Connected devices like video doorbells and smart lights can be useful, but after years of reading about security camera hacks, refrigerator botnets, and smart stoves turning themselves on, it is wise to be careful about the connected technology you bring into your home. Until now, though, there has been no easy way to assess the security of a product before buying it. A new program from the Connectivity Standards Alliance (CSA), the group behind the Matter smart home standard, hopes to solve this problem.
CSA's IoT Device Security Specification, announced this week, is a baseline cybersecurity standard and certification program aimed at providing a single, globally recognized security certification for consumer IoT devices.
Device manufacturers that comply with the specification and go through the certification process can earn CSA's new Product Security Verified (PSV) mark. If the security camera or smart light bulb you're purchasing bears this mark, you know it meets the CSA's baseline requirements for protecting against malicious hacking and other intrusions that can affect your privacy.
“Achieving global consumer IoT security certification is a huge step forward. Anything is better than nothing,” said Steve Hanna from Infineon.
“Research shows that consumers rate security as an important factor in their device purchases, but they don't know what to look for from a security perspective to make informed purchasing decisions,” Eugene Liderman, director of mobile security strategy at Google, told The Verge. “Programs like this provide consumers with simple and easily identifiable metrics.”
Liderman is a member of the CSA working group that defined the program's 1.0 specification, which was developed by CSA's more than 200 member companies. These include (along with Google) Amazon, Comcast, Signify (Philips Hue), and several chipmakers such as Arm, Infineon, and NXP.
CSA CEO Tobin Richardson said products bearing the PSV mark could start appearing as early as this year's holiday season.
One cybersecurity mark to rule them all
CSA's March 18 announcement follows last week's news that the FCC has approved implementation of a new cybersecurity labeling program for consumer IoT devices in the United States. Both programs are voluntary, and the CSA label does not conflict with the U.S. Cyber Trust mark. Instead, it goes a step further by incorporating all of the U.S. requirements and adding cybersecurity baselines from similar programs in Singapore and Europe. The end result is a single specification and certification program that works in multiple countries (see sidebar).
Richardson said the goal is for CSA's PSV mark to be recognized by governments, allowing manufacturers to go through a single certification process and sell in all major markets. This potentially reduces cost and complexity for manufacturers and provides more choice for consumers.
The PSV mark is already recognized by Singapore's Cyber Security Agency, and CSA says it is working on mutual recognition with similar programs in the US, EU and UK. “It is very likely that in some cases [countries]. That's for sure,” Richardson says. “It's mainly about organizing documents.”
To earn the PSV mark, a device must comply with the IoT Device Security Specification 1.0 and pass a certification program that involves completing a questionnaire and submitting supporting evidence to an accredited testing laboratory. The main requirements are:
- A unique ID for each IoT device
- No hard-coded default passwords
- Secure storage of sensitive data on the device
- Secure communication of security-related information
- Secure software updates throughout the support period
- A secure development process, including vulnerability management
- Public security documentation, including the support period
The voluntary program applies to most connected smart home devices, including light bulbs, switches, thermostats and security cameras, and can be applied retroactively to products already on the market, according to the CSA. Along with the PSV mark, “a URL, hyperlink or QR code printed on the mark will allow consumers to access detailed information about the security features of their device,” the CSA said in a press release.
The program focuses specifically on device security, that is, preventing unauthorized access to the device itself, rather than on privacy. “But there's a close relationship in that you can't have privacy without security,” Richardson says. Although security affects privacy, the program places few requirements on how manufacturers use the data their devices collect. CSA has a separate data privacy working group dealing with that can of worms.
Security has improved, but it's still not perfect
The current iteration of the program is not a silver bullet for IoT device security concerns. Steve Hanna of Infineon Technologies, a 25-year cybersecurity researcher and chair of the program's CSA working group, told The Verge there are still things he wants to incorporate. “But we have to crawl, walk and run,” he says. “Achieving global consumer IoT security certification is a huge step forward. It's better than nothing.”
Google's Liderman also pointed out that meeting minimum security standards does not guarantee that a device is free from vulnerabilities. “We strongly believe that the industry needs to raise its standards over time, especially when it comes to sensitive product categories,” he says.
CSA plans to continue updating its specification and requires companies to recertify at least every three years. Additionally, Richardson said there are requirements for an incident response process, so that if a company encounters security issues (such as Wyze's recent problems), it must fix them before recertification.
To address concerns about misuse of the label, CSA says it will maintain a database of all certified products on its website, allowing anyone to cross-check a company's claims. It also plans to make the information available through an API, so that smart home platform apps can alert users to the security status of a device before it joins the network.
Hanna is careful not to get hopes too high. “Some companies are excited about this feature to recognize the work they've done, but they shouldn't expect every product to have this,” he says. Some may have problems and not be able to get certified, he says. “When these things are required by the government, that's where the problem lies.”
A voluntary program may seem like putting a finger in the dam, but it addresses two fundamental problems. For manufacturers, it makes it easier to comply with multiple countries' regulations in one step, and for consumers, it paves the way for clear information about what kind of security practices companies adhere to.
“Without labels and markings, it may be difficult for consumers to make purchasing decisions based on security,” says Hollie Hennessy, IoT cybersecurity expert at technology analyst firm Omdia. Hennessy said the program's voluntary nature could be a barrier to adoption, but her company's research shows people are more likely to buy devices that carry privacy and security labels.
Ultimately, Hennessy believes that this combination of standards and certification, along with regulation and legislation, is needed to address consumer concerns about privacy and security in connected devices. But this move is a big step in the right direction.