CYBERSECURITY FOR CONNECTED PRODUCTS
ANEC and BEUC Position paper
In recent years, consumers’ daily lives have become increasingly connected and digitalised. With the Internet of Things (IoT), the number of connected devices and services has skyrocketed and interconnectivity between products has reached all sectors of society (transport, health, banking, energy, etc.). According to recent estimates from the European Commission, there will be up to six billion connected products by 2020.
The Internet of Things and the proliferation of connected devices bring many benefits to consumers. Connected devices are convenient and simplify numerous aspects of consumers’ daily routines. For example, consumers are now able to track their physical activity, use their energy more efficiently and even open their doors remotely through a smart lock if they have left their keys inside. According to a recent study, 67% of Europeans believe that digital technologies have a positive impact on their quality of life.
However, from a consumer perspective, an increase in the number of connected products is also a cause for concern. More connected products translate into more vulnerabilities for hackers to exploit. As the IoT ecosystem grows, the exposure of connected products to a potential cybersecurity breach also increases. As pointed out by the European Commission, in 2016 more than 4,000 ransomware attacks happened per day. This represents an increase of 300% compared to 2015. In some Member States, half of all crimes are cybercrimes.
One of the key reasons behind the increase of cyberattacks is the lack of security functionalities incorporated in the design of the connected products and/or services. Today, most of the connected devices available in the EU’s Single Market are designed and manufactured without the most basic security features embedded in their software. This has recently become evident with the exposure of two critical security flaws – named ‘Meltdown’ and ‘Spectre’ – in computer processors produced by Intel, AMD and ARM over the last two decades.
Two recent campaigns from Forbrukerrådet in Norway have highlighted the inadequate security mechanisms of popular connected consumer products intended for children – and sold across the EU. The first campaign (#ToyFail), which was launched in December 2016, looked at the technical features of popular connected toys sold in the EU market. It found that, with a few simple steps, anyone could access the microphone of the doll Cayla, one of the connected toys tested, and speak with children through it without their parents’ knowledge.
The second campaign (#WatchOut), which was launched in October 2017, tested the security features of smart watches whose main function is to enable parents to keep in touch with their children and track their real-time location. Again, Forbrukerrådet discovered serious security flaws in these devices, including the possibility for an attacker to easily change the geo-location of the watch (‘location spoofing’) as well as track and contact the child directly.
The Position Paper of ANEC and BEUC provides further information and references, as well as general recommendations to make consumer rights, privacy and security core features of the Internet of Things.