Tougher regulation needed to force IOT companies to be secure
The European Commission announced new cybersecurity requirements for IoT devices.
The new rules are part of a plan to overhaul the EU’s telecommunications laws. The expected proposal comes following warnings that many IoT devices include little or no security protections.
Euractive’s Catherine Stupp said: “The commission would encourage companies to come up with a labelling system for internet-connected devices that are approved and secure.”
One recent threat came from a powerful malware called Mirai which has infected IoT devices across the world.
EU lawmakers want to remove fears caused from security attacks by creating rules that force companies to meet tough security standards and go through multi-pronged certification processes to guarantee privacy.
An analysis published by Flashpoint found that the web-based administration for devices made by Chinese company XiongMai Technologies, can be trivially bypassed without the need to supply a username or password.
The main issue discovered, was even if owners of these IoT devices change the default credentials, the machines can still be reached over the Internet.
Zach Wikholm, a spokesperson from Flashpoint said: “The issue with these particular devices is that a user cannot feasibly change this password. The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”
This is also the case for various Internet-connected devices, as the default setup still use the username and password, leading to an easy target of internet threats.
Thibault Kleiner, Deputy Head of cabinet for Oettinger said: “That’s really a problem in the internet of things. It’s not enough to just look at one component. You need to look at the network, the cloud. You need a governance framework to get certification.”
The European Commission plans to solve this with tougher regulation.
Kliener added that the Commission would encourage companies to come up with a labeling system for internet-connected devices that are approved and secure.