EU will force IoT and wireless device makers to improve security


The European Union is set to impose more requirements on manufacturers to design greater security in their wireless devices and the Internet of Things (IoT).

In an amendment to the 2014 EU Radio Equipment Directive (RED), the European Commission noted that as wireless devices, from cellphones to fitness trackers to smartwatches, increasingly become part of the daily life of consumers and businesses, they also become a greater security risk.

The aim of the amendment – called a ‘delegated act’ – is to ensure that all wireless devices are safe before they are sold in the EU. Manufacturers will be required to adhere to new cybersecurity measures when designing and producing these products. In addition, the amendment will also ensure greater confidentiality of personal data, prevent financial fraud and improve the resilience of European communications networks, according to EU officials.

“Cyber threats are evolving rapidly,” said Thierry Breton, Internal Market Commissioner, in a statement. “They are more and more complex and adaptable. With the requirements that we are introducing today, we will significantly improve the security of a wide range of products and strengthen our resilience against cyber threats, in line with our digital ambitions in Europe.”

The United States has made progress on IoT security at the federal level; it remains to be seen whether the EU’s initiative will spur the US to do more or result in an overall improvement in device safety.

Common EU security standards

It is also part of a larger EU effort to create a comprehensive set of common cybersecurity standards for products and services entering the European market, Breton said.

That said, it will take some time for the market to see the results of the amendment, which was announced in late October. It will need to be approved by the European Council and the European Parliament, and will then be subject to a two-month review period. Once in place, manufacturers will have 30 months to start complying with the new legal requirements, giving them until mid-2024 to bring devices into compliance.

The amendment responds to lingering security concerns at a time when the use of wireless devices and the IoT market continue to grow strongly. According to market research firm IoT Analytics, global business spending on IoT – which includes tens of billions of smart and connected devices, from small sensors to large factory systems – is expected to reach $159.8 billion this year, an increase of 24% year-on-year. In the coming years, it will increase by more than 26% per year, analysts say.

Growth of the IoT market

Additionally, IDC analysts wrote in July that second-quarter smartphone shipments increased by 13.2 percent over the same period in 2020, with 313.2 million devices shipped.

The adoption of 5G will bring new capabilities to mobile and IoT devices, further driving device growth and raising new security concerns (see 5G Cyber Security Risks – And How To Control Them).

Neglected IoT security

Many security experts worry that device makers are more concerned with device functionality than security. EU officials noted in a statement that the COVID-19 pandemic has increased the use of wireless devices for work and personal use, and that European Commission studies have found “a growing number of wireless devices that pose cybersecurity risks. Such studies have, for example, pointed out the risk of toys which spy on children’s actions or conversations; unencrypted personal data stored on our devices, including payment-related data, easily accessible; and even equipment that can abuse network resources and thus reduce their capacity.”

None of this surprises John Bambenek, senior threat hunter at cybersecurity provider Netenrich.

“Many IoT device manufacturers don’t have IT or systems hardening backgrounds,” Bambenek told eSecurity Planet. “The result has been devices with insignificant vulnerabilities or flaws that have been fixed for a decade or more in mainstream computing. This problem is compounded by the fact that these devices act in the physical world, so the risks may be deeper.”

Also read: IoT devices are a huge risk for businesses

Device maintenance still required

Bud Broomhead, CEO of IoT security provider Viakoo, told eSecurity Planet that while the EU initiative will ensure improvements in the initial security of a device, users will need to continue to maintain systems over time.

“It’s never over,” Broomhead said. “New vulnerabilities are created by cybercriminals every day, leading to the installation of many IoT devices with outdated firmware and other exploitable vulnerabilities.”

He pointed to a FireEye study showing that exploits overtook phishing attacks as the number one threat to organizations. In view of this, it is increasingly important to design improved resiliency in devices, Broomhead said.

Manufacturers should see requirements like the EU’s RED Amendment as an opportunity – rather than a burden – to incorporate more cybersecurity features. Bambenek agreed.

“Security has always been a cost for any product or technology,” he said. “Decades ago we accepted the economic concept of outsourcing – dumping costs onto third parties to maximize profits – and now we have to accept risk outsourcing. Hacking these devices will not cause any harm to the manufacturer, although they are in the best position to fix it.”

The EU amendment applies to many devices

The new requirements in Europe will affect a wide range of wireless devices, including cell phones, tablets and other products that communicate over the Internet, such as baby monitors, and wearable equipment such as smart watches and fitness trackers. The devices will need to include features to ensure the protection of communication networks and to ensure that the devices cannot be used to disrupt websites or similar services.

In addition, device manufacturers will need to ensure that features are built in to protect personal data, and protecting children’s rights will be a key part of the legislation. Other features that will need to be implemented should minimize the risk of fraud related to electronic payments, such as better control of authentication.

The amendment dovetails with the EU Cyber Resilience Act, recently announced by European Commission President Ursula von der Leyen, which would cover more products.

Bambenek and Broomhead both said that the device’s fast, automated firmware update should be required and that default or easy-to-guess passwords should be eliminated. Bambenek also said that insecure remote access should not be allowed and that there should be highly controlled restrictions on third-party applications. Access to user data must also be controlled and audited. Broomhead said devices should be part of a zero trust model and that a means of deploying and managing certificates should be used to authenticate the identity of the device.
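The recommendations above read like a pre-shipment checklist, so here is one way a manufacturer could encode them as an automated conformance check. This is an added illustration, not code from the article, from eSecurity Planet or from any EU conformance tooling; the `DeviceConfig` structure, the list of known default passwords and the check thresholds are assumptions constructed for the example.

```python
"""Pre-shipment conformance check for an IoT device configuration.

Hypothetical example code. The configuration format and the individual checks
are assumptions modelled on the recommendations quoted in the article: no
default or easily guessed passwords, automatic firmware updates, no insecure
remote access, controlled third-party applications, audited access to user
data, and certificate-based device identity.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of credentials commonly shipped as factory defaults
# (illustrative only, not a reference list).
KNOWN_DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345", "123456", "root", "default"}

# Remote-access protocols that carry credentials or commands without encryption.
INSECURE_REMOTE_PROTOCOLS = {"telnet", "http", "ftp"}


@dataclass
class DeviceConfig:
    """Assumed shape of a device's shipping configuration (hypothetical)."""
    admin_password: str
    auto_firmware_update: bool
    remote_access_protocols: list[str]   # e.g. ["ssh", "telnet"]
    data_access_audit_log: bool
    device_certificate_present: bool     # X.509 identity cert provisioned
    third_party_apps_allowed: bool
    third_party_app_signing_required: bool


def is_guessable_password(pw: str) -> bool:
    """True if the password is a known default or too weak to resist guessing.

    Policy (an assumption for this example): reject known defaults, anything
    shorter than 12 characters, and anything drawing on fewer than three of
    the four character classes.
    """
    if pw.lower() in KNOWN_DEFAULT_PASSWORDS:
        return True
    if len(pw) < 12:
        return True
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return classes < 3


def check_device(cfg: DeviceConfig) -> list[str]:
    """Return a list of findings; an empty list means the config passes every check."""
    findings: list[str] = []
    if is_guessable_password(cfg.admin_password):
        findings.append("default or easily guessable administrator password")
    if not cfg.auto_firmware_update:
        findings.append("automatic firmware updates disabled")
    insecure = sorted({p.lower() for p in cfg.remote_access_protocols} & INSECURE_REMOTE_PROTOCOLS)
    if insecure:
        findings.append("insecure remote access enabled: " + ", ".join(insecure))
    if cfg.third_party_apps_allowed and not cfg.third_party_app_signing_required:
        findings.append("third-party applications allowed without a signing requirement")
    if not cfg.data_access_audit_log:
        findings.append("access to user data is not audited")
    if not cfg.device_certificate_present:
        findings.append("no device certificate provisioned for identity authentication")
    return findings


if __name__ == "__main__":
    # Constructed sample configurations: one that should pass, one that should not.
    compliant = DeviceConfig("Tr0ub4dor&Horse-Staple", True, ["ssh"], True, True, False, False)
    legacy = DeviceConfig("admin", False, ["telnet", "ssh"], False, False, True, False)
    for name, cfg in (("compliant", compliant), ("legacy", legacy)):
        result = check_device(cfg)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

A check like this only covers the shipping configuration; as Broomhead notes above, keeping the device secure after sale still depends on the update channel and on the operator continuing to maintain it.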

He also said that cyberthreats and the use of IoT devices are global issues and that global collaboration and best practice sharing is needed to defend against bad actors. Bambenek added that the United States would do well to learn from what European lawmakers are doing.

“The EU has always had a stronger view of privacy than the US,” he said. “Many of our technology leaders have openly stated that there should be no right to privacy. The United States needs to relearn the economic lessons of 100 years ago when it came to letting companies pass their costs onto society.”

Further reading: Mobile malware: threats and solutions
