The ******** ** ** ***
****** **** ***, ******** ****** **** ******** **** **’* ********** Assembly ********* ****** ****, ** ******** ***** Brown ** ********* **, 2018, ********** *** ********* of “********** ******** ********” on ********* *******:
**** ****, ********* ** January *, ****, ************ * ************** * ********* ******, as ***** ***** *** defined,to ***** *** ****** **** * ********** ******** ******* ** ************ *** *********** ** the ****** *** ******** of *** ******, *********** to *** *********** ** may *******, *******, ** transmit, *** ******** ** protect *** ****** *** any *********** ********* ******* from ************ ******, ***********, use, ************, ** **********, as *********. (******** *****)
*** **** **** **** on ** *** **** if * ********* ****** can ** ******** ** a **** ********, **** the “********** ******** *******” requirement **** ** ********* by ******* ****** *** or *** ***** ** two ******** ************:
(*) ******* ** *** ** the ************ ** *********** (a), ** * ********* device ** ******** **** a ***** ***authentication ******* * ***** **** *******, ** ***** ** deemed *reasonable ******** ******* ***** *********** (*) ** ******** *** ********* ************ are ***:
(*) *** ************* ******** **unique ** **** ****** ************.
(*) *** ****** ******** * security ******* ****requires * **** ** ******** * *** ***** ** ************** ****** ****** ** ********* *** ****** *** the ***** ****. (******** added)
**** *********** ***** **** problems *** **** ****** manufacturers *** ** *** require * ***** ** who *** ******-****** ******* logins **** *****/***** **** don’t **** ** ** changed.**** *** * ********* of ******* **************** **** *****.
Proposed ***** ** *** ***
**** *********** ******* ******-**** Jackson *** ********* ** 327. ** **** *****, the ****-****** **** ** ****** *********** ****. *******, **** it ***** ** ************* and *************** **** *** ***** Botnet ******, ********** ********* **** there *** ** ****** room *** ******* *** buyer ******. ********* ** the *******, *** **** was ** ***** ************** on ************* ** ********* devices:
* ***** ** **** to ***** ******** ***** security ** * *********** element **** ** ****** these ********* *******. *** bill ************ **** **'* the ************ *** *** the ************** ** ******. It's ****** *** ************ who ** ** *** hook.
***********, ******* ******* **** drafters ** *** **** were ******* **** ** came **** ** ******* the *********** ****:
**** **** ********** ***, unless ****** *********, ** becomes *********** *** ** effect ******* * ** the ********* ****, ** 2019. *** ******* ** recognize ****, *****, * lot ** ********* *****’* done ******** **** ********, we ******* **** **** until ******* *, ****, to ****** ***** ******** so **** **** ****** with *** ***.
Grandfathered ******** / ********** **** *******
******* ******* **** **** devices **** ****** *** implementation **** ** ******* 1, ****, ***** ** grandfathered. *******, **** ******* 1, **** ***** ****** anything ************ ****** **** date ***** *** ** sold ** ********** ** it *** ***** ** be ***-*********.
Out ** ********** ***** ***** ******
**** ** * ****** is ******* ** **********, any ****** **** ** offered (*.*., ******) ** sold ** ******* ** California, ***** ***** **** to ******, ********* ** Senator *******:
**'* ***** *** ** comply. ** **'* **** in ** ******* *** sale ** **********, **** it's ******* ** *** state **** *** ****** wouldn't ****** ***** ** was ************ ** ******** or ******* ****. ** would ***** **** **** California ****.
Penalties ** ******** *** *** - ************* ********
*********** ** *** *** itself ***** ********* **** ******* *********-***** attorneys ** ********** *** bring ***** ****** ** a ******** ******* *** non-compliance:
*** ******** *******, * city ********, * ****** counsel, ** * ******** attorney ***** **** *** exclusive ********* ** ******* this *****.
*** **** *** ****** up ** ****'* ********* with ******* ******* *** said **** *** ********* manufacturers *** ***-**********:
** ************* ***'* ******, there's *** ********* **** they're ** ********* ** California’s **** ********* *** and ******** **** **** deal **** ***** *** don't ****** **** *** laws *** ****** ** unfair *********** ***********. ** manufacturers ** **** *** put *** ******** ************** at **** ** ***** attack, * ***** ******* that ****'* ******* ** on *** ***** *** of ** *********** ****** from ****** *** ********** Attorney ******* ** *** other ********* ****** ***********.
******:
******* *******'* ****** ********* us ** *** ** know **** *** ******** of ********* *** ***-********** was * ********* *** since ** ****'* **** done ***. **** *** say **** ********* ***** run *** ***** ** anything *** ******** ******* has ** *** ********:
**’* **** ** ***. It ***** ** **** dependent ** **** *** circumstances ****. ** *** put *** ********* ** non-compliant ******* *** ** caused * ******* *******, then ** ***** ** a ****** ***** *******. Anything **** * **** to * ***************.
US ******** ******
******* **** *********** ***** this ***** *** ************* law ** *** ****** it ** ***** ** have ** *** **** of *** ****** ******. Senator ******* **** *** point ******* ***** ****** IPVM's *********:
**** **** ******* ** connected ******* **** *** sold ** **********, *** given *** ****** ****** share *** *** ********* in *** **** ******, we ***** *** ****** of **** **** **** likely ** **** ****** our *******. **** **** and *** ******** ** a ******* ** ******. Automobiles, *** *******. *** that’s **** **’* **** to ***. **’* **** to ***, ***** *** a ******** ********, *** we’d **** ** *** companies ***** ****** *** issue ** ******* *** security *********. *** **** really *****’* ** ** now. *** ******* ********** is **** * **** marketplace, ** ** ********** companies ****** ‘***’* ****** in **** ***** ******** item ********** ** ***** we **** *** *******.’ And * ***** ***** states ******** **** ****** suit ******. ****’* ********* we **** ***** * bit. ** ***** ** in ********** *** **** other ****** **** ** up *** **** ** becomes *** **** ... ** think **** ***** *** state’s ******** **********, *** product ******** *** *** United ****** ****** ** going ** ****** **** these ********** ******** ************.
**** ** ******* ********, California ** *** **** populous ***** ** *** U.S. **** *****, ** would *** **** ********* sense *** *** ************ to ******* * **********-**** compliant ******* ****. ***** that, *** *******'* ****** that *** ********* ******* sold ** *** *.*. will ***** ** **** the ******* ********* ********** in *** *** ********** law ***** *****.
******, ** ***** ****** many ************* ** **** this ******** ******** ******* the **** *** *********** of *********** ******** **** of ******** ******** ***** be *********.
Compliant ** ***-********* *************
**** ** *** ******* IP ****** ************* *** already *********, *.*., ****, Bosch, *****, ******, *********. However, ******'* ******* ******** ********* shows, **** ** *** smaller ************* *** ***. Three ** *** ****** ones *** ********* ******* Arecont, ******** *** **.
Non-Compliant *********, *******, ********, **, **** **********
***** ************* *** *** not ********* ********* **** us **** **** ** be ** ****** ****.
******** **** **** *** well ** ***** *** to **********:
** **** * ****** of ******* ***** **** either ***** * *** password ** ***** *** the ***** **** ** have * ****** ********. This ** ********* ******** is ********** ** ****** throughout *** *********.
******* ********, ***** **** used *** ******* "*****/*****" combination, ****** ********'* **********:
*********, *** ** ******* and ***** ***** ****** encourage ***** ** ****** the ******* ********* ** our *********, ******* *** other ********* ******* ** a ****** ********. ** a ********** ************, *** new *** ****** *** responsibility ** ***** **** best ******** ** ******* a ****** ******** **** the *** **** ** the ************. ** **** make ** ** **** as ******** *** * user ** ****** * unique ******** ** ******* setup (** **** ** it ** ** ****** a ******** ** *** time **** *** ********), and **** **** ********* security ******* ********* ****** the *********** ******** ** January *, ****.
*******, ******* ******, ***** cameras ** *** **** a *******-****** ******* ******** in *****, **** **** also **** ** ** compliant ** *** ********:
******* ****** ******* ** not ********* ****** **** this ***, ***** **** not **** **** ****** until ****. ********* *** cameras ****** *** **** to *** * ******** on *** ****** *** we ** *** ******* them ** ** **. We ** **** ** comply **** **** *** law ***** ** *** implementation ** **** **** a ******** ****** ** all ** *** ******* generation *******.
** ***** ****** *** companies **** **** ** authorized ** ************ ** become ********* ** ****. However, **** ********* **** only **** *** ****** or **** *** ***, as * **** ** US ******** ******** ***** minimize ***** ****, ****** such *********' ****** ****** *** quite ***.
Firmware ******** ** ****** *********
************, ** ****** ** straightforward *** **** ************* to ****** ********* **** on ******* ******* ***** as * ******** ******* can ******* *** ******* password *** ****** **********. However, ***** **** ** support **********.
The ******** ** ********** - *******
*** ** *** ******* of ******* ********* ** that ** ******* *** number ** ***** *** forget ***** ********* *****, even ** **** '******', they *** ****** *** the ******* ******** (***** many ***** ******) *** get **** **. ** course, **** ************** ********* the **** ** ******** breaches.
*******, **** * ************ customer ******* **********, *********** default ********* ************* ********* support ***** *** **********. One ******** ************* **** taken ** ****** ***** problems ** ** ********* effectively * **** **** that ****** *** ************ to ***** *** ***** password. **** *** *** own *****, *.*.,********* ******** ***** **** cracked * *** ***** ago.
Critics ********
**** ****** ***** ******* *** ***** **'* * good ***** ** ******** weak ** **** ** actually ******. *** *** Cybersecurity *** *** **** has *** *******.
******** ******* ****** ****** ** ****** ************* ** *** **** on *** ********** *** **** *********** *** ** backward—instead ** ******* ************* to *** ********, **** should ** ******* ************* ** remove ********:

****** ** ****** **** ****** these ******** ******** ** a ******* ******* ************* should ** ******** ******** features, *******. *******, * better ****** ***** ** to ** ****. ********** manufacturers ****** ****** ****** and *** *** ***** unused ******* ******** ** they *** *** **** because **** *** ********** potential **********. *** ***** is ******* *** **** could **** ** *********** default ********* *** ******* strong *********.
****** ******** **** **** law *** ***** **** that *** ****** *** reactionary *** ********* *********:

***********, ***** ******* ******** of *** *** ***** that *** ******** *****'* specify ******* ****** **** the ***** "********** ******** feature" *****. **** *** example*** ******* **** ********, ***** ********* ******* litigation:

** *** ********, ** least **** **** *********** ("requires * **** ** generate * *** ***** of ************** ****** ****** is *******") ** ***** clear.
************** **** ** *** Access ************* ********** ** *** punitive ******* *** **** the ****** ** *** punitive ******** ***'* ********* in *** ******** ** the ***:

** ****** **** **** and ** *** ***** attempting ** ********* **** the ******** ******* ******** of.
OEMs ********?
*******, ************** **** *** **** Arnold & ****** ****** there *** ** * loophole*** *****-******* *******:

*** ******** ********* ** this *********** ** ***** in ******* ****.**.**, ********** (*):
(*) “************” ***** *** ****** who ************, ** ********* with ******* ****** ** manufacture ** *** ******’* behalf, ********* ******* **** are **** ** ******* for **** ** **********. For *** ******** ** this ***********, * ******** with ******* ****** ** manufacture ** *** ******’* behalfdoes *** ******* * ************ ** ******** * connected ******, **only ** ******** *** ***** * ********* ******. (******** *****)
******:
**** *** ****** **** the *******'* ****** ***** this ********* ********. **** explained **** ** *** a ******** ***** *** original ********* ************ ** still ** *** **** to ****** ****** *** device ** ***** *******. The *****-******** ******* ***** not **** *********, *** the ******** ********* ************ would.
Poll / ****

Comments (32)
Ross Vander Klok
It is a shame that this HAD to even become a law. However, getting a solution to this issue is long overdue.
Undisclosed Manufacturer #1
There is no way CA will be able to track all the different manufacturers and OEMs out there. If Joe's Camera from CA wants to import 100 IP domes from Alibaba with default passwords and then sell them in the residential market, how is anyone going to track that? Even if said person or committee catches Joe's Camera after hundreds or thousands of cameras are already installed, what is anyone to do about removing those cameras?
Shame on Avigilon (USA manufactured with state and local government focus) for not having forced passwords years ago, but it will be easy for them to change it. However, being DW and Arecont are OEM, we will see how that goes. Does DW have enough influence over TVT to mandate them to change, or is DW's sales of TVT cameras insignificant compared to global sales of TVT from other OEMs?
If this law goes national, it will cost millions to put a committee together to track and test everything. There needs to be a standard created with a logo, like UL, posted on all boxes, etc. Then there needs to be advertising of this standard so the country knows what it means.
Stephen Schulz
This is where the Government needs to butt out and mind their own business.
They have enough of their own security problems to tend to rather than getting involved in business.
Undisclosed Integrator #2
California needs to mind their own business and keep their hands off. NOT every state wants to be the granola/cereal state (Fruits, Nuts, & Flakes).
Carl Lindgren
More $$$ in the pockets of password manager companies. But then, "quis custodiet ipsos custodes"?
Matthew Davis
I'm sorry but anything California does or law it enacts is just another step toward a socialist government. There is very little that state does that makes any sense.
Undisclosed #3
If you are a Support Manager for a company that manufactures IP cameras, you are planning now for the additional resources that will be required once this law is implemented.
If you've ever wondered why companies have used default passwords on devices when - from jump - this is not very secure.... the answer is actually quite simple:
Humans are dumb.
For every one level of complexity in day-to-day use that is introduced into any system, you can expect a significant rise in support calls.
Training is only part of the solution, as 'forgetting passwords' falls, at least mostly, outside of what can be mitigated with training.
Joseph Marotta
Welcome to Commie-fornia... "Use a default password, go to jail."
Undisclosed #5
The heat is on...
Undisclosed Manufacturer #1
Political opinions aside, the billion+ IoT devices that will go on the Internet in the next 5-10 years will allow for unprecedented attacks if not secure. Consumers' awareness of cybersecurity of their home network, security and smart home devices is infinitesimal. There is a major problem looming and I'm not saying government intervention is the best way to prevent possible massive loss of assets and life from a cyber attack on a transportation\utility\or GPS system, but something needs to happen.
Jonathan de Chateau
This password rule is part of GDPR. It's common sense.
[IPVM Note: The password rule is part of Netherlands law, not the GDPR, see further discussion below]
Dan Gelinas
UPDATES:
Please note, we've added some updates inline above re: potential penalties and also the possible loophole for white-labeled devices.
Carl Kristoffersen
The manufacturer will be liable if an OEM decides to sell the product in California, without its knowledge?
As with this whole law, if the manufacturer does not have a physical presence in California, there's not much California can do. If there was, most states would be collecting sales tax from out of state sales.
Jon Dillabaugh
10/15/18 03:33pm
Wasn't the industry already well on its way to this anyways? Why would people vote No?
Undisclosed Distributor #6
Let's just wait and see how many manufacturers put in their terms of service, not for sale in CA.
Undisclosed #7
Tired of admin admin.