Product Security & Telecoms Infrastructure (PSTI)

PSTI CIE-Group Distributor Statement of Compliance

CIE-Group Ltd declares under our own responsibility that all connected devices distributed in the UK via CIE are fully compliant with the security requirements set forth in The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.

PSTI Section 21 outlines the responsibility of distributors to the UK market to meet security requirements applicable to relevant connectable products. Distributors have a responsibility to ensure manufacturer partners provide a compliance statement and that only compliant products are brought onto the UK market.

Our compliance includes the following provisions:

  • Each device is secured with a unique password or a password set by the user. Passwords unique to each device are generated using a security mechanism designed to mitigate the risk of automated attacks targeting a specific class or type of device.
  • Vulnerabilities can be reported to the relevant product manufacturer via CIE-Group by emailing [email protected]. Reporters of security issues will receive an acknowledgment upon receipt of their report and will be provided with regular updates until the issue is fully resolved.
  • CIE-Group’s manufacturing partners commit to providing security updates for qualifying products throughout clearly defined support periods.

Detailed information regarding the support periods can be found in the following individual manufacturer PSTI statements:


2N PSTI Compliance statement

2N fully complies with the UK PSTI Act 2022

We’ve made some small changes to ensure that when our UK customers are working with 2N products and systems, they are working with fully compliant IP devices. Good news for our UK customers - we’re fully compliant with 2N OS version 2.42.3 and newer!

What the act stipulates and what 2N have changed

  • Password Setup/Changes
    The PSTI policy stipulates that a product cannot be used until its password has been set up or changed. You can do it directly in the GUI of the 2N device, via 2N Access Commander or using My2N Management Portal.

    In the context of this regulation, we also had to disable the Local Call option by default. However, you can enable it yourself in the device's web interface at any time after changing your default password (go to section Service – Phone – Local Calls).
  • Security Update Support
    Manufacturers must publicly provide information on how long they will offer security updates for their products. This transparency ensures customers are aware of the support duration.
    Check 2N security update support here.

Clockaudio PSTI Statement of Compliance

The Clockaudio products listed below are in conformity with the following security requirements for manufacturers under Schedule 1 of The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023:

Users can report vulnerabilities to Clockaudio via [email protected]; furthermore, users will receive acknowledgement of the receipt of a security issues report and status updates until the resolution of the reported security issues.

Clockaudio will provide security updates for their qualifying products during the defined support period. The defined support period will end 4 years after the product is declared End-of-Life. Up-to-date information concerning the defined support periods for the current Clockaudio product range and End-of-Life models is listed below.

List of Models requiring PSTI Compliance

  • CDT-100 Mk3  1.0
  • CUT-4  1.0
  • CDT3 Mk2  1.0, 1.20

What is The Product Security & Telecoms Infrastructure (PSTI) Act?

At present, connectable consumer products such as smart TVs, smartphones and internet-connected smart speakers are required to comply with existing regulations that guard against physical risks such as overheating, environmental damage, or electrical interference. However, until now, regulations have not covered cyber risks, such as privacy breaches and personal data loss. To address this regulatory shortfall, The Product Security & Telecoms Infrastructure (PSTI) Act will:

  • Mandate that manufacturers, importers and distributors ensure that their consumer connectable devices meet minimum security standards.
  • Establish a robust regulatory framework designed to adapt effectively to rapid technological advancements, evolving cyber threat tactics and the global regulatory environment.

Compromised connectable products can:

  • Serve as gateways for broader network and cyber attacks.
  • Pose direct threats to consumer safety, such as enabling domestic fires or facilitating unauthorised access to homes via compromised smart door locks.

Market Challenges with Consumer Connectable Products

The market currently disincentivises the integration of essential security features in connectable products, largely due to consumer assumptions that these products are inherently secure. Despite the average UK household possessing numerous connectable devices, few consumers actively enhance their security or are aware of how to do so.

PSTI Act Approach to Enhancing Product Security

The PSTI Act aims to keep pace with the rapidly evolving range of consumer connectable products by specifying updated security requirements through regulation. These requirements will:

  • Prohibit default-only passwords to mitigate easy exploits by cyber criminals.
  • Mandate that products include a vulnerability disclosure policy, facilitating early detection and resolution of security flaws.
  • Ensure transparency regarding the duration of security updates provided to consumers.

Manufacturers, importers and distributors will need to comply with these requirements and are responsible for ensuring their products include a compliance statement and address any compliance failures.

Grandstream Products Fully Comply with PSTI Regulations in the United Kingdom

Boston, MA, USA - April 25, 2024 – Grandstream Networks, Inc. announces that all of our active products fully comply with the applicable security requirements in Schedule 1 of The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023, as required in the United Kingdom.

Schedule 1 specifies security requirements that must be followed by manufacturers of relevant connectable products, which includes all Grandstream products and solutions. This includes:

Password is unique per device or defined by the user of the device, and the password which is unique per device is generated by using a security mechanism that reduces the risk of automated attacks against a class or type of device.

Users can report vulnerabilities to Grandstream via https://www.grandstream.com/vulnerability-report-form. Users who submit a vulnerability report will receive a confirmation of the receipt of a submitted vulnerability report and status updates until the reported issue is resolved.

Grandstream Networks, Inc. will provide security updates for our products during the pre-defined support period. The defined support period will end 1 year after the product’s end-of-life date. For further information regarding the products that have entered End of Life, please visit: https://www.grandstream.com/support/product-archive
