By Peter F. Johnson, Superior Court of Pennsylvania
California Governor Jerry Brown signed legislation (SB-327, effective January 1, 2020) mandating a longtime cybersecurity best practice: changing default passwords. The use of weak default passwords is endemic to the consumer-device world, but it is just as common in enterprise computer equipment, on which corporate and customer data may be stored. The new law appears aimed at Internet of Things (IoT) devices such as home security cameras, smart thermostats, and connected doorbells, and specifically those that collect, store, or transmit information about individuals. Nevertheless, the law's scope in this respect is ambiguous, and it may be read to reach any physical device capable of connecting to the internet, including computer servers destined to store corporate and customer data.
The California law specifically applies to "connected devices," that is, "any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address." Cal. Civ. Code § 1798.91.05(b). It obligates manufacturers to equip such devices with "reasonable security features" appropriate to the device's nature and function and the information it handles. Under the statute's safe-harbor provision, which applies to devices that can be authenticated to from outside a local area network, a manufacturer is deemed to have provided a reasonable security feature if it either pre-programs a unique password into each manufactured device or requires the user to generate a new means of authentication before access is granted for the first time. Cal. Civ. Code § 1798.91.04(b).
Manufacturers of computer systems have long shipped default passwords that are widely known and identical across a brand's devices. The United States Computer Emergency Readiness Team explains: "Default passwords are intended for initial testing, installation, and configuration operations, and many vendors recommend changing the default password before deploying the system in a production environment." Still, there are efforts to improve security from the start. The current generation of Dell EMC servers available for configuration on the company's website, for example, now "ship with a unique, randomly-generated [management] password." Nevertheless, a purchaser may still opt to have the server delivered with the company's "legacy password" ("Calvin," if you are curious).
The exploitation of unchanged default passwords in IoT devices poses a threat to the public in large part because it is a mainstay of botnet recruitment. Discovered in 2016, the Mirai botnet is among the most significant in scale so far. The subsequent public release of Mirai's source code showed that its primary means of spreading to new devices was to scan the internet for devices exposing a Telnet login and then try a fixed list of more than sixty common default username/password combinations against each one. In theory, such a dictionary attack would fail against devices compliant with either safe-harbor path of the California law: a unique pre-programmed password is not on any shared list, and a device that refuses access until the user sets a credential offers the scanner nothing to guess.
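The following is an added example, not code from the article or from the Mirai source, that models the propagation loop just described as a default-credential audit and runs it against three constructed manufacturing policies: a shared legacy password, a unique per-unit password, and a forced credential change on first use. The credential list is a small constructed subset in the style of the leaked Mirai list, the `Device` class and its serial numbers are stand-ins for real targets, and the "Calvin" legacy password is used only because the article mentions it; a real audit would drive Telnet, SSH, or HTTP logins instead of calling `login` directly.

```python
"""Default-credential audit modelled on the Mirai propagation loop.

Added example; the devices are in-memory stand-ins, not real targets.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed subset in the style of the leaked Mirai credential list
# (the real list has roughly sixty entries).
MIRAI_STYLE_CREDS: List[Tuple[str, str]] = [
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("root", "root"), ("admin", "password"), ("root", "calvin"),
    ("support", "support"), ("user", "user"), ("guest", "guest"),
]

LoginFn = Callable[[str, str], bool]


def try_default_creds(login: LoginFn, creds=MIRAI_STYLE_CREDS) -> Optional[Tuple[str, str]]:
    """Mirai-style loop: return the first pair the target accepts, else None."""
    for user, pw in creds:
        if login(user, pw):
            return (user, pw)
    return None


@dataclass
class Device:
    """Minimal model of one device's authentication state (constructed)."""
    serial: str
    user: str
    password: str
    must_change: bool = False   # True while first-use provisioning is pending

    def login(self, user: str, pw: str) -> bool:
        # A device awaiting first-use provisioning accepts no credential at all,
        # so a remote scanner has nothing to guess.
        if self.must_change:
            return False
        return user == self.user and secrets.compare_digest(pw, self.password)

    def set_initial_password(self, new_password: str) -> None:
        """First-use path: only valid once, and only before any login works."""
        if not self.must_change:
            raise PermissionError("password already provisioned")
        if len(new_password) < 12:
            raise ValueError("initial password too short")
        self.password = new_password
        self.must_change = False


def make_fleet(n: int, policy: str, legacy_password: str = "calvin") -> List[Device]:
    """Build n devices under one of three manufacturing policies."""
    fleet = []
    for i in range(n):
        serial = f"SN{i:04d}"   # constructed serial numbers
        if policy == "legacy":
            # Same password on every unit: one list entry opens the whole fleet.
            fleet.append(Device(serial, "root", legacy_password))
        elif policy == "per_unit":
            # Unique random password per unit (printed on the label, not derived
            # from the serial), as the statute's first safe-harbor path requires.
            fleet.append(Device(serial, "root", secrets.token_urlsafe(12)))
        elif policy == "first_use":
            # No usable credential until the owner sets one: second safe-harbor path.
            fleet.append(Device(serial, "root", "", must_change=True))
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return fleet


def audit(fleet: List[Device]) -> List[str]:
    """Serials of devices that accept any credential on the default list."""
    return [d.serial for d in fleet if try_default_creds(d.login) is not None]


if __name__ == "__main__":
    for policy in ("legacy", "per_unit", "first_use"):
        print(policy, audit(make_fleet(5, policy)))
```

Running the audit shows every "legacy" unit falling to the same list entry while neither compliant fleet yields a single hit. One caveat the model makes visible: the first-use path protects a device only until someone provisions it, so if the device is reachable from the internet before its owner connects, the first "user" may be the attacker; per-unit random passwords carry no such race.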
But the exploitation of unchanged passwords in other contexts leaves open even more concerning threats. The United States Government Accountability Office (GAO) recently revealed that American weapon systems are at risk of exploitation by way of default passwords. In its October 2018 report (GAO-19-128), the GAO identified failures to change the default passwords of commercial or freely licensed software as existing vulnerabilities in those systems:
Poor password management was a common problem in the test reports we reviewed. One test report indicated that the test team was able to guess an administrator password in nine seconds. Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the Internet and gain administrator privileges for that software. (Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities at 22).
California's new connected-devices statute moves good cybersecurity and data-privacy practices into the realm of legal compliance. Although the statute's scope may well be limited to manufacturers of consumer devices, the specific threat it seeks to address is far broader. Attorneys charged with managing and mitigating an entity's risks would do well to consider the entity's own exposure to these same vulnerabilities, the threats posed to the personal information of individuals the entity stores, and the entity's readiness to comply with increasingly technologically sophisticated legislatures, which appear ready to codify cybersecurity enhancements more generally.
Peter F. Johnson, Esq. is the director of technology at the Superior Court of Pennsylvania.