2FA / MFA - EU legal requirement

Hi, I've created a new post to again highlight the importance of this to Tado. Without 2 factor authentication/MFA, Tado will soon be in breach of EU law.

In 2022, the EU Commission proposed the Cybersecurity Resilience Act (CRA) which introduces mandatory cyber controls to, amongst other things, IoT devices including Tado products. The CRA is likely to be agreed before the European Parliament elections in early 2024.

The CRA forces manufacturers to ensure consumers can use products securely, and products with digital elements must comply with extensive cybersecurity requirements. Tado will have to perform a compliance assessment and implement "secure by design".

Tado will also be classed as a "high risk" product like a smart meter device, as it has potential to cause real world harm. For example, increasing the heat in a baby's room to dangerous levels, or turning off heating in an elderly person's house, both represent risk to life.

If manufacturers like Tado do not comply with the Act, the EU authority and member states can prohibit the product from being sold within the EU. In addition, fines of up to EUR 15 million or 2.5% of global turnover can be levied.

As a new Tado customer I expected MFA and was surprised it's not implemented. These kinds of cyber controls cannot be a popularity contest, voted on as part of a product feature roadmap. They are essential core secure-by-design requirements, especially when a product can cause real-world harm. Facebook offers 2FA, banks & Mastercard use 2FA, so the argument that it's "too complicated for users" is false.

I've created a new post because several of the previous posts have "personal want" or "power user feature" objections, and none highlighted the strong argument that the EU will be able to fine Tado and shut down your business without essential cyber controls.

Other people with cyber certifications have posted on this and I fully agree with their comments. I'm head of cyber for a global $billion tech company and regularly deal with these challenges, so please trust that this cannot be ignored. If Tado would like to informally discuss further please feel free to get in touch via my email.

9 votes


Comments

  • Having purchased Tado products on Amazon, I have been asked by Amazon Answers 'Does the app require two factor authentication' - I have had to reply that it doesn't and I am concerned that I can see no indication that Tado intends to introduce 2FA in the near future.
  • davidlyall ✭✭✭

    If it becomes law then they will have to comply. However, I'm sure there will be a grace period for companies to implement and/or sell old stock.

    I'm not familiar with the requirement but if it requires changes at the device level, I suspect Tado will not implement it for existing hardware and move forward with a new generation of devices. This will leave existing installations at more risk but TBH, I don't think the EU could do much about that as I'm sure there are millions of IoT devices out there that also won't be compliant

  • rafm5 ✭✭✭
    edited May 2023

    @cdmstr Are you referring to '2-factor authentication for payments in the EU'?

    https://www.termsfeed.com/blog/2-factor-auth-eu-payments/

  • Tick tock, tado.

    https://ec.europa.eu/commission/presscorner/detail/en/IP_23_6168

    EU Commission welcomes political agreement on Cyber Resilience Act.

    "Manufacturers of hardware and software will have to implement cybersecurity measures across the entire lifecycle of the product, from the design and development, **** to after the product is placed on the market ****"

    davidlyall - fyi tado is fully able to implement 2FA/MFA on their current platform.
  • @GrayDav4276 the explanation of how it works is too complex for this forum. In simple terms, with exception of the bridge, tado devices are dumb and receive commands from cloud API via the bridge. The bridge uses oauth2 login to the tado cloud API, this is all set up when you set up your bridge and use the app etc. Implementing 2FA alongside a standard token login / oauth2 is simple and is done by many, many service providers. It won't require new tado hardware, just app and cloud side code.

    I've massively oversimplified this to make it understandable.
  • Implementing 2FA has nothing to do with the hardware/devices. Tado will use the same cloud infrastructure and platform to support the next generation of hardware. They will simply update app code and back end infrastructure/api to support any new hardware features. Multi factor authentication is (/would be) entirely handled by the app and the cloud service.

    All tado hardware is dumb, excluding the bridge, and all tado intelligence is served by the cloud API. This is why there are so many issues with device behaviour, backup schedules when internet access is unavailable etc. This won't change, because that would require a wholesale rearchitecture of both the hardware and cloud platform, which tado absolutely won't do. This is why the argument "they won't do MFA/other API driven feature because they're working on the next generation" is wrong - it's actually more work for them to not implement next generation API improvements onto the current generation, because to do so requires an entirely separate infrastructure architecture. Cost ineffective, unless they get a huge cash injection and are prepared to junk their entire existing tech base.

    In plain English - if they implement MFA as part of the next generation of hardware release, it will pretty much be automatically implemented for the current generation. And tado will shortly be legally obliged to implement MFA as part of secure-by-design under the incoming EU cyber resilience act.

    So, tick tock.
  • cdmstr
    I hope tado is getting ready for their certification and reporting requirements under the EU Cyber Resilience Act, which they will fail without secure by design patterns including MFA.

    Interesting that Panasonic and tado just signed a large cooperation partner deal.

    If tado are sensible, a significant amount of the cash and manpower from that deal will be used to properly secure the product set. Before, y'know, the platform gets compromised and a resulting malfunction in a heating system is identified as the contributing factor to a serious harm or death. I wouldn't like to be the board facing a corporate manslaughter charge...
  • FFM

    They have 1-2 years to report their finding and another year to implement. Which means, 3 years after the law came into effect. Not really that much of a rush.

    And manslaughter? Come on...

  • cdmstr
    Lack of basic industry-standard cybersecurity controls resulting in compromise is, legally, negligence. Simply look at the number of, for example, ICO fines for data breaches caused by poor practice.

    Then consider if an attacker compromises the API platform, which completely controls all tado device intelligence. If the attacker increases the heat demand in summer, or disables heating in winter, it's not a leap of imagination to consider the danger to young babies, vulnerable or elderly people sleeping in a room with a TRV.

    How many tado users have a simple, weak or guessable password? And if tado hasn't implemented basic MFA for an API platform, it's likely their security design is lacking in other areas.

    So, yes, corporate manslaughter due to failure to implement basic cybersecurity controls.

    There is a reason the EU CRA is becoming law. It's exactly because of cases like this.
  • cdmstr
    PSTIA is now UK law. Although it currently only mandates the most basic and weakest of controls, the direction of travel for IOT manufacturer cybersecurity obligations is clear.

    "The UK’s consumer connectable product security regime comes into effect on 29 April 2024. Businesses in the supply chains of these products need to be compliant with the legislation from that date."