As useful as connected devices like video doorbells and smart lights are, it pays to be cautious about bringing connected technology into your home, especially after years of reading about security camera hacks, refrigerator botnets, and smart stoves turning themselves on. But until now, there hasn’t been an easy way to assess how secure a product is. A new initiative from the Connectivity Standards Alliance (CSA), the organization behind the smart home standard Matter, hopes to solve this problem.
The IoT Device Security Specification announced this week by CSA is a baseline cybersecurity standard and certification program designed to provide a single, globally recognized security certification for consumer IoT devices.
Device manufacturers that adhere to the specification and pass the certification process can display CSA’s new Product Security Verified (PSV) mark. If you buy a security camera or smart light bulb carrying this mark, you’ll know it meets a set of baseline requirements intended to protect it from malicious hackers and other intrusions that could affect your privacy.
“Being certified for global consumer IoT security is a big step forward. It’s much better than nothing.” Steve Hanna, Infineon
“Research continues to show that consumers view security as an important device purchase driver, but they don’t know what to consider from a security perspective to make a smart purchase decision,” Eugene Liderman, director of mobile security strategy at Google, told The Verge. “Such a program would provide consumers with a simple, easily identifiable metric to look for.”
Liderman was a member of the CSA working group that defined the program’s 1.0 specification, which was developed by CSA’s 200+ member companies. These include (along with Google) Amazon, Comcast, Signify (Philips Hue) and several chip manufacturers, including Arm, Infineon and NXP.
CSA CEO Tobin Richardson said products bearing the PSV logo could start showing up as early as this holiday shopping season.
One cybersecurity icon to rule them all
CSA’s announcement on March 18 follows news last week that the FCC had approved a new cybersecurity labeling program for consumer IoT devices in the United States. Both programs are voluntary, and the CSA label does not compete with the U.S. Cyber Trust Mark. Instead, it goes a step further, adopting all of the U.S. requirements and adding cybersecurity baselines from similar programs in Singapore and Europe. The end result is a single specification and certification scheme that can operate in multiple countries (see sidebar).
Richardson said the goal is to have CSA’s PSV mark recognized by governments so that manufacturers only need to go through the certification process once to sell in all major markets. This could reduce costs and complexity for manufacturers and potentially lead to more choices for consumers.
The PSV mark has been recognized by the Cyber Security Agency of Singapore, and the CSA said it is working towards mutual recognition with similar schemes in the US, EU and UK. “It’s very possible, and for some [countries], that’s for sure,” Richardson said. “It’s mostly a matter of dealing with some paperwork.”
To receive the PSV mark, a device must comply with the IoT Device Security Specification 1.0 and pass a certification program, which includes answering a questionnaire and providing supporting evidence to an authorized testing laboratory. Key requirements include:
- A unique identity for each IoT device
- No hard-coded default passwords
- Secure storage of sensitive data on the device
- Secure communication of security-relevant information
- Secure software updates throughout the support period
- Secure development process, including vulnerability management
- Public documentation about security, including support periods
According to the CSA, the voluntary program applies to most connected smart home devices, including light bulbs, switches, thermostats and security cameras, and can be applied retroactively to products already on the market. In addition to the PSV mark, “a URL, hyperlink or QR code printed on the mark allows consumers to obtain more information about the device’s security features,” the CSA said in its press release.
The program focuses specifically on device security — ensuring the physical device itself cannot be accessed — rather than privacy. “But there’s a strong connection between the two, and you can’t have privacy without security,” Richardson said. While security affects privacy, the program doesn’t place many requirements on how manufacturers use the data collected by devices. CSA has a separate data privacy working group that deals with those issues.
Better security, but still not perfect
The current iteration of the program is not a panacea for IoT device security issues. Infineon Technologies’ Steve Hanna, a researcher with 25 years of cybersecurity experience and chair of the program’s CSA working group, told The Verge he would also like to see more included. “But we have to crawl, walk, and run,” he said. “Getting the Global Consumer IoT Security Certification is a big step forward. It’s much better than nothing.”
Google’s Liderman also pointed out that meeting minimum security standards does not guarantee that a device will be free of vulnerabilities. “We firmly believe that the industry will need to improve standards over time, particularly for sensitive product categories,” he said.
The CSA program continually updates its specifications, requiring companies to recertify at least every three years. Additionally, Richardson said incident response processes need to be in place, so if a company encounters security issues, such as Wyze’s recent problems, it must resolve them before it can be recertified.
API allows smart home platform applications to alert you of a device’s security status before it joins your network
To address concerns about mislabeling, Hanna said the CSA will create a database of all certified products on its website so you can cross-check a company’s claims. He also said there are plans to make this information available in an API, which would allow your smart home platform applications to alert you of a device’s security status before it joins your network.
Hanna warns against setting expectations too high. “Some companies are happy to be recognized for the work they’ve done, but we shouldn’t expect that with every product,” he said. Some may find they have issues that prevent them from getting certified, he said. “If or when the government makes these demands, that’s where the rubber hits the road.”
A voluntary program may seem like a finger in the dike, but it does solve two fundamental problems. For manufacturers, it makes it easier to comply with regulations in multiple countries at once, and for consumers, it provides a way to see what kinds of security practices a company adheres to.
“Without labels or markings, it can be difficult for consumers to make purchasing decisions based on security,” said Hollie Hennessy, an IoT cybersecurity expert at technology analytics firm Omdia. The program’s voluntary nature could be a barrier to adoption, but Hennessy said her company’s research shows people are more likely to buy devices that carry privacy and security labels.
Ultimately, Hennessy believes that a combination of such standards and certifications, as well as regulations and legislation, will be needed to address consumer concerns about the privacy and security of connected devices. But the move is a big step in the right direction.