ETSI Releases Cybersecurity Standard for Consumer IoT Products

ETSI, a Europe-based tech standards organization, has released a cybersecurity spec for consumer Internet of Things (IoT) products.

Called ETSI TS 103 645, the standard seeks to provide a baseline for Internet-connected consumer devices while at the same time establishing a basis for future IoT certification initiatives.

Targeting the consumer -- as opposed to industrial -- space, the standard's scope includes devices such as: children’s toys and baby monitors; connected safety-relevant products such as smoke detectors and door locks; smart cameras, TVs and speakers; wearable health trackers; connected home automation and alarm systems; connected washing machines, refrigerators and other appliances; and smart home assistants.

The nonprofit ETSI, which describes itself as a leading standardization organization for Information and Communication Technology (ICT) standards, is based in Europe and originally had a distinct European focus, though it now says it has a global perspective and sees its standards used around the world. Thus the organization describes its newly released standard as "the first globally applicable standard for consumer IoT security."

While the standard is full of technical jargon, a couple of its provisions are easy to explain: implementers should stop using universal default passwords, and they should implement a vulnerability disclosure policy so that security researchers and others can report the security issues they discover.

Other guidance includes details on how to:

  • Keep software updated
  • Securely store credentials and security-sensitive data
  • Communicate securely
  • Minimize exposed attack surfaces
  • Ensure software integrity
  • Ensure that personal data is protected
  • Make systems resilient to outages
  • Examine system telemetry data
  • Make it easy for consumers to delete personal data
  • Make installation and maintenance of devices easy
  • Validate input data

"As more devices in the home connect to the Internet, the cyber security of the Internet of Things (IoT) is becoming a growing concern," ETSI said in a news release yesterday (Feb. 19). "People entrust their personal data to an increasing number of online devices and services. In addition, products and appliances that have traditionally been offline are now becoming connected and need to be designed to withstand cyber threats. Poorly secured products threaten consumer’s privacy and some devices are exploited to launch large-scale DDoS (Distributed Denial of Service) cyber attacks."

About the Author

David Ramel is an editor and writer for Converge360.

