California has taken steps to increase the password security on new devices made after January 1, 2020. Senate Bill No. 327 forces manufacturers to either create a unique password for each device or force the user to create a new password on their first login.
This only applies to devices that can be authenticated to from outside the local network, and the bill accepts either of the following:
(1) The preprogrammed password is unique to each device manufactured.
(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
Many websites publish the default credentials for devices, and attackers use this same information to quickly authenticate to devices whose administrators left the defaults as-is. The hope is that this bill will eliminate this easy attack vector. I would expect it to help prevent default passwords from being used, but it may not be enough. Forcing a home user to change their password without guidance often results in weak passwords. Having the manufacturer generate a good unique password for each device would be better. Even so, this still falls short of good security practice. Some form of two-factor authentication (2FA) would be best: implemented correctly, a weak password with 2FA is far better than a strong password without 2FA. There was no mention of 2FA in the bill.
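As an added illustration (my own sketch, not text from the bill and not any vendor's firmware), the snippet below shows what the two options in the bill and the "guidance" point above could look like in a device's first-login flow: option (1) is a per-device password drawn from a CSPRNG, and option (2) is a login gate that refuses to grant access until the user picks a replacement that passes a minimal policy. The class name `FirstLoginGate`, the policy thresholds and the tiny common-password denylist are assumptions chosen for the example.

```python
"""First-login credential gate, an illustration of SB 327 options (1) and (2).

Constructed example: not taken from the bill or from any real device.
"""
import hashlib
import secrets
import string
from typing import List

# Constructed stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"admin", "password", "12345678", "admin1234", "router", "qwerty123"}

MIN_LENGTH = 12          # assumed policy value
MIN_CHAR_CLASSES = 3     # assumed policy value


def generate_device_password(length: int = 16) -> str:
    """Option (1): a unique factory password per device from a CSPRNG.

    Ambiguous glyphs (0/O, 1/l/I) are dropped so the label is easy to read.
    """
    alphabet = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_new_password(candidate: str, device_serial: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if device_serial and device_serial.lower() in candidate.lower():
        problems.append("contains the device serial number")
    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ])
    if classes < MIN_CHAR_CLASSES:
        problems.append(f"uses fewer than {MIN_CHAR_CLASSES} character classes")
    return problems


class FirstLoginGate:
    """Option (2): the initial credential only unlocks the 'change password' step."""

    def __init__(self, device_serial: str, initial_password: str):
        self._serial = device_serial
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(initial_password)
        self.must_change = True   # cleared only after a compliant password is set

    def _derive(self, password: str) -> bytes:
        # Memory-hard KDF so a leaked hash is slow to brute-force.
        return hashlib.scrypt(password.encode(), salt=self._salt, n=2 ** 14, r=8, p=1)

    def _verify(self, password: str) -> bool:
        return secrets.compare_digest(self._derive(password), self._hash)

    def login(self, password: str) -> str:
        """'denied', 'change_required' (first login), or 'ok'."""
        if not self._verify(password):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def set_password(self, current: str, new: str) -> List[str]:
        """Rotate the credential; returns problems, empty on success."""
        if not self._verify(current):
            return ["current password incorrect"]
        problems = check_new_password(new, self._serial)
        if problems:
            return problems
        self._hash = self._derive(new)
        self.must_change = False
        return []


if __name__ == "__main__":
    factory_pw = generate_device_password()          # would be printed on the label
    gate = FirstLoginGate("SN-EXAMPLE-001", factory_pw)
    print("first login:", gate.login(factory_pw))     # change_required
    print("weak choice:", gate.set_password(factory_pw, "password"))
    print("good choice:", gate.set_password(factory_pw, "Correct-Horse-Battery-9"))
    print("after change:", gate.login("Correct-Horse-Battery-9"))  # ok
```

The point the example makes is that the feedback from `check_new_password` is the "guidance" the bill does not mandate: without it, a user prompted to change the factory password is free to pick `admin1234` and the device ends up no better protected than before.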
The bill also requires “appropriate” security of the device for the information it collects. This is ambiguous, since there are many definitions of what is “appropriate”. Hopefully manufacturers will require strong passwords and good encryption. Educating customers in good security practices would also go a long way toward keeping them safe.
The bill doesn’t cover firmware updates. If there is an easy exploit in the firmware, this is just as bad as a default password. Firmware exploits are often slow to be patched, both because of the time it takes the manufacturer to release the patch and because customers are unfamiliar with the device or with updating it. One-click firmware upgrades and update reminders on the device would help more devices get updated sooner. Some firmware updates are hidden under multiple “advanced” options, or the update requires extra equipment such as a USB drive. This makes it difficult for the customer and delays the patch.
The bill seems to be a response to the VPNFilter attack, in which over 500,000 home routers were compromised with malware through the use of default passwords and exploits. The bill may not prevent many attacks, but with a bit of effort from manufacturers and customers, some attacks may be prevented.