Blog: Internet Of Things
EU Cybersecurity Act IoT FAIL
The EU recently announced that its plans for a Cybersecurity Act had been backed by industry committee MEPs.
This was a significant opportunity for consumer IoT security to be regulated and resolve the current mess.
Sadly, they’ve stopped short and made the code voluntary for all but certain devices such as those involved in critical national infrastructure.
Yet again, regulators have missed the point. Nothing will change.
To quote @Stormwind_34C3:
Good news! From now on, cars manufacturers can voluntarily fit their newly delivered cars with seatbelts. Maybe. If the budget allows.
So what is the point?
IoT vendors don’t understand security. It doesn’t feature in their plans. If it does feature, it’s the first cost to be cut when product development gets behind schedule and budget.
All too often they believe that the Original Device Manufacturer (ODM) deals with security, or assume that their app developers or cloud service providers are dealing with it.
Our blog is littered with IoT product security fails, resulting in exposure of users personal data, exposure of children’s audio and video and much worse.
There is plenty of advice and guidance out there already for an IoT vendor that wants to do security (e.g. IoTSF, DCMS, GSMA etc). We don’t need the EU publishing yet more.
The issue is about forcing change, as the IoT industry is not improving security by itself.
Consumers do not know how to distinguish between secure and insecure IoT, so market forces will not drive the required change.
Regulation and/or certification is therefore the only solution.
What’s the worst that could happen?
These guidelines won’t prevent Mirai. They won’t prevent hijacking of smart thermostats or solar panel invertors and overloading of the power grid. They won’t prevent kids toys from leaking childrens data. They won’t prevent mass theft of data.
Only an enforced standard will drive change.
EU you’ve let us all down. Here’s some background reading for you, so you understand why regulation is so important: https://www.pentestpartners.com/security-blog/why-is-consumer-iot-insecure/