2FA / MFA - EU legal requirement
Hi, I've created a new post to again highlight the importance of this to Tado. Without 2 factor authentication/MFA, Tado will soon be in breach of EU law.
In 2022, the EU Commission proposed the Cybersecurity Resilience Act (CRA) which introduces mandatory cyber controls to, amongst other things, IoT devices including Tado products. The CRA is likely to be agreed before the European Parliament elections in early 2024.
The CRA forces manufacturers to ensure consumers can use products securely, and products with digital elements must comply with extensive cybersecurity requirements. Tado will have to perform a compliance assessment and implement "secure by design".
Tado will also be classed as a "high risk" product like a smart meter device, as it has potential to cause real world harm. For example, increasing the heat in a baby's room to dangerous levels, or turning off heating in an elderly person's house, both represent risk to life.
If manufacturers like Tado do not comply with the Act, the EU authority and member states can prohibit the product from being sold within the EU. In addition, fines of up to Eur15million or 2.5% of global turnover can be levied.
As a new Tado customer I expected MFA and was surprised it's not implemented. These kind of cyber controls cannot be popularity contest, voted on as part of a product feature roadmap. They are essential core secure-by-design requirements especially when a product can cause real world harm. Facebook offers 2FA, banks & Mastercard use 2FA, so the argument that it's "too complicated for users" is false.
I've created a new post because several of the previous posts have "personal want" or "power user feature" objections, and none highlighted the strong argument that the EU will be able to fine Tado and shut down your business without essential cyber controls.
Other people with cyber certifications have posted on this and I fully agree with their comments. I'm head of cyber for a global $billion tech company and regularly deal with these challenges, so please trust that this cannot be ignored. If Tado would like to informally discuss further please feel free to get in touch via my email.
Comments
-
Having purchased Tado products on Amazon, I have been asked by Amazon Answers 'Does the app require two factor authentication' - I have had to reply that it doesn't and I am concerned that I can see no indication that Tado intends to introduce 2FA in the near future.0
-
If it becomes law then they will have to comply. However, I'm sure there will be a grace period for companies to implement and/or sell old stock
I'm not familiar with the requirement but if it requires changes at the device level, I suspect Tado will not implement it for existing hardware and move forward with a new generation of devices. This will leave existing installations at more risk but TBH, I don't think the EU could do much about that as I'm sure there are millions of IoT devices out there that also won't be compliant
0 -
@cdmstr Are you referring to '2-factor authentication for payments in the EU'?
0 -
Tick tock, tado.
https://ec.europa.eu/commission/presscorner/detail/en/IP_23_6168
EU Commission welcomes political agreement on Cyber Resilience Act.
"Manufacturers of hardware and software will have to implement cybersecurity measures across the entire lifecycle of the product, from the design and development, **** to after the product is placed on the market ****"
davidlyall - fyi tado is fully able to implement 2FA/MFA on their current platform.0 -
@GrayDav4276 the explanation of how it works is too complex for this forum. In simple terms, with exception of the bridge, tado devices are dumb and receive commands from cloud API via the bridge. The bridge uses oauth2 login to the tado cloud API, this is all set up when you set up your bridge and use the app etc. Implementing 2FA alongside a standard token login / oauth2 is simple and is done by many, many service providers. It won't require new tado hardware, just app and cloud side code.
I've massively oversimplified this to make it understandable.0 -
Implementing 2FA has nothing to do with the hardware/devices. Tado will use the same cloud infrastructure and platform to support the next generation of hardware. They will simply update app code and back end infrastructure/api to support any new hardware features. Multi factor authentication is (/would be) entirely handled by the app and the cloud service.
All tado hardware is dumb, excluding the bridge, and all tado intelligence is served by the cloud API. This is why there are so many issues with device behaviour, backup schedules when internet access is unavailable etc. This won't change, because that would require a wholesale rearchitecture of both the hardware and cloud platform, which tado absolutely won't do. This is why the argument "they won't do MFA/other API driven feature because they're working on the next generation" is wrong - it's actually more work for them to not implement next generation API improvements onto the current generation, because to do so requires an entirely separate infrastructure architecture. Cost ineffective, unless they get a huge cash injection and are prepared to junk their entire existing tech base.
In plain English - if they implement MFA as part of the next generation of hardware release, it will pretty much be automatically implemented for the current generation. And tado will shortly be legally obliged to implement MFA as part of secure-by-design under the incoming EU cyber resilience act.
So, tick tock.0 -
I hope tado is getting ready for their certification and reporting requirements under the EU Cyber Resilience Act, which they will fail without secure by design patterns including MFA.
Interesting that Panasonic and tado just signed a large cooperation partner deal.
If tado are sensible, a significant amount of the cash and manpower from that deal will be used to properly secure the product set. Before, y'know, the platform gets compromised and a resulting malfunction in a heating system is identified as the contributing factor to a serious harm or death. I wouldn't like to be the board facing a corporate manslaughter charge...0 -
They have 1-2 years to report their finding and another year to implement. Which means, 3 years after the law came into effect. Not really that much of a rush.
And manslaughter? Come on...
0 -
Lack of basic industry standard cybersecurity controls resulting in compromise is, legally, negligence. Simply look at the number of for example ICO fines for data breaches caused by poor practice.
Then consider if an attacker compromises the API platform, which completely controls all tado device intelligence. If the attacker increases the heat demand in summer, or disables heating in winter, it's not a leap of imagination to consider the danger to young babies, vulnerable or elderly people sleeping in a room with TRV.
How many tado users have a simple, weak or guessable password? And if tado hasn't implemented basic MFA for an API platform, it's likely their security design is lacking in other areas.
So, yes, corporate manslaughter due to failure to implement basic cybersecurity controls.
There is a reason the EU CRA is becoming law. It's exactly because of cases like this.-1 -
PSTIA is now UK law. Although it currently only mandates the most basic and weakest of controls, the direction of travel for IOT manufacturer cybersecurity obligations is clear.
"The UK’s consumer connectable product security regime comes into effect on 29 April 2024. Businesses in the supply chains of these products need to be compliant with the legislation from that date."0 -
@Emcee please can you advise Tado's position.0
-
@Emcee I think you and your colleagues are misunderstanding the law. You are correct that it does not explicitly say the phrase "MFA is required".
However it does mandate Secure by Design and risk assessment and enhanced measures for IoT providers in high risk categories, which includes Tado. Any competent auditor will find that a lack of strong authentication equals non compliance.
May I also draw your attention to the recent £6m the ICO levied on ACSG because - amongst other things - they did not implement MFA.
https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2024/08/provisional-decision-to-impose-6m-fine-on-software-provider-following-2022-ransomware-attack/
"This includes taking steps to assess and mitigate risks, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date"
Regardless, any competent cyber risk analyst will tell you that MFA or similar is critical to your service. Debating that fact is pointless.
I'm sure you can see my private profile information, to validate the basis of my expert opinion. As above I'm very happy to have an informal discussion privately about this.
Thank you0 -
@cdmstr
Ultimately, this is the hands of my colleagues, but I will continue to raise the topic.
Out of curiosity how are "IoT providers in high risk categories" designated? And why do you think tado° would be one of those?
I can appreciate you are very knowledgeable regarding this topic, so I am asking in good faith 🙂0 -
@Emcee your questions need a longer answer and justification discussion than a forum can provide, but let me give you the overview & point you in the right direction. I would expect Tado to have suitable GRC experts supporting the business who understand this in detail. If Tado doesn't, that's a significant issue.
Tado falls under the definition of a CRA class 1 product, requiring further conformity assessment. Please read the list under CRA Annex III here:
.FYI there is also still a debate about the scope of CRA classification of devices where measurable "physical world" impact could result from "digital" compromise. This is why Smart Meter gateways are a class 2 product and subject to the strictest controls.
Tado could arguably sits in this class 2 category for the reasons I explained above - a compromise of your platform can result in real world harm in a similar manner to smart meter gateways. For example, turning the heating off in winter, or boosting heating in summer, will both pose threat to health for elderly and young children. Over-heating can also create financial impact to consumers via increased energy bills. And that aside, as you store all usage, config and scheduling data in your cloud platform, a bad actor who gained access to that information could use it in multiple ways (which I'm not going to explain further here).
According to press release tado sold over 2m thermostats in 2022 (https://www.tado.com/gb-en/press-releases/3milsales), meaning the potential scope of compromise could have large scale impact similar to smart meter gateways. Your platform is a prime target for organized and nation state attacks because you will be an easier target than critical national infrastructure, and yet have a similar impact (For example, 2m Europeans unable to heat their homes in winter is an attractive threat/outcome for some bad actors).
The CRA will require you to declare conformity with Act principles. Amongst other Act obligations you are required to perform risk assessments and implement Secure By Design principles. As I posted previously, any competent infosec/cybersec auditor will expect to see risks listed that include various levels of compromise of your platform, which by definition has to fall out of tolerance, and therefore requires a risk treatment plan. Failing to deliver on that plan is a breach of the CRA, which also includes the "obligation to provide duty of care for the entire lifecycle" of the product.
To help you understand what Secure By Design is, the following page is the UK Gov explanation:
. You'll see how it's aligned to my explanation above about risk management, and the secure principles and approaches expected. Now whilst I accept this is specific to UK Gov service providers, it's (1) built on a strong infosec foundation and is (2) applicable to and re-used by private sector. I've provided this link as it's provides a simpler, clearer explanation than trying to direct you through industry standards.As you hopefully now see, the CRA infosec requirement on Tado (and all manufacturers) is significant. It reaches far beyond just MFA, but MFA is a key technology to keep consumers safe. It is widely used, known and understood, meaning there's no consumer side knowledge barrier to implement, and it immediately mitigates a significant risk to your customers. The lack of MFA (when you're using core libraries that already offer this functionality) does also lead me to think Tado has lax infosec practices across the business and lifecycle.
Here's a hypothetical scenario for you, which is deliberately silly to show the principle but not give an instruction manual. I can go to Amazon and pull a list of everyone who has reviewed a Tado product. I can use their Amazon profile to find some information about them - perhaps a name, a pseudo-email address, or a photo to reverse image search. I can take this information and put it into a well known website that lists data breaches. I may then find that person's information and passwords in a data breach. Considering a huge number of people reuse passwords (Google survey said 65%
), I may get lucky and also find they've reused their credentials or some permutation thereof for their tado account. Credential stuffing 101.Without MFA protecting the login, I can control that person's physical environment. I'm sure some people will dismiss that as nonsense but it demonstrates the principle. Let's remember that nation states will happily dedicate large numbers of people to these kinds of activities, such as troll farms (https://www.gov.uk/government/news/uk-exposes-sick-russian-troll-factory-plaguing-social-media-with-kremlin-propaganda).
A forum is a very difficult place to properly articulate the risks, obligations and issues. We've not touched on all the other CRA obligations, GDPR obligations etc. We haven't discussed how Tado infrastructure is designed and protected. I'm simply posting here as a consumer, to highlight one issue that I can see and concerns me (MFA).
The only viable approach for Tado as a business is to engage expert GRC and infosec consultants to properly assess security posture. Again, happy to have a proper offline discussion with Tado team because Tado and all smart heating manufacturers are a prime target.
Hope that helps.
0 -
Surely this must be a priority for the company - it’s a pretty basic and very old security function (not to mention already in the process of being replaced by the next phase of security in the form of passkeys). To just have a password verification for a company presenting itself as tech savvy and forward thinking is very poor!0