New Internet of Things (IoT) security standards could make it easier to choose devices that are hardened against some of the most common vulnerabilities.
IoT covers pretty much any physical device that can be connected to a digital network. IoT devices like digital locks, smart speakers, home surveillance systems, and routers are increasingly common, but have frequently been flagged as at risk from threat actors.
That poor security can create risks for the users of these devices, such as the wrong people being able to access their security webcam, and can risk opening a backdoor into their network.
IoT security flaws can also create problems for the wider world, such as when vulnerable routers were enrolled into a botnet, which was then used in a Russian espionage campaign. In a recent survey, 50% of IT leaders said they thought IoT was the weakest point of their security.
Now, the Connectivity Standards Alliance (CSA) has published the first version of its IoT Device Security Specification, which it hopes will create a single IoT cyber security standard and certification program.
That should give manufacturers an easy way to show that their devices comply with multiple international regulations and standards – and hopefully help consumers and businesses alike make better choices.
The CSA’s Product Security Working Group has consolidated the requirements from three sets of IoT cyber security regulations in the US, Singapore, and Europe into a single program so device makers can comply with international requirements. The alliance has already signed a mutual recognition arrangement with the Cyber Security Agency of Singapore.
The 32-page specification includes dozens of specific device security provisions.
Manufacturers must demonstrate compliance with those provisions by supplying evidence to an authorized test lab. If they pass, manufacturers will be able to use the ‘Product Security Verified’ badge on their packaging. A printed URL, hyperlink, or QR code on the badge gives consumers access to more information about the device’s security features.
The CSA said that nearly 200 member companies including Amazon, Arm, Google, Schneider Electric, and Signify (who make Philips Hue and the WiZ smart lights) have pooled their expertise to work on the IoT Device Security Specification 1.0.
The specification includes a set of technical requirements but also broader expectations around updates and privacy. It requires that each device has a unique identity, and that passwords must also be unique to each device and cannot be reset to a universal factory default.
Devices are required to have protections against brute force authentication attacks – a common way of breaching IoT devices right now.
All sensitive data stored on the IoT device must be stored in a manner consistent with security best practices, the specs said. IoT devices also have to support software updates and devices should check for available updates at least once after they are set up and periodically after that, with ‘timely’ security updates provided during the duration of support.
The rules also require device makers to detail the expected device lifespan and the expected cyber security costs for end users. They also need to spell out the capabilities of the IoT device, including its external sensing capabilities, how data is created and handled, and its network access and requirements.
Similarly, hardware manufacturers will need to provide information about what personal data (and what telemetry data) is being processed, how it is being used, by whom, and for what purposes.
Manufacturers also need to establish a vulnerability disclosure process for their devices, which includes a way of reporting issues.
IoT security has been a long-running cause for concern
While some of these steps might seem like the very basics of cyber security, they have often been ignored by IoT device makers in the past. The new specification comes just as governments are paying more attention to the potential security risks in IoT devices.
Earlier this month, the US government launched its own voluntary cyber security labeling program for wireless consumer devices including home security cameras, internet-connected appliances, fitness trackers, garage door openers, and baby monitors.
The Federal Communications Commission (FCC) quoted figures suggesting there were more than 1.5 billion attacks against IoT devices in the first six months of 2021 – and that there are likely to be more than 25 billion connected IoT devices in operation by 2030.
The UK’s consumer connectable product security regime will come into effect on 29 April 2024, with companies selling devices in the UK required to be compliant from that date. That means being compliant with the ETSI EN 303 645 European standard.