The end of leaky computers, programs and primitive passwords in the EU – Connect.cz


While the authorities keep a watchful eye to prevent, for example, carcinogenic rubber ducks from entering the toy market, even in 2024 you can still buy a home Wi-Fi router with a shared default administrator password, which many people forget to change and which any neighbor behind the wall can Google in a few seconds.

But that will soon come to an end, as legislators around the world are preparing new legislation that finally recognizes that a leaky program, a leaky operating system, leaky Bluetooth toys and, of course, those home Wi-Fi routers can be a disaster for the national economy as well.

Lists of default passwords for managing Wi-Fi routers like this one will hopefully finally become a thing of the past. They used to be the easiest way to get free internet in every other apartment building.

Great Britain is the first in the world

Great Britain is the first country in the world where the Product Safety Act (PSTI), which has been in preparation for years, comes into full force these days. With its arrival, products with weak encryption, those primitive default passwords and those that are simply leaky will disappear from the UK market, however little the manufacturers may care.

Simply put, PSTI sets a new standard for minimal cyber security.

One of the simplest solutions is to have a unique default password for each device
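The caption above names the fix for the shared-default-password problem: every unit leaves the factory with its own credential. The following is an added example, not code from the article or from any manufacturer, showing how a provisioning step could generate such per-device credentials from a CSPRNG, keep them printable on a label, and check a whole batch for duplicates, known shared defaults and insufficient entropy. The alphabet, the minimum entropy of 64 bits and the list of shared defaults are assumptions made for the example.

```python
import math
import secrets

# Alphabet without look-alike characters (0/O, 1/l/I), so a credential
# printed on the device label is unambiguous. Assumed for this example.
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"

# Constructed sample of shared factory defaults that must never ship.
SHARED_DEFAULTS = {"admin", "password", "1234", "root"}


def credential_entropy_bits(length: int, alphabet: str = LABEL_ALPHABET) -> float:
    """Entropy of a uniformly random string of this length over the alphabet."""
    return length * math.log2(len(alphabet))


def generate_device_credential(length: int = 14) -> str:
    """Draw each character with secrets.choice (CSPRNG), never random.random."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def provision_batch(serials) -> dict:
    """Assign a distinct credential to every serial number in a production batch."""
    credentials = {}
    used = set()
    for serial in serials:
        credential = generate_device_credential()
        # Collisions are astronomically unlikely at ~81 bits, but cheap to rule out.
        while credential in used:
            credential = generate_device_credential()
        used.add(credential)
        credentials[serial] = credential
    return credentials


def batch_is_compliant(credentials: dict, min_bits: float = 64.0) -> bool:
    """Reject a batch that reuses a credential, ships a known default,
    uses characters outside the label alphabet, or is too short to matter."""
    values = list(credentials.values())
    if len(set(values)) != len(values):
        return False  # two devices share a password: the exact problem above
    for credential in values:
        if credential.lower() in SHARED_DEFAULTS:
            return False
        if any(ch not in LABEL_ALPHABET for ch in credential):
            return False
        if credential_entropy_bits(len(credential)) < min_bits:
            return False
    return True


if __name__ == "__main__":
    batch = provision_batch(["SN-0001", "SN-0002", "SN-0003"])  # constructed serials
    for serial, credential in batch.items():
        print(serial, credential)
    print("compliant:", batch_is_compliant(batch))
```

The compliance check is the part worth keeping in a production line: it catches the regression where someone replaces the generator with a fixed string "for testing" and the whole batch ships with one password.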

The end of leaky programs and boxes in the EU

Europe will follow the same path. If all goes according to plan, sometime at the end of the decade we will learn the new acronym CRA – Cyber Resilience Act (Czech version of the proposal) and the new term product with digital elements.

Such a product is “any software or hardware product and its remote data processing solutions,” as Article 3 puts it, but translated into plain language it is simply any crap connected to the internet: the app on your phone, the phone’s operating system and finally the phone itself.

The EU will especially shine a light on browsers, password managers and network elements

If you ever want to manufacture, import and distribute such a product in EU countries, the Cyber Resilience Act will have a bunch of obligations ready for you, depending on whether it is just a rubber duck with Bluetooth or something much more important.

If you have any of this at home (right now in your hands or looking at it) it will need to be extra secure

These will be called critical products with digital elements and will be further divided by (in)security into two classes, I and the stricter II. European authorities can add other products to the list even after the act is approved, according to the state of technological development, and regulate them additionally.

No more leaks of insecure databases

So let’s say that in 2031 you make some program or toy that will connect to the internet and require an account. Because you saved on programmers, the account will only be secured with a primitive password seven characters long.

All this will have to be fulfilled by every product with digital elements

With the advent of the CRA, it should be a real problem. In Annex I, there is a list of security requirements for (any) product with digital elements, and immediately in paragraph 3c) it is written that you will have to protect everything “through state-of-the-art mechanisms.”

In 2031, that will certainly no longer mean a seven-character password and HTTP without encryption, nor passwords stored in plain text or in obsolete hashes on the server side, as is still the case in some places today, after which everyone is surprised that someone once again leaked a database full of readable user accounts.
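To make the contrast in the two paragraphs above concrete, here is an added example (not code from the article) showing the legacy pattern it criticizes, an unsalted fast hash, next to the kind of server-side handling that the “state-of-the-art mechanisms” wording points toward: a length and blocklist check before storage, salted PBKDF2-HMAC-SHA256 with a high iteration count, and constant-time verification. The minimum length of 12, the iteration count and the blocklist are assumptions for the example; the article only says that seven characters will not do.

```python
import hashlib
import hmac
import os

# Assumed policy values for this example.
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 600_000

# Constructed sample of well-known passwords a product should refuse outright.
COMMON_PASSWORDS = {"password", "admin", "12345678", "qwerty123"}


def legacy_store(password: str) -> str:
    """The pattern the article warns about: an unsalted, fast hash.

    Every user with the same password gets the same digest, and MD5 is
    cheap enough that a leaked table falls to precomputed lookup tables.
    Shown only for contrast; never use this in a product.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def password_acceptable(password: str) -> bool:
    """Reject short or well-known passwords before they are ever stored."""
    return (
        len(password) >= MIN_PASSWORD_LENGTH
        and password.lower() not in COMMON_PASSWORDS
    )


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256.

    The record is self-describing (algorithm, iterations, salt, digest), so the
    iteration count can be raised later without invalidating old records.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    chosen = "correct horse battery staple"
    print("legacy md5 of 'password':", legacy_store("password"))  # same for every user
    record = hash_password(chosen)
    print("stored record:", record)
    print("verify right/wrong:", verify_password(chosen, record), verify_password("wrong", record))
```

The point of the salt shows up when you hash the same password twice and get two different records: a leaked table no longer reveals which users share a password, and each record has to be attacked on its own. A memory-hard function such as Argon2id would be the stronger choice where a dependency is acceptable; PBKDF2 is used here because it ships with the standard library.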

Petr Novák has a problem, because according to the website Have I been pwned, his e-mail is part of 22 different data breaches, for which no one was usually punished significantly

The definition of an insecure interface would most likely cover the popular MQTT protocol in its unencrypted form, which many current smart home boxes use to communicate with the control server.

Years ago, thanks to this, I was able to connect to a certain British household and monitor practically everything, starting with the state of the lighting in the house and ending with the geographical location of its inhabitants.

We eavesdropped on a leaky household: Katka from Brighton is sitting at home while her husband plays golf

My product is vulnerable, so I am reporting this to the authorities immediately

When something goes wrong and your product turns out to be as leaky as Emmental (because you saved, after all), you will have to arrange a remedy. And in style. Not only will you have to report to the European cyber security agency ENISA, but the CRA of course requires you to also inform your customers immediately and, where possible, produce a patch.

By the way, how many times have you updated the firmware of an older home Wi-Fi router? Just a few years ago, it was a complete rarity even for quite expensive domestic models costing thousands. For other manufacturers, on the other hand, continuous security updates were the main selling point – after all, that is how the Czech Turris project started years ago.

I will tell the customer everything and without hesitation

Manufacturers’ communication will have to be transparent, fast and factual at the same time. If something goes wrong, the manufacturer won’t be able to hide it for weeks and months. They will publish, properly and thoroughly, what the problem was, what its effects might have been, and everything that needs to be done to fix it. And again, we’re not talking about some multi-million network B2B solution with more diligent support – these obligations will apply to virtually all products with digital elements.

And finally, all this will go on for years. No more of the relationship with the customer essentially ending once the goods are shipped. No! The CRA ideally counts on five years during which the manufacturer will continuously test its product, look for flaws in it and inform all interested parties.

And if not, I’ll face a draconian fine

Finally, the most important thing. Let’s say it’s still 2031, I’ve made some kind of connected box, toy or program, I’m trying to sell it in the EU and I fall foul of the CRA legislation.

What am I in danger of?

This is covered in Article 33 under the all-encompassing subtitle Sanctions. And the fines will be big: “for non-compliance with the essential cyber security requirements (abbreviated) administrative fines of up to EUR 15,000,000 will be imposed,” the draft act says.

Well, if a big fish does it, the administrative purse swells with a fine of up to 2.5% of its total worldwide annual turnover for the previous financial year.

Legislators propose slightly smaller fines for milder offenses. For example, if I provide false information. For example, if I try to hide that even an average high schooler can crack my password manager.

Yesterday was too late

CRA legislation is definitely needed, as responsibility for cyber security is still largely shifted onto the end user. And even though individual responsibility is the alpha and omega of any security (the company invested millions in a firewall, but a week later the director clicked a phishing link and typed in his login and password), that does not take the primary responsibility away from the manufacturer.

Cyberattacks in the Czech Republic: Patient 0 is often accountants, secretaries and other white-collar workers

Just as a car company is responsible for an exploding car engine and has to fix it, so should anyone who makes a poorly secured piece of code or a physical product and wants to sell it to us.
