If you’re one of the AV manufacturers that isn’t ramping up its development team to meet the known, immediate needs of 2020, let me be the first to say that there is no time to waste.
In 2018, manufacturers had to take on the challenges of managing data capture and privacy. Thankfully, this led to significant developments in how audiovisual manufacturers support the deployment of network-connected devices.
While the industry is still adapting to recent regulatory changes and still has the daily operations challenges of 2019, there’s a new challenge that’s awaiting once we hit 2020 – and it revolves around passwords.
What a California Law Means To The Whole Industry
Back in 2018, the California state legislature passed SB-327. In summary, the bill requires that the manufacturers of connected devices provide appropriate security measures for any connected device they make.
Per the law, a connected device is defined as “any device…that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”
The pending law stipulates that if the devices are “equipped with a means for authentication outside a local area network,” each device must have a unique preprogrammed password, or the device is required to have a feature forcing the “user to generate a new means of authentication before access is granted to the device for the first time.”
So what does this mean for AV manufacturers?
If you make a device that connects to a network and is able, either directly or indirectly, to connect to the Internet via an IP or Bluetooth address, you will no longer be allowed to ship the device with preprogrammed passwords like “admin,” “password,” or “12345,” unless the firmware and software are updated so that the device prompts the user or contractor to change the default password before configuring any settings on the device.
Alternatively, manufacturers could take the other secure option in the law by providing unique passwords for each device that’s shipped.
There are some consultants and integrators that have requested this kind of security feature and offered the solution of using a device’s MAC address as the default password.
The implications for large deployments are plain to see.
Simplicity for Integrators
By using a default password for all devices, setup becomes simpler for integrators.
It’s a known entity, and for simpler devices with no global management software suite, just about any level of installer can log on and set up the basic configuration of the devices while only needing to know that “admin” is the user name and password.
While the law is rather straightforward, there is nothing in the language that states that an integrator or end user cannot change the default password from something unique to something common, and potentially something that could easily be guessed.
Additionally, there is nothing in the law that talks about devices being accessed by a global management suite with a single common password. So, there are exceptions that have to be examined.
Ultimately, to do business in California in 2020, AV manufacturers should ensure that any device being specified, sold, or installed that can be connected to a network is compliant with this change in the law. It will be inconvenient for the installation of the devices, but compliance will be paramount to avoiding potential damages