Legal Disclaimers as CRA Mitigations

A device violates essential CRA requirements. Although simple state-of-the-art security measures are available, the manufacturer mitigates the violations with legal disclaimers. This goes against the intention of the CRA: improving cybersecurity in real life and not just on paper.

Guided by TÜV Süd, a manufacturer performed risk assessments for several of their measurement instruments. They identified 60-80 threats for each instrument. For many threats, they applied the following mitigation: "Add disclaimer saying <XYZ>", where <XYZ> included

  • "Only authorised personnel may use this feature",
  • "Customer controls access to device and network", and
  • many other creative concoctions.

The manufacturer had found the holy grail of avoiding the time-consuming implementation of annoying security measures. At least, that is what they thought.

By how much do these disclaimers improve the cybersecurity resilience of the measurement instruments? Exactly: by absolutely nothing! They violate the intention of the CRA: improving cybersecurity for all products on the EU market. A paper tiger and some cheap legal tricks won't cut it. Manufacturers must implement real security measures, even more so when these measures are standard and can be implemented with very little effort. Otherwise, market surveillance authorities can simply declare the manufacturer's security measures as not state of the art, with sales bans, recalls and penalties as some of the possible consequences.

Disclaimer: Only Authorised Personnel May Use This Feature

👎
Context: As an admin user, I can update the measurement instruments from a USB drive.
Mitigations: Add a disclaimer to the user information saying: "Only authorised personnel are allowed to perform updates from a USB drive."

I seriously doubt that such a disclaimer would deter an attacker. He doesn't even have access to the technical documentation containing the disclaimer 😉 Now that we've had a good laugh, let's get serious.

The crucial question is: Why does the manufacturer need the disclaimer at all? Many bog-standard mitigations are available.

  • The device should have at least two user groups: normal users and admin users. The admin group should be as small as possible. Shared passwords between admin users are a no-go, and so are easy-to-guess passwords. These simple measures strengthen access control (2d) and limit the attack surface (2j).
  • The manufacturer should sign the update archive cryptographically, and the device should verify the signature before installing anything. The device then detects whether a bad actor tampered with the update. This prevents integrity violations (2f).
  • The device could disable the USB port by default. When the admin starts an update, the device enables the USB port. When the update is done or a timeout expires, it disables the USB port again. This limits the attack surface (2j) to the short period when the USB port is enabled.
  • When an attacker gains admin access, he can seriously damage the device, can more easily reach other local and remote devices and can wreak havoc elsewhere. The previous security measures minimise the negative impact on connected devices (2i).
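The second and third bullet points in working form, as an added example that is neither the manufacturer's nor the author's code: an Ed25519 signature over the update archive that the device verifies before installing, and a USB port that is disabled by default and enabled only for a bounded window. The archive contents, the ten-minute window and the in-memory port state are constructed assumptions; a real instrument would bind the port to its USB controller and keep the public key in read-only storage.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// ErrBadSignature is returned when the archive or the signature was altered.
var ErrBadSignature = errors.New("update archive rejected: signature does not verify")

// GenerateKeyPair creates the manufacturer's signing key. Only the public
// half is ever provisioned onto the instrument.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil) // nil selects crypto/rand
}

// SignUpdate runs on the manufacturer's build system, never on the device.
func SignUpdate(priv ed25519.PrivateKey, archive []byte) []byte {
	return ed25519.Sign(priv, archive)
}

// VerifyUpdate is the check the device performs before touching the archive.
func VerifyUpdate(pub ed25519.PublicKey, archive, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, archive, sig) {
		return ErrBadSignature
	}
	return nil
}

// UsbPort models a port that is off by default and stays on only until a
// deadline set when an admin starts an update (assumption: in-memory state).
type UsbPort struct {
	enabledUntil time.Time // zero value means disabled
}

func (p *UsbPort) EnableFor(now time.Time, window time.Duration) {
	p.enabledUntil = now.Add(window)
}

func (p *UsbPort) Disable() { p.enabledUntil = time.Time{} }

func (p *UsbPort) IsEnabled(now time.Time) bool {
	return now.Before(p.enabledUntil)
}

// ApplyUpdate ties the two measures together: the port must be open, the
// signature must verify, and the port is closed again on every exit path.
func ApplyUpdate(p *UsbPort, now time.Time, pub ed25519.PublicKey, archive, sig []byte) error {
	defer p.Disable()
	if !p.IsEnabled(now) {
		return errors.New("USB port disabled: no update in progress")
	}
	if err := VerifyUpdate(pub, archive, sig); err != nil {
		return err
	}
	// A real device would unpack and install the archive here.
	return nil
}

func main() {
	pub, priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	archive := []byte("firmware-v2.bin: constructed sample payload") // constructed
	sig := SignUpdate(priv, archive)
	port := &UsbPort{}
	now := time.Now()

	port.EnableFor(now, 10*time.Minute)
	fmt.Println("genuine archive:", ApplyUpdate(port, now, pub, archive, sig))

	tampered := append([]byte(nil), archive...)
	tampered[0] ^= 0xff // one flipped byte is enough to fail verification
	port.EnableFor(now, 10*time.Minute)
	fmt.Println("tampered archive:", ApplyUpdate(port, now, pub, tampered, sig))
	fmt.Println("port open after update?", port.IsEnabled(now))
}
```

The `defer p.Disable()` is the point of the design: whether the update succeeds, fails verification or is interrupted, the port never stays open by accident.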

The last bullet point describes a common attack pattern: NotPetya entered its victims through a trojanised update of the Ukrainian tax-accounting software M.E.Doc and went on to bring down shipping giant Maersk.

If a few simple measures can stop an attack from damaging expensive equipment or from going viral, manufacturers had better implement them. A legal disclaimer is a lame attempt to dodge simple security measures.

Disclaimer: Customer Controls Access to Device and Network

👎
Context: A research institute operates a measurement instrument in a laboratory. The instrument is part of a local area network with other devices. Access to the network is restricted by VPN. The instrument sends measurement data in plaintext to other devices using a proprietary protocol.
Mitigations: Add a disclaimer to the user information saying: "The customer controls access to the network containing the machine. Hence, the customer is responsible for protecting the data in the network."

The manufacturer of the measurement instrument transfers the risk to its customer, the research institute, by adding a disclaimer. This is again a ridiculous attempt to avoid implementing some standard security measures. I wonder whether the manufacturer goes down the legal-disclaimer route because they cannot update their machines in the field. Such non-upgradable or hard-to-upgrade devices are top candidates for early retirement before 11 December 2027, when the CRA's essential requirements apply in full.

Let us consider a pretty likely scenario. The main application of the measurement instrument crashes. It takes the manufacturer two days to reproduce the crash and one day to fix it. In these three days, half of the people in the lab cannot work, because their devices depend on the measurement data of the broken instrument. The manufacturer does not minimise the negative impact on connected devices (2i). As a mitigation, the instrument could fall back to the previous version of the main application, which is known to work. This mitigation would also increase the availability of the instrument (2h), another essential product property.
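The fallback described above as an added example, not the manufacturer's code: a two-slot bootloader in Go that retries the active slot a bounded number of times and then falls back to the previous, known-good version. The slot contents, the crash threshold and the Boot callbacks are constructed assumptions; a real instrument would back the crash counter with a hardware watchdog and persistent storage so it survives a reset.

```go
package main

import (
	"errors"
	"fmt"
)

// Slot is one of two application images kept on the instrument.
type Slot struct {
	Version string
	Boot    func() error // constructed stand-in for launching the application
}

// Bootloader decides which slot runs. In a real device Active and crashes
// would live in persistent storage so they survive a reboot (assumption).
type Bootloader struct {
	Slots      [2]Slot
	Active     int // index of the slot to try first
	MaxCrashes int // failures tolerated before falling back to the other slot
	crashes    int
}

var ErrNoBootableSlot = errors.New("both application slots fail to boot")

// Start boots the active slot, tolerating MaxCrashes failures (a fault may be
// transient) and then switching to the other slot once. It returns the
// version that actually came up.
func (b *Bootloader) Start() (string, error) {
	fellBack := false
	for {
		slot := b.Slots[b.Active]
		if err := slot.Boot(); err == nil {
			b.crashes = 0
			return slot.Version, nil
		}
		b.crashes++
		if b.crashes < b.MaxCrashes {
			continue // retry the same slot
		}
		if fellBack {
			return "", ErrNoBootableSlot
		}
		b.crashes = 0
		b.Active = 1 - b.Active
		fellBack = true
	}
}

// NewDemoBootloader builds the scenario from the text: v2 is active but
// crashes on every start, v1 still works.
func NewDemoBootloader() *Bootloader {
	return &Bootloader{
		Slots: [2]Slot{
			{Version: "v1", Boot: func() error { return nil }},
			{Version: "v2", Boot: func() error { return errors.New("crash in main application") }},
		},
		Active:     1,
		MaxCrashes: 3,
	}
}

func main() {
	bl := NewDemoBootloader()
	version, err := bl.Start()
	fmt.Println("running version:", version, "error:", err, "active slot:", bl.Active)
}
```

The retry budget matters: falling back on the first failure would let a single transient fault (a brown-out, a flaky sensor) push the instrument onto the older version, while retrying forever is the three-day outage the text describes.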

Let us extend the scenario a little bit. One of the researchers didn't get his grant extended. He is angry and uses the proprietary protocol to send malformed messages to the measurement instrument, which crashes every time. The other researchers don't know about this vulnerability. That's a very simple denial-of-service attack and again a violation of the availability of the instrument (2h).
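An added example, not the instrument's real protocol or the manufacturer's code: the wire format below is a constructed two-byte big-endian length prefix followed by the payload. The naive parser trusts the length field and panics on a frame that announces more bytes than it carries, which in a Go process (as in a C one with an unchecked memcpy) takes the application down; the hardened parser rejects the frame and keeps serving.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// MaxPayload bounds what a single frame may carry (constructed assumption).
const MaxPayload = 1024

// parseFrameNaive trusts the length field. A frame that announces more bytes
// than it carries makes the slice expression panic and crashes the process:
// exactly the denial of service described above.
func parseFrameNaive(frame []byte) []byte {
	n := int(binary.BigEndian.Uint16(frame[:2]))
	return frame[2 : 2+n]
}

// ErrMalformed is what the caller gets instead of a crash.
var ErrMalformed = errors.New("malformed frame rejected")

// ParseFrame validates every assumption before indexing: a header must be
// present, the announced length must be within bounds and must match the
// bytes actually received.
func ParseFrame(frame []byte) ([]byte, error) {
	if len(frame) < 2 {
		return nil, ErrMalformed
	}
	n := int(binary.BigEndian.Uint16(frame[:2]))
	if n > MaxPayload || len(frame) != 2+n {
		return nil, ErrMalformed
	}
	return frame[2 : 2+n], nil
}

// NaiveSurvives runs the naive parser under recover() so the crash can be
// observed as a boolean instead of killing the demo.
func NaiveSurvives(frame []byte) (survived bool) {
	defer func() {
		if recover() != nil {
			survived = false
		}
	}()
	parseFrameNaive(frame)
	return true
}

func main() {
	good := []byte{0x00, 0x03, 'a', 'b', 'c'} // constructed, well-formed
	short := []byte{0xff, 0xff, 'a'}          // claims 65535 bytes, carries one
	fmt.Println("naive survives good/short:", NaiveSurvives(good), NaiveSurvives(short))
	payload, err := ParseFrame(short)
	fmt.Println("hardened on short frame:", payload, err)
	payload, err = ParseFrame(good)
	fmt.Println("hardened on good frame:", string(payload), err)
}
```

Note that the hardened parser also caps the length at MaxPayload: a complete but oversized frame does not crash the naive parser, yet it lets a sender dictate how much memory the instrument allocates per message, which is the next cheapest way to take it down.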

Using a proprietary plaintext protocol is certainly not state of the art and violates the confidentiality of the data transferred between the devices (2e). It makes the life of the disgruntled researcher so much easier: he can read every message on the wire and forge his own without needing any key.

Breaching VPNs is especially attractive for cyber criminals and state-sponsored actors, because it gives them access to companies, universities and administrations. Serious flaws in VPN appliances remain unfixed for years after they become known. Once a bad guy breaches the VPN, the measurement instrument is easy prey.

Disclaimers Might Have a Place in the Intended Purpose

‘intended purpose’ means the use for which a product with digital elements is intended by the manufacturer, including the specific context and conditions of use, as specified in the information supplied by the manufacturer in the instructions for use, promotional or sales materials and statements, as well as in the technical documentation

CRA Article 3(23) (emphasis mine)

The intended purpose captures the operational environment of the device. The measurement instrument, for example, uses strong X-rays and may only be operated in a laboratory with appropriate protection. Access to such labs is restricted to a small group of people, which reduces the cybersecurity risk. Furthermore, the manufacturer could demand that the measurement instrument be used only in a virtual private network (VPN) isolated from the normal IT.

By rephrasing the disclaimers as conditions of use, the manufacturer narrows down "the specific context and conditions of use". They may then implement weaker security measures to mitigate the violations of the essential product properties, but they can't ignore these violations.

👉
In my CRA Survival Bootcamps, I teach manufacturers how to do CRA compliance on their own. How to do the risk assessment of the essential product properties properly and with reasonable effort is the core part of the bootcamps.
