EU puts smart device manufacturers on the hook for cyber security

The European Commission has revealed a Cyber Resilience Act that will require manufacturers of connected devices to secure them properly before shipping, disclose and fix flaws promptly, and guarantee fixes will flow for five years. "Computers, phones, household appliances, virtual assistance devices, cars, toys … each and …

  1. Anonymous Coward

    Does that include TeleScreens?

    The All4 app on my 'smart' TV stopped working because the All4 server's GeoLocation code doesn't believe my IP address is in the UK any more, and no-one is taking responsibility to fix it.

    1. Anonymous Coward

      Re: Does that include TeleScreens?

      Should've bought a dumb screen. The channel 4 website runs in a browser as do lots of "Fake my location" plug-ins.

      This is why we have to have laws to enforce security, because otherwise people just buy any old shit.

      1. Anonymous Coward

        Re: Does that include TeleScreens?

        But at least you might reasonably expect it to work for a TV genuinely located in the UK?

        1. Charlie Clark Silver badge

          Re: Does that include TeleScreens?

          You might, but how do you do the locating?

      2. vtcodger Silver badge

        Re: Does that include TeleScreens?

        I don't know about the UK, but in the US, I don't think there are any dumb TVs available that just tune and display channels. Haven't been for many years. Neither, apparently, can you roll your own using a monitor and a separate tuner with just a power button and a channel select switch. They don't seem to make the latter anymore.

        1. rcw88

          Re: Does that include TeleScreens?

          That would be called a set-top box, e.g. an Apple TV [or similar] or a Raspberry Pi equipped with TV headend and streaming over the network to a Kodi box. Both emit signals quite happily out of an HDMI port.

          The so-called smart TV Android functionality is bypassed by feeding everything into HDMI1, we haven't had a terrestrial TV aerial for six years, nor satellite.

      3. Alex Stuart

        Re: Does that include TeleScreens?

        In case you're not being sarcastic - it's impossible to buy a decent TV that isn't 'smart'.

        That said, power users can of course plug something decent in like a PC or console and not use any of the crappy apps. Mine isn't even on the LAN, and never will be.

    2. Richard Jones 1

      Re: Does that include TeleScreens?

      Sale of Goods act should apply, demand a replacement as not of sale quality and not fit for purpose.

      1. Andy The Hat Silver badge

        Re: Does that include TeleScreens?

        Is it the fault of the device or the app? I don't believe any smart TVs are guaranteed to run any particular catch-up or streaming service (except some specific instances like Netflix). Broadcasters can change their specific "technology" at any time and that may break delivery on a device, but it's not the fault of the manufacturer, who could not predict that change.

        Welcome to the world of "not me guv'" and guaranteed obsolescence.

        1. Anonymous Coward

          Re: Does that include TeleScreens?

          One would reasonably expect the All4 server process to do a Geolookup based on the static IP address it has from the client's connection.

          So it looks like it's likely to be the Geolookup mechanism - whether the server is calling some external API to a 3rd party or else duff static locally cached Geo data (or both).

        2. tip pc Silver badge

          Re: Does that include TeleScreens?

          My 2012 Panasonic plasma still hasn’t had any updates for years, yet YouTube and Netflix still work fine; it has iPlayer too, but I’ve not bothered checking that.

      2. jdiebdhidbsusbvwbsidnsoskebid Silver badge

        Re: Does that include TeleScreens?

        "Sale of Goods act should apply..."

        Replaced in 2015 by the Consumer Rights Act. Broadly similar in terms of your customer rights, but the question of quality and how long something should reasonably last for now also takes into account "many different factors like product type, brand reputation, price point and how it is advertised."

        Also "For example, bargain-bucket products won’t be held to as high standards as luxury goods."

        According to Which.

    3. Loyal Commenter Silver badge

      Re: Does that include TeleScreens?

      Just out of curiosity, you're not using a VPN are you? One with an endpoint in, say, not the UK?

    4. Sudosu Bronze badge

      Re: Does that include TeleScreens?

      So you will likely need to use a VPN to trick their servers into thinking that your TV, which is in the UK, is in the UK.

      I

    5. Marty McFly Silver badge
      Flame

      Re: Does that include TeleScreens?

      Good Lord! Just display HDMI1. That is all I want. Get rid of the smart TV garbage spyware. I absolutely refuse to agree to a EULA just to watch HDMI1!!!!

      Do people even realize what is going on? Brand new TV. Excited to watch it. First power-on they blindly hit the 'OK' button when EULA pops up. Next they connect to their Wifi. Now their viewing habits are being slurped by Big Data. Forever. And they willingly agreed to it.

      Absolutely not. No 'Smart' TVs on my network. Mac Minis drive all my TVs. No, not a perfect solution. But at least I have some measure of control over what is being reported.

  2. Potemkine! Silver badge

    Connected != Smart

    And it works also for Humans.

    == Bring us Dabbsy back! ==

  3. Andy 73 Silver badge

    I can understand...

    ..the desire to protect citizens, but who is going to want to launch a new tech product in Europe when the slightest mistake could result in a painful legal battle and fine?

    Startups will go to America where "move fast and break things" works. Products will be launched where early fixes and revisions are tolerated, and maybe taken to Europe a few years later. Maybe.

    1. Michael

      Re: I can understand...

      Mistakes are allowed. You just need to fix them and provide updates in a reasonable time period. No company that does this will have to worry. Those selling junk that is insecure and unmaintained will not be in business for long.

      Plenty of people will continue to launch and release products in Europe as it is a massive market that has money to spend. Equally, if all the cheap and disposable junk stops being sold and nobody wants to ship new products to Europe, then European businesses will launch their own products to fill the gaps. You do realise that plenty of products are designed and manufactured in Europe?

      1. Andy 73 Silver badge

        Re: I can understand...

        "Are designed and manufactured in Europe", or "Were designed and manufactured in Europe"?

        I jest, but when you're a startup, there is not much of a line between cheap and disposable junk, and the next great innovation. You launch a product hoping you can get through the next three months whilst you figure out what needs to change, not committing to supporting that exact first revision for five years.

        Clearly from your response you believe companies can magically afford to commit to a five year product support cycle when developing something new. I don't think that's true, and I suspect it's just going to cause more companies to close down early to avoid being dragged into legal battles. Or not launch in Europe in the first place.

        This is not about the good intentions or otherwise of product developers, this is about the financial and legal realities of developing new products, which in the current economic environment means making pragmatic decisions about what and where you launch.

        1. OhForF' Silver badge

          Startups need to sell alpha versions

          Startups depending on making money from a first version of their product that is likely defective will already have a hard time if they sell to consumers here.

          They are liable for defects for 3 years and can choose to either repair or replace with a working version at their cost and if unable to do either in a reasonable time they have to refund the full price.

        2. abetancort

          Re: I can understand...

          Many companies, in the smart devices startup arena, avoid this problem by recalling all the previous sales and substituting the old faulty version with an updated version.

      2. Phil O'Sophical Silver badge

        Re: I can understand...

        Those selling junk that is insecure and unmaintained will not be in business for long.

        Little in recent history suggests that is true. They'll just rebrand, hiding behind shell corporations, and continue to sell their tat directly via Alibaba and eBay.

      3. Dan 55 Silver badge

        Re: I can understand...

        Those selling junk that is insecure and unmaintained will not be in business for long.

        Why's Vizio such a big thing in the US then?

    2. Richard Jones 1

      Re: I can understand...

      It is rather better to have a limited quantity of quality, than a mess of total crap, as we have at the moment.

      1. Andy 73 Silver badge

        Re: I can understand...

        The problem is, you're trusting unseen bureaucrats to set the criteria for "quality products".

        As I say, I can understand people wanting someone in power to make everything safe and reliable. But it's ridiculous to believe they have the power to do so, and there won't be unforeseen consequences in an industry that relies on innovation and experimentation.

        1. OhForF' Silver badge

          Re: I can understand...

          The problem is, you're trusting unseen bureaucrats to set the criteria for "quality products"

          Not really, I don't expect them to define quality for all products in any meaningful way.

          I hope this latest initiative will lead to products that can be and are used for longer than currently. I fully expect producers to compensate by increasing prices. This should lead to buyers taking more care of what they get and so the consumers will vote on "quality" with their wallet.

          Only bad if you always need to have the latest shiny to dispose of when the next hyped thing arrives.

          1. Anonymous Coward

            Re: I can understand...

            There will always be a way around it e.g. an incumbent in the UK:

            Power Line LAN - yes, we know it is an illegal transmitter, but you daren't do anything about it.

            "Even more powerful signal" broadband wireless router - yes, we know the previous version was right on the limit of allowable transmitter power, but you daren't do anything about it.

          2. LybsterRoy Silver badge

            Re: I can understand...

            They do such a good job - I remember just how brilliant their cookie permission policy was - 99% of computer users (those of us who hadn't installed I don't care about cookies) happily clicked ALL - great work there EU

        2. Charlie Clark Silver badge
          Stop

          Re: I can understand...

          Why is this any different say to car safety or fireproof regulations?

        3. Loyal Commenter Silver badge

          Re: I can understand...

          By "bureaucrats", you presumably mean elected politicians, and professional civil servants, whose job it is to know what they are doing, and by "unseen", you presumably mean amply debated, discussed, and publicly published?

          1. LybsterRoy Silver badge

            Re: I can understand...

            I have upvoted you on the basis that it is gold standard sarcasm - it was, wasn't it?

    3. abetancort

      Re: I can understand...

      It is aimed as a barrier of entry to stop the dumping into EU of shitty smart devices by cheap Chinese manufacturers, be it by direct export or repackaging the electronics with non value added importers in EU.

    4. Anonymous Coward

      Re: I can understand...

      who is going to want to launch a new tech product in Europe when the slightest mistake could result in a painful legal battle and fine?

      I hope we can tag Windows too as code attached to a device and fine the screaming cr*p out of Microsoft for providing code that other companies would not even dare release as alpha level dev test, but I know for a fact that especially in the country I live there is absolutely no chance of that.

    5. eldakka
      Happy

      Re: I can understand...

      ..the desire to protect citizens, but who is going to want to launch a new tech product in Europe when the slightest mistake could result in a painful legal battle and fine?

      Reducing the amount of IoTrash out there, reducing the ability to just release the next buggy, insecure, unsupported, thoughtlessly designed and implemented and just overall shitty piece of IoTrash is a feature, not a bug.

    6. Andy 73 Silver badge

      Re: I can understand...

      Noting the number of downvotes on my original post - as usual, the knee jerk reaction is to assume that any objection to regulation like this is an endorsement of shitty(er) products. It's not.

      Instead it's an observation that this sort of regulation (whilst much wanted etc. etc.) is not without consequence. Whilst the slightly parochial desire to stop Chinese importers from dumping goods in Europe may be well intentioned, the consequence is that the riskier end of the industry (which is where innovation happens) will tend to focus on other markets. That's not a judgement on whether this is good, bad or indifferent - just an observation that regulation is a cost on industry, not an enabler.

      We can all agree that better supported devices would be welcomed with open arms - but you have to disable every critical faculty you have to believe that this regulation will make much of a difference to products in this space. Companies will work around it, or avoid it altogether.

      1. Charlie Clark Silver badge
        FAIL

        Re: I can understand...

        just an observation that regulation is a cost on industry, not an enabler

        There are countless examples that demonstrate how it is precisely rules that spur innovation. For example, if fanbois are to be believed, Apple's toys are popular because they're more secure.

        1. Anonymous Coward

          Re: I can understand...

          But in reality we know they're no more secure, just shinier and more expensive.

          1. Charlie Clark Silver badge

            Re: I can understand...

            Don't want to get into that particular discussion just highlight that Apple thinks there is money to be made in highlighting the security and privacy of their devices and software.

            Some examples of regulation having a beneficial effect for consumer products: max power draw in standby; max power for vacuum cleaners (turns out more power, didn't mean better cleaning); lower vehicle emissions.

            The argument that regulation is the enemy of innovation is just something that Silicon Valley likes to use to try and remove regulation because VCs love unregulated markets and the profits that can accrue to their monopolistic (monopsonistic) exploitation.

            1. LybsterRoy Silver badge

              Re: I can understand...

              -- max power for vacuum cleaners (turns out more power, didn't mean better cleaning); --

              There speaks someone who never owned a dog or cat!

              Also take into account the small fact that if the requirement had been in place BEFORE the rest of the technology caught up we'd probably still be with maid powered vacuum cleaners.

        2. LybsterRoy Silver badge

          Re: I can understand...

          So what you're saying is that if these regulations come about and everyone adheres to them people will have no real reason to buy Apple products - hmmmm

      2. Doctor Syntax Silver badge

        Re: I can understand...

        " Companies will work around it, or avoid it altogether."

        To be effective and prevent work-rounds it needs to make the entire marketing chain - yes, eBay, that means you - responsible.

        Avoiding a well regulated market if you want to ship shoddy goods is quite acceptable to the market. If the manufacturers have a problem with that there's no point coming to me for sympathy. Innovation is no excuse for cutting corners or making customers act as QA.

      3. LybsterRoy Silver badge

        Re: I can understand...

        You also have to disbelieve the law of unintended consequences

      4. eldakka
        Holmes

        Re: I can understand...

        > That's not a judgement on whether this is good, bad or indifferent - just an observation that regulation is a cost on industry, not an enabler.

        I'm sure slavers made the same arguments against the regulations that banned slavery.

    7. Doctor Syntax Silver badge

      Re: I can understand...

      "Products will be launched where early fixes and revisions are tolerated, and maybe taken to Europe a few years later."

      Excellent - up to a point. That means the EU gets good products and elsewhere gets the crap. Up to a point because here in the UK we no longer get that protection.

    8. Loyal Commenter Silver badge
      Holmes

      Re: I can understand...

      "Who is going to want to launch a new company selling boiled sweets in the UK, when the slightest accidental inclusion of arsenic in them would render them unsaleable. Why, we can't even use brightly coloured lead salts to make them attractive any more!"

      It's almost like there's some sort of reason why we have regulations to make sure people are getting what they pay for, and products aren't unsafe or falsely described.

      1. Andy 73 Silver badge

        Re: I can understand...

        Yes, because your toothbrush not getting a firmware update is *exactly* like a boiled sweet laced with poison.

        Typical of the discussions around these things.

        There are already rules about unsafe products and misleading or false marketing.

    9. jdiebdhidbsusbvwbsidnsoskebid Silver badge

      Re: I can understand...

      So someone else does our consumer field testing for us? Sounds good.

  4. really_adf

    "Expected product lifetime ... or five years"

    The fact sheet gives an obligation of the expected lifetime or five years. Who decides that lifetime?

    Also, it's "whichever is the shorter". It certainly seems ridiculous for a car manufacturer to have no requirement for what is in practice more than half the lifetime of a car.

    While a car is probably the most extreme example, similar can probably be said for many products.

    1. Michael

      Re: "Expected product lifetime ... or five years"

      Cars are excluded as they are regulated separately.

      This is a starting point. It will most likely be expanded over time. It is a good thing that suppliers will be expected to ensure products are secure for a reasonable time period.

    2. EVP
      Meh

      Re: "Expected product lifetime ... or five years"

      We can expect products whose cyber security warranty will be void when connected to the Internet. Like some smartphones advertised waterproof whose warranty will not cover water damage. So everybody don’t worry, cheap crap will continue to flow into EU.

      1. An_Old_Dog Silver badge
        Devil

        The Patches Must Flow

        Okay, so the law can demand that manufacturers provide security patches for device lifetime/5 years ... but they can't enforce the effectiveness of those patches.

        v1.0: "if ! strcmp( password, "letmein1234" ) rootmode = 1; ..."

        v1.1: "if ! strcmp( password, "correcthorsebatterystaple" ) rootmode = 1; ..."

        v1.2: "if ! strcmp( password, "theGPDRsuxors" ) rootmode = 1; ..."

        1. eldakka
          Coat

          Re: The Patches Must Flow

          > v1.0: "if ! strcmp( password, "letmein1234" ) rootmode = 1; ..."

          How'd you get my banking password?
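Taking the rotating hard-coded password in An_Old_Dog's "The Patches Must Flow" comment above as a detection problem rather than a joke: the following Python scanner is an added example, not code from the page, The Register, or any commenter. It flags string comparisons between a credential-looking identifier and a string literal in C-style source, the pattern that a "patch" which merely swaps one backdoor password for another leaves untouched. The sample source, the function names, and the list of credential-like identifier names are all constructed assumptions; the three literals in the sample are the ones from the comment.

```python
"""Flag hard-coded credential comparisons in C-style source.

Added example; not code from the original page. The heuristic looks for
strcmp/strncmp/memcmp calls, or ==, where one side is a string literal and
the other side is an identifier that looks like it holds a credential.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: identifier fragments that usually name a secret. Extend per codebase.
CREDENTIAL_NAMES = r"(?:password|passwd|pwd|pin|secret|token|api_?key|auth_?key)"

# strcmp(password, "literal"), strncmp("literal", password, n), memcmp(...)
CMP_CALL = re.compile(
    rf'\b(?:strn?cmp|strn?casecmp|memcmp)\s*\(\s*'
    rf'(?:\w*{CREDENTIAL_NAMES}\w*\s*,\s*"[^"]*"|"[^"]*"\s*,\s*\w*{CREDENTIAL_NAMES}\w*)',
    re.IGNORECASE,
)
# password == "literal" or "literal" == password (C++/Java-style code)
EQ_LITERAL = re.compile(
    rf'(?:\w*{CREDENTIAL_NAMES}\w*\s*==\s*"[^"]*"|"[^"]*"\s*==\s*\w*{CREDENTIAL_NAMES}\w*)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the scanned text
    literal: str   # the hard-coded value being compared against
    text: str      # the offending line, stripped


def find_hardcoded_credentials(source: str) -> list[Finding]:
    """Return one Finding per line that compares a credential to a literal."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = CMP_CALL.search(line) or EQ_LITERAL.search(line)
        if match is None:
            continue
        # The match always contains exactly one quoted literal; pull it out.
        literal = re.search(r'"([^"]*)"', match.group(0)).group(1)
        findings.append(Finding(line_no, literal, line.strip()))
    return findings


# Constructed sample: the comment's v1.0 to v1.2 "patches" plus two other lines.
SAMPLE_SOURCE = """\
/* constructed firmware auth routine for the scanner to chew on */
int rootmode = 0;
if (!strcmp(password, "letmein1234")) rootmode = 1;
if (!strcmp(password, "correcthorsebatterystaple")) rootmode = 1;
if (strncmp("theGPDRsuxors", password, 13) == 0) rootmode = 1;
if (memcmp(stored_hash, computed_hash, 32) == 0) rootmode = 1;  /* no literal: not flagged */
if (user_pin == "0000") unlock();
"""


def report(source: str = SAMPLE_SOURCE) -> list[str]:
    """Human-readable lines, one per finding; returned so callers can test them."""
    return [f"line {f.line_no}: compares credential to literal '{f.literal}': {f.text}"
            for f in find_hardcoded_credentials(source)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

The scanner is a lint heuristic, not proof of absence: it misses credentials assembled at runtime or checked through a wrapper function, and substring matching on names like `key` will occasionally flag an innocent identifier. The memcmp line against a stored hash is deliberately left unflagged to show the shape a fix should take: compare a derived value against per-device stored material, not the raw credential against a constant in the binary.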

    3. eldakka

      Re: "Expected product lifetime ... or five years"

      > The fact sheet gives an obligation of the expected lifetime or five years. Who decides that lifetime?

      Not the manufacturer.

      There is plenty of precedent for this sort of thing. For example, in Australia, products that don't have their own specific legislated warranty requirements (e.g. cars have their own acts around them) have general consumer act merchantability warranty requirements that say something like "must repair or replace the product if it becomes defective during its lifetime".

      This is usually based on a combination of:

      1) its purpose (e.g. a disposable single-use surgical face-mask vs an industrial fitted biological-rated filter-mask with replaceable filters);

      2) its price (a $2 plastic kinder surprise truck vs a $500 cast-metal tonka toy truck);

      3) any advertised or stated claims as to its quality and usage made by the manufacturer or their agent or the vendor of said product (such as an advert, specification sheet, blurb on the side of the box, a verbal claim made at a trade show or by a retailers/sales outlet staff member about the product);

      4) a reasonable person's (the legal standard of a 'reasonable person') expectation of such a product, usually based on a combination of the preceding elements;

      5) any established precedents based on previous relevant regulatory, tribunal, or court decisions.

      Basically, the expectation is that everyone (the manufacturer, vendor, consumer) is acting in good faith. If any of them aren't, then regulatory agencies and the courts step in.

      1. Doctor Syntax Silver badge

        Re: "Expected product lifetime ... or five years"

        If only marketing departments would start recruiting reasonable persons.

    4. abetancort

      Re: "Expected product lifetime ... or five years"

      It sets the minimum, 5 years. If you claim that your product lasts 20 years then you are obligated to cover those 20 years.

  5. steviebuk Silver badge

    Offline

    There should also be a rule that all devices should be allowed to work offline, so that when they close the servers, all the kit doesn't become useless. It would also allow those who know how to set up their own local or cloud-based servers that they can point the device to.

    1. Andy 73 Silver badge

      Re: Offline

      Not sure that's technically or practically possible.

      If my Magic Doohickey synchronises with my Phone using some discoverable server in a vendor specific cloud, there is no easy answer when the discoverable server stops existing.

      "Sorry, we have failed as a company - here are the instructions for installing Couchbase, twenty microservices, an SMS relay and a proprietary speech to text tool we depend on. Also, here is the source code that we spent a million euros developing."

      1. OhForF' Silver badge

        Re: Offline

        IMHO it is possible but not likely to happen.

        Laws could force companies to put those instructions and the source code into escrow and allow public access if the company ceases to exist. Any liquidator should only be allowed to sell that IP if the buyer continues the service. It would stop companies from selling on the IP for a token price and then fold to get rid of liabilities.

      2. Doctor Syntax Silver badge

        Re: Offline

        "If my Magic Doohickey synchronises with my Phone using some discoverable server in a vendor specific cloud, there is no easy answer when the discoverable server stops existing."

        Here are a few:

        1. Require it to be able to synchronise with your iPhone over your WiFi. It means you can't contact it remotely unless you open your network for incoming connections from your phone. But it's a non-bricking fall-back.

        2. Have a manual mode as fall-back.

        3. Make it clear to purchasers before buying that you have not made any provision for ongoing operation of the service, that you cannot guarantee to keep operating the service and that if the service lapses the product is bricked. And see how many sales you get then.

        TL;DR design your device to fall-back sensibly or tell the customer very clearly they're about to buy a pig in a poke.

        1. LybsterRoy Silver badge

          Re: Offline

          You missed item 0

          Train the dumb users how to do these things you suggest

      3. Loyal Commenter Silver badge

        Re: Offline

        "Sorry, we have failed as a company - here are the instructions for installing Couchbase, twenty microservices, an SMS relay and a proprietary speech to text tool we depend on. Also, here is the source code that we spent a million euros developing."

        There's a thing called escrow. The organisation I work for has all of our source code in escrow, so that, if we go out of business for whatever reason, this is then made available to our customers who depend on it, so that they can make alternative arrangements to continue to support it. I doubt that this situation is unusual.

        1. Charlie Clark Silver badge

          Re: Offline

          I've often thought about that kind of technical "living will" and I think it has a lot going for it. I have almost no "smart" (ie. connected to someone else's computer) gadgets because I'm pretty sure I don't need them and don't want that kind of dependence having seen a few people buy into the dream only to have throw the kit away a few years later.

        2. Bitsminer Silver badge

          Re: Offline

          Escrow means very little if you can't get access to proprietary compilers or obscure build instructions or obsolete (Win95...) build platforms.

          1. John Brown (no body) Silver badge

            Re: Offline

            Not to mention that the full source code required to actually be useful may well include other 3rd party licensed IP, and said licences may have Ts&Cs which expire if the licence holder goes out of business and can't be transferred.

  6. John Smith 19 Gold badge
    Thumb Up

    It's a start, but of course it won't change smart meters

    Which are supposed (in the UK) to have a 15 yr life, as opposed to the 40 years of "dumb" meters (before they are re-certified and can be reused)

    OTOH the head of IT for a certain US energy company (in Congressional testimony) said they are computers, with a lifespan of about 7yrs before they need replacing.

    But these are UK smart meters, which will be a special order.

    Yeah. Right.

    Still a good start for the rest. And I do like the "Offline mode required" so if (when) the company goes TITSUP the product has some usability.

  7. Anonymous Coward

    Enforcement?

    Quote #1: "The Act provides infosec requirements that must be met before products can reach Europe's markets, some covering their design, development and production."

    Quote #2: "....having already led the world with the General Data Protection Regulation (GDPR)...."

    Quote #2 first........The Royal Free Trust allowed Google/DeepMind to slurp 1.6 million personal medical records...not one single citizen was asked for their consent as required by GDPR. No penalties (yet) for the Royal Free or Google. So much for enforcement of GDPR.

    Quote #1.....Now we get this suggestion that someone (unnamed) will be certifying the business processes inside device manufacturing companies. Really?? ......there are thousands of such manufacturers, many (most) of them in China. Not possible!!

    Both laws have almost no possibility of enforcement. Both are simply government marketing of the sort -- "Someone is doing something". Like GDPR this latest suggestion is a joke.

  8. VoiceOfTruth

    I had some hope until this line

    -> Failure to comply could result in fines of up to $15 million

    In other words, a tap on the wrist for these companies. How about 50% of last year's earnings or up to $10bn?

  9. Arthur the cat Silver badge

    Exceptions?

    The proposed regulation does provide some exceptions for products such as medical devices, airplanes, and cars, as they are already subject to other regulations.

    Right, so the implanted insulin pumps and pacemakers that are known to be remotely hackable by wireless won't be covered because there are already regulations saying they must be made of bio-inert materials. Slightly missing the point I think.

  10. JammieDodger90

    The UK already has similar legislation in the pipeline.

    We need this legislation; I don't think many people are really aware of the true impact of poor cybersecurity, but rest assured, it is affecting us all greatly.
