Securing consumer IoT devices: Why a global standard is needed

For consumers, the growth of the Internet of Things (IoT) means more and more objects in their home are now linked to the internet, and are potentially at risk of cyberattacks, or of revealing personal data in privacy breaches.

Over the last few years, says Alex Leadbeater, chairman of the ETSI Cyber Security Technical Committee (TC CYBER), there have been increasing numbers of reports of this kind of consumer IoT problem. For example, security researchers recently discovered that the ZipaMicro smart home hub shipped with the same private key hard-coded into every unit, so a key extracted from one hub worked against all of them. Combined with hashed passwords they found online, this enabled the researchers to open locks controlled by the hub.

Devices at risk include connected toys, which may well contain cameras and microphones that can be remotely accessed. As well as attacks over the internet, some toys now use Bluetooth, which is a potential weakness. Smart speakers, such as Amazon’s Echo, are also vulnerable to hackers listening in on private conversations.

Vendors usually fix these kinds of problems quickly in new products once they have been alerted, but by then devices are already in consumers' homes, and the approach to patching or recalling units already in the market is inconsistent. Governments are attempting to bring in legislation to mandate higher standards: the UK is consulting on new laws, which may include compulsory labelling of products and minimum security requirements, and the US is not far behind, with California already banning generic default passwords on connected devices. In terms of data protection, laws such as the EU's GDPR already apply to any personal information that the devices or their backend services store.

But this can make life difficult for product vendors – how can they ensure that they cost-effectively meet different sets of requirements in different countries, in a fast-changing market where regulations are still being defined?

Standard provides security recommendations

To address this problem, in February 2019 ETSI published ETSI TS 103 645, the first globally applicable standard for consumer IoT security. The new standard aims to establish a benchmark for how companies should secure any consumer product that will be connected to the internet, and to promote best practice.

At the same time, it has been written with a focus on outcomes rather than specific methodologies, which means there is sufficient flexibility to enable companies to innovate and find the best solution for their particular products. The standard aims to address the needs of a wide range of connected devices, including toys, wearable fitness trackers, smart home assistants, smart TVs, door locks and home automation systems.

Let’s look at the advice in ETSI’s new standard, and how it will make connected consumer devices more secure.

Device requirements

First off, the standard says that all consumer IoT device passwords must be unique per device, and must not be resettable to any universal factory default value. This tackles the common situation today where products ship with a shared default username and password that users rarely change, so an attacker who knows the default for one unit knows it for all of them. It is surprising how many products on the market still fail this and other equally basic requirements in the new standard.


Protection of personal data is an important part of the standard. Credentials and other security-sensitive data must be stored securely, both on the devices themselves and in any related services, such as a cloud backend. Credentials must not be hard-coded into device software: anyone who extracts the firmware can recover them, and because the same value is present in every unit, one extraction compromises the whole product line.
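As an added example (not code from this article or from ETSI), the following Go program shows how a vendor or auditor can test a batch of units against the two provisions above: pull the filesystem off a sample of devices and look for any private key or password hash that turns up on more than one of them. A credential that is identical across units is, by definition, not unique per device, whether it was hard-coded in the firmware or copied by a careless provisioning step. The device images, file paths, key material and password hashes are constructed for the example, and the rule names and the AuditFleet function are the example's own, not anything defined by TS 103 645.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// DeviceImage stands in for the filesystem extracted from one device (a
// firmware dump or a backup). A real audit would fill it by walking the
// extracted image rather than from the string literals used here.
type DeviceImage struct {
	ID    string
	Files map[string]string // path -> file contents
}

// Finding is one audit result; Devices lists every device that shares the item.
type Finding struct {
	Rule    string   // "shared-private-key" or "shared-password-hash"
	Detail  string   // file path for keys, account name for password hashes
	Devices []string // sorted device IDs
}

var (
	// A complete PEM private-key block of any key type.
	pemKeyRe = regexp.MustCompile(`(?s)-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----`)
	// shadow(5)-style entries "user:$id$salt$hash:..."; lock markers such as "*" or "!" do not match.
	shadowRe = regexp.MustCompile(`(?m)^([a-z_][a-z0-9_-]*):(\$[^:\s]+):`)
)

// AuditFleet reports every private key and every account password hash that
// appears on more than one device. Either violates "unique per device": a
// secret recovered from one unit then works against all of them.
func AuditFleet(fleet []DeviceImage) []Finding {
	type owner struct {
		detail  string
		devices map[string]bool
	}
	keys := map[string]*owner{}   // normalised key material -> owners
	hashes := map[string]*owner{} // "user:hash" -> owners
	record := func(m map[string]*owner, id, detail, dev string) {
		if m[id] == nil {
			m[id] = &owner{detail: detail, devices: map[string]bool{}}
		}
		m[id].devices[dev] = true
	}
	for _, dev := range fleet {
		for path, content := range dev.Files {
			for _, k := range pemKeyRe.FindAllString(content, -1) {
				// Strip whitespace so line-wrapping differences cannot hide a shared key.
				record(keys, strings.Join(strings.Fields(k), ""), path, dev.ID)
			}
			for _, m := range shadowRe.FindAllStringSubmatch(content, -1) {
				record(hashes, m[1]+":"+m[2], m[1], dev.ID)
			}
		}
	}
	var out []Finding
	collect := func(rule string, m map[string]*owner) {
		for _, o := range m {
			if len(o.devices) < 2 {
				continue
			}
			ids := make([]string, 0, len(o.devices))
			for d := range o.devices {
				ids = append(ids, d)
			}
			sort.Strings(ids)
			out = append(out, Finding{Rule: rule, Detail: o.detail, Devices: ids})
		}
	}
	collect("shared-private-key", keys)
	collect("shared-password-hash", hashes)
	// Map iteration is unordered; sort so reports are stable.
	sort.Slice(out, func(i, j int) bool {
		return out[i].Rule+out[i].Detail < out[j].Rule+out[j].Detail
	})
	return out
}

// SampleFleet is constructed data: two hubs flashed from one image that still
// carry a factory SSH key and root hash, and one unit provisioned with its own.
func SampleFleet() []DeviceImage {
	sharedKey := "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAfactory\n-----END RSA PRIVATE KEY-----\n"
	sharedShadow := "root:$6$f4ct0ry$Qm9ndXNIYXNo:18000:0:99999:7:::\nnobody:*:18000:0:99999:7:::\n"
	return []DeviceImage{
		{ID: "hub-0001", Files: map[string]string{"/etc/ssh/ssh_host_rsa_key": sharedKey, "/etc/shadow": sharedShadow}},
		{ID: "hub-0002", Files: map[string]string{"/etc/ssh/ssh_host_rsa_key": sharedKey, "/etc/shadow": sharedShadow}},
		{ID: "hub-0003", Files: map[string]string{
			"/etc/ssh/ssh_host_rsa_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAunique03\n-----END RSA PRIVATE KEY-----\n",
			"/etc/shadow":               "root:$6$un1que03$RGlmZmVyZW50:18000:0:99999:7:::\n",
		}},
	}
}

func main() {
	for _, f := range AuditFleet(SampleFleet()) {
		fmt.Printf("%-22s %-26s shared by %v\n", f.Rule, f.Detail, f.Devices)
	}
}
```

Run against the sample fleet it reports the root hash and the SSH host key shared by hub-0001 and hub-0002 and nothing for hub-0003. The same two checks run over a product's firmware images across releases will catch a credential that was meant to be generated on first boot but was accidentally captured in a golden image.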

Products need to make it easy for consumers to delete their personal data when they want to, with clear instructions on how to do so. Similarly, installation and use of IoT devices needs to be simple and well documented. Security-sensitive data must be encrypted when it is transmitted, and the cryptography used must hold up against attack, which in practice means current, well-reviewed algorithms and protocols rather than proprietary or home-grown schemes.

All connected devices need to follow good security engineering practice, such as minimising the exposed attack surface by closing unused network ports and disabling services and interfaces that are not needed. Any input, whether from the user interface, an API or the network, should be validated so that malformed or out-of-range values cannot be used to exploit the device. Devices must also be able to verify the integrity of their software using a secure boot mechanism rooted in hardware, and must recover cleanly from power or network outages.

As well as requirements for the devices themselves, the ETSI standard has specific demands for product vendors. These include publishing a vulnerability disclosure policy so that researchers have a way to report issues, acting on those reports promptly, and continually monitoring for and fixing vulnerabilities in their products.

And device software must be easy to update securely: updates must be verified before they are installed, the update mechanism should use best-practice cryptography, and the vendor should state for how long a product will receive security updates.
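The secure boot and update provisions come down to the same check: the device holds a vendor public key in its trusted image and refuses to run or install software whose signed manifest does not verify against that key. As an added example (not the article's or ETSI's code), here is that check in Go for the update case, using Ed25519 from the standard library, a constructed manifest format that binds the payload through its SHA-256 digest, and an anti-rollback rule that refuses any version not newer than the one installed, so that a correctly signed but vulnerable old image cannot be pushed back onto the device. The manifest layout, product name, version numbers and payload are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs. The payload is bound to it through its
// SHA-256 digest, so one signature covers product, version and image together.
type Manifest struct {
	Product    string
	Version    uint32
	PayloadSHA [32]byte
}

// encode produces the exact bytes that are signed and verified. A fixed,
// length-prefixed encoding matters: signer and verifier must agree byte for
// byte, and no field may be able to masquerade as another.
func (m Manifest) encode() []byte {
	b := []byte("fwmanifest-v1\x00") // constructed domain-separation tag
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(m.Product)))
	b = append(b, n[:]...)
	b = append(b, m.Product...)
	binary.BigEndian.PutUint32(n[:], m.Version)
	b = append(b, n[:]...)
	return append(b, m.PayloadSHA[:]...)
}

// SignUpdate is the vendor-side step, done with an offline signing key:
// hash the payload, build the manifest, sign it.
func SignUpdate(priv ed25519.PrivateKey, product string, version uint32, payload []byte) (Manifest, []byte) {
	m := Manifest{Product: product, Version: version, PayloadSHA: sha256.Sum256(payload)}
	return m, ed25519.Sign(priv, m.encode())
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("version is not newer than the installed one")
	ErrPayloadHash  = errors.New("payload does not match the signed digest")
)

// VerifyUpdate is the device-side step. pub is baked into the trusted firmware
// image; installedProduct/installedVersion describe the running firmware. The
// signature is checked before any manifest field is relied on, and an equal or
// older version is refused even though its signature is genuine.
func VerifyUpdate(pub ed25519.PublicKey, installedProduct string, installedVersion uint32, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, m.encode(), sig) {
		return ErrBadSignature
	}
	if m.Product != installedProduct {
		return ErrWrongProduct
	}
	if m.Version <= installedVersion {
		return ErrRollback
	}
	if sha256.Sum256(payload) != m.PayloadSHA {
		return ErrPayloadHash
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed firmware image, version 7")
	m, sig := SignUpdate(priv, "smart-hub", 7, payload)
	fmt.Println("genuine v7 onto v6:", VerifyUpdate(pub, "smart-hub", 6, m, sig, payload))
	fmt.Println("same v7 onto v7:   ", VerifyUpdate(pub, "smart-hub", 7, m, sig, payload))
	tampered := append([]byte{}, payload...)
	tampered[0] ^= 1
	fmt.Println("modified payload:  ", VerifyUpdate(pub, "smart-hub", 6, m, sig, tampered))
	edited := m
	edited.Version = 9
	fmt.Println("edited manifest:   ", VerifyUpdate(pub, "smart-hub", 6, edited, sig, payload))
}
```

The order of the checks is deliberate: nothing in the manifest is trusted until the signature is good, so an attacker cannot steer the device with an unsigned product name or version. On a real device the installed version used for the rollback check must itself live in tamper-resistant storage, otherwise the same old image can be reinstalled by first resetting that counter.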

Building consumer confidence

Consumers are justifiably concerned about IoT security. The new standard is an invaluable way for vendors to rebuild trust with their customers. By following its guidance, manufacturers can ensure their products meet appropriate levels of security and privacy. This means that customers are protected, and companies can avoid costly breaches, and the impact of negative publicity.

More importantly, the ETSI standard is a step change for consumers, giving them confidence that their safety, privacy and security will not be put at risk by using connected devices.

The full text of ETSI TS 103 645 is available from the ETSI website.

The author is Alex Leadbeater, chairman, ETSI Cyber Security Technical Committee (TC CYBER).
