Piotr Adamowicz

In California, It’ll Be Illegal to Make Routers With Weak Passwords

A new law covering a wide range of devices will take effect in less than 15 months.

Internet-connected devices like routers and smart-home gadgets are typically low-hanging fruit for hackers. That’s because most have simplistic security: every unit leaves the factory outfitted with the same password, or with no password at all.

A new California law would make it illegal to manufacture or sell internet-connected devices that aren’t equipped with a unique password, or a feature that forces the consumer to set a personal password when the device is first used. It will take effect on Jan. 1, 2020.

The range of devices that the law covers is incredibly broad: It’s any device that connects to the internet, directly or indirectly, and has an IP address or Bluetooth address.

The tactic that California is trying to employ could eventually lessen the severity of some of the most destructive cyberattacks. Unsecured routers and IoT devices are routinely accessed and controlled by hackers, who direct millions of compromised devices to ping a certain server and overwhelm it. This is called a distributed denial-of-service, or DDoS, attack, and it has brought down services like Amazon, Twitter, and Netflix.

In May, the US departments of Homeland Security and Commerce concluded that a US attempt to tackle those coordinating these networks of bots, called botnets, wouldn’t be enough to solve the problem, since the hardware being controlled and those controlling it come from all over the world. But for California, home to much of the US’ technology sector, this could be a first step to patching a common flaw in the technology.