Bitkom vs IT Security: New Law Offers “Questionable Added Value”

Rainer M. Richter: “According to our random samples, nine out of ten IoT devices show security vulnerabilities.”

Bad Homburg, April 29th, 2021 – The digital association Bitkom has criticized the German government’s newly passed IT Security Act 2.0, describing it as “a combination of technical certification machinery and political-regulatory discretion with questionable added value for IT security.” Rainer M. Richter, IT security expert and CEO of IoT Inspector, disagrees: “The law is long overdue and finally includes all devices used in IT networks – including the millions of IoT devices. The recent example in the U.S. – where products from five well-known companies and OEMs were explicitly banned from government use due to security concerns – shows the importance of regulation for such devices.” His team has developed an enterprise solution that can detect all vulnerabilities in IoT device firmware in a matter of minutes. For hackers, smart helpers – from vacuum cleaner robots and routers to lighting controls, locking systems and IP-connected security cameras – are a Trojan horse that can easily be used to penetrate otherwise secured networks.

Hacker Attack On Clinic Bore Serious Consequences

In September 2020, hackers exploited a security gap in the firmware of a Citrix network device in their attack on the University Hospital in Düsseldorf. It took a whole month before the hospital could resume regular operations. “Anyone who still claims that legal regulation offers questionable added value here has obviously not recognized the signs of the times, or is not aware of just how tremendous the risks are,” sums up Rainer M. Richter of IoT Inspector. The company continuously analyzes IoT devices of all kinds for research purposes, and in doing so regularly uncovers vulnerabilities that hackers can abuse on a large scale within a very short time.

A Duty To Secure Critical Infrastructures

Operators of critical infrastructures (CRITIS) will be required to deploy attack detection systems within their IT infrastructure from January 1st, 2022. This applies to around 90 hospitals nationwide that serve more than 30,000 full inpatients per year. The white hats – ethical hackers – at IoT Inspector welcome the BSI’s new position. “This step is both appropriate and logical, as the threat level from cybercrime in Germany remains at a tense high level,” added Arne Schönbohm, President of the BSI (German Federal Office for Information Security).

Huawei Also Under Scrutiny

Banned in the U.S. for use by public authorities and in public networks, and suspected of espionage after being granted dangerous administrator rights in the network of the Dutch provider KPN, Chinese manufacturer Huawei is nevertheless expected to provide components for the expansion of the 5G mobile network in Germany. Should the BSI issue a ban under the new IT security law, this risk would be eliminated. “It must become clear that not only computers, data centers and servers are a risk. In fact, every device with wired or wireless network access is. Any vulnerability within such devices is a potential gateway for cybercriminals – nine out of ten IoT devices we sampled were found to present security vulnerabilities. It is imperative things change,” demands Rainer M. Richter from IoT Inspector.



ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development and production through to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritization of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.



Sara Fortmann

Marketing Manager


euromarcom public relations GmbH

+49 611 973 150