This goes back a bit, but I was reminded of it this morning:
Amazing where you can get inspiration. I went to an electronics manufacturing trade show, just to keep up with what’s happening over in that sector. Nothing particularly new was on offer that was particularly relevant to security.
However, I sat in on a seminar on the new EU “Restriction of (certain) Hazardous Substances” directive. (This comes into effect in nine days, and there is all kinds of concern over the fact that the specific regulations for compliance haven’t been promulgated yet. Remember HIPAA, you lot? 🙂)
RoHS (variously pronounced “rows,” “row-hoss,” or “rosh”) is intended to reduce or eliminate the use of various toxic materials, notably lead and mercury, from the manufacture of electronic equipment. This would reduce the toxic waste involved in manufacturing of said equipment, and particularly the toxic materials involved in recycling (or not) old digital junk. EU countries all have to produce legislation matching the standard, and it affects imports as well. In addition, other countries are producing similar legislation. (Somewhat the same as the EU privacy directive, although without the “equivalent protection” clause.) Korea is getting something very close to RoHS, California somewhat less. Japan is going after informational labelling only. China, interestingly, is producing more restrictive laws, but only for items and devices for sale within China. If you want to manufacture lead, mercury, and hexavalent chromium computers in China for sale to other countries, that is just fine with them.
There are points relevant to various domains. In terms of physical security, and particularly life safety, there are issues of the environmental hazards of toxic materials in the electronic devices that we use. (This is especially true in regard to BCP: lead, for example, vaporizes at temperatures seen in building fires.)
There is a certification process for ensuring compliance with the regulations. Unfortunately, a number of manufacturers are carefully considering whether it is worth complying with the regulations. Even if the products are compliant in terms of hazardous materials, the documentation required for compliance certificates requires details of materials used that could, to educated engineers and others in competing businesses, give away trade secrets involved in manufacturing processes.
The certification and due diligence processes are, like SOX, recursive. In order to prove that your products are compliant, you also have to demonstrate that your suppliers, and their products, are also compliant.
There is also an interesting possibility of unintended consequences. Outside of the glass for CRTs, the major use of lead is in solder. Increasing the proportion of tin in the solder increases the temperature at which it melts, which is one factor. However, another is that tin-only solder has a tendency to grow “whiskers.” (The conditions and time for growing whiskers are not fully understood.) Therefore, in an attempt to reduce the health risk of toxic materials, RoHS may be forcing manufacturers to produce electronic goods with shorter lifetimes, since the whiskers may become long enough to produce short circuits within electronic devices. Indeed, these devices may have an additional risk of fire …