Stop Bad Laws Before They Start

With everything else going on this summer, you might be forgiven for not keeping abreast of new proposed regulatory frameworks, but if you’re interested in software-defined radio (SDR) or even reflashing your WiFi router, you should. Right now, there’s a proposal to essentially prevent you from flashing your own firmware/software to any product with a radio in it before the European Commission. This obviously matters to Europeans, but because manufacturers often build hardware to the strictest global requirements, it may impact everyone. What counts as radio equipment? Everything from WiFi routers to wearables, SDR dongles to shortwave radios.

The idea is to prevent rogue reconfigurable radios from talking over each other, and prevent consumers from bricking their routers and radios. Before SDR was the norm, and firmware was king, it was easy for regulators to test some hardware and make sure that it’s compliant, but now that anyone can re-flash firmware, how can they be sure that a radio is conformant? Prevent the user from running their own firmware, naturally. It’s pretty hard for Hackaday to get behind that approach.

The impact assessment sounds more like advertising copy for the proposed ruling than an honest assessment, but you should give it a read because it lets you know where the commission is coming from. Reassuring is that they mention open-source software development explicitly as a good to be preserved, but their “likely social impacts” include “increased security and safety” and they conclude that there are no negative environmental impacts. What do you do when the manufacturer no longer wants to support the device? I have plenty of gear that’s no longer supported by firmware updates that is both more secure and simply not in the landfill because of open-source firmware.

Similarly, “the increased capacity of the EU to autonomously secure its products is also likely to help the citizens to better protect their information-related rights” is from a bizarro world where you can trust Xiaomi’s home-automation firmware to not phone home, but can’t trust an open-source replacement.

Public comment is still open, and isn’t limited to European citizens. As mentioned above, it might affect you even if you’re not in the EU, so feel free to make your voice heard. You have until September, and you’ll be in some great company if you register your complaints. Indeed, reading through the public comments is quite heartening: Universities, researchers, and hackers alike have brought up reasons to steer clear of the proposed approach. We hope that the commission hears us.

Hackaday Links: July 12, 2020

Based in the US as Hackaday is, it’s easy to overload the news with stories from home. That’s particularly true with dark tales of the expanding surveillance state, which seem to just get worse here on a daily basis. So we’re not exactly sure how we feel to share not one but two international stories of a dystopian bent; one the one hand, pleased that it’s not us for a change, but on the other, sad to see the trend toward less freedom and more monitoring spreading.

The first story comes from Mexico, where apparently everything our community does will soon be illegal. We couch that statement because the analysis is based on Google translations of reports from Mexico, possibly masking the linguistic nuances that undergird legislative prose. So we did some digging and it indeed appears that the Mexican Senate approved a package of reforms to existing federal copyright laws that will make it illegal to do things like installing a non-OEM operating system on a PC, or to use non-branded ink cartridges in a printer. Reverse engineering ROMs will be right out too, making any meaningful security research illegal. There appear to be exceptions to the law, but those are mostly to the benefit of the Mexican government for “national security purposes.” It’ll be a sad day indeed for Mexican hackers if this law is passed.

The other story comes from Germany, where a proposed law would grant sweeping surveillance powers to 19 state intelligence bodies. The law would require ISPs to install hardware in their data centers that would allow law enforcement to receive data and potentially modify it before sending it on to where it was supposed to go. So German Internet users can look forward to state-sponsored man-in-the-middle attacks and trojan injections if this thing passes.

OK, time for a palate cleanser: take an hour to watch a time-lapse of the last decade of activity of our star. NASA put the film together from data sent back by the Solar Dynamics Observatory, a satellite that has been keeping an eye on the Sun from geosynchronous orbit since 2010. Each frame of the film is one hour of solar activity, which may sound like it would be boring to watch, but it’s actually quite interesting and very relaxing. There are exciting moments, too, like enormous solar eruptions and the beautiful but somehow terrifying lunar transits. More terrifying still is a massive coronal mass ejection (CME) captured in June 2011. A more subtle but fascinating phenomenon is the gradual decrease in the number of sunspots over the decade as the Sun goes through its normal eleven-year cycle.

You’ll recall that as a public service to our more gear-headed readers that we recently covered the recall of automotive jack stands sold at Harbor Freight, purveyor of discount tools in the USA. Parts for the jack stands in question had been cast with a degraded mold, making the pawls liable to kick out under load and drop the vehicle, with potentially catastrophic results for anyone working beneath. To their credit, Harbor Freight responded immediately and replaced tons of stands with a new version. But now, Harbor Freight is forced to recall the replacement stands as well, due to a welding error. It’s an embarrassment, to be sure, but to make it as right as possible, Harbor Freight is now accepting any of their brand jack stands for refund or store credit.

And finally, if you thought that the experience of buying a new car couldn’t be any more miserable, wait till you have to pay to use the windshield wipers. Exaggeration? Perhaps only slightly, now that BMW “is planning to move some features of its new cars to a subscription model.” Plans like that are common enough as cars get increasingly complex infotainment systems, or with vehicles like Teslas which can be upgraded remotely. But BMW is actually planning on making options such as heated seats and adaptive cruise control available only by subscription — try it out for a month and if you like it, pay to keep them on for a year. It would aggravate us to no end knowing that the hardware supporting these features had already been installed and were just being held ransom by software. Sounds like a perfect job for a hacker — just not one in Mexico.

EARN IT: Privacy, Encryption, And Policing In The Information Age

You may have heard about a new bill working its way through the US congress, the EARN IT act. That’s the “Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020”. (What does that mean? It means someone really wanted their initials to spell out “EARN IT”.)

EARN IT is a bipartisan bill that claims to be an effort to put a dent in child exploitation online. It’s also managed to catch the attention of the EFF, Schneier, and a variety of news outlets. The overwhelming opinion has been that EARN IT is a terrible idea, will make implementing end-to-end encryption impossible, and violates the First and Fourth Amendments. How does a bill intended to combat child pornography and sex trafficking end up on the EFF bad list? It’s complicated.

Continue reading “EARN IT: Privacy, Encryption, And Policing In The Information Age”

California Looks To Compel IoT Security

There is a bill going through committee in the state of California which, if passed, would require a minium level of security for Internet of Things devices and then some. California SB 327 Information privacy: connected devices in its original form calls for connected device manufacturers to secure their devices, protect the information they collect or store, indicate when they are collecting it, get user approval before doing so, and be proactive in informing users of security updates:

require a manufacturer that sells or offers to sell a connected device, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is collecting information and to obtain consumer consent before it collects or transmits information, as specified. The bill would also require a person who sells or offers to sell a connected device to provide a short, plainly written notice of the connected device’s information collection functions at the point of sale, as specified. The bill would require a manufacturer of a connected device to provide direct notification of security patches and updates to a consumer who purchases the device.

This is just a proposal and will change as it finds its way through committee. Currently there a really no methods of punishment outlined, but recent comments have suggested individual prosecutors may have latitude to interpret these cases as they see fit. Additionally it has been suggested that the devices in question would be required to notify in some way the user when information is being collected. No language exists yet to clarify or set forth rules on this matter.

The security community has been sounding the cry of lackluster (often lack of) security on this growing army of IoT hardware and we’ve all known one day the government would get involved. Often this type of action requires a major event where people were in some way harmed either physically or financially that would push this issue. Denial of service attacks have already occurred and hijacking of webcams and such are commonplace. Perhaps what we saw in September finally pushed this into the limelight.

Any reasonable person can see the necessity of some basic level of security such as eliminating default passwords and ensuring the security of the data. The question raised here is whether or not the government can get this right. Hackaday has previously argued that this is a much deeper problem than is being addressed in this bill.

The size of California’s economy (relative to both the nation and the world) and the high concentration of tech companies make it likely that standards imposed if this law passes will have a large effect on devices in all markets.