European Commission airs out new IoT device security draft law – interested parties have a week to weigh in

Mirroring UK, US efforts to crack down on cheap 'n' cheerful internet gadgets


Infosec pros and other technically minded folk have just under a week left to comment on EU plans to introduce new regulations obligating consumer IoT device makers to address online security issues, data protection, privacy and fraud prevention.

Draft regulations applying to "internet-connected radio equipment and wearable radio equipment" are open for public comment until 27 August – and the resulting laws will apply across the bloc from the end of this year, according to the EU Commission.

Billed as assisting Internet of Things device security, the new regs will apply to other internet-connected gadgets in current use today, explicitly including "certain laptops" as well as "baby monitors, smart appliances, smart cameras and a number of other radio equipment", "dongles, alarm systems, home automation systems" and more.

"The key objective of this initiative is to contribute to strengthen the 'ecosystem of trust' which stems from the synergies of all related pieces of EU law concerning protection of networks, privacy and against fraud," said the explanatory note on the draft EU regulation, a summary of which is downloadable via the link above.

"This initiative should then allow on the EU market only the radio equipment that is sufficiently secure."

The Netherlands' FME association has already raised public concerns about the scope of the EU's plans, specifically raising the "feasibility of post market responsibility for cybersecurity".

The trade association said: "If there is a low risk exploitable vulnerability; at what level can the manufacturer not release or delay a patch, and what documentation is required to demonstrate that this risk assessment was conducted with this outcome of a very low risk vulnerability?"

While there are certainly holes that can be picked in the draft regs, cheap and cheerful internet-connected devices pose a real risk to the wider internet because of the ease with which they can be hijacked by criminals.

The proposed EU regs are similar to those being floated in the UK to tighten up IoT security, rules which were also suddenly widened to cover mobile phones and tablets. Previously the legislation had been sold as a way of securing otherwise painfully insecure IoT devices; GCHQ offshoot the National Cyber Security Centre, a major sponsor of the Secured by Design initiative, may have had the Mirai botnet in mind.

Identity management firm Sectigo's CTO Jason Soroko told The Register, in an interview about botnets and router security, that poor security in these devices stems from industry design choices intended to ease deployment, use and configuration: "If you and I right now, were to investigate the top five latest [routers], would we find a huge difference in terms of how they're built? Would we find open Telnet ports? I bet you we would. Would we find vulnerabilities in terms of weak credential form factors for PHP web interface code?"

Soroko thought the answer was obvious. Certain router makers have learned the hard way that end-of-life equipment containing insecurities can have a reputational as well as a security impact. That said, it's perhaps unreasonable to expect kit makers to keep providing software patches for years after they've stopped shipping a device. Consumers cannot rely on news outlets shaming makers of internet-connected goods into providing better security; new laws are the inevitable next stage, and there's a growing push for them on both sides of the Atlantic.

Device makers being banned from selling in the EU over security and data protection issues is not new. In 2017, the German telecoms regulator banned the sale of children's smartwatches that allowed users to secretly listen in on nearby conversations, and later that year the French data protection agency issued a formal notice to a biz peddling allegedly insecure Bluetooth-enabled toys, Genesis Toys' My Friend Cayla doll and the i-Que robot, because the doll could be misused to eavesdrop on kids. The manufacturers are also obliged to comply with the GDPR. However, the new draft law is evidence that certain loopholes might soon begin to close. ®
