Smart home cybersecurity is a growing concern, as more Internet of Things devices come onto the market. Now the European Union wants to give device makers a legal obligation to ensure their products are safe from hackers, and to update them as needed to keep them that way …
Background
Apple developed the HomeKit standard with two goals in mind. First, to make smart home devices easy to control, with everything done through a single app. Second, to ensure that your smart home is secured against cyber attackers.
With HomeKit, encrypted keys are used to identify devices, and when (for example) your iPhone sends an unlock command to your smart door lock, the iPhone will verify the identity of the lock, and the lock will verify the identity of your iPhone.
To establish a relationship between an iOS, iPadOS or macOS device and a HomeKit accessory, keys are exchanged using the Secure Remote Password (3072-bit) protocol, utilising an eight-digit code provided by the accessory’s manufacturer and entered on the iOS or iPadOS device by the user, and then encrypted using ChaCha20-Poly1305 AEAD with HKDF-SHA512-derived keys. The accessory’s MFi certification is also verified during setup. Accessories without an MFi chip can build in support for software authentication in iOS 11.3 or later.
When the iOS, iPadOS and macOS device and the HomeKit accessory communicate during use, each authenticates the other using the keys exchanged in the above process.
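As an added illustration of the key-derivation step described above (this is example code, not Apple's implementation, and the salt and info labels are constructed for the example rather than HomeKit's real ones), here is RFC 5869 HKDF with SHA-512 in pure-stdlib Python. Both sides expand the SRP shared secret into a separate 256-bit ChaCha20-Poly1305 key per direction, so a party that ended up with a different secret (for instance after a wrong setup code) cannot produce matching keys and its AEAD messages will fail to authenticate.

```python
import hashlib
import hmac

HASH = hashlib.sha512
HASH_LEN = HASH().digest_size  # 64 bytes for SHA-512
AEAD_KEY_LEN = 32              # ChaCha20-Poly1305 uses a 256-bit key


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-SHA512(salt, IKM); empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-SHA512(PRK, T(i-1) | info | i), concatenated and truncated."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output length exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_sha512(ikm: bytes, salt: bytes, info: bytes, length: int = AEAD_KEY_LEN) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_session_keys(srp_shared_secret: bytes) -> dict:
    """Derive one AEAD key per direction from the SRP shared secret.

    The salt and info labels below are constructed for this example; they are
    NOT the labels HomeKit actually uses. Separate info strings give
    independent keys, so traffic in one direction cannot be replayed as the other.
    """
    salt = b"example-pairing-salt"  # constructed value
    return {
        "controller_to_accessory": hkdf_sha512(srp_shared_secret, salt, b"example-ctrl-write-key"),
        "accessory_to_controller": hkdf_sha512(srp_shared_secret, salt, b"example-ctrl-read-key"),
    }


def keys_agree(keys_a: dict, keys_b: dict) -> bool:
    """Constant-time comparison of two parties' derived key sets (both must match)."""
    return all(hmac.compare_digest(keys_a[name], keys_b[name]) for name in keys_a)
```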
However, even HomeKit can be vulnerable, as demonstrated to us back in 2017, when a security researcher was able to take remote control of smart locks and other devices. (Apple fixed the bug following our reporting.)
Proposed smart home cybersecurity law
The European Union has proposed a law to ensure that all smart home devices comply with cybersecurity requirements, as TechCrunch notes.
The proposed EU Cyber Resilience Act will introduce mandatory cybersecurity requirements for products that have “digital elements” sold across the bloc […]
The draft regulation also has a focus on smart device makers communicating to consumers “sufficient and accurate information” — to ensure buyers are able to grasp security considerations at the point of purchase and set up devices securely after purchase.
Penalties proposed by the Commission for non-compliance for “essential” cybersecurity requirements scale up to the higher of €15M or 2.5% of worldwide annual turnover, with other regulation obligation breaches having a maximum sanction of €10M or 2% of turnover.
Not only would manufacturers have to ensure that their devices are safe when launched, but they would also be required to provide security updates as needed for the full life cycle of the product.
The EU is concerned about broader threats, in addition to the security of residential homes.
With the growth in smart and connected products, a cybersecurity incident in one product can have an impact on the entire supply chain, possibly leading to severe disruption of economic and social activities across the internal market, undermining security or even becoming life-threatening.
The organization believes that its law could be replicated around the world.
While other jurisdictions around the world look into addressing these issues, the Cyber Resilience Act is likely to become an international point of reference, beyond the EU’s internal market. EU standards based on the Cyber Resilience Act will facilitate its implementation and will be an asset for the EU cybersecurity industry in global markets.