One Product, Two Worlds: Will the EU’s Cyber Resilience Act Trigger a US Ban?
For global tech manufacturers, the “Holy Grail” is a single product design that can be sold everywhere. But a regulatory storm is brewing that might make that impossible. On one side of the Atlantic, the EU’s Cyber Resilience Act (CRA) is finalizing a “Secure by Default” world. On the other, the US is increasingly viewing connected devices through the lens of national security and “foreign influence.” Could complying with the EU actually get your product banned in America?

The EU: Security Through Automation

The CRA aims to fix a massive problem: millions of “zombie” IoT devices […]
The Router Revolution: Why the FCC Ban is a Global Game Changer
By Erel Rosenberg, Clea Rozenblum and SeongEun Kim, i46 s.r.o.

For years, the conversation around router security was about “bugs”—software vulnerabilities that a quick firmware update could fix. But as of March 2026, the game has changed. The U.S. Federal Communications Commission (FCC) recently dropped a bombshell: a near-total ban on new foreign-made routers, with Chinese manufacturers like TP-Link directly in the crosshairs. But this isn’t just an American policy shift. It’s the first domino in a global realignment that is making “Chinese-made” a non-starter for European risk assessments.

1. From “Vulnerability” to “Inherent Risk”

In the […]
Why Risk Assessment Falls Short in Cybersecurity
While new regulations like the Cyber Resilience Act (CRA) and the AI Act make risk assessment a legal requirement, they often put manufacturers in a difficult spot. The problem is that many security risks come from things a manufacturer can’t control, like the underlying operating system. This creates a “no-win” situation:

- Ignore the risk and hope for the best.
- Kill the product because the external flaw can’t be fixed.

Since we can never reach “zero risk,” we need a mindset shift. Instead of just checking boxes on a risk assessment, we should focus on active problem-solving—identifying the threats we actually have the power […]
Understanding the Notepad++ Updater Hijack
The Notepad++ Updater Hijack refers to a security vulnerability, specifically a DLL Hijacking attack, that was discovered and exploited in the update mechanism of the popular text editor, Notepad++. This vulnerability allowed an attacker to execute malicious code on a user’s system by manipulating the way the application’s updater searched for and loaded necessary files.

I. Core Mechanism: DLL Search Order Hijacking

The vulnerability exploited the predictable search order that Windows applications, including the Notepad++ updater executable (gup.exe), use to locate Dynamic Link Libraries (DLLs).

1. How the Attack Worked

Vulnerable Component: The executable responsible for handling updates (gup.exe) was the entry point for […]
DISK46: A Secure, LUKS-Preinstalled Linux Distribution for Raspberry Pi Risk Assessment
I. Product Identification

DISK46 represents a specialized Linux distribution image, meticulously crafted with a preinstalled LUKS (Linux Unified Key Setup) encryption layer. This design choice prioritizes robust data security from the moment of deployment.

1. Target Hardware and Supported Distributions:

This system is specifically engineered for the Raspberry Pi platform, a popular series of small, single-board computers. To cater to a wide range of user preferences and project requirements, DISK46 offers compatibility with several prominent Linux distributions:

Operating System | Version/Type | Key Features | Best Use Case
Ubuntu | 2024.04 Server | Optimized for headless/server use; no GUI | Server-side applications, IoT gateways […]
Securing the Edge: Disk Encryption Challenges Under the EU CRA
The European Union’s Cyber Resilience Act (CRA) is redefining security mandates for all products with digital elements. For IoT device manufacturers, compliance begins with securing the data itself. Two specific requirements detailed in Annex I of the CRA directly address data security and integrity at rest and in transit:

Requirement | Summary
(e) Protect the confidentiality of stored, transmitted or otherwise processed data… | Mandates the protection of data confidentiality (personal or otherwise), often requiring encryption at rest or in transit using state-of-the-art mechanisms.
(f) Protect the integrity of stored, transmitted or otherwise processed data… | Requires protecting the integrity of all data, […]
