As useful as connected devices like video doorbells and smart lights are, there is good reason to be cautious about bringing connected technology into your home, especially after years of reading about security camera hacks, refrigerator botnets and smart stoves turning themselves on. But until now, there hasn’t been an easy way to assess how secure a product actually is. A new initiative from the Connectivity Standards Alliance (CSA), the organization behind the smart home standard Matter, hopes to solve this problem.
The IoT Device Security Specification announced this week by CSA is a baseline cybersecurity standard and certification program designed to provide a single, globally recognized security certification for consumer IoT devices.
Device manufacturers that adhere to the specification and pass the certification process can carry CSA’s new Product Security Verified (PSV) mark. If you buy a security camera or smart light bulb with this mark, you’ll know it meets a set of requirements intended to protect it from malicious hackers and other intrusions that could affect your privacy.
“Getting global consumer IoT security certification is a big step forward. It’s much better than nothing.” Steve Hanna, Infineon
“Research continues to show that consumers view security as an important device purchase driver, but they don’t know what to consider from a security perspective to make an informed purchase decision,” said Eugene Liderman, director of mobile security strategy at Google. “Such a program would provide consumers with a simple, easily identifiable metric to look for.”
Liderman was a member of the CSA working group that defined the program’s 1.0 specification, which was developed by CSA’s 200-plus member companies. These include (along with Google) Amazon, Comcast, Signify (Philips Hue) and several chip manufacturers, including Arm, Infineon and NXP.
CSA CEO Tobin Richardson said products bearing the PSV logo could begin appearing as early as this holiday shopping season.
One cybersecurity label to rule them all
CSA’s announcement on March 18 follows news last week that the FCC had approved a new cybersecurity labeling program for consumer IoT devices in the United States. Both programs are voluntary, and the CSA label does not compete with the U.S. Cyber Trust Mark. Instead, it goes a step further, adopting all of the U.S. requirements and adding cybersecurity baselines from similar programs in Singapore and Europe. The end result is a single specification and certification scheme that can operate in multiple countries (see sidebar).
Richardson said the goal is to have CSA’s PSV mark recognized by governments so that manufacturers only need to go through the certification process once to sell in all major markets. This could reduce costs and complexity for manufacturers and potentially lead to more choices for consumers.
The PSV mark has been recognized by the Cyber Security Agency of Singapore, and the CSA said it is working towards mutual recognition with similar schemes in the US, EU and UK. “This is very possible, and for some [countries], that’s for sure,” Richardson said. “It’s mostly a matter of dealing with some paperwork.”
To receive the PSV mark, a device must comply with the IoT Device Security Specification 1.0 and pass a certification program, which includes answering a questionnaire and providing accompanying evidence to an authorized testing laboratory. Key points required include:
- A unique identity for each IoT device
- No hard-coded default passwords
- Secure storage of sensitive data on device
- Secure communication of security-relevant information
- Secure software updates throughout the support period
- A secure development process, including vulnerability management
- Public documentation about security, including support periods
According to the CSA, the voluntary program applies to most connected smart home devices, including light bulbs, switches, thermostats and security cameras, and can be applied to products already on the market. In addition to the PSV mark, “a URL, hyperlink or QR code printed on the mark allows consumers to obtain more information about the device’s security features,” the CSA said in its press release.
The program focuses specifically on device security — ensuring the physical device itself cannot be compromised — rather than privacy. “But there’s a strong connection between the two, and you can’t have privacy without security,” Richardson said. While security affects privacy, the program places few requirements on how manufacturers use the data collected by devices. CSA has a separate Data Privacy Working Group to address those issues.
Better security, but still not perfect
The current iteration of the program is not a panacea for IoT device security issues. Steve Hanna of Infineon Technologies, a 25-year cybersecurity researcher and chair of the CSA working group behind the program, told us that he would like to see more requirements included. “But we have to crawl, walk, and run,” he said. “Getting global consumer IoT security certification is a big step forward. It’s much better than nothing.”
Google’s Liderman also pointed out that meeting minimum security standards does not guarantee that a device is free of vulnerabilities. “We firmly believe that the industry needs to raise standards over time, especially for sensitive product categories,” he said.
The CSA program continually updates its specifications, and companies must recertify at least every three years. Additionally, Richardson said incident response processes need to be in place, so if a company encounters security issues, such as Wyze’s recent problems, it must resolve them before it can be re-certified.
API allows smart home platform applications to alert you of a device’s security status before it joins your network
To address concerns about mislabeling, Hanna said, CSA will create a library of all certified products on its website so you can cross-check a company’s claims. He also said there are plans to make this information available in an API, which would allow your smart home platform applications to alert you of a device’s security status before it joins your network.
Hanna warns against setting expectations too high. “Some companies are happy to be recognized for the work they’ve done, but we shouldn’t expect that with every product,” he said. He said some may find they have issues that prevent them from getting certified. “If or when the government makes these demands, that’s where the rubber hits the road.”
The voluntary program may seem like a finger in the dike, but it does address two fundamental problems. For manufacturers, it makes it easier to comply with regulations in multiple countries at once, and for consumers, it provides a way to see what kinds of security practices a company follows.
“Without labels or markings, it can be difficult for consumers to make purchasing decisions based on security,” said Hollie Hennessy, an IoT cybersecurity expert at technology analytics firm Omdia. The program’s voluntary nature could be a barrier to adoption, but Hennessy said her company’s research shows people are more likely to buy devices that carry privacy and security labels.
Ultimately, Hennessy believes a combination of such standards and certifications, as well as regulation and legislation, is needed to address consumer concerns about privacy and security on connected devices. But the move is a big step in the right direction.