Bad Homburg, April 29th, 2021 – Digital association Bitkom criticized the German government’s newly passed IT Security Act 2.0, describing it as “a combination of technical certification machinery and political-regulatory discretion with questionable added value for IT security.” However, Rainer M. Richter, IT security expert and CEO of IoT Inspector, disagrees: “The law is long overdue and finally includes all devices used in IT networks – including the millions of IoT devices. The recent example in the U.S. – where products from five well-known companies and OEMs were explicitly banned from government use due to security concerns – shows the importance of regulation for such devices.” His team has developed an enterprise solution that can detect all vulnerabilities in IoT devices’ firmware in a matter of minutes. For hackers, smart helpers – from vacuum cleaner robots to routers, through lighting control to locking systems or security cameras with IP connections – are a Trojan horse that can easily be used to penetrate secured networks.
In September 2020, hackers also exploited a security gap in the firmware of a Citrix network device when they attacked the University Hospital in Düsseldorf. It took a whole month before this health facility could resume regular operations. “Anyone who then still claims that legal regulation offers questionable added value here has obviously not recognized the signs of the times, or is not aware of just how tremendous the risks are,” sums up Rainer M. Richter of IoT Inspector. The company continuously analyzes IoT devices of all kinds for research purposes, and thus regularly uncovers vulnerabilities that can be abused by hackers on a large scale within a very short time.
Operators of critical infrastructures (CRITIS) will be required to deploy attack detection systems within their IT structure from January 1st, 2022. This applies to around 90 hospitals nationwide that serve more than 30,000 full inpatients per year. The white hats – ethical hackers – at IoT Inspector welcome the BSI’s new position. “This step is both appropriate and logical, as the threat level from cybercrime in Germany remains at a tense high level,” added Arne Schönbohm, President of the BSI (German Federal Office for Information Security).
Banned in the U.S. for use in public authorities and public networks, granted dangerous administrator rights in the network of provider KPN in the Netherlands and thus suspected of espionage, Chinese manufacturer Huawei is also expected to provide components for the expansion of the 5G mobile network in Germany. If the BSI issues a ban based on the new IT security law, this risk would be eliminated. “It must become clear that not only computers, data centers and servers are a risk. In fact, every device with wired or wireless network access is. Any vulnerability within such devices is a potential gateway for cybercriminals – nine out of ten IoT devices we sampled were found to present security vulnerabilities. It is imperative things change,” demands Rainer M. Richter from IoT Inspector.