Default Passwords Outlawed in California, US To Follow

By Dan Gelinas, Published Oct 09, 2018, 10:37am EDT

A new California bill aimed at improving security for connected devices has been signed into law. The law takes aim especially at passwords on connected devices and will have a significant impact on camera manufacturers, many of whom are not currently compliant.

IPVM interviewed State Senator Hannah-Beth Jackson, who sponsored the bill and she told IPVM the intent is to change requirements nationally:

We think that given our state’s economic importance, any product designed for the United States market is going to comply with these reasonable security requirements.

In this note, we:

  • Share detailed feedback from our interview with Senator Jackson
  • Examine the language of the law
  • Discuss the goals of the law
  • Look at what the impact on existing cameras deployed is
  • Examine why out of California sales are still liable
  • Discuss what penalties manufacturers face for non-compliance
  • Examine who is and is not compliant
  • Share feedback from companies that are not currently compliant including Arecont, Avigilon And DW 
  • Look at the downsides of compliance
  • Examine potential penalties of non-compliance
  • Discuss the national effect this law will have
  • Analyze criticisms of the law

The ******** ** ** ***

****** **** ***, ******** ****** **** ******** **** **’* ********** Assembly ********* ****** ****, ** ******** ***** Brown ** ********* **, 2018, ********** *** ********* of “********** ******** ********” on ********* *******:

**** ****, ********* ** January *, ****, ************ * ************** * ********* ******, as ***** ***** *** defined,to ***** *** ****** **** * ********** ******** ******* ** ************ *** *********** ** the ****** *** ******** of *** ******, *********** to *** *********** ** may *******, *******, ** transmit, *** ******** ** protect *** ****** *** any *********** ********* ******* from ************ ******, ***********, use, ************, ** **********, as *********. (******** *****)

*** **** **** **** on ** *** **** if * ********* ****** can ** ******** ** a **** ********, **** the “********** ******** *******” requirement **** ** ********* by ******* ****** *** or *** ***** ** two ******** ************:

(*) ******* ** *** ** the ************ ** *********** (a), ** * ********* device ** ******** **** a ***** ***authentication ******* * ***** **** *******, ** ***** ** deemed *reasonable ******** ******* ***** *********** (*) ** ******** *** ********* ************ are ***:
(*) *** ************* ******** **unique ** **** ****** ************.
(*) *** ****** ******** * security ******* ****requires * **** ** ******** * *** ***** ** ************** ****** ****** ** ********* *** ****** *** the ***** ****. (******** added)

**** *********** ***** **** problems *** **** ****** manufacturers *** ** *** require * ***** ** who *** ******-****** ******* logins **** *****/***** **** don’t **** ** ** changed.**** *** * ********* of ******* **************** **** *****.

Proposed ***** ** *** ***

**** *********** ******* ******-**** Jackson *** ********* ** 327. ** **** *****, the ****-****** **** ** ****** *********** ****. *******, **** it ***** ** ************* and *************** **** *** ***** Botnet ******, ********** ********* **** there *** ** ****** room *** ******* *** buyer ******. ********* ** the *******, *** **** was ** ***** ************** on ************* ** ********* devices:

* ***** ** **** to ***** ******** ***** security ** * *********** element **** ** ****** these ********* *******. *** bill ************ **** **'* the ************ *** *** the ************** ** ******. It's ****** *** ************ who ** ** *** hook.

***********, ******* ******* **** drafters ** *** **** were ******* **** ** came **** ** ******* the *********** ****:

**** **** ********** ***, unless ****** *********, ** becomes *********** *** ** effect ******* * ** the ********* ****, ** 2019. *** ******* ** recognize ****, *****, * lot ** ********* *****’* done ******** **** ********, we ******* **** **** until ******* *, ****, to ****** ***** ******** so **** **** ****** with *** ***.

Grandfathered ******** / ********** **** *******

******* ******* **** **** devices **** ****** *** implementation **** ** ******* 1, ****, ***** ** grandfathered. *******, **** ******* 1, **** ***** ****** anything ************ ****** **** date ***** *** ** sold ** ********** ** it *** ***** ** be ***-*********.

Out ** ********** ***** ***** ******

**** ** * ****** is ******* ** **********, any ****** **** ** offered (*.*., ******) ** sold ** ******* ** California, ***** ***** **** to ******, ********* ** Senator *******:

**'* ***** *** ** comply. ** **'* **** in ** ******* *** sale ** **********, **** it's ******* ** *** state **** *** ****** wouldn't ****** ***** ** was ************ ** ******** or ******* ****. ** would ***** **** **** California ****.

Penalties ** ******** *** *** - ************* ********

*********** ** *** *** itself ***** ********* **** ******* *********-***** attorneys ** ********** *** bring ***** ****** ** a ******** ******* *** non-compliance:

*** ******** *******, * city ********, * ****** counsel, ** * ******** attorney ***** **** *** exclusive ********* ** ******* this *****.

*** **** *** ****** up ** ****'* ********* with ******* ******* *** said **** *** ********* manufacturers *** ***-**********:

** ************* ***'* ******, there's *** ********* **** they're ** ********* ** California’s **** ********* *** and ******** **** **** deal **** ***** *** don't ****** **** *** laws *** ****** ** unfair *********** ***********. ** manufacturers ** **** *** put *** ******** ************** at **** ** ***** attack, * ***** ******* that ****'* ******* ** on *** ***** *** of ** *********** ****** from ****** *** ********** Attorney ******* ** *** other ********* ****** ***********.

******:

******* *******'* ****** ********* us ** *** ** know **** *** ******** of ********* *** ***-********** was * ********* *** since ** ****'* **** done ***. **** *** say **** ********* ***** run *** ***** ** anything *** ******** ******* has ** *** ********:

**’* **** ** ***. It ***** ** **** dependent ** **** *** circumstances ****. ** *** put *** ********* ** non-compliant ******* *** ** caused * ******* *******, then ** ***** ** a ****** ***** *******. Anything **** * **** to * ***************.

US ******** ******

******* **** *********** ***** this ***** *** ************* law ** *** ****** it ** ***** ** have ** *** **** of *** ****** ******. Senator ******* **** *** point ******* ***** ****** IPVM's *********:

**** **** ******* ** connected ******* **** *** sold ** **********, *** given *** ****** ****** share *** *** ********* in *** **** ******, we ***** *** ****** of **** **** **** likely ** **** ****** our *******. **** **** and *** ******** ** a ******* ** ******. Automobiles, *** *******. *** that’s **** **’* **** to ***. **’* **** to ***, ***** *** a ******** ********, *** we’d **** ** *** companies ***** ****** *** issue ** ******* *** security *********. *** **** really *****’* ** ** now. *** ******* ********** is **** * **** marketplace, ** ** ********** companies ****** ‘***’* ****** in **** ***** ******** item ********** ** ***** we **** *** *******.’ And * ***** ***** states ******** **** ****** suit ******. ****’* ********* we **** ***** * bit. ** ***** ** in ********** *** **** other ****** **** ** up *** **** ** becomes *** **** ... ** think **** ***** *** state’s ******** **********, *** product ******** *** *** United ****** ****** ** going ** ****** **** these ********** ******** ************.

**** ** ******* ********, California ** *** **** populous ***** ** *** U.S. **** *****, ** would *** **** ********* sense *** *** ************ to ******* * **********-**** compliant ******* ****. ***** that, *** *******'* ****** that *** ********* ******* sold ** *** *.*. will ***** ** **** the ******* ********* ********** in *** *** ********** law ***** *****.

******, ** ***** ****** many ************* ** **** this ******** ******** ******* the **** *** *********** of *********** ******** **** of ******** ******** ***** be *********.

Compliant ** ***-********* *************

**** ** *** ******* IP ****** ************* *** already *********, *.*., ****, Bosch, *****, ******, *********. However, ******'* ******* ******** ********* shows, **** ** *** smaller ************* *** ***. Three ** *** ****** ones *** ********* ******* Arecont, ******** *** **.

Non-Compliant *********, *******, ********, **, **** **********

***** ************* *** *** not ********* ********* **** us **** **** ** be ** ****** ****.

******** **** **** *** well ** ***** *** to **********:

** **** * ****** of ******* ***** **** either ***** * *** password ** ***** *** the ***** **** ** have * ****** ********. This ** ********* ******** is ********** ** ****** throughout *** *********.

******* ********, ***** **** used *** ******* "*****/*****" combination, ****** ********'* **********:

*********, *** ** ******* and ***** ***** ****** encourage ***** ** ****** the ******* ********* ** our *********, ******* *** other ********* ******* ** a ****** ********. ** a ********** ************, *** new *** ****** *** responsibility ** ***** **** best ******** ** ******* a ****** ******** **** the *** **** ** the ************. ** **** make ** ** **** as ******** *** * user ** ****** * unique ******** ** ******* setup (** **** ** it ** ** ****** a ******** ** *** time **** *** ********), and **** **** ********* security ******* ********* ****** the *********** ******** ** January *, ****.

*******, ******* ******, ***** cameras ** *** **** a *******-****** ******* ******** in *****, **** **** also **** ** ** compliant ** *** ********:

******* ****** ******* ** not ********* ****** **** this ***, ***** **** not **** **** ****** until ****. ********* *** cameras ****** *** **** to *** * ******** on *** ****** *** we ** *** ******* them ** ** **. We ** **** ** comply **** **** *** law ***** ** *** implementation ** **** **** a ******** ****** ** all ** *** ******* generation *******.

** ***** ****** *** companies **** **** ** authorized ** ************ ** become ********* ** ****. However, **** ********* **** only **** *** ****** or **** *** ***, as * **** ** US ******** ******** ***** minimize ***** ****, ****** such *********' ****** ****** *** quite ***.

Firmware ******** ** ****** *********

************, ** ****** ** straightforward *** **** ************* to ****** ********* **** on ******* ******* ***** as * ******** ******* can ******* *** ******* password *** ****** **********. However, ***** **** ** support **********.

The ******** ** ********** - *******

*** ** *** ******* of ******* ********* ** that ** ******* *** number ** ***** *** forget ***** ********* *****, even ** **** '******', they *** ****** *** the ******* ******** (***** many ***** ******) *** get **** **. ** course, **** ************** ********* the **** ** ******** breaches.

*******, **** * ************ customer ******* **********, *********** default ********* ************* ********* support ***** *** **********. One ******** ************* **** taken ** ****** ***** problems ** ** ********* effectively * **** **** that ****** *** ************ to ***** *** ***** password. **** *** *** own *****, *.*.,********* ******** ***** **** cracked * *** ***** ago.

Critics ********

**** ****** ***** ******* *** ***** **'* * good ***** ** ******** weak ** **** ** actually ******. *** *** Cybersecurity *** *** **** has *** *******.

******** ******* ****** ****** ** ****** ************* ** *** **** on *** ********** *** **** *********** *** ** backward—instead ** ******* ************* to *** ********, **** should ** ******* ************* ** remove ********:

****** ** ****** **** ****** these ******** ******** ** a ******* ******* ************* should ** ******** ******** features, *******. *******, * better ****** ***** ** to ** ****. ********** manufacturers ****** ****** ****** and *** *** ***** unused ******* ******** ** they *** *** **** because **** *** ********** potential **********. *** ***** is ******* *** **** could **** ** *********** default ********* *** ******* strong *********.

****** ******** **** **** law *** ***** **** that *** ****** *** reactionary *** ********* *********:

***********, ***** ******* ******** of *** *** ***** that *** ******** *****'* specify ******* ****** **** the ***** "********** ******** feature" *****. **** *** example*** ******* **** ********, ***** ********* ******* litigation:

** *** ********, ** least **** **** *********** ("requires * **** ** generate * *** ***** of ************** ****** ****** is *******") ** ***** clear.

************** **** ** *** Access ************* ********** ** *** punitive ******* *** **** the ****** ** *** punitive ******** ***'* ********* in *** ******** ** the ***:

** ****** **** **** and ** *** ***** attempting ** ********* **** the ******** ******* ******** of.

OEMs ********?

*******, ************** **** *** **** Arnold & ****** ****** there *** ** * loophole*** *****-******* *******:

*** ******** ********* ** this *********** ** ***** in ******* ****.**.**, ********** (*):

(*) “************” ***** *** ****** who ************, ** ********* with ******* ****** ** manufacture ** *** ******’* behalf, ********* ******* **** are **** ** ******* for **** ** **********. For *** ******** ** this ***********, * ******** with ******* ****** ** manufacture ** *** ******’* behalfdoes *** ******* * ************ ** ******** * connected ******, **only ** ******** *** ***** * ********* ******. (******** *****)

******:

**** *** ****** **** the *******'* ****** ***** this ********* ********. **** explained **** ** *** a ******** ***** *** original ********* ************ ** still ** *** **** to ****** ****** *** device ** ***** *******. The *****-******** ******* ***** not **** *********, *** the ******** ********* ************ would.

Poll / ****

Comments (32)

Avatar

Ross Vander Klok

IPVMU Certified | 10/09/18 03:05pm

It is a shame that this HAD to even become a law.  However, getting a solution to this issue is long overdue.

Undisclosed Manufacturer #1

10/09/18 03:22pm

There is no way CA will be able to track all the different manufacturers and OEMs out there. If Joe's Camera from CA wants to import 100 IP domes from Alibaba with default passwords and then sell them in the residential market, how is anyone going to track that? Even if said person or committee catches Joe's Camera after hundreds or thousands of cameras are already installed, what is anyone to do about removing those cameras?

Shame on Avigilon (USA manufactured with state and local government focus) for not having forced passwords years ago, but it will be easy for them to change it. However, being DW and Arecont are OEM, we will see how that goes. Does DW have enough influence over TVT to mandate them to change, or is DW's sales of TVT cameras insignificant compared to global sales of TVT from other OEMs? 

If this law goes national, it will cost millions to put a committee together to track and test everything. There needs to be a standard created with a logo, like UL, posted on all boxes, etc. Then there needs to be advertising of this standard so the country knows what it means.

Avatar

Sean Nelson

Nelly's Security
In reply to Undisclosed Manufacturer #1 | 10/09/18 05:23pm

Shame on Avigilon (USA manufactured with state and local government focus) for not having forced passwords years ago,

Avigilon needs to get with the cyber security program and become compliant like Hikvision.

John Honovich

IPVM | In reply to Sean Nelson | 10/09/18 05:28pm

Image result for you got served gif

Avatar

Corey Vavra

In reply to Undisclosed Manufacturer #1 | 10/10/18 02:05pm

Obviously the solution to that is another $bureaucracy to track and register all CCTV installers, retailers, and even national distributors.  This will require a licence fee payable to the state of California, and might as well start a sub-bureaucracy for each municipality so they can get in on the action. ;)

Love how the senator puts the emphasis of the bill on forcing change nationally, rather than focusing on keeping her constituency safe from hackers.

 

On a serious note, yes its a great idea to have you create the admin password as soon as you connect to the unit. Just dont make me blow away all my data and configurations to reset it when the end user or previous tech lost it. (i.e by some method that is easy if you are physically at the unit but difficult for hackers remotely.)

Avatar

Ralph Azzi

IPVMU Certified | In reply to Corey Vavra | 12/02/19 12:28am

Password manager my friend!

Avatar

Ralph Azzi

IPVMU Certified | In reply to Undisclosed Manufacturer #1 | 12/02/19 12:27am

It is like drinking and driving, people are still doing it, but if you get caught, you will be penalized!

simplicity - let’s build first the plain vanilla version !

Stephen Schulz

IPVMU Certified | 10/09/18 03:44pm

This is where the Government needs to butt out and mind their own business.

They have enough of their own security problems to tend to rather getting involved in business.

Undisclosed Integrator #2

10/09/18 04:14pm

California needs to mind their own business and keep their hands off. NOT every state wants to be the granola/cereal state (Fruits, Nuts, & Flakes).

Avatar

Carl Lindgren

10/09/18 04:25pm

More $$$ in the pockets of password manager companies. But then, "quis custodiet ipsos custodes"?

Matthew Davis

10/09/18 04:32pm

I'm sorry but anything California does or law it enacts is just another step toward a socialists government. There is very little that state does that makes any sense.

Undisclosed #3

10/09/18 05:18pm

if you are a Support Manager for a company that manufactures IP cameras, you are planning now for the additional resources that will be required once this law is implemented.

If you've ever wondered why companies have used default passwords on devices when - from jump - this is not very secure.... the answer is actually quite simple:

Humans are dumb.

For every one level of complexity in day-to-day use that is introduced into any system, you can expect a significant rise in support calls.

Training is only part of the solution, as 'forgetting passwords' falls, at least mostly, outside of what can be mitigated with training. 

 

Avatar

Joseph Marotta

IPVMU Certified | 10/09/18 05:45pm

Welcome to Commie-fornia... "Use a default password, go to jail."

Undisclosed #5

IPVMU Certified | 10/09/18 05:51pm

the heat is on...

Avatar

Ross Vander Klok

IPVMU Certified | In reply to Undisclosed #5 | 10/09/18 06:55pm

WAAAAYYYYY too much time on your hands.  Awesome, but WAY too much time on your hands....

Undisclosed Manufacturer #1

10/09/18 08:44pm

Political opinions aside, the billion+ IoT devices that will go on the Internet in the next 5-10 years will allow for unprecedented attacks if not secure.  Consumers' awareness of cybersecurity of their home network, security and smart home devices is infinitesimal. There is a major problem looming and I'm not saying government intervention is the best way to prevent possible massive loss of assets and life from a cyber attack on a transportation\utility\or GPS system, but something needs to happen.

Avatar

Jonathan de Chateau

10/10/18 10:59am

This password rule is part of GPDR. It's common sense.

[IPVM Note: The password rule is part of Netherlands law, not the GDPR, see further discussion below]

John Honovich

IPVM | In reply to Jonathan de Chateau | 10/10/18 11:23am

Jonathan, which part of GDPR specifically is it in? This is the first I heard of anyone claiming this so curious what section of GDPR specifies this.

Avatar

Jonathan de Chateau

In reply to John Honovich | 10/10/18 11:33am

You'll have to trust by Dutch/English skills on this.

Here is the document.

Page 25 shows 3 boxes, one named 'Voorbeeld Onvoldoende Beveiliging', in English: Example Insufficient Security. In this part it's stated that not changing the default password (standaardwachtwoord) is regarded as insufficient security.

This document is dated back to Januari 2016, it was already made back then.
As of May 25th it came into effect. GDPR is translated into AVG in Dutch.
We have dedicated part of our helpdesk to this subject: see it here.

 

Avatar

Charles Rollet

In reply to Jonathan de Chateau | 10/10/18 12:03pm

The GDPR itself doesn't mention passwords anywhere. However, it does mandate "data protection by design and default" (article 25) saying that "the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation." (article 24.)

But "appropriate technical and organisational measures" are never actually defined by the GDPR, aside from general references to "encryption" and "pseudonymisation." Those specifics are left up to the national-level data protection authorities (DPAs) like the AVG in the Netherlands.

So while the GDPR itself has no "password rule," Jonathan isn't wrong to point out that a national DPA is capable of interpreting the GDPR as meaning that default passwords are not allowed.

Avatar

Jonathan de Chateau

In reply to Charles Rollet | 10/10/18 12:08pm

Thank you for clarying Charles. This is true.

Simularly, GDPR does not completely prohibit facial recognition, but Belgian rules dictate that facial recognition is prohibited.

Likewise, GDPR requires data minimalisation, but I am not sure a number of days is set. In Dutch rules there is a max of 28 days, and only incidents can be stored longer, but must be deleted once the incident is resolved.

 

 

Avatar

Dan Gelinas

IPVM | 10/10/18 07:16pm

UPDATES:

Please note, we've added some updates inline above re: potential penalties and also the possible loophole for white-labeled devices.

Avatar

Dan Gelinas

IPVM | In reply to Dan Gelinas | 10/11/18 12:51am

And just so you don't have to search for it, here are the updates from the story:

UPDATE:

Senator Jackson's office contacted us to let us know that the question of penalties for non-compliance was a difficult one since it hasn't been done yet. They did say that penalties could run the gamut of anything the Attorney General has at his disposal:

It’s hard to say. It would be very dependent on what the circumstances were. If you put out thousands of non-compliant devices and it caused a massive problem, then it could be a pretty harsh outcome. Anything from a fine to a civil injunction.

UPDATE:

IPVM has talked with the Senator's office about this potential loophole. They explained that is not a loophole since the original equipment manufacturer is still on the hook to comply before the device is white labeled. The white-labeling company would not face penalties, but the original equipment manufacturer would.

Undisclosed #5

IPVMU Certified | In reply to Dan Gelinas | 10/11/18 01:04am

Anything from a fine to a civil injunction.

 Or worse yet, mandatory ASIS attendance, including breakouts, whenever in Anaheim.

Carl Kristoffersen

10/12/18 01:29am

The manufacturer will be liable if an OEM decides to sell the product in California, with out it's knowledge?  
As with this whole law, if the manufacturer does not have a physical presence in California, there's not much California can do.  If there was, most states would be collecting sales tax from out of state sales.

Undisclosed #3

In reply to Carl Kristoffersen | 10/12/18 01:40am

this is exactly right.

...and as always, regardless of the purported altruistic goals of this Senator from California, SB 327 will be a gold mine for those that share her original choice of career:  other lawyers.

Avatar

Jon Dillabaugh

Pro Focus LLC
10/15/18 03:33pm

Wasn't the industry already well on it's way to this anyways? Why would people vote No?

Avatar

Jonathan de Chateau

In reply to Jon Dillabaugh | 10/15/18 03:54pm

I agree Jon. With alarm panels many companies have engineer access codes they use for all costumers. This makes it easy for the maintenance crew but is not safe. If one mechanic leaves or shares info, a hole database of installations is compromised.

I guess it takes regulation to make best practise standard practice.

Undisclosed Distributor #6

12/02/19 02:29am

lets just wait and see how many manufacturers put in their terms of service, not for sale in CA

Undisclosed Manufacturer #8

In reply to Undisclosed Distributor #6 | 12/02/19 11:52am

The law isn't just for sale in California. If it is purchased in another state and brought into California, it is still violating the law.

The manufacturers need to comply if they want to sell in the US and risk being brought into California.

This really shouldn't be a big deal, if you have active firmware development, vs just reusing old code or lowest bidder outsourcing.

They also need to make sure they have a factory default button..

We will see what happens and if/how the state does enforcement and violations.

John Honovich

IPVM | In reply to Undisclosed Distributor #6 | 12/02/19 12:45pm

manufacturers put in their terms of service, not for sale in CA

California has a larger economy than the UK and, if independent, would be the world's 5th largest economy. I think most manufacturers would sooner eliminate default passwords than give up California.

Also, as #8 points out, the way the bill is structured, it's likely not sufficient to simply declare one's products not for sale in CA.

Undisclosed #7

12/02/19 02:54am

tired of admin admin.

Read this IPVM report for free.

This article is part of IPVM's 6,735 reports, 909 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports