said, appears to apply only to connected devices that are “equipped with a means for authentication outside a local area network.”
“This assumes that connected devices are deployed in completely trusted local area networks; this is rarely the case in real life,” he said.
Dunkelberger also said the law is “better than nothing from a security point of view.” But he added immediately that “perceived security is sometimes worse than being aware of the lack of security.”
And Kieren McCarthy, writing in The Register, made the same point—that the California password law could even make things worse, since it “may even give lawmakers their own false sense of security that they have fixed the problem.”
“They have not,” he wrote, adding, “While default passwords are a particular problem, a bigger one is the failure to update software. … Even when a manufacturer does go to the trouble to update their software to deal with the latest security threats, it often falls to the consumer to run updates on their system to install it. And if consumers can’t be bothered to change a default password, they almost certainly can’t be bothered to periodically update their devices’ software.”
Randy Vanderhoof, executive director of the Secure Technology Alliance, said the law has some value in putting the industry on notice that “if they aren’t going to address IoT security, the government is going to step in and force it.”
“Industry needs a greater sense of urgency in setting best practices around security or more laws will emerge that ultimately make manufacturing more difficult,” he said.
But he said the California password law is only a “prudent first step.” And he agreed with Mackey that the language of the law demonstrates that California legislators don’t have “a very good understanding of what level of security is required for connected devices.”
“Passwords have been proven to be a weak defense against organized and persistent attacks, so attempting to strengthen passwords instead of moving beyond them isn’t an effective solution to an increasingly complex problem,” he said.
“We need to focus on a real solution, which is embedded hardware security and applying cryptography for connected devices.”
In short, this is a law that is almost sure to fall far short of its intent.
“In the end, this legislation serves mostly to increase the complexity of applications in connected devices,” Mackey said.
“Legislators likely are not aware that, like most embedded systems, connected devices are powered by simple processors with very limited computing resources. Adding any security measures should be designed in, and not imposed through regulation.”
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.