European Commission airs out new IoT device security draft law – interested parties have a week to weigh in Infosec pros and other technically minded folk have just under a week left to comment on EU plans to introduce new regulations obligating consumer IoT device makers to address online security issues, data protection, privacy and fraud prevention. Draft regulations applying to "internet-connected radio equipment and wearable …
No one asked for toys to be connected to the internet. This was just an excuse to: spy on kids, put drm in toys, and force dlc down parents throats. I hope this permanently kills the iot market. If regulation does not destroy the consumer IOT market, it will be a psychopath user who does.
As far as I can tell from the Directive, this isn’t really about toys. That’s just a small addendum to basically any radio-connected mobile device. Including (and therefore mainly) smartphones.
The meat of it, is that the EU will require a testing body to verify security of them. Which goes to the heart of both Android phones in general, but also iPhones. Amongst other points, to verify the security, the testing body is going to have to read the source code. All of it. Modem firmware included. And what manufacturer is going to allow that?
Not saying I’m against this, it’s quite...Brave. But it’s much bigger than toys.
.....to tell people what they are getting into?
*
1. For example, every IoT device RELIES on a server somewhere which is recording FOR EVER everything that goes on on the IoT device? How may people know this?
*
2. Even if GDPR applies to item #1, how many people know A) who to call and B) what to say......if they want their personal data deleted?
*
3. Ah!!....deleted!!!! What does this mean? Deleted from live databases? Deleted from ALL backups? Deleted from the data exfiltrated by a hack by "bad guys"?
*
Yup.....it's pretty clear that the general public have NO IDEA what they are getting into with the average IoT device!! I think they should be told!!!
it's perhaps unreasonable to expect kit makers to keep providing software patches for years after they've stopped shipping a device
Why? I don't see why people should be allowed to lob shit into the market and wash their hands of things.
I think if companies were required to provide 3 years of security updates, this would stop cheap garbage marketed on a razor-thin margin.
Agreed. If anything, companies that release internet-connected devices should be on the hook for resolving major security vulns for the generally useful lifetime of the device. It should also be setup in such a way that they cannot just shut down or orphan their subsidiary in an attempt to wash their hands of the situation.
I can see the flip side of this though.
Electronic devices these days are modular. They comprise components made by many different manufacturers. Think of a laptop. It will contain, at minimum, a motherboard, a processor, a screen, keyboard and touchpad, some memory, and some storage. The motherboard will itself contain several built-in components from different manufacturers. BIOS, A USB controller, PCIE and SATA buses, and so on. Any one of these components could be found to have a security flaw several years down the line.
Should the maker of the laptop be responsible, for instance, for fixing a security flaw discovered in the processor (e.g. Heartbleed)? Surely that responsibility lies with the maker of the processor, but is there also a responsibility for the company that assembled the laptop to pass on a fix to mitigate such flaws? What if such flaws render the whole device irreparably insecure? Who is liable? Is the customer entitled to a RTM replacement or hardware fix? At whose cost? What if this happens after 1 year? 5 years? 25 years?
I'm not saying there aren't answers to these questions, but I don't think they will be simple ones, and they do raise questions about chain-of-trust when modern devices are built from many heterogeneous components.
Definitely agree, but 3 years is not enough.
I would push for 10 years. That should definitely cover the possible lifetime of the shit quality that IoT is made with.
It would also push IoT makers to pay a hell of a lot more attention to the shit they shovel onto the market. The more secure they make 'em, the less updating they need to pay for, and the consumer benefits.
"I think if companies were required to provide 3 years of security updates, this would stop cheap garbage marketed on a razor-thin margin."
Unfortunately it would probably result in more imported technology and companies going under to get out of such obligation.
"I don't see why people should be allowed to lob shit into the market and wash their hands of things."
This is the norm. This is reality as much as it sucks. This is where reputation becomes important.
And that imported tat would not get a CE mark*, and thus be illegal to sell in the EU. I don't see most consumers suddenly buying grey-market imports to get around measures put in place for their own safety.
It's akin to people buying cheap Chinese phone chargers on eBay and then being shocked when their house burns down. I think most people have figured out by now not to do that.
*Yes, I know this won't stop Chinese sweat-shops putting CE marks on them, but plus ça change, n'est-ce pas?
Here's the best law to pass for those who send out viruses and hack into any ones system. First time offense, The death penalty when they are caught. NO DEALS. Forfeiture of all assets OR Put them on public display, in a diaper with plastic pants and do not allow any diaper changes, ever. Ket them die in their own human waste.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
