“Password123” isn’t an easy password option anymore. At least, it isn’t in California.
The Golden State’s governor just signed a law barring companies from selling Internet-connected devices with preprogrammed passwords that are easy to guess or crack and leave them vulnerable to malicious hackers. Starting in 2020, all Internet of Things devices made or sold in California — whether they’re refrigerators, thermostats or cars — must come equipped with unique passwords, or a feature that requires the user to set their own unique password.
The law makes California the first state in the country to set cybersecurity standards for the rapidly proliferating IoT business. It’s a step toward defending against cyberattacks such as the massive Mirai botnet that harnessed the power of hijacked devices to disable major websites in 2016.
But eliminating weak default passwords is an elementary move that only offers a basic safeguard against a sliver of digital threats. The fact that it’s only California that’s taking action — and is considered a trailblazer for such a simple step that many security experts think should already be a best practice — underscores the challenges facing policymakers and manufacturers when it comes to improving the notoriously poor security of connected devices.
“Hooray for doing something, but it’s a small piece of a very large problem,” said Bruce Schneier, a security technologist at the Harvard Kennedy School and author of a new book on IoT security. “If I have a house with 50 unlocked windows, you just secured the one in the second bedroom.”
By and large, IoT devices make easy targets for hackers, and poor password security is part of the problem. Many IoT devices come out of the box with fixed passwords, some of them as basic as “admin” or “1234.” Even when given the option of changing a device’s default password, users often don’t take action. Hackers can crack these weak passwords with malicious software — or even good guesswork. That could allow them to break into an individual network — or even to turn large masses of connected devices into disruptive botnets. It happened on a huge scale in the Mirai attack, in which hackers seized control of hundreds of thousands of webcams and other devices and used them to flood the networking company Dyn with fake traffic. As a result, sites such as Twitter, PayPal and Netflix were knocked out for hours.
California’s law seeks to address the problem by requiring that all connected devices in the state come with a “preprogrammed password [that] is unique to each device manufactured,” or allow the user “[to] generate a new means of authentication before access is granted to the device for the first time.”
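To make the two options concrete, here is an added example (not code from the article, from any manufacturer, or from the statute itself) that models them in Python: a factory credential drawn fresh per unit, and a gate that refuses every service until the user chooses a new credential. The names `FirstAccessGate`, `provision_unique_password` and the weak-default list are invented for illustration.

```python
"""Added example, not part of the original newsletter: a minimal model of the
two ways a device can satisfy a per-device-credential rule. All names here are
hypothetical, and KNOWN_WEAK_DEFAULTS is a constructed sample list."""
import hmac
import secrets
import string

# Constructed sample of vendor-wide defaults of the kind the article mentions.
KNOWN_WEAK_DEFAULTS = {"admin", "1234", "password", "password123", "root", ""}

ALPHABET = string.ascii_letters + string.digits


def provision_unique_password(length: int = 16) -> str:
    """Option 1: a factory-set password that is unique to each manufactured unit.

    Drawn from the OS CSPRNG at provisioning time rather than derived from a
    serial number or a shared vendor secret, so one unit's credential tells an
    attacker nothing about another's."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_shared_default(password: str) -> bool:
    """True if the password is a vendor-wide default of the kind the law bars."""
    return password.lower() in KNOWN_WEAK_DEFAULTS


class FirstAccessGate:
    """Option 2: require the user to set a new credential before any access.

    One gate is consulted by every service on the device (web UI, SSH,
    telnet, ...). That matters for Graham's point that a device has many
    things that may or may not be called passwords: gating only the web
    interface leaves the other interfaces behind the factory credential."""

    def __init__(self, factory_password: str):
        self._password = factory_password
        self._user_set = False  # flips only after the user chooses a credential

    def set_password(self, old: str, new: str) -> bool:
        """Accept a new credential if the caller knows the current one and the
        new one is neither a known default nor trivially short."""
        if not hmac.compare_digest(old, self._password):
            return False
        if is_shared_default(new) or len(new) < 8:
            return False
        self._password = new
        self._user_set = True
        return True

    def authenticate(self, service: str, password: str) -> bool:
        """Same rule for every service name: no access at all until the user
        has set a credential, then a constant-time comparison."""
        if not self._user_set:
            return False
        return hmac.compare_digest(password, self._password)


if __name__ == "__main__":
    gate = FirstAccessGate("admin")  # constructed: a unit shipped with a weak default
    print("telnet with factory default before setup:", gate.authenticate("telnet", "admin"))
    print("user picks a credential:", gate.set_password("admin", "correct horse"))
    print("web login afterwards:", gate.authenticate("web", "correct horse"))
    print("fresh per-unit factory password:", provision_unique_password())
```

The `authenticate` call takes a `service` argument purely to make the design point visible: the answer is the same for `"web"` and `"telnet"`, whereas the Mirai-era devices Graham describes gated one interface and not the others.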
But even simple measures like this add costs for manufacturers, meaning further protections lawmakers seek to impose could be met with resistance from the industry.
And passwords aren’t the only way in to devices for more sophisticated attackers, as TechCrunch’s Zack Whittaker notes. Instead, they exploit bugs in their software. California’s law doesn’t do anything to mandate that companies patch these types of vulnerabilities or offer users ways to make security updates themselves. Beyond banning default passwords, the law only requires manufacturers to equip devices with “a reasonable security feature or features,” without defining what those features should be.
It’s not even clear that barring default passwords like this would have staved off the Mirai attack, according to security researcher Robert Graham, a prominent critic of the California law. “A device doesn’t have a single password, but many things that may or may not be called passwords” that could have allowed attackers another way in, he wrote on the blog Errata Security. And any of these other authentication systems could have an issue. “Most of the devices vulnerable to Mirai did the right thing on the web interfaces (meeting the language of this law) requiring the user to create new passwords before operating. They just did the wrong thing elsewhere.”
Graham insisted that the law is backwards looking, and offered a different suggestion: Preventing connected devices from interacting or potentially infecting each other. “Forward looking, by far the most important thing that will protect IoT in the future is ‘isolation’ mode on the WiFi access-point that prevents devices from talking to each other (or infecting each other). This prevents ‘cross site’ attacks in the home. It prevents infected laptops/desktops (which are much more under threat than IoT) from spreading to IoT.” But he’s skeptical lawmakers will actually take action. Lawmakers, he said, “don’t think in terms of what will lead to the most protection, they think in terms of who can be blamed. Blaming IoT devices for moral weakness of not doing ‘reasonable’ things is satisfying, regardless if it’s effective.”
Still, the rudimentary fix is likely to usher in changes across the IoT industry, Schneier said. “If you buy an Internet connected toaster, the model has to have a no-default password to be sold in California. The manufacturer won’t make another that has bad security to sell elsewhere,” he told me. “For software it’s ‘write once, sell everywhere.’”
The passage of the California law also represents another area of technology policy where the state is moving faster than the rest of the country — and Congress. In the wake of the Mirai attack, Sens. Mark R. Warner (D-Va.) and Cory Gardner (R-Colo.) floated legislation that would apply more rigorous standards to companies that supply connected devices to the federal government. Their bill, the Internet of Things Cybersecurity Improvement Act, includes a provision that would ban weak default passwords, as well as language that would require that their connected devices are patchable and are otherwise free of known security vulnerabilities. But after more than a year, the legislation hasn’t gained traction in the Senate.
PINGED, PATCHED, PWNED
PINGED: Longtime Republican activist Peter W. Smith secretly raised at least $100,000 from donors in attempts to get a hold of emails he believed hackers stole from Hillary Clinton ahead of the 2016 presidential election, the Wall Street Journal’s Byron Tau, Dustin Volz and Shelby Holliday report.
Smith “sought and collected the funds from at least four wealthy donors as part of the plan to obtain Clinton’s stolen emails from hackers just weeks before election day in 2016,” they wrote, citing documents and people familiar with the matter. The donations were made to a “scholarship fund” for “Russian students,” but referenced in an email titled “Wire Instructions—Clinton Email Reconnaissance Initiative,” according to the Journal. Smith reportedly took great steps to keep the work secret, using encrypted hard drives and a dummy email account with the alias “Robert Tyler” to communicate with the donors. He was found dead in a Minnesota hotel room shortly after talking with the Journal in May 2017. Authorities said his death was a suicide.
Smith’s work has drawn “intense interest to federal investigators” from special counsel Robert S. Mueller III’s team, according to the Journal, which reported that his estate has given documents to Mueller’s team and that his associates have been interviewed by investigators or summoned before a grand jury as recently as this summer.
PATCHED: Defense Secretary Jim Mattis is considering tapping Chris Inglis, a widely respected intelligence professional, to lead the National Security Agency if he decides to separate its leadership from the Pentagon’s cyber forces, my colleague Ellen Nakashima reports.
But there’s still some tension over whether the NSA and U.S. Cyber Command should split. “The current head of both organizations, Gen. Paul Nakasone, has urged Mattis to keep the NSA and U.S. Cyber Command under one leader on the grounds that the nine-year-old military organization is not ready to stand on its own, these people said,” Ellen writes. “In recent weeks, Mattis was close to a decision to separate the leadership arrangement, but Nakasone’s counsel has caused him to reconsider, according to two U.S. officials.”
Inglis served as deputy NSA director from 2006 to 2014, and has held a series of leadership and operational posts in nearly three decades at the spy service. He also has fans among the top ranks of the intelligence and defense communities, Ellen reports. “If they’re going to civilianize the NSA director’s position, he would be my number-one choice,” Michael Hayden, who led the NSA from 1999 to 2005 as an Air Force general, told my colleague.
PWNED: The Department of Homeland Security and British cybersecurity authorities on Friday said they had “no reason to doubt” statements from Amazon and Apple rebuking last week’s explosive Bloomberg Businessweek story that reported China had installed surveillance chips in hardware used by the companies.
“We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple,” the U.K. National Cyber Security Centre said. “The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story,” read a statement from DHS headquarters.
Bloomberg’s story, which cited more than a dozen unnamed investigators and corporate sources, said Chinese spies implanted the chip in servers during the manufacturing process and that U.S. law enforcement had helped Apple and Amazon investigate the matter. Both companies vigorously denied the report, calling it “inaccurate,” “erroneous” and “untrue.”
— Cybersecurity experts are questioning White House claims that China is interfering in the upcoming midterms, Politico’s Christian Vasquez reports. “China watchers have not seen any effort from Beijing to execute a disinformation campaign or propaganda effort to tilt the midterm elections one way or the other,” Vasquez writes. “Plenty of evidence exists, of course, that Chinese hackers have infiltrated U.S. businesses and international human rights groups and are continuing to carry out operations to steal American intellectual property. But the cyber researchers say there’s no sign yet that its hackers have turned their attention on the U.S. political process in any kind of concerted campaign to undermine Trump.” Ron Bushar, chief technology officer of the cybersecurity firm FireEye, told Politico: “I’m not aware of anything credible that ties directly to any targeting from China to election influence.”
— “A top Homeland Security Investigations official has told a federal court that it remains the agency’s policy that officers can install a GPS tracking device on cars entering the United States ‘without a warrant or individualized suspicion’ for up to 48 hours,” Ars Technica’s Cyrus Farivar reports. “There is no such time limit, HSI Assistant Director Matthew C. Allen also told the court, for putting such trackers on ‘airplane, commercial vehicles, and semi-tractor trailers, which has a significantly reduced expectation of privacy in the location of their vehicles.’” Legal experts told Farivar that the assertion could clash with the Supreme Court’s 2012 ruling in United States v. Jones, in which the justices unanimously ruled that law enforcement officers typically need a warrant to track people using GPS devices.
— “Google chief executive Sundar Pichai quietly paid the Pentagon a visit during his trip to Washington last week, seeking to smooth over tensions roughly four months after employee outrage prompted the tech giant to sever a defense contract to analyze drone video, according to two people familiar with the meeting,” my colleagues Tony Romm and Drew Harwell report. “Google had worked with the Defense Department to develop Project Maven, which uses AI to automatically tag cars, buildings and other objects in videos recorded by drones flying over conflict zones. But in June, the tech giant said it would not renew its contract following an uprising from employees, who criticized the work as helping the military track and kill with greater efficiency.”
— “Apple’s top security officer told Congress on Sunday that it had found no sign of suspicious transmissions or other evidence that it had been penetrated in a sophisticated attack on its supply chain,” Joseph Menn of Reuters reports. “Apple Vice President for Information Security George Stathakopoulos wrote in a letter to the Senate and House commerce committees that the company had repeatedly investigated and found no evidence for the main points” in Bloomberg’s explosive story on the matter.
— More cybersecurity news from the private sector:
Amazon.com said it has terminated an employee responsible for an incident in which a third-party seller on the tech giant’s website got access to email addresses of some Amazon customers. (Wall Street Journal)
THE NEW WILD WEST
— British defense chiefs “have war-gamed a massive cyber-strike to black out Moscow if Vladimir Putin launches a military attack on the West, after concluding that the only other way of hitting back would be to use nuclear weapons,” the Sunday Times reports. The exercise is part of an effort to develop a broader set of possible responses to Russian military aggression, according to the Times.
Yes, this is a thing that actually happened:
2009: FBI director Robert Mueller disclosed that his wife banned him from banking online, after he nearly fell for an email phishing scam. pic.twitter.com/atDxM56BMD
— Today In Infosec (@todayininfosec) October 7, 2018