EU Cyber Resilience Act: will the Hackable Home finally be secured?
The European Commission has finally released its proposal for a Cyber Resilience Act aimed at securing the vast system of internet-connected products, including consumer IoT.
Euroconsumers, together with BEUC, have repeatedly called for urgent action to close the security gap and mitigate security risks consumers are exposed to on a daily basis through their internet-connected devices, most of which lack even the most rudimentary security features.
Hackable Homes: lack of digital security revealed in consumer IoT
Euroconsumers’ Hackable Home project has shown the scale of the security challenge consumers face in their homes. Ethical hackers identified no less than 54 vulnerabilities across 16 connected devices such as doorbells, locks, baby monitors, robot vacuum cleaners, WiFi routers and alarm systems, and 62% showed critical or high-severity security flaws.
Although such flaws were most often found in inexpensive devices from unknown brands, well-known manufacturers are not off the hook: their devices were found to be just as vulnerable.
The testing found that these vulnerabilities could leave people open to the theft and abuse of personal data. The testers also found ways to chain multiple connected devices together to carry out large-scale distributed attacks, showing how far the reach of insecure IoT extends.
The Hackable Home project featured in the World Economic Forum’s work on cybersecurity, and earlier this year Euroconsumers lent its support to a joint global call from WEF and Consumers International for a worldwide commitment to basic security standards for consumer IoT.
The proposed standards in the EU Cyber Resilience Act will go much further than basic security measures and could set a high bar that will help raise standards across the world.
Will the Cyber Resilience Act see the end of the Hackable Home?
The goal of the long-overdue Cyber Resilience Act is to secure the entire IoT ecosystem, including consumer IoT, against individual hacks and data loss, and to stop products from being a gateway to wider network disruption.
The Act will introduce mandatory cybersecurity requirements for consumer and industrial connected products throughout their lifecycle. Proposed measures include a framework of cybersecurity requirements that stretches right across the value chain of a connected device, from planning and design through development, maintenance and ongoing support. Companies will also be required to report a hacking incident to the European Union Agency for Cybersecurity (ENISA) within 24 hours.
Tough cybersecurity rules for high-risk products
Rules and sanctions will depend on which category the product falls under, based on what the Commission considers high, medium or low risk. Around 10% of products are classed as either ‘critical’ or ‘most critical’.
Products seen to pose a lower risk, such as VPNs or remote-access software, can show they meet the requirements either through voluntary third-party assessment or through a declaration of conformity.
Products classed as ‘most critical’, such as routers and modems used in industrial settings, will be subject to mandatory external third-party assessment. For the more critical products, non-compliance could lead to fines of up to €15 million or 2.5 percent of worldwide annual turnover, whichever is higher.
The proposal also leaves open the option of withdrawing from the EU market, or recalling, high-risk products which fail to meet the security requirements.
Smart home IoT excluded from the most stringent rules
The remaining 90% of products are seen as lower risk and will have to comply with basic mandatory security requirements so that they are cyber secure by design and by default. These criteria include things like encryption, software updates and strong authentication.
Almost all consumer IoT, such as printers, fridges and TVs, will fall into this category. Manufacturers of these products will not be subject to external assessment but will be able to self-assess their compliance with the requirements.
The Act marks a significant move away from relying on consumers to adjust their settings or regularly reset passwords and shifts the focus of obligations towards manufacturers throughout the supply chain.
However, just like BEUC, Euroconsumers’ architect of the Hackable Home project, Maarten De Backer, sees ample room for improvement:
“The omission of certain consumer IoT systems from the high-risk categories means that, for example, a smart home security system or a smart watch for children which could be very harmful if hacked would not be subject to independent assessment.”
Consumer IoT should be secure for its real lifespan
Other gaps in the proposal come about because of a limited definition of the lifespan of a product. The Act proposes a ‘duty of care’ on manufacturers to monitor and address any vulnerabilities for the ‘expected product lifetime’, which the proposal caps at five years.
“Consumers who invest in expensive smart home energy networks or security systems would expect to be using them for longer than five years. The duty of care should reflect this reality, and software updates should be available all through the real lifespan. Without this, consumers risk being left with unsupported and insecure devices”, says Euroconsumers’ Maarten De Backer.
Finally, as ever, obtaining proper redress and compensation should be made much easier for consumers who are harmed because a product did not meet the cybersecurity requirements.
We know that enforcement of digital rules can be tough. Easy and more effective redress mechanisms will help secure both the IoT ecosystem and the trust of consumers.
Cyber Resilience Act: a strong proposal for an insecure system
Overall, the opening proposal is a welcome and vital step in securing the network and securing consumer trust in digital connected products. However, the proposal needs to be improved to ensure a high level of security of all connected consumer products. Euroconsumers is ready to channel its expertise in security testing and consumer knowledge from our national organizations to support the development of world-leading cyber legislation.
We’d also want to see the highest standards followed by manufacturers wherever they are in the world, and for other parts of the consumer marketplace to play their part, for example, online marketplace platforms taking responsibility for detecting and monitoring insecure and dangerous devices.
All these things will provide important incentives to deliver the innovative, long term device security which consumers deserve.