For consumers, the growth of the Internet of Things (IoT) means that more and more objects in their homes are linked to the internet and are potentially exposed to cyberattacks, or to privacy breaches that reveal personal data. That is why it has become increasingly important that IoT security measures are put in place.
Over the last few years, says Alex Leadbeater, chairman of the ETSI Cyber Security Technical Committee (TC CYBER), there have been increasing numbers of reports of this kind of consumer IoT problem. For example, security researchers recently discovered that ZipaMicro, a smart home hub, used the same private key in every hub, hard-coded into the devices. Combined with scrambled passwords they found on the internet, this enabled the researchers to open locks controlled by the hub.
Devices at risk include connected toys, which may well contain cameras and microphones that can be accessed remotely. As well as attacks over the internet, some toys now use Bluetooth, which adds a further attack surface. Smart speakers, such as Amazon’s Echo, are also vulnerable to attackers listening in on private conversations.
In new products, these kinds of problems are usually fixed quickly by device vendors once they have been alerted, but that may be too late, and the approach to fixing or recalling devices already in the market is inconsistent. Governments are attempting to bring in legislation to mandate higher standards – for example, the UK is consulting on new laws, which may include compulsory labelling of products and minimum standards. The US is not far behind, with California already banning generic default passwords. In terms of data protection, laws such as the EU’s GDPR also apply to any stored personal information.
But this can make life difficult for product vendors: how can they cost-effectively meet different sets of requirements in different countries, in a fast-changing market where regulations are still being defined?
Standard provides security recommendations
To address this problem, ETSI recently announced ETSI TS 103 645, the first global standard for consumer IoT security. The new standard aims to establish a benchmark for how companies should secure any consumer products that will be connected to the internet, and to promote best practice.
At the same time, it has been written with a focus on outcomes rather than specific methodologies, which means there is sufficient flexibility to enable companies to innovate and find the best solution for their particular products. The standard aims to address the needs of a wide range of connected devices, including toys, wearable fitness trackers, smart home assistants, smart TVs, door locks and home automation systems.
Let’s look at the advice in ETSI’s new standard, and how it will make connected consumer devices more secure.
First off, the standard says that all device passwords must be unique – overcoming the problem today where many products are sold with a shared default username and password, which users often don’t change. It also says it must not be possible to reset the password to a universal factory default shared with other devices. It is surprising how many products already on the market fail to meet this and other basic requirements of the new standard.
Personal data protection is an important part of the standard, and it requires all sensitive information to be stored securely – both on devices themselves and in any related services, such as in the cloud. Credentials must not be hard-coded into device software: a single secret embedded in firmware is relatively easy to extract, and once extracted it compromises every unit that shares it.
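As an added illustration of the two requirements above (not text or code from the ETSI standard, and not any vendor's code), the following Python contrasts a credential hard-coded into firmware, in the style of the shared hub key described earlier, with per-device credentials generated at provisioning time and stored only as a salted hash. The device IDs, the label alphabet and the password length are assumptions made for the example.

```python
"""Added example: one shared hard-coded secret versus a unique credential per unit.

Vulnerable half: a single password baked into every device, so extracting it
from one unit (or one firmware image) unlocks all of them.
Hardened half: each unit gets a random password at provisioning, printed on
its label, and the device stores only a salted PBKDF2 hash. There is no
universal default to reset back to.
Device IDs and the label alphabet are constructed for this example.
"""
import hashlib
import hmac
import secrets

# --- Vulnerable pattern: one credential shared by every unit shipped -----------
SHARED_ADMIN_PASSWORD = "admin1234"  # constructed stand-in for a baked-in secret


def verify_shared(password: str) -> bool:
    """Every device accepts the same password, and the comparison is not constant-time."""
    return password == SHARED_ADMIN_PASSWORD


# --- Hardened pattern: unique per-device credential, hashed at rest ------------
PBKDF2_ITERATIONS = 200_000
LABEL_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # assumed: no confusable glyphs
LABEL_LENGTH = 12                                   # assumed label password length


def provision_device(device_id: str):
    """Run once per unit on the production line.

    Returns (label_password, stored_record). The password goes on the label;
    only the salted hash and its parameters are written to device storage.
    """
    password = "".join(secrets.choice(LABEL_ALPHABET) for _ in range(LABEL_LENGTH))
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    record = {
        "device_id": device_id,
        "salt": salt,
        "hash": digest,
        "iterations": PBKDF2_ITERATIONS,
    }
    return password, record


def verify_device(record: dict, password: str) -> bool:
    """Constant-time check of a candidate password against the stored per-device hash."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def provisioning_yields_unique_passwords(n: int = 20) -> bool:
    """Check a practitioner would run on a batch: n units must give n distinct passwords."""
    passwords = {provision_device(f"unit-{i:04d}")[0] for i in range(n)}
    return len(passwords) == n


def self_check() -> bool:
    """A provisioned unit accepts its own label password and rejects the shared default."""
    label_password, record = provision_device("hub-0001")
    return verify_device(record, label_password) and not verify_device(record, "admin1234")


if __name__ == "__main__":
    pw, rec = provision_device("hub-0001")
    print("label password for hub-0001:", pw)
    print("hub accepts its label password:", verify_device(rec, pw))
    print("hub accepts the old shared default:", verify_device(rec, "admin1234"))
    print("shared-secret firmware accepts the default:", verify_shared("admin1234"))
```

The stored record holds the salt and iteration count alongside the hash, so the work factor can be raised on a future firmware update without breaking existing units.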
Products need to make it easy for consumers to delete their personal data when they want to, with clear instructions provided. Similarly, the installation and use of IoT devices need to be simple and well documented. Data must also be protected and encrypted while it is being communicated, and devices must use best-practice cryptography with suitable protection against attacks on it.
All connected devices need to follow good security engineering practices, such as closing unused software and network ports to minimize the attack surface. All input must be validated, to prevent exploits such as out-of-range values reaching the device logic. Devices must also verify their software at boot using a hardware-rooted secure boot mechanism, and recover cleanly from power or network outages.
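To make the input-validation requirement above concrete, here is an added Python example (not part of the ETSI standard or the article) that validates an inbound command against an explicit allow-list of commands, field types and value ranges before anything reaches the control logic. The command names, the thermostat setpoint limits and the sample messages are constructed assumptions for the example; the size cap and the rejection of unknown fields are the checks a practitioner would want in front of any such parser.

```python
"""Added example: allow-list validation of a device command message.

Everything here is constructed for illustration: a thermostat that accepts
two commands, a setpoint in tenths of a degree Celsius, and a handful of
sample messages including an out-of-range value, a type confusion, an
unexpected field and a non-JSON payload.
"""
import json

# Accepted commands, and for each field its required type and allowed values.
# Integer fields carry an inclusive (low, high) range; string fields a set.
SCHEMA = {
    "set_target": {"target_tenths": (int, 50, 350)},           # 5.0 C .. 35.0 C, assumed
    "set_mode": {"mode": (str, {"off", "heat", "cool"})},
}
MAX_MESSAGE_BYTES = 512  # bound the parser's work before looking at the content


class InvalidCommand(ValueError):
    """Raised for any message that does not exactly match the schema."""


def validate_command(raw: bytes) -> dict:
    """Parse one raw message and return the validated command, or raise InvalidCommand."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise InvalidCommand("message too large")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise InvalidCommand(f"malformed message: {exc}") from None
    if not isinstance(msg, dict):
        raise InvalidCommand("message is not an object")

    cmd = msg.get("cmd")
    if cmd not in SCHEMA:
        raise InvalidCommand(f"unknown command: {cmd!r}")
    spec = SCHEMA[cmd]

    # Reject fields the schema does not mention rather than silently ignoring them.
    extra = set(msg) - set(spec) - {"cmd"}
    if extra:
        raise InvalidCommand(f"unexpected fields: {sorted(extra)}")

    out = {"cmd": cmd}
    for field, rule in spec.items():
        if field not in msg:
            raise InvalidCommand(f"missing field: {field}")
        value = msg[field]
        expected_type = rule[0]
        # Exact type match: bool is a subclass of int in Python, so isinstance()
        # would let true/false through as an integer setpoint.
        if type(value) is not expected_type:
            raise InvalidCommand(f"{field}: expected {expected_type.__name__}")
        if expected_type is int:
            low, high = rule[1], rule[2]
            if not low <= value <= high:
                raise InvalidCommand(f"{field}: {value} outside [{low}, {high}]")
        elif value not in rule[1]:
            raise InvalidCommand(f"{field}: {value!r} not allowed")
        out[field] = value
    return out


def triage(messages):
    """Validate a batch; return (accepted commands, [(raw, reason)] for rejects)."""
    accepted, rejected = [], []
    for raw in messages:
        try:
            accepted.append(validate_command(raw))
        except InvalidCommand as exc:
            rejected.append((raw, str(exc)))
    return accepted, rejected


# Constructed sample traffic: one valid setpoint, then four kinds of bad input.
SAMPLES = [
    b'{"cmd": "set_target", "target_tenths": 215}',         # valid: 21.5 C
    b'{"cmd": "set_target", "target_tenths": 99999}',       # out of range
    b'{"cmd": "set_target", "target_tenths": "215"}',       # string where int expected
    b'{"cmd": "set_mode", "mode": "heat", "debug": true}',  # unexpected field
    b'\xff\xfe not json',                                   # not valid UTF-8 / JSON
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLES)
    for command in ok:
        print("accepted:", command)
    for raw, reason in bad:
        print("rejected:", raw, "->", reason)
```

The schema is the only place the accepted surface is described, so adding a command means adding a line there rather than another ad-hoc check in the handler.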
As well as requirements for the devices themselves, the ETSI standard has specific demands of product vendors. These include seeking out, and acting on, reported vulnerabilities promptly, and ensuring that device software can be updated easily and securely.
Building consumer confidence
Consumers are justifiably concerned about IoT security. The new standard is a valuable way for vendors to rebuild trust with their customers. By following its guidance, manufacturers can ensure their products meet appropriate levels of security and privacy. This means that customers are protected, and companies can avoid costly breaches and the impact of negative publicity.
More importantly, the ETSI standard is a step-change for consumers, giving them confidence that their safety, privacy, and security will not be put at risk by using connected devices.
The Fastcomm Advantage
Fastcomm’s business is to build technology platforms that empower its clients to digitally transform their businesses and therefore to understand and address the growing needs of their customers. Our mission is to build long-term technology partnerships that help transform companies, allowing them to concentrate on their core business.
We have a proven track record of understanding disruptive technologies and the effect they have on businesses. We have built platforms in the IoT and OTT technology domains that allow us to connect people, places and things successfully.
The Fastcomm group of companies has been providing solutions to its partners since 2002. We have offices in the USA, Europe and South Africa, allowing us to produce innovative solutions using know-how and skills acquired worldwide.
Our skilled engineering teams have, over many years, created platforms and building blocks that allow for rapid development and deployment of solutions.