Security of connected objects: Europe takes action

These seemingly innocuous devices are increasingly used and installed in private homes. Problem is, by being connected, they collect more or less sensitive data about our private lives, which are then stored on servers.

As many products are manufactured by Chinese manufacturers and/or marketed by American brands, we can legitimately ask the question of the use made of this mass of information.

Even though the GDPR has been strengthening the protection of the personal data of all European citizens for 5 years, various cases have made the headlines regarding excessive exploitation or too low a level of security of this data.

In 2019, the data of 2.4 million users of Wyze, a maker of security devices, had been leaked. The same year, the CNIL already warned against devices that were starting to be more and more present in our kitchens, robots.

To strengthen the protection of personal data, Parliament and Council negotiators announced a provisional agreement on proposed legislation on cybersecurity requirements for products with digital elements.

Data going to the cloud

According to the Cyber ​​Resilience Act (Cyber ​​ACT), connected devices will need to benefit from a basic level of cybersecurity when sold in the EU. The provisionally adopted text maintains the general orientation of the Commission’s proposal, in particular with regard to the following points:

• rules to rebalance the responsibility for compliance towards manufacturers, who must fulfill certain obligations such as providing cybersecurity risk assessments, issuing declarations of conformity and cooperating with competent authorities;
• the vulnerability handling processes for manufacturers to ensure the cybersecurity of digital products, and the obligations of economic operators, such as importers or distributors, with regard to these processes;
• measures to improve transparency on the security of hardware and software products for consumers and professional users;
• a market surveillance framework to enforce the rules.

But the cybersecurity of these products will not be so simple to establish. Currently, the majority of them have very low levels of cybersecurity, resulting in widespread vulnerabilities.

Under certain conditions, these connected devices can serve as an attack vector for malicious actors. Under condition of anonymity, a hacker explained to us that it is indeed very easy to access surveillance cameras installed in private homes.

“In most cases, brands’ default passwords are not changed. By scanning the IP addresses of these devices, I easily find a way to watch the living room of individuals… I just need to know the reference of the camera to then find the factory-generated password on the internet..

Another risk is the recovery of personal data without your knowledge. In November 2022, British security expert Paul Moore published a video in which he accused the manufacturer Eufy of sending data to the cloud, even if this option is disabled.

To reinforce the level of security and ensure transparency from manufacturers, work will continue at the technical level in the coming weeks, in order to finalize the details of the new regulation.