New Internet of Things (IoT) security standards could make it easier to choose devices hardened against some of the most common vulnerabilities.
IoT covers virtually any physical device that can connect to a digital network. IoT devices such as digital locks, smart speakers, home surveillance systems, and routers are becoming more common, but have frequently been flagged as vulnerable to threat actors.
Poor security in these devices creates risks for their users, such as the wrong people being able to view a security webcam, and a compromised device can open a backdoor into the rest of the network.
IoT security flaws can also create problems for the rest of the world, such as when vulnerable routers were enrolled in a botnet, which was then used in a Russian espionage campaign. In a recent survey, 50% of IT leaders said they considered IoT the weakest point of their security.
Now, the Connectivity Standards Alliance (CSA) has published the first version of its IoT Device Security Specification, which aims to create a single IoT cybersecurity standard and certification program.
This should give manufacturers an easy way to demonstrate that their devices comply with multiple international regulations and standards and hopefully help both consumers and businesses make better decisions.
The CSA Product Security Working Group has consolidated the requirements of three sets of IoT cybersecurity regulations in the US, Singapore and Europe into a single program so that device manufacturers can comply with international requirements. The alliance has already signed a mutual recognition agreement with the Singapore Cyber Security Agency.
The 32-page specification includes dozens of device-specific security provisions.
Manufacturers must demonstrate compliance with those provisions by submitting their devices for testing by an authorized testing laboratory. If approved, manufacturers will be able to use the “Product Safety Verified” badge on their packaging. A URL, hyperlink, or QR code printed on the badge gives consumers access to more information about the device's security features.
The CSA said nearly 200 member companies, including Amazon, Arm, Google, Schneider Electric and Signify (which makes Philips Hue and WiZ smart lights) have pooled their expertise to work on the IoT Device Security Specification 1.0.
The specification includes a set of technical requirements but also broader expectations around updates and privacy. It requires that each device have a unique identity and that passwords also be unique to each device and cannot be reset to a universal factory default.
Devices are required to have protections against brute-force authentication attacks, currently a common way of compromising IoT devices.
All sensitive data stored on the IoT device must be stored in a manner consistent with the security best practices the specification lays out. IoT devices must also support software updates: devices must check for available updates at least once after they are configured and periodically thereafter, with “timely” security updates provided for the duration of the support period.
The rules also require device manufacturers to detail the expected lifespan of the device and expected cybersecurity costs for end users. They should also explain the capabilities of the IoT device, including its external sensing capabilities, how data is created and managed, and its network access and requirements.
Similarly, hardware manufacturers will need to provide information about what personal data (and what telemetry data) is processed, how it is used, by whom and for what purposes.
Manufacturers should also establish a vulnerability disclosure process for their devices, including a way to report issues.
IoT security has been a long-standing concern
While some of these steps may seem like cybersecurity basics, they have often been ignored by IoT device manufacturers in the past. The new specification comes just as governments are paying more attention to potential security risks in IoT devices.
Earlier this month, the U.S. government launched its own voluntary cybersecurity labeling program for consumer wireless devices, including home security cameras, internet-connected appliances, fitness trackers, garage door openers, and baby monitors.
The Federal Communications Commission (FCC) cited figures suggesting that there were more than 1.5 billion attacks against IoT devices in the first six months of 2021, and that there are likely to be more than 25 billion connected IoT devices in operation by 2030.
The UK's consumer connectable product security regime will come into force on April 29, 2024, and companies selling devices in the UK will have to comply from that date. In practice, this means complying with the European standard ETSI EN 303 645.