
Passwords ‘Admin’ and ‘Password’ are against the law in this state

Our love for “Internet of Things” (IoT) gadgets continues to grow. Smart thermostats, smart routers, smart coffee pots, smart appliances, smart lights, smart TVs and more smart gadgets are becoming more numerous and less expensive. They’re poised to take over the market and your home.

Connected smart appliances can definitely make life more convenient, but here’s the problem. Regular consumers typically assume that they are merely plug-and-play appliances.

Usually, we set them and forget them, not even bothering to check their interfaces or change the default username and password.

And scarier still, for many manufacturers, the security of these gadgets is still an afterthought.

However, massive cyberattacks, such as the Dyn DDoS attack that used a botnet of compromised connected gadgets to shut down huge portions of the internet, have changed the game for consumers and manufacturers alike. As more and more people jump on the smart home bandwagon, this is a serious security issue that needs to be addressed.

Thankfully, the government is starting to notice. One state, in particular, is taking a big step in ensuring that these connected devices are more secure than ever.

New California bill will outlaw default passwords

The state of California just passed a law that requires manufacturers of internet-connected consumer devices such as routers and smart appliances to have unique passwords out of the box. This means it will be illegal in the state to have pre-configured usernames and passwords such as “Admin” and “Password” in the near future.

Another option for manufacturers is to program their gadgets to have a security feature that requires the user to change the default username and password before they can use it for the first time.
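One way a device could enforce that second option, shown as an added example (not code from the bill or from any manufacturer). The class name, the banned-password list and the minimum length are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed deny-list and length floor: assumptions, not values from SB-327.
BANNED = {"admin", "password", "default", "12345678"}
MIN_LENGTH = 10

class DeviceAuth:
    """Hypothetical firmware login gate: nothing is served until setup is done."""

    def __init__(self, factory_user="admin", factory_password="password"):
        self.user = factory_user
        self.salt = os.urandom(16)
        self.digest = self._hash(factory_password)
        self.setup_complete = False  # real firmware would persist this flag

    def _hash(self, password):
        # Salted PBKDF2 so the stored credential is never plaintext.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _verify(self, user, password):
        user_ok = hmac.compare_digest(user.encode(), self.user.encode())
        pass_ok = hmac.compare_digest(self._hash(password), self.digest)
        return user_ok and pass_ok

    def change_password(self, user, old, new):
        """Replace the credential; returns (accepted, reason)."""
        if not self._verify(user, old):
            return False, "bad current credentials"
        if new.lower() in BANNED or new.lower() == user.lower():
            return False, "common or default value"
        if len(new) < MIN_LENGTH:
            return False, "too short"
        if self._verify(user, new):
            return False, "same as current password"
        self.salt = os.urandom(16)
        self.digest = self._hash(new)
        self.setup_complete = True
        return True, "ok"

    def handle_request(self, user, password, action):
        """Serve a feature only to a valid login on a device that finished setup."""
        if not self._verify(user, password):
            return "denied"
        if not self.setup_complete:
            return "setup_required"  # only change_password is reachable
        return f"served:{action}"
```

Until `change_password` succeeds, a correct login with the factory credentials gets only `setup_required`, so the shipped default never unlocks a device feature.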

The bill, called Information Privacy: Connected Devices (SB-327), was passed to the State Senate on Aug. 28 and was approved into law by Governor Jerry Brown on Sept. 28.

The changes won’t happen overnight, though. The law will take effect in California on January 1, 2020. This will give manufacturers and vendors enough time to make the change.

What’s covered?

Bill SB-327 defines a “Connected device” as any “physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”

This means all smart appliances, webcams, routers, streaming gadgets, smartphones, and computers are covered — essentially anything that can be connected to a network or the web. Affected entities include manufacturers and contractors who sell their connected gadgets in California.

“The lack of basic security features on internet-connected devices undermines the privacy and security of California’s consumers, and allows hackers to turn everyday consumer electronics against us,” said Hannah-Beth Jackson, the bill’s lead author. “SB 327 ensures that technology serves the people of California, and that security is not an afterthought but rather a key component of the design process.”

Got a smart device? Be smart about it

Since 2020 is still more than a year away, here are ways to protect yourself against these types of connected appliance attacks.

Manage it – Do yourself a favor: if you own a smart baby monitor, security camera, thermostat or video doorbell, immediately check its manual to see whether it has a web management interface. Most of the time, you can access this interface via a regular web browser, desktop software or an app.

Change password – Once in, please change the default password immediately to something strong and unique. This will immediately protect you from the simplest “scan and search” Internet-of-Things attacks out there. Note: If you don’t have the manual or the default password, do what many hackers do – Google it!

Connect to the internet only when needed – Another way to protect your smart gadget is by connecting it to the internet only when necessary. For example, baby monitors, thermostats and security cameras can still be used effectively within your home network, without exposing them to the public.

Avoid second-hand products – Also, beware of buying second-hand smart gadgets that may already have been compromised. If you do, reset it promptly to factory default then change its password.

Avoid unknown brands – And lastly, only buy from established and reputable brands. If a security camera is from an obscure Chinese company with no reputable online presence at all, please stay away from it. The prices of these off-brand gadgets may be lower, but most of the time, you do get what you pay for.

I’ve said before that a simple user password change prompt during the setup process of these appliances will be enough to prevent most of these attacks. I’m glad that lawmakers are finally doing something about it.
