EU Radio Equipment Directive (RED): How Insecure is Consumer IoT?

A principal factor that will shape the views of the EU Radio Equipment Directive (RED) delegated act relates to how significant groups or individuals view the scale of the cybersecurity problem in consumer devices.

While it has been clearly demonstrated that some devices lack basic security features, some industry participants see the problem as overblown, for example by pointing out that an open Bluetooth link can only be exploited by a person in close proximity. Others note that the risk profile of consumer products differs sharply from business products used in an organization, such as a bank, and believe that, based on the risk profile, any cybersecurity requirements for consumer IoT should remain voluntary and be driven by market forces (as in the EU Cybersecurity Act).

These differing views were acknowledged in Impact Assessment on Increased Protection of Internet Connected Radio Equipment and Wearable Radio Equipment (April 2020), a consultancy report commissioned by the European Commission which considered various options for legislation of connected consumer devices (it ultimately recommended the RED delegated act approach). “Whilst some industry manufacturing associations expressed the view that the nature of the risks has been exaggerated outside of smart toys, ICT and cybersecurity associations and cybersecurity testing houses mentioned that, despite improved awareness among industry about the vulnerabilities, there are still too many products coming to the market that do not even have the most basic cybersecurity features integrated into smart products, making them vulnerable to hacking, attack and, therefore, also the data on a device or that the device is able to access (from other sources or devices),” the report states.

The problem has “grown much worse in the past five years” due to a lack of regulation, allowing “low quality, non-cyber-secure products” to remain legally sold on the European single market, according to some stakeholders surveyed by the report’s authors. In addition, B2C IoT products are seen as presenting a greater risk than those in the B2B market, given that B2C products tend to be cheaper and lower quality. Businesses typically demand encrypted products and often have better knowledge of how to secure their devices.

A view on the same topic was expressed by several scientists at Microsoft in a paper titled “The Seven Properties of Highly Secure Devices”: “Industry largely underestimates the critical need for the highest levels of security in every network-connected device. Even the most mundane device can become dangerous when compromised over the Internet: a toy can spy or deceive; an appliance can launch a denial of service [attack] or self-destruct; a piece of equipment can maim or destroy. With risks to life, limb, brand and property so high, single-line-of-defense and second-best solutions are not enough.”

READ MORE ARTICLES