Consumer IoT security: From “nice to have” to “new normal”

The current rise of the Internet of Things (IoT) ecosystem cannot be denied. Smart building elements, vehicles connected to a smart transport infrastructure, or gadgets controlled remotely through mobile applications and the cloud are only a few examples of the current state. Moreover, the rate at which IoT is expanding is accelerating. Based on recent reports, 5.8 billion IoT endpoints are expected to be in use by the end of 2020 in automotive and enterprise environments alone.
Whenever the term IoT is mentioned, thoughts initially turn to smart consumer gadgets. In fact, this paradigm, even though slightly outdated, is still correct to a large extent. Based on reports, the market for consumer IoT products is projected to reach $153.8 billion by 2026. However, together with the increase in connected products' volume and functionality, the cybersecurity risks associated with these products are rising sharply as well. Given the volume of this market, as well as its connectivity to other high-risk environments, this becomes a serious issue.
Are there published guidelines for securing IoT devices?
The responsibility for introducing sufficient security controls into IoT products lies mostly with their developers, as they are the ones technically able to design such security functionality. But often one of the biggest challenges is knowing precisely what kind of security controls to include. Are simple authentication and data encryption sufficient, or should IoT products include more sophisticated features such as secure boot, protection against physical tampering, or resistance to side-channel attacks? Since this is an essential question, sufficient, good-quality international standards and best practices are critical for the consumer IoT domain. Luckily, we don't lack such publications. The IoT Security Foundation framework, IEC 62443-4-2, the GSMA IoT requirements and ETSI EN 303 645 are examples of well-known publications that can be used as references for implementing security by design in such products. It is sometimes hard to pick a favorite from this list (and from the many other publications that address the domain as well). However, in the last two years the cybersecurity world has focused its attention more and more on ETSI EN 303 645, in the hope that it could become the ultimate reference standard we were all looking for.
ETSI EN 303 645, officially released by ETSI in June 2020, provides a common view of what a consumer IoT security baseline should look like. It is straight to the point, leaving out of scope requirements that would make the testing effort difficult and overly long. The standard is split into 13 chapters, with requirements focused on various domains of control, such as secure authentication, software updates, software integrity, secure installation, etc.
The standard itself aims to provide a baseline of security requirements; as expected, therefore, the testing depth is moderate. General security evaluation knowledge of hardware, software and protocol security is sufficient to go through the requirements. The difficulty comes, however, from interpreting some requirements that are made "flexible" on purpose. For example, the requirement "The product shall have an update mechanism for the secure installation of updates" first requires consensus on what is meant by "secure installation", especially in the sense of what is good enough and what is not. There are multiple other instances of such requirements where a common interpretation is needed in order to reach a testing verdict. Finally, the smooth applicability of the standard will require a certain set of evidence to be provided by the developer to facilitate the evaluation. This is still expected to be much less extensive than the evidence set for, say, a Common Criteria evaluation.
Is it possible to currently certify the security of IoT products?
In one word, yes! The existence of relevant security certification schemes has been an essential factor in the increased adoption of security by design among developers. Being able to obtain this official recognition in return, and use it to create a market advantage, can stimulate manufacturers of consumer IoT products to allocate more time and budget to cybersecurity. There are in fact several options that developers can choose from, and currently the most relevant are based on the ETSI EN 303 645 standard. National certification schemes for IoT have been established in Finland and Singapore. At the same time, private certification schemes exist for certifying against the ETSI norm. We all know that security is not a cheap business. In order to certify a product, developers will need to invest not only in contracting a testing facility, but also in creating the necessary product documentation and addressing any detected security gaps. However, at the end of the day, these kinds of labels and certificates distinguish a product among the thousands of other similar devices on the IoT market. And finally, a certification assignment is not merely a box-ticking exercise. The testing and documentation evaluation will often help the developer make the product more mature, improve its user and deployment guidance, or address security gaps that were not spotted during development.
Are there, or will there be mandatory laws for IoT products security?
A regulatory background focused specifically on (consumer) IoT products has been missing so far, but it is becoming an increasingly hot topic of discussion. This is mostly because consumers will almost always be more attracted by the functionality (or price) of a product than by researching its security capabilities. Therefore, such security validation needs to happen in the background, so that consumers can only ever choose among devices with at least minimum protection.
The EU, as well as the UK, the USA, Brazil and other regions, are considering local laws and regulations aimed at mandating a minimum level of cybersecurity in the products placed on the market. Initially, the aim is for this minimum level to be something that developers can achieve without unreasonable cost or effort. Laws like the RED (Radio Equipment Directive in the EU), the UK IoT security law or the California IoT security law ask for baseline security, including secure passwords, a vulnerability disclosure procedure and secure software updates. While minimal, such an initial set of mandatory requirements is expected to make a major difference in improving the security posture of IoT products available on the market. As the years go on, this set of minimum requirements is expected to expand, and the security of consumer IoT products will gradually improve. We can only hope that several years from now we will see security as the "new normal", instead of a "nice to have" feature.