Default Passwords Outlawed in California, US To Follow

Published Oct 09, 2018 14:37 PM

A new California bill aimed at improving security for connected devices has been signed into law. The law takes aim especially at passwords on connected devices and will have a significant impact on camera manufacturers, many of whom are not currently compliant.
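As an added illustration (not from the article or any vendor), the kind of first-boot credential gate the law pushes manufacturers toward: the device ships with no usable login, rejects well-known factory defaults when the owner sets a password, refuses every other request until that is done, and can be returned to factory state only through a local button path. The class names, the 10-second button hold and the default-credential list are constructed for the example.

```python
"""Minimal model of a connected-device login gate with no shipped default
credential.  Constructed example; not code from the article or any vendor."""
import hashlib
import hmac
import os

# Well-known factory credentials the gate refuses outright (constructed list).
KNOWN_DEFAULTS = {"admin", "12345", "password", "123456", ""}
MIN_LENGTH = 12


class SetupRequired(Exception):
    """Raised when a request arrives before the owner has set a password."""


class Device:
    def __init__(self):
        self._salt = None
        self._digest = None   # None means factory state: no usable credential
        self.audit = []       # constructed audit log, one string per event

    @property
    def setup_complete(self):
        return self._digest is not None

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_initial_password(self, password):
        """First-boot step: only allowed while no credential exists yet."""
        if self.setup_complete:
            raise PermissionError("password already set; authenticate to change it")
        if password in KNOWN_DEFAULTS or len(password) < MIN_LENGTH:
            self.audit.append("setup rejected: weak or default password")
            return False
        self._salt = os.urandom(16)
        self._digest = self._hash(password, self._salt)
        self.audit.append("setup complete: owner password set")
        return True

    def login(self, password):
        """Every network request passes through here; fails closed before setup."""
        if not self.setup_complete:
            self.audit.append("login refused: setup required")
            raise SetupRequired("set an admin password before using the device")
        ok = hmac.compare_digest(self._hash(password, self._salt), self._digest)
        self.audit.append("login ok" if ok else "login failed")
        return ok

    def stream_video(self, password):
        """Example protected operation, gated on login()."""
        if not self.login(password):
            return None
        return "video-stream"

    def factory_reset(self, button_held_seconds, via_network=False):
        """Return to factory state only from the local button path, never over
        the network; the credential is wiped together with the configuration."""
        if via_network or button_held_seconds < 10:
            self.audit.append("reset refused")
            return False
        self._salt = self._digest = None
        self.audit.append("factory reset via local button")
        return True
```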

IPVM interviewed State Senator Hannah-Beth Jackson, who sponsored the bill, and she told IPVM the intent is to change requirements nationally:

We think that given our state’s economic importance, any product designed for the United States market is going to comply with these reasonable security requirements.

In this note, we:

  • Share detailed feedback from our interview with Senator Jackson
  • Examine the language of the law
  • Discuss the goals of the law
  • Look at the impact on cameras already deployed
  • Examine why sales outside California are still liable
  • Discuss what penalties manufacturers face for non-compliance
  • Examine who is and is not compliant
  • Share feedback from companies that are not currently compliant, including Arecont, Avigilon and DW
  • Look at the downsides of compliance
  • Examine potential penalties of non-compliance
  • Discuss the national effect this law will have
  • Analyze criticisms of the law


Comments (32)
Ross Vander Klok
Oct 09, 2018
IPVMU Certified

It is a shame that this HAD to even become a law.  However, getting a solution to this issue is long overdue.

(6)
Undisclosed Manufacturer #1
Oct 09, 2018

There is no way CA will be able to track all the different manufacturers and OEMs out there. If Joe's Camera from CA wants to import 100 IP domes from Alibaba with default passwords and then sell them in the residential market, how is anyone going to track that? Even if said person or committee catches Joe's Camera after hundreds or thousands of cameras are already installed, what is anyone to do about removing those cameras?

Shame on Avigilon (USA manufactured with state and local government focus) for not having forced passwords years ago, but it will be easy for them to change it. However, being DW and Arecont are OEM, we will see how that goes. Does DW have enough influence over TVT to mandate them to change, or is DW's sales of TVT cameras insignificant compared to global sales of TVT from other OEMs? 

If this law goes national, it will cost millions to put a committee together to track and test everything. There needs to be a standard created with a logo, like UL, posted on all boxes, etc. Then there needs to be advertising of this standard so the country knows what it means.

Sean Nelson
Oct 09, 2018
Nelly's Security

Shame on Avigilon (USA manufactured with state and local government focus) for not having forced passwords years ago,

Avigilon needs to get with the cyber security program and become compliant like Hikvision.

(3)
(5)
(1)
(4)
(25)
John Honovich
Oct 09, 2018
IPVM

[gif: "you got served"]

(1)
(7)
Corey Vavra
Oct 10, 2018

Obviously the solution to that is another $bureaucracy to track and register all CCTV installers, retailers, and even national distributors.  This will require a licence fee payable to the state of California, and might as well start a sub-bureaucracy for each municipality so they can get in on the action. ;)

Love how the senator puts the emphasis of the bill on forcing change nationally, rather than focusing on keeping her constituency safe from hackers.

 

On a serious note, yes, it's a great idea to have you create the admin password as soon as you connect to the unit. Just don't make me blow away all my data and configurations to reset it when the end user or previous tech lost it. (i.e., by some method that is easy if you are physically at the unit but difficult for hackers remotely.)

Ralph Azzi
Dec 02, 2019
IPVMU Certified

Password manager my friend!

Ralph Azzi
Dec 02, 2019
IPVMU Certified

It is like drinking and driving, people are still doing it, but if you get caught, you will be penalized!

simplicity - let's build the plain vanilla version first!

Stephen Schulz
Oct 09, 2018
IPVMU Certified

This is where the Government needs to butt out and mind their own business.

They have enough of their own security problems to tend to rather than getting involved in business.

(11)
(5)
(1)
(2)
Undisclosed Integrator #2
Oct 09, 2018

California needs to mind their own business and keep their hands off. NOT every state wants to be the granola/cereal state (Fruits, Nuts, & Flakes).

(8)
(2)
(9)
(4)
Carl Lindgren
Oct 09, 2018

More $$$ in the pockets of password manager companies. But then, "quis custodiet ipsos custodes"?

(1)
(2)
Matthew Davis
Oct 09, 2018

I'm sorry, but anything California does or any law it enacts is just another step toward a socialist government. There is very little that state does that makes any sense.

(8)
(3)
(6)
(1)
Undisclosed #3
Oct 09, 2018

If you are a Support Manager for a company that manufactures IP cameras, you are planning now for the additional resources that will be required once this law is implemented.

If you've ever wondered why companies have used default passwords on devices when - from jump - this is not very secure.... the answer is actually quite simple:

Humans are dumb.

For every one level of complexity in day-to-day use that is introduced into any system, you can expect a significant rise in support calls.

Training is only part of the solution, as 'forgetting passwords' falls, at least mostly, outside of what can be mitigated with training. 

 

(4)
Joseph Marotta
Oct 09, 2018
IPVMU Certified

Welcome to Commie-fornia... "Use a default password, go to jail."

(5)
(3)
(7)
(4)
Undisclosed #5
Oct 09, 2018
IPVMU Certified

the heat is on...

(17)
Ross Vander Klok
Oct 09, 2018
IPVMU Certified

WAAAAYYYYY too much time on your hands.  Awesome, but WAY too much time on your hands....

(1)
(6)
Undisclosed Manufacturer #1
Oct 09, 2018

Political opinions aside, the billion+ IoT devices that will go on the Internet in the next 5-10 years will allow for unprecedented attacks if not secure.  Consumers' awareness of cybersecurity of their home network, security and smart home devices is infinitesimal. There is a major problem looming and I'm not saying government intervention is the best way to prevent possible massive loss of assets and life from a cyber attack on a transportation\utility\or GPS system, but something needs to happen.

(6)
Bas Poiesz
Oct 10, 2018

This password rule is part of GDPR. It's common sense.

[IPVM Note: The password rule is part of Netherlands law, not the GDPR, see further discussion below]

John Honovich
Oct 10, 2018
IPVM

Jonathan, which part of GDPR specifically is it in? This is the first I heard of anyone claiming this so curious what section of GDPR specifies this.

Bas Poiesz
Oct 10, 2018

You'll have to trust my Dutch/English skills on this.

Here is the document.

Page 25 shows 3 boxes, one named 'Voorbeeld Onvoldoende Beveiliging', in English: Example Insufficient Security. In this part it's stated that not changing the default password (standaardwachtwoord) is regarded as insufficient security.

This document is dated back to January 2016; it was already made back then.
As of May 25th it came into effect. GDPR is translated into AVG in Dutch.
We have dedicated part of our helpdesk to this subject: see it here.

 

(2)
Charles Rollet
Oct 10, 2018

The GDPR itself doesn't mention passwords anywhere. However, it does mandate "data protection by design and default" (article 25) saying that "the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation." (article 24.)

But "appropriate technical and organisational measures" are never actually defined by the GDPR, aside from general references to "encryption" and "pseudonymisation." Those specifics are left up to the national-level data protection authorities (DPAs) like the AVG in the Netherlands.

So while the GDPR itself has no "password rule," Jonathan isn't wrong to point out that a national DPA is capable of interpreting the GDPR as meaning that default passwords are not allowed.

(2)
(3)
Bas Poiesz
Oct 10, 2018

Thank you for clarifying, Charles. This is true.

Similarly, GDPR does not completely prohibit facial recognition, but Belgian rules dictate that facial recognition is prohibited.

Likewise, GDPR requires data minimisation, but I am not sure a number of days is set. In Dutch rules there is a max of 28 days, and only incidents can be stored longer, but must be deleted once the incident is resolved.

 

 

(1)
Dan Gelinas
Oct 10, 2018
IPVM

UPDATES:

Please note, we've added some updates inline above re: potential penalties and also the possible loophole for white-labeled devices.

Dan Gelinas
Oct 11, 2018
IPVM

And just so you don't have to search for it, here are the updates from the story:

UPDATE:

Senator Jackson's office contacted us to let us know that the question of penalties for non-compliance was a difficult one since it hasn't been done yet. They did say that penalties could run the gamut of anything the Attorney General has at his disposal:

It’s hard to say. It would be very dependent on what the circumstances were. If you put out thousands of non-compliant devices and it caused a massive problem, then it could be a pretty harsh outcome. Anything from a fine to a civil injunction.

UPDATE:

IPVM has talked with the Senator's office about this potential loophole. They explained that is not a loophole since the original equipment manufacturer is still on the hook to comply before the device is white labeled. The white-labeling company would not face penalties, but the original equipment manufacturer would.

Undisclosed #5
Oct 11, 2018
IPVMU Certified

Anything from a fine to a civil injunction.

 Or worse yet, mandatory ASIS attendance, including breakouts, whenever in Anaheim.

(3)
Carl Kristoffersen
Oct 12, 2018

The manufacturer will be liable if an OEM decides to sell the product in California without its knowledge?
As with this whole law, if the manufacturer does not have a physical presence in California, there's not much California can do.  If there was, most states would be collecting sales tax from out of state sales.

(1)
(1)
Undisclosed #3
Oct 12, 2018

this is exactly right.

...and as always, regardless of the purported altruistic goals of this Senator from California, SB 327 will be a gold mine for those that share her original choice of career:  other lawyers.

(1)
Jon Dillabaugh
Oct 15, 2018
Pro Focus LLC

Wasn't the industry already well on its way to this anyway? Why would people vote No?

(2)
(1)
Bas Poiesz
Oct 15, 2018

I agree, Jon. With alarm panels, many companies have engineer access codes they use for all customers. This makes it easy for the maintenance crew but is not safe. If one mechanic leaves or shares info, a whole database of installations is compromised.

I guess it takes regulation to make best practice standard practice.

Undisclosed Distributor #6
Dec 02, 2019

Let's just wait and see how many manufacturers put in their terms of service: not for sale in CA.

Undisclosed Manufacturer #8
Dec 02, 2019

The law isn't just for sale in California. If it is purchased in another state and brought into California, it is still violating the law.

The manufacturers need to comply if they want to sell in the US and risk being brought into California.

This really shouldn't be a big deal, if you have active firmware development, vs just reusing old code or lowest bidder outsourcing.

They also need to make sure they have a factory default button.

We will see what happens and if/how the state does enforcement and violations.

(1)
John Honovich
Dec 02, 2019
IPVM

manufacturers put in their terms of service, not for sale in CA

California has a larger economy than the UK and, if independent, would be the world's 5th largest economy. I think most manufacturers would sooner eliminate default passwords than give up California.

Also, as #8 points out, the way the bill is structured, it's likely not sufficient to simply declare one's products not for sale in CA.

(1)
Undisclosed #7
Dec 02, 2019

tired of admin admin.