BackBox.org News
  • BackBox.org
  • Linux
  • Community
  • News
  • Services
  • Sitemap
  • Contact
  • Click to open the search input field Click to open the search input field Search
  • Menu Menu
Cyber Resilience Act – Part II

Cyber Resilience Act – Part II

July 7, 2026/in General News

In this second part, we demonstrate how a Cyber Resilience Act (CRA) assessment is performed in practice. Using a low-cost IP camera as an example, we show how a product is classified, how threats are modelled, how hardware and firmware are analysed, and how compliance gaps against IEC 62443-4-2 can be identified.

You may want visit the Cyber Resilience Act – Part I, where we also explored the legal landscape of CRA and discuss the shifting responsibilities for digital product manufacturers, establishing that CRA compliance is a fundamental requirement for market access in the EU.

From Threats to Requirements

Consider a common consumer product: a budget IP camera sourced via marketplaces such as Wish or Temu.

The journey toward CRA readiness begins with defining the device’s attack surface through threat modelling for example using the STRIDE methodology, which categorizes threats into Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

Threat modelling ensures that subsequent testing focuses on realistic attack scenarios and the security controls that matter most for the product, rather than relying on a generic checklist.

We map the ecosystem into three critical security zones: the device layer (hardware and firmware), the network layer (data in transit), and cloud integration (remote management and mobile applications). Given the nature of a low-cost consumer device, we assign lower priority to Denial of Service and Repudiation, while focusing on high-impact vectors such as Spoofing (identity theft), Information Disclosure (unauthorized video access), Tampering (firmware manipulation), and Elevation of Privilege (unauthorized administrative control).

STRIDE Threat Profile

The resulting threat profile provides the foundation for the remainder of the assessment. With a clear understanding of the attack surface and the most relevant risks, the next step is determining the device’s classification under the Cyber Resilience Act (CRA) and mapping the corresponding security requirements under IEC 62443-4-2.

Classifying the Product

For this scenario, we follow Annex III of the CRA and classify this IP camera as an “Important Class I” product. This classification determines which CRA obligations apply and serves as the basis for selecting the appropriate security requirements that must be verified during the assessment. As a result, its security requirements extend beyond basic protection against accidental failures. In this context, targeting Security Level 2 (SL 2) under IEC 62443-4-2 provides a suitable baseline, offering a defense-in-depth approach against intentional but non-targeted attacks and commonly available exploitation techniques.

The selected product class and target security level define the controls that must be validated. These requirements are then translated into practical test cases, guiding the technical assessment in a structured and repeatable manner.

Performing the Technical Assessment

Based on the defined test cases, we now validate whether the device actually implements the required security controls. This involves both non invasive testing, such as network traffic analysis, and hardware level examination to assess the security mechanisms built into the product.

We begin by deploying the device in a controlled laboratory environment to observe its behavior and analyze network communications. We then move to hardware level analysis to verify the security mechanisms implemented within the device. This includes disassembling the device, extracting and analyzing the firmware from flash memory, identifying debug interfaces, and connecting a serial adapter to observe the boot process and eventually obtain low-level system access for further investigation.

Dumping firmware from flash ROM
Capturing signals from debug pins
Signal capture decoding
Boot sequence capture

The laboratory assessment produced a comprehensive set of observations covering both hardware and software security. We can now evaluate these findings against the target security level and identify where the device meets or falls short of the required controls.

Security Findings

Following the completion of the analysis and execution of the defined test cases, multiple security weaknesses were identified across authentication, authorization, and integrity controls, with severities ranging from high to low. These include device enumeration vulnerabilities, unauthenticated access to video streams over the local network, unauthenticated UART-based shell access via a physical interface, and the absence of firmware integrity protections, among others.

Identified vulnerabilities and their severity

We now evaluate the identified vulnerabilities against the target security level to determine whether the product satisfies the required security controls.

Overall, the device fails to satisfy any recognized security level requirements. In particular, it does not meet seven mandatory test cases required for Security Level 1, nor does it comply with an additional five criteria necessary to achieve Security Level 2. The only area demonstrating full compliance is Data Confidentiality (FR 4), which passes all test cases for both Security Level 1 and Security Level 2.

Overview of achieved security levels by functional requirements
Security Level Achievement Meter

Taken together, these findings indicate that security was not systematically considered during the product’s development. Several weaknesses affect fundamental security controls required to protect the device against common attack scenarios.

While the identified vulnerabilities highlight concrete technical weaknesses, their real value lies in demonstrating where the product fails to satisfy the applicable CRA and IEC 62443 requirements. This provides manufacturers with a clear basis for prioritizing remediation and planning their path toward compliance.

This is not simply a penetration test. Every assessment activity is driven by the applicable CRA requirements and the corresponding IEC 62443 security controls.

From Findings to CRA Readiness

This sample assessment illustrates how a structured, CRA-focused security evaluation can be applied in practice, spanning from threat modelling and system classification through to hands-on technical validation and security testing. The accompanying sample report provides a detailed breakdown of the methodology, the identified vulnerabilities, and the resulting compliance assessment.

The Cyber Resilience Act represents a fundamental shift in how digital products must be engineered and maintained for the European market. As demonstrated through this assessment, achieving CRA readiness requires more than identifying vulnerabilities. It requires a structured methodology that translates regulatory requirements into measurable technical controls, validates their implementation, and provides manufacturers with a clear roadmap toward compliance.

Sample Report report_99200_IP_Camera_A2308_v1.0.pdf

Compass Security Blog – ​Read More

Share this entry
  • Share on Facebook
  • Share on X
  • Share on WhatsApp
  • Share on LinkedIn
  • Share on Vk
  • Share on Reddit
  • Share by Mail
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png 0 0 admin https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png admin2026-07-07 08:06:372026-07-07 08:06:37Cyber Resilience Act – Part II
Search Search
Copyright © BackBox.org
  • Link to X
  • Link to Facebook
  • Link to LinkedIn
  • Link to Youtube
  • Link to Telegram
Link to: BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Link to: BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRABeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Link to: CERT/CC Warns of Hidden Admin Backdoor in Tenda Router Firmware Link to: CERT/CC Warns of Hidden Admin Backdoor in Tenda Router Firmware CERT/CC Warns of Hidden Admin Backdoor in Tenda Router FirmwareCERT/CC Warns of Hidden Admin Backdoor in Tenda Router Firmware
Scroll to top Scroll to top Scroll to top