On 25 May 2018 the European Union's new data protection law, the General Data Protection Regulation (GDPR), becomes applicable, and a new ePrivacy Regulation intended to replace the 2002 ePrivacy Directive is being negotiated alongside it. Both should have a positive impact on data privacy and security. On top of this EU legislation, both the British and Dutch governments have published statements that will lead to additional regulation of IoT security. Will these initiatives force vendors to improve IoT security for home users in general?
How does the General Data Protection Regulation impact IoT security?
The GDPR affects every company that collects personal data, and it takes a broad view of what counts as personal data (an email address, a device identifier or an IP address tied to a user all qualify). Companies established outside the EU are also affected when they collect personal data of people in the EU. Put simply, the GDPR demands that companies apply security measures "appropriate" to the risk when processing personal data. Companies failing the requirements face fines of up to four percent of their annual global turnover or 20 million euro, whichever is higher. The goal is to reduce data breaches involving personal data and the financial fraud and identity theft that follow from stolen personal data. This legislation therefore affects all cloud and IoT services that process personal data. Most smart devices record personal data (IoT security cameras, smart watches tracking activity) or require personal data to register (smartphones require an email address for an account).
How does ePrivacy legislation impact IoT security?
Although the ePrivacy legislation is primarily directed at privacy (e.g. which user data and metadata may be tracked in online communications), it also applies to IoT devices. It prohibits the interception of electronic communications unless permitted by a Member State or EU law. In practice, the only reliable way for a vendor to ensure that outsiders cannot copy or snoop on this data is to encrypt all communication. As the test of our own Smart TV showed (see blog Security flaws in firmware used by 30+ popular TV brands), metadata and user data are often transmitted unencrypted while service ports are kept open for remote control. Under the ePrivacy rules, the critical vulnerabilities found in the latest tested Smart TV firmware would constitute a formal breach. The risk of EU administrative fines would have triggered a different reaction at the vendor of the smart TV and at the other 30 smart TV brands using the affected firmware.
The strong IoT statements of the British and Dutch governments
In March the British Department for Digital, Culture, Media and Sport (DCMS) released a report on improving the cyber security of consumer Internet of Things devices called "Secure by Design". Margot James, the Minister for Digital and Creative Industries, endorses this report, which demands that all internet-connected (IoT) devices ship with unique passwords that cannot be reset to a universal factory default. This goes a step further than the US IoT Cybersecurity Improvement Act of 2017, which only covers devices procured by the US federal government rather than all consumer devices.
The Dutch Member of Parliament Kees Verhoeven has successfully put cyber security on the agenda and is pushing the Minister of Justice and Security, Ferdinand Grapperhaus, to turn words into actions. One of his means is to formally ask for the Minister's viewpoint on specific issues through written parliamentary questions. The MP asked the Minister of Justice and Security for his view on a Dutch expert's study on the security of IoT devices. The Minister answered that "vendors would be liable for the damage caused due to insufficient security measures". This also includes (as an example) the damage caused by botnets to essential infrastructure. This would imply that a bank could sue a vendor of smart TVs or security cameras when these IoT devices are used in DDoS attacks.
Light at the end of the IoT (in)security tunnel?
At AV-Comparatives we think that economic incentives and fines may help to improve the security of IoT devices, even though compliance raises the bar for vendors. Sadly, these new regulations have yet to prove their promise, and much is still under construction. Concerned home users who do not want to wait might consider adding additional security to their home network, such as F-Secure's SENSE, BullGuard's Dojo, Avast's Smart Life, Bitdefender's Box or Norton's Core.