Securing consumer IoT devices: Why a global standard is needed
For consumers, the growth of the Internet of Things (IoT) means more and more objects in their home are now linked to the internet, and are potentially at risk of cyberattacks, or of revealing personal data in privacy breaches.
Over the last few years, says Alex Leadbeater, chairman, ETSI Cyber Security Technical Committee (TC CYBER), there have been increasing numbers of reports of this kind of consumer IoT problem. For example, security researchers recently discovered that ZipaMicro, a smart home hub, used the same private key in each hub, hardcoded into the devices. Combined with scrambled passwords they found on the internet, this enabled the researchers to open locks controlled by the hub.
Devices at risk include connected toys, which may well contain cameras and microphones that can be remotely accessed. As well as attacks over the internet, some toys now use Bluetooth, which is a potential weakness. Smart speakers, such as Amazon’s Echo, are also vulnerable to hackers listening in on private conversations.
These kinds of problems are usually fixed quickly by device vendors once they have been alerted in new products, but that may be too late and there is an inconsistent approach to fixing or recalling those already in the market. Governments are attempting to bring in legislation to mandate higher standards – for example, the UK is consulting on new laws, which may include compulsory labelling of products and minimum standards. The US is not far behind, with California already banning generic default passwords. Then in terms of data protection, there are laws such as the EU’s GDPR that apply to any stored personal information.
But this can make life difficult for product vendors – how can they ensure that they cost-effectively meet different sets of requirements in different countries, in a fast-changing market where regulations are still being defined?
Standard provides security recommendations
To address this problem, ETSI recently announced ETSI TS 103 645, the first global standard for consumer IoT security. The new standard aims to establish a benchmark for how companies should secure any consumer products that will be connected to the internet, and to promote best practice.
At the same time, it has been written with a focus on outcomes rather than specific methodologies, which means there is sufficient flexibility to enable companies to innovate and find the best solution for their particular products. The standard aims to address the needs of a wide range of connected devices, including toys, wearable fitness trackers, smart home assistants, smart TVs, door locks and home automation systems.
Let’s look at the advice in ETSI’s new standard, and how it will make connected consumer devices more secure.
First off, the standard says that all device passwords must be unique – overcoming the problem today where many products are sold with a default username and password, which users often don’t change. It also says it should be impossible to reset the password back to a default. It is surprising that many products on the market do not meet this or other more basic requirements in the new standard already.
Personal data protection is an important part of the standard, and it requires all sensitive information to be stored securely – both on devices themselves, and in any related services, such as in the cloud. Devices must not have credentials hard-coded, as these are relatively easy to discover.
The products need to make it easy for consumers to delete their personal data when they want to, with clear instructions provided. Similarly, installation and use of IoT devices needs to be simple and well-documented. Data must also be protected and encrypted when it’s being communicated. Devices must provide suitable protection against attacks on encryption.
All connected devices need to follow good security engineering practice, such as closing unused software and network ports to minimize the risk of attack. Any data inputted should be validated, to prevent exploits such as the use of out of range values. Devices must also be able to verify their software using some kind of hardware-based secure boot mechanism, and to handle any power or network outages successfully.
As well as requirements for the devices themselves, the ETSI standard has specific demands for product vendors. These include seeking out, and acting on, vulnerabilities promptly.
And device software must be able to be updated easily and securely.
Building consumer confidence
Consumers are justifiably concerned about IoT security. The new standard is an invaluable way for vendors to rebuild trust with their customers. By following its guidance, manufacturers can ensure their products meet appropriate levels of security and privacy. This means that customers are protected, and companies can avoid costly breaches, and the impact of negative publicity.
More importantly, the ETSI standard is a step change for consumers, giving them confidence that their safety, privacy and security will not be put at risk by using connected devices.
You can read the ETSI standard here
The author is Alex Leadbeater, chairman, ETSI Cyber Security Technical Committee (TC CYBER).