European Commission releases new IoT device security bill – interested parties have a week to comment

Infosec professionals and other tech-savvy people have just under a week to comment on EU plans to introduce new regulations forcing makers of consumer IoT devices to address online security, data protection, privacy and fraud prevention issues.

Draft regulations applying to “internet-connected radio equipment and portable radio equipment” are open for public comment until August 27 – and the resulting laws will apply across the bloc from the end of this year, according to the European Commission.

Seen as contributing to the security of Internet of Things devices, the new regulations will also apply to other Internet-connected gadgets in use today, explicitly including “certain laptop computers” as well as “baby monitors, smart cameras, and a number of other radio equipment”, “dongles, alarm systems, home automation systems” and more.

“The main objective of this initiative is to contribute to strengthening the ‘trust ecosystem’ which derives from the synergies of all EU legislation relating to the protection of networks, privacy and against fraud”, states the explanatory note on the draft EU regulation, a summary of which can be downloaded via the link above.

“This initiative should then only allow sufficiently secure radio equipment on the EU market.”

The Dutch association FME has previously raised public concerns about the scope of the EU plans, referring in particular to the “feasibility of post-market cybersecurity liability”.

The trade association said: “If there is a low-risk exploitable vulnerability, at what level can the manufacturer not release, or delay, a patch, and what documentation is required to demonstrate that this risk assessment has been conducted with the result of a very low-risk vulnerability?”

While there are certainly holes to be found in the proposed regulations, cheap and cheerful internet-connected devices pose a real risk to the wider internet because of the ease with which they can be hijacked by criminals.

The regulations proposed by the EU are similar to those proposed in the UK to strengthen IoT security; rules that were also recently expanded to cover cellphones and tablets. Previously, the legislation had been sold as a way to secure IoT devices that were otherwise painfully insecure; the National Cyber Security Centre, an offshoot of GCHQ and one of the main backers of the Secured by Design initiative, may have had the Mirai botnet in mind.

Jason Soroko, CTO of identity management company Sectigo, told The Register in an interview about botnets and router security that the poor security of these devices stems from industry design choices intended to make deployment, use and configuration easier: “If you and I, right now, had to investigate the five main [routers], would we find a huge difference in the way they are constructed? Would we find open Telnet ports? I bet we would. Would we find weak-credential, form-factor vulnerabilities in PHP web interface code?”

Soroko thought the answer was obvious. Some router manufacturers have learned the hard way that end-of-life equipment that contains insecurities can impact reputation as well as security. That said, it may be unreasonable to expect kit makers to continue to provide software fixes for years after they stop shipping a device. Consumers can’t rely on news outlets that shame manufacturers of Internet-connected goods into offering better security; new laws are the inevitable next step, and they are being pushed more and more on both sides of the Atlantic.

Devices being banned from sale in the EU for security and data protection reasons is nothing new. In 2017, the German telecommunications regulator banned the sale of smartwatches for children that allowed users to secretly listen in on nearby conversations, and later that year the French data protection agency issued a formal notice to a company selling allegedly insecure Bluetooth-enabled toys – Genesis Toys’ My Friend Cayla doll and i-Que robot – as the doll could be misused to spy on children. Manufacturers are also required to comply with the GDPR. However, the new bill is proof that some loopholes may soon begin to close. ®

Aurora J. William