The German BSI (Federal Office for Information Security) has written down some security requirements for new smartphones. Consequence: you could not buy Android devices anymore. Windows 10 devices, if such gadgets are still available, might be kicked out as well. And Apple? Its devices will also face trouble.
A few days ago I already came across this tweet from the BSI, which deals with security criteria for secure smartphones.
What security criteria should #smartphones meet when shipped and beyond? Our new requirements catalog for the development of security requirements for smartphones serves as a basis for discussion. #GermanyDigitalSecureBSI https://t.co/eKfhQ2e8U9 pic.twitter.com/1tYmKNcuqJ
— BSI (@BSI_Bund) February 25, 2020
“In recent years, smartphones have developed into the control center through which we control and handle more and more everyday processes. Insecure smartphones can therefore very quickly have very real negative effects. Consumers should be able to rely on the fact that a smartphone already contains a basic level of IT security at the time of purchase, so that they can use the opportunities offered by digitization as smoothly as possible. Manufacturers and OEMs are therefore called upon to make the devices as secure as possible, right from the start and over a certain period of use. Our catalogue of requirements is a guide to more security-by-design and security-by-default,” emphasises BSI President Arne Schönbohm.
Requirements Catalogue for secure Smartphones
As a basis for discussion on the development of security requirements for smartphones, the German Federal Office for Information Security (BSI) has published a catalogue of requirements. In order to enable users to move as safely as possible in the digital world, the requirements catalogue lists security criteria that smartphones should meet in their delivery state and beyond. These include:
- Conformity to EU and national law
- Up-to-date OS version – Support with security updates for 5 years
- Security updates within one month after release
- Protection against unauthorized access to end devices
- Device encryption, SD card encryption
- Safe runtime environment / HSE
- Safe boot process
- Unlocking the bootloader
- Data protection
- Pre-installed apps in the system partition
- Permissions for (pre-installed) apps
- Secure software development process
- Telemetry only with user consent
- Secure software platform
- Network gateways
- Cloud services in use must be disclosed before first use
- Basic configuration at purchase: safety before comfort
- Interfaces: WLAN etc.
- FIDO2 Authentication
The BSI’s requirements catalogue contains criteria for securing the devices by means of certain hardware properties as well as for hardening and protecting the software contained in the shipping state. The catalogue also specifies and standardizes requirements for the provision of updates during the life of the devices. In addition, the catalogue contains criteria for the protection of user data, for example in the area of telemetry features, and for more transparency for consumers.
Today’s devices won’t pass the criteria!
If you go through the keywords above, Android devices would fail the criteria on the lousy update policy alone. But even a Windows 10 phone would be kicked out immediately because of Microsoft’s telemetry feature. And Apple’s iOS devices would be problematic because of the cloud integration.
The BSI catalogue of requirements has no legally binding force. It does, however, show how far the current electronic scrap from Far Eastern manufacturers, running US software, is from what a reasonable consumer device should be. Time to change this situation and get rid of those insecure devices.
Good idea, 5 years too late, but let’s start and do it
The BSI catalogue is the starting point for a public discourse with manufacturers and original equipment manufacturers (OEMs), network operators and civil society. The BSI is striving for the participation of all social groups in the further development of these requirements, which are to be incorporated in future into guidelines for issuing the IT security label for smartphones planned by the German government. Hence: the catalogue comes 5 years too late, but is nevertheless an important step. The English edition of the requirements catalogue can be downloaded here.