Big problem, little action Why cybersecurity is a top consumer issue
It has been said many times. Technology is changing the way we live. It changes our markets, our societies and how we interact with each other.
It is also changing the products we buy and the way we use them. Cars, baby monitors, fridges, toys, washing machines are now computers ‘connected to the internet’.
The nature of consumer products is changing: they are becoming a mix of hardware, software, data and services.
And products are evolving all the time. Remote software updates can add new functionalities and result in a product becoming different from the one purchased.
Connected products can bring huge potential benefits. In terms of convenience for instance, consumers can now switch on the washing machine remotely to take advantage of cheaper energy tariffs.
A smart thermostat can optimise your heating and allow you to save energy.
But this is only one side of the equation. The ‘Internet of Things’ inevitably leads to an increase in risks and challenges.
A connected product may invade a person’s privacy. Unsecure products can be hacked and lead to theft of one’s personal data, thus making people vulnerable to worries like credit card fraud.
And there’s the risk that people get physically harmed when safety is com- promised by cyberattacks.
Our member organisations are constantly carrying out tests in order to give guidance to consumers when they want to choose a connected device.
The results of their tests show that the market is swamped with products which pose big risks.
Test Achats/Test Aankoop from Belgium installed 19 popular smart devices, like alarm systems, a smart lock and a robot vacuum cleaner, in one apartment.
It didn’t take the two hackers they hired very long to find security flaws which, in some cases, even allowed them to enter the apartment.
Unfortunately, children’s products are among those most at risk. Consumer group Forbrukerrådet from Norway showed that strangers can seize control of smart watches and use them to track and eavesdrop on children.
UK consumer association Which? revealed that it was very easy to connect to a ‘smart’ toy to send a child a message.
Consumers are usually not aware that a connected fridge or smart lock may lack basic cybersecurity features and be prone to hacks.
Worse, consumers would often not even know when a product has been hacked and is posing a privacy, security or safety risk for their owners
Laws not up-to-date
EU laws aren’t fit to address these challenges. The lack of EU rules stipulating that products must be cybersecure is a glaring gap to protect consumers.
There is need for a horizontal cybersecurity legislation to ensure that all connected products being placed on the EU market are cybersecure.
Another major flaw is that the concept of ‘safety’, as enshrined in the EU’s product safety legislation, is too narrow to adequately protect consumers from new problems which come along with internet-connected objects.
This is because product safety is understood in the traditional sense only regarding their potential harm to consumers’ health and their physical safety such as through exposure to harmful chemicals and injuries.
What it does not capture are risks to our privacy or the digital security of our environment and devices for instance a smart lock that can be easily hacked makes houses vulnerable to burglaries and intrusions.
In addition to the fact that the EU’s legislation is not fit for purpose, authorities are not in a position and/or not motivated to perform effective market checks to keep dangerous unsecure connected products off the shelves.
The lack of a state-of-the-art definition of ‘safe’ products means checks by authorities are not weeding out products that pose risk to consumers due to security flaws.
Consumer groups’ testing clearly shows digital products fly under the radar of market supervision.
Makes you WannaCry
This negligence and lack of action on making connected products more secure is baffling.
The risks stemming from insecure connected products are not just problematic for consumers but also for society at large.
The WannaCry ransom attack from May 2017 crippled hospitals in the UK and led to damages exceeding billions of dollars.
Irrespective of the origins and way of dissemination of WannaCry, what the attack clearly showed was that it’s too easy to play with our cybersecurity.
Keeping millions of consumer products unsafe and prone to attack is a dis- service to our society and our economy.
And the Cybersecurity Act?
In light of the risks it is disappointing that the recently adopted Cybersecurity Act falls short of making consumer products safer.
It does introduce a cybersecurity certification scheme. However, companies are not required to get a certificate for their product it is a non-binding scheme.
The result is that unsafe toys, smart watches and routers can still end up on the market.
Policymakers should adopt binding rules which require all manufacturers of connected consumer products to adhere to a minimum set of cybersecurity measures before placing their products on the market.
These binding rules should at least include strong authentication mechanisms (for instance passwords), data encryption and making security updates available.
The Cybersecurity act has been adopted, what else can be done? Our member organisations will continue to test products, inform consumers and alert authorities when they discover grave security flaws.
Other legislative tools such as actions under the EU’s Radio Equipment Directive can help fixing some of the legal loopholes.
There is also movement at national level.
The UK Government recently released a promising Code of Practice for Consumer IoT Security which sets out 13 practical guidelines for manufacturers and industry stakeholders to improve the security of their connected devices.
Initiatives like this code are a welcome development. The European Union Agency for Network and Information Security (ENISA) can also play a leading role her in terms of providing guidance or a model code but more is definitely needed.
Voluntary measures are not enough.
There is a strong need for a binding legal instrument that makes sure that unsafe connected products are kept off the market.