More and more consumer products contain wireless network connectivity either providing local short range connectivity to other devices or are directly connected to the internet – raising the risk of hacks or personal data breaches. Smart speakers, connected toys, domestic appliances and smart locks are all potentially vulnerable if not adequately secured by design and during their expected lifespan. As an example the Furby Connect doll with Bluetooth connectivity, enabled anyone within 100 feet to hack its wireless connection and access its microphone. Given that this product was intended for use by children, such a fundamental security flaw was especially unfortunate.
Everyone recognises there’s a problem, but exactly how to solve it isn’t yet well-defined. Governments are still developing legislation to improve security and product labelling, and to protect personal data. However, given the poor security of many current and historic IoT products regulation alone is not going to solve the problem overnight.
This leaves product vendors in a difficult position, with a need for clear direction in consumer IoT security. To fill this gap, ETSI recently announced ETSI TS 103 645, the first worldwide standard for consumer IoT security. This sets a benchmark for how to secure consumer products connected to the internet, and aims to promote best practice.
What the standard requires
The new standard focuses on outcomes, giving companies the flexibility to innovate and find different solutions. It addresses the needs of many products, including toys, wearable fitness trackers, smart home assistants, smart TVs, smart locks and home automation systems.
The standard says that personal data must be stored securely – on devices themselves, in any related services, such as in the cloud, and when it’s in transit. This will often mean a suitable level of encryption is required. It must be easy for consumers to delete their personal data, with clear instructions.
Similarly, installation and use of connected devices must be simple and well-documented. The devices’ software must be easy for customers to update, and vendors must tell consumers when they need to do this.
All connected devices need to follow good security practice, such as closing unused software and network ports to minimize the risk of attack. Any data inputted should be validated, to prevent exploits such as using out of range values.
Device passwords must be unique – many products today are sold with a generic default username and password, which users often leave unchanged. Devices must also be able to verify their software using some kind of hardware-based secure boot mechanism, and to handle any power or network outages successfully.
As well as the devices themselves, the ETSI standard has specific demands for product manufacturers, and explains they have a duty of care to their customers. This includes actively looking for problems and vulnerabilities, and putting in place a system for consumers to report issues – and then acting promptly on that information, including public disclosure.
Above all the standard's 13 provisions address many of the fundamentally poor security capabilities and product support which were addressed by the IT industry for the PC market in many cases 20 years ago. None of the provisions are rocket science although it is accepted that some provision may require more effort for the industry to achieve than others.
Ensuring security and privacy
With the press full of stories of security breaches, it’s no surprise that consumers are concerned. Within Europe cyber security is rapidly being considered a fundamental consumer expectation or right enforced by the GDPR and Cyber Security Act (CSA). Vendors need to rebuild trust with their customers, and the new ETSI standard will enable them to do this, and to meet the right levels of security and privacy.
It’s a win-win: customers are protected, and companies can avoid expensive breaches and the impact of negative publicity. When consumers are confident, they will feel comfortable taking advantage of new connected products, and all the benefits they can bring.