The European Commission is drafting new cybersecurity rules for Internet of Things (IoT) devices after a number of European security firms have warned that current IoT devices come with little or no security features, according to a report from security blogger Brian Krebs.
The rules would apply to devices like smart home devices, web-connected security cameras, DVRs and routers.
According to Krebs, the commission is drafting the new security requirements for IoT devices as part of an overhaul of the European Union’s telecommunications laws.
“The commission would encourage companies to come up with a labeling system for internet-connected devices that are approved and secure,” according to Catherine Stupp, a reporter for Euractive.com, who first reported on the potential rule changes. “The EU labeling system that rates appliances based on how much energy they consume could be a template for the cybersecurity ratings.”
Devices that Krebs noted could be particularly vulnerable to cybersecurity breaches are white-labeled DVRs and IP cameras made by a Chinese company called XiongMai Technologies, which are sold to vendors who use the devices in their own products. Krebs said devices made by XiongMai Technologies contain a very hackable default username and password built into their firmware.
“The issue with these particular devices is that a user cannot feasibly change this password,” according to Flashpoint’s Zach Wikholm. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present.”