Sometimes you just think: “Well, duh!” (or perhaps only if you are a caricature of a Californian surf dude…). It is though the Californians we have to thank for taking one of those obvious but simple steps which will lead to such an exclamation in IT offices throughout the world.
The State Legislature has passed a law that will in a stroke improve security on millions of internet-connected devices.
From 2020 they are going to demand that each gadget either made or sold in their state has a unique password or forces the user to set their own password on first use.
This will instantly do away with the still standard practice of distributing devices with an easy to guess default – usually ‘password’!
We’ve been forced to talk about this on many occasions, not least when our own local authority became a victim of an IoT hack.
Because users often fail to change that default, attackers can take over huge numbers of cameras, switches, door bells, fridges, you name it. When they have that control they might use it to get into the networks they are connected to or use the device as part of a swarm to launch bigger attacks on other networks.
While it would be easy to think this is just one state, it also happens to be the world’s fifth largest economy in its own right. California on its own ranks one place ahead of the UK!
It’s also a tech haven, with an advanced consumer and business market, so any manufacturer wanting to sell there will need to comply.
Not the whole answer
It’s still crucial to choose a strong password and a unique one every time. They’re impossible to remember, but that’s why we always recommend a password manager. There are plenty of user-friendly options out there, or we can provide the one we use ourselves for a very small cost.
What California has done here is important and long overdue and something industry should have done without waiting for legislation.
Importantly, it’s not a solution for the entire issue. That goes much deeper, into the need for vendors to ensure their code and protocols are robust from a security point of view, along with any networks they provide to connect to the devices or store user data. That’s still a huge weak spot, especially with the flood of cheap Chinese devices onto the market.
This is a necessary step in the right direction though and it puts the issue firmly on everyone’s radar, so for that it must be welcomed.
A few more “well, duh!” moments in the global approach to systems and network security, where common sense comes before vested interests, would be extremely welcome – but we’ll take this one for now.