Comments

schwit January 9, 2026 9:50 AM

Doesn’t this say that Palo Alto has a much bigger problem? They don’t audit their systems.

Clive Robinson January 9, 2026 9:58 AM

Hi Tech frat attack?

It’s an interesting attack method, but the messages left suggest it was “fratish political behaviour”.

From a security aspect “yes the passwords were not changed” but less obvious was the fact that the signals were mixed mode, with the majority being older and centrally controlled/updated with these new signals being locally updated by common Bluetooth.

It’s this sort of change that causes a lot of security vulnerabilities to be exploitable in “new” whereas it was not possible in “old”.

Some might call this “Crack by feature creep” where a supplier changes functionality significantly because a “new SoC chip” they’ve moved to allows “Marketing creep”.

Rontea January 9, 2026 12:39 PM

This incident is a textbook example of the risks inherent in leaving default passwords unchanged. When manufacturers ship devices with factory-set credentials, they create a single point of failure across every installation. Attackers know this and routinely scan for such systems, exploiting them with minimal effort. Security through obscurity—assuming no one will notice or care—isn’t security at all. The fact that critical infrastructure like crosswalk signals was compromised shows how our digital vulnerabilities can manifest in the physical world. Strong, unique passwords and regular audits must be the baseline, not an afterthought.
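The audit the comment above calls for can be mechanised. The following is an added example, not code from the blog or from any vendor mentioned in the thread: it runs over a constructed export of the credentials an operator has provisioned on its devices (for instance from a configuration-management vault) and flags three of the failure modes described, a factory default still in place, one credential shared across several installations (the "single point of failure" problem), and a password below a minimum length. The vendor default list, device names and passwords are all constructed; the report labels passwords by a short hash so the findings can be filed without echoing the secrets.

```python
"""Default-credential and reuse audit over a device credential export.

Added example, not part of the original comment thread. Assumes the operator
can export the passwords its devices are provisioned with; every device id,
password and vendor default below is constructed for the demo.
"""
import hashlib
from collections import defaultdict

# Hypothetical factory-default credentials for the device class being audited.
VENDOR_DEFAULTS = {"1234", "admin", "password"}

# Policy floor for password length (an assumption for the demo, not a standard).
MIN_LENGTH = 12

# Constructed credential export: one entry per installed device.
INVENTORY = [
    {"id": "xwalk-01", "password": "1234"},
    {"id": "xwalk-02", "password": "1234"},
    {"id": "xwalk-03", "password": "Sunny-Corner-8842"},
    {"id": "xwalk-04", "password": "Sunny-Corner-8842"},
    {"id": "xwalk-05", "password": "short7"},
    {"id": "xwalk-06", "password": "c0rrect-horse-battery-staple-42"},
]


def fingerprint(password: str) -> str:
    """Short, non-reversible label for a password so reports never echo it."""
    return hashlib.sha256(password.encode()).hexdigest()[:8]


def audit(inventory, defaults=VENDOR_DEFAULTS, min_length=MIN_LENGTH):
    """Return {device_id: [finding, ...]} for every device with a problem.

    Devices with no finding are absent from the result, so an empty dict
    means the inventory passed.
    """
    findings = defaultdict(list)
    by_password = defaultdict(list)  # password -> ids using it (reuse check)
    for dev in inventory:
        pw = dev["password"]
        by_password[pw].append(dev["id"])
        if pw in defaults:
            findings[dev["id"]].append("factory-default credential")
        if len(pw) < min_length:
            findings[dev["id"]].append(f"password shorter than {min_length} chars")
    # A password seen on more than one device is a shared credential: one
    # leak or one guess compromises every installation using it.
    for pw, ids in by_password.items():
        if len(ids) > 1:
            for dev_id in ids:
                others = sorted(set(ids) - {dev_id})
                findings[dev_id].append(
                    f"credential {fingerprint(pw)} shared with {', '.join(others)}"
                )
    return dict(findings)


def report(findings):
    """Flatten the findings into sorted 'device: finding' lines for a ticket."""
    return [f"{dev_id}: {f}" for dev_id in sorted(findings) for f in findings[dev_id]]


if __name__ == "__main__":
    for line in report(audit(INVENTORY)):
        print(line)
```

Run as a script it lists five devices with findings and stays silent about `xwalk-06`, the only one with a unique, non-default, long enough credential. The reuse check needs the plaintext export; if all that is available is per-device salted hashes, only the default-credential check can be done, by re-hashing each candidate default with that device's salt.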

Ray Dillinger January 11, 2026 1:14 PM

(Disclaimer: Don’t mistake me for a lawyer, nor mistake this for legal advice; I’m just somebody who has an opinion about what the law probably means and what issues would probably come up in fights about it.

Claimer: It’s a pretty strong opinion from somebody who’s worked with several companies while they were having legal fights about their own security-affecting issues, so I’m pretty confident about it. )

The California law bans default passwords in devices that are sold or offered for sale in California. Which is realistically the maximum they can require for individuals and private businesses operated in California.

The problem is that it is not clear that these particular devices were sold or offered for sale in California. Polara, who sold them, is a company headquartered in Greenville, TX, and California cannot make a law that bans default passwords in devices sold or offered for sale in Texas.

They could fight about it and claim that the devices were sold or offered for sale in California, but unless Polara actually initiated the interaction, Polara could fall back on the Interstate Commerce Clause as a strong defense.

California might be able to make a law banning the installation of such devices in any “infrastructure” context meaning any context that violates the safety of California citizens, but then they’d have to fight about it in court every time. Suppliers can claim that’s not what they sold it for, installers can claim it wasn’t an “infrastructure” context, and as soon as the state lost even one case they’d be in another fight about overreach and undue restrictions on interstate commerce and whether the state is even allowed to keep such a law on the books.

What California could do, and IMO should, would be to specifically prohibit any department or subdivision of state, county, or municipal government within California from buying or operating such devices, and to obligate them to require explicit contractual obligations to that effect from any and all suppliers and subcontractors selling to or working for them.

Because that would be a “regulation” meaning the government regulating how it does its own business, and not a “law” meaning the government placing requirements on how private entities do their business, I’m pretty sure that amended law would hold up in court where a more general ban probably would not.

Menlo Park is apparently big mad about this whole deal because the crosswalks were owned and operated by the California DOT and the DOT’s security failure impacts Menlo Park’s public image. They are quick to point out that crosswalk signals actually operated by the city have never (yet) been hacked.

The fact that they are even claiming to give a damn is, IMO, some evidence of progress. They understand that something bad happened, that it is blameworthy, and that they might be blamed. That may be the only effect of the anti-default-password law on this situation.

Sometimes the only weapon you have in a fight for progress is a blamethrower.

stubble January 11, 2026 4:31 PM

Dark Helmet: So the combination is… one, two, three, four, five? That’s the stupidest combination I’ve ever heard in my life! That’s the kind of thing an idiot would have on his luggage!
