Smart home gadgets are open to attack: So time for IoT security laws? No, says Europe

EU's new Cybersecurity Act won't mandate certifications for IoT products, and consumer advocates are unhappy.
Written by David Meyer, Contributor


The European Union on Tuesday moved closer to having new rules on cybersecurity certification and cooperation between countries, after the European parliament's industry committee advanced a proposed Cybersecurity Act.

The committee, known as ITRE, overwhelmingly voted through a report that will set out the parliament's negotiating stance on the law, if it is approved in a plenary vote after the summer recess.

That would open the way for talks with member states, and ultimately the introduction of the new regulation.

However, consumer groups are not happy with the text that's going through. They say it leaves a major attack vector open, because it doesn't introduce mandatory security certifications for connected consumer products, such as smartwatches and smart home devices.


The certifications in question would state that the product or service has no known vulnerabilities, complies with international standards and specifications, and can only be used by authorized people.

Parliament only wants mandatory certifications for tech products and services that present the highest security risks. These certifications are likely to include things like energy infrastructure, although the details still need to be thrashed out in negotiations.

And even there, parliament is the EU institution that wants the toughest rules. The European Commission and the Council of the EU, which represents the bloc's member states, are keen on an entirely voluntary system.

According to European consumer organization BEUC, everyone is missing the severity of the threat posed by insecure connected devices of the more everyday variety.

"Connected products without proper security are popping up across our continent, paving the way for the next big cybersecurity crisis," said BEUC director general Monique Goyens.

That's why consumer groups have long been calling on European institutions to mandate cybersecurity requirements, such as security updates, strong passwords or encryption for smartwatches, connected cars, and smart fridges, she said.

"There are rules to make our cars safe. There are rules to make our food safe. But there are no rules to make connected products safe and secure," Goyens added.

"It is very disappointing that the EU institutions still seem to underestimate the dimension of the problem and are unwilling to address it by mandating security by design and default."

Meanwhile, the Computer & Communications Industry Association, a tech industry lobbying group, welcomed the approved report.

"We urge member states to support Parliament's position on this matter in the final negotiations," said CCIA senior manager Alexandre Roure.

BEUC is an umbrella body of consumer groups, with national members including Which? in the UK, and Stiftung Warentest in Germany.

Several of these national watchdogs have come out with reports in the last year or two that demonstrate the risks associated with insecure connected products.

Which? identified flaws in connected toys that would let strangers talk to children, for example, while the Norwegian Consumer Council highlighted serious vulnerabilities in kids' smartwatches that threaten users' privacy.

Apart from these reports, the advent of botnets such as Mirai has demonstrated just how dangerous insecure connected devices can be when dragooned into providing firepower for distributed denial-of-service (DDoS) attacks.


However, the failure of the Cybersecurity Act to address such issues may not be the end of the story.

BEUC communications chief Johannes Kleis suggested that there might be a way to introduce new cybersecurity requirements for connected products in the upcoming revision to rules for radio equipment.

And then there's the Digital Content Contracts Directive, a piece of legislation that is currently being negotiated with the Council of the EU.

Although this directive is nominally about giving consumers better protections when buying digital content and services online, the European Parliament managed to make amendments that would have the law cover embedded software.

If these parts of the directive survive the law's final negotiations, they would force retailers to at least tell customers about the security updates they should install when security flaws in connected devices come to light.

For now, though, the security of connected smart devices still falls into what BEUC describes as a "gaping hole in EU legislation".
