The new EU Product Safety Regulation 2023/988, which becomes mandatory in December 2024, introduces significant changes for manufacturers, retailers, and importers. The increasing digitalization and the trend toward connected products impose new demands on product and IT security. In this blog post, we explore how penetration testing can help meet these requirements, identify the stakeholders involved, and explain how a service provider like us can support them.
Why Are Penetration Tests Critical for Product Safety?
Connected products such as smart home devices, wearables, or Industry 4.0 systems open up new opportunities but also bring risks from cyberattacks. The EU regulation requires manufacturers to conduct comprehensive risk analyses that address both physical and digital threats (IHK: Security of ICT and IoT Products, Productkanzlei: Product Safety Law 2024). Penetration tests are a key tool to identify and fix digital vulnerabilities early.
Specifically, penetration tests provide:
Detection of Security Vulnerabilities: By simulating realistic attacks, penetration tests uncover weaknesses in software, firmware, and network interfaces.
Verification of Cybersecurity Features: The regulation mandates that connected products must be resistant to foreseeable attacks. Penetration tests evaluate these requirements in practical scenarios (What Changes in 2024: …, Product Safety: New...).
Proof of Compliance: The results of these tests serve as documentation to demonstrate adherence to product safety regulations.
Examples from Penetration Testing in Practice:
Hardcoded Backdoors
IoT Security Cameras: Some models have been found to contain hardcoded, unchangeable administrator passwords. Attackers can exploit this vulnerability to access live feeds or use the device as an entry point into the network.
Routers: Older Wi-Fi routers often include standardized credentials like "admin/admin" that cannot be removed or disabled, leaving networks vulnerable to external attacks.
Debug Interfaces with Trivial System Access
Smart TVs: Certain models include open debugging interfaces such as UART or JTAG, which allow attackers to take control of the devices if they have physical access or an unprotected network connection.
Industrial Control Systems (ICS): Many control units feature unsecured debug interfaces, enabling attackers to manipulate firmware code directly, posing significant risks in critical environments such as production facilities.
Unencrypted Transmission of Sensitive Data
Smart Locks: Some smart locks communicate via unencrypted Bluetooth or Wi-Fi connections, making it possible for attackers to intercept passcodes or access credentials.
Mobile Banking Apps: Cases have been identified where sensitive information, such as usernames and passwords, is transmitted in plaintext over HTTP to servers, allowing attackers to steal this data through simple sniffing.
IoT Devices: Smart home assistants frequently transmit data such as voice commands or user IDs in unencrypted form, which can be intercepted and misused by third parties.
These real-world scenarios highlight the importance of using penetration testing to identify such vulnerabilities in products. This not only ensures compliance with the new EU regulation but also protects consumers from potential misuse.
Who Needs to Address Product Safety?
The new regulation affects a variety of stakeholders:
Manufacturers: They bear primary responsibility for the safety of their products, including conducting risk analyses and safety assessments (BTL Rechtsanwälte).
Importers: They must ensure that the products meet EU requirements and are properly documented (What Changes in 2024: …).
Retailers: They are obligated not to sell unsafe products and to take corrective actions if known safety deficiencies exist (IHK: Security of ICT and IoT Products).
Online Marketplaces: They have new obligations to ensure the safety of products offered on their platforms (Productkanzlei: Product Safety Law 2024).
Challenges and How We Can Address Them Together
Challenges for Companies
Complexity of Safety Requirements: Integrating cybersecurity into product safety requires specialized knowledge.
Proof of Compliance: Preparing technical documentation and conducting risk analyses is time-consuming and requires expertise.
Responsiveness to Security Incidents: Companies need to establish communication channels and implement procedures for swift responses.
Our Support as a Penetration Testing Provider
Customized Risk Analysis: We assist in identifying product-specific threats and offer tailored testing methods.
Comprehensive Security Assessments: In addition to digital security, we evaluate physical and software-related risks.
Training and Consulting: We provide workshops to raise awareness about cybersecurity and help optimize internal processes.
Regular Audits: Through ongoing testing, we help identify new vulnerabilities and ensure long-term product safety, for example, after significant feature updates.
Investing in Security Pays Off
The requirements of the new EU Product Safety Regulation are stringent – but achievable. Penetration testing offers an efficient way to ensure product safety and meet legal obligations. We invite you to contact us and work together to develop a tailored security plan for your products. Protect not only your customers but also your brand and market access.
Secure the future of your products now – reach out to us for a no-obligation consultation!