by jeroenhd 396 days ago
I think ASUS' turnaround time on this was quite good, I don't see the problem here. ASUS didn't deny the bug, didn't threaten to prosecute anyone for reverse engineering their software, and quickly patched their software. I have no doubt that before the days of responsible disclosure, this process would've taken months and might have involved the police.

Normal people don't care about vulnerabilities. They use phones that haven't received updates in three years to do their finances. If you spam the news with CVEs, people will just get tired of hearing about how every company sucks and become apathetic once there's a real threat.

The EU is working on a different solution. Stores are not permitted to sell products with known vulnerabilities under new cybersecurity regulations. That means if ASUS keeps fucking up, their motherboards become dead stock and stores won't want to sell their hardware anymore. That's not just computer hardware, but also smart fridges and smart washing machines. Discover a vulnerability in your dish washer and you may end up costing the dish washer industry millions in unusable stock if their vendors haven't bothered to add a way to update the firmware.


>They say “This issue is limited to motherboards and does not affect laptops, desktop computers”, however this affects any computer including desktops/laptops that have DriverHub installed

>instead of them saying it allows for arbitrary/remote code execution they say it “may allow untrusted sources to affect system behaviour”.

Sounds like Asus did in fact deny the bug.

I call this a "save the face" move. I once reported suspected card skimming at an ATM. The skimmer was integrated, so it would have been an inside job. The bank said ATMs can malfunction sometimes, but both ATMs were replaced with different ones within a couple of days.

> Stores are not permitted to sell products with known vulnerabilities under new cybersecurity regulations.

What are the specifics on that? Like, does the vulnerability need to be public, or is it enough if just the vendor knows about it? Does everyone need to stop selling it right away if a new vulnerability is discovered, or do they get some time to patch it? I'm pretty sure software like Windows almost definitely has some unfixed vulnerabilities that Microsoft knows about and is in the process of fixing every single day of the year. Currently, even if they do have a fix, they would end up postponing it until the next Patch Tuesday.

And what even is "vulnerability" in this context? Remote RCE? DRM bypass?

The full legal text doesn't fit in a HN comment, but I believe this is the meat of the description: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:...

Note that in the legal text above there is language stating which requirements from the annexes apply to which hardware/software.

As far as I know (I haven't read the text fully) selling stuff is fine if the end user can update their software.

There is no clear description of what "vulnerability" entails. The definitions do include things like:

    ‘vulnerability’ means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;
    ‘cyber threat’ means a cyber threat as defined in Article 2, point (8), of Regulation (EU) 2019/881;
    ‘cybersecurity risk’ means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;

Thanks. I tried to look into this a bit more and it sounds like quite a few places are interpreting "be made available on the market without known exploitable vulnerabilities" as meaning that there cannot be any known vulnerability at the release date. Germany's Federal Office for Information Security (BSI, https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publicat...) seems to be even looser with the definition; in 5.3.2.3 they actually say it's just "SHOULD", not "MUST". No clue what they are basing that on.

The "including the possibility to reset the product to its original state" is an interesting one; would that prevent manufacturers from not allowing the user to downgrade to the original version (via eFuses)? 5.3.3.1 in those guidelines does say "initial or newest version", but that doesn't really sound like original state.

"Stores are not permitted to sell products with known vulnerabilities under new cybersecurity regulations."

Do stores have to patch known vulnerabilities before releasing the product to customers or can customers install the patch?

I believe it's okay to let customers install the patch. The regulation itself can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML

Basically, the manufacturer has to issue a patch, and the distributor has to ensure that the patch is available before selling the vulnerable devices. Without secure software, the product is essentially CE-incompliant, which means it practically isn't allowed to be sold.

IANAL though.

This sounds like another bureaucratic nightmare. Who is going to track this?

Grocery stores everywhere have the ability to pull recalled products off their shelves pretty quickly. I did it fairly regularly at my first job as a shelf-stocker for a small local store in rural MO. Somehow we made it work, so clearly someone figured out how to deal with that "bureaucratic nightmare". I see no reason why hardware products that are on a list due to known issues would be any different.

That's actually a good analogy, well said!

An immediate sales stop and recall is certainly appropriate when food endangers people's health, but I'm not sure it is the right decision in this case. You could give manufacturers some time to fix it, and only then stop sales. This way they would still be incentivised to quickly make a fix, but avoid the potentially huge economic downside, which will lead to higher barriers of entry and probably further consolidation, hurting consumers in a different way. Remember that regulation always benefits the incumbents.

You know, vendors could just do the right thing and invest into security so that they don't ship vulnerable stuff from the start...

I'll pass the message on, if you kindly sign this contract to never have a car accident for the rest of your life. Just do the right thing and invest in your driving skills.

> Just do the right thing and invest in your driving skills.

Well your analogy just proves my point, LOL.

The EU mandates that you take driving school lessons and pass an appropriate examination. Some countries go even further and demand regular medical checkups (Italy does so for senior citizens; if you're 80+ it's once every two years). And if you manage to get in the spotlight for too many or too egregious violations, your license gets suspended or permanently revoked, in addition to some serious fines and the requirement to undergo further evaluation or even therapy (e.g. if you're facing substance addiction issues).

Use that analogy on software/firmware for appliances, and then you get:

- an initial independent certification requirement before introduction into the market - and no, CE doesn't count: all that "CE" signifies is that you as the manufacturer/importer believe your product is conforming to regulations. For many products (IIRC, everything but medical products and devices containing radio transmitters), that's it, you don't even have to go to a third party like the TÜV for a formal audit.

- obligations if you manage to stand out with security issues, including a temporary order to not sell any more units until they are reworked

- getting permanently booted off the market if your violations are too serious.

Stores don’t have the capability to do this. These aren’t car dealerships we’re talking about here, more like Walmart or Best Buy. It would take a recall/RMA or online firmware updates, both of which already exist and are widely used.

It's still hilarious how the police will get involved for you tinkering with your own computer inside your own home.