ETSI’s Technical Committee on Cybersecurity (TC CYBER) issued a standard to set a security baseline for connected consumer products and IoT services.
The standard will also provide a basis for future IoT certification schemes.
As more devices in the home connect to the internet, the cybersecurity of IoT is a growing concern – particularly regarding personal data.
Products and appliances that were previously offline are becoming connected and must be designed to withstand cyber threats such as risks to consumers’ privacy and distributed denial of service attacks on devices.
Securing consumer IoT
ETSI’s TS 103 645 specifies high-level provisions for securing consumer devices and associated services, from children’s toys and baby monitors to safety devices like smoke detectors and door locks, plus smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, appliances and smart home assistants.
TS 103 645 requires implementers to:
• avoid universal default passwords, which have been the source of many security issues
• provide a vulnerability disclosure policy so researchers and others can report security issues
• make systems resilient to outages
• validate input data, whether entered via user interfaces, transferred through application programming interfaces (APIs) or passed between networks, to prevent hackers from exploiting gaps and weaknesses
• comply with the General Data Protection Regulation (GDPR).
Stephen Russell, Secretary-General of ANEC, an organisation representing consumers in standardisation and an ETSI member, called the standard a “landmark specification for consumers and industry alike”.
“The potential benefits of the IoT will be achieved only if products and services are designed with trust, privacy and security built in, so consumers feel they are secure and safe to use.”
He said the standard “focuses on the technical and organisational controls that matter most in addressing significant and widespread security shortcomings.”
“Stakeholders at all levels have worked together to make sure the specification was outcome-focused, rather than prescriptive, giving organisations the flexibility to innovate and implement security solutions appropriate for their products,” stated Luis Jorge Romero, ETSI’s Director General.
Earlier this month, ETSI released a new specification to secure sensitive data in the cloud.