ETSI Releases Cybersecurity Standard for Consumer IoT Products

ETSI, a Europe-based tech standards organization, has released a cybersecurity spec for consumer Internet of Things (IoT) products.

Called ETSI TS 103 645, the standard seeks to provide a baseline for Internet-connected consumer devices while at the same time establishing a basis for future IoT certification initiatives.

Targeting the consumer -- as opposed to industrial -- space, the standard's scope includes devices such as: children’s toys and baby monitors; connected safety-relevant products such as smoke detectors and door locks; smart cameras, TVs and speakers; wearable health trackers; connected home automation and alarm systems; connected washing machines, refrigerators and other appliances; and smart home assistants.

The nonprofit ETSI, which describes itself as a leading standardization organization for Information and Communication Technology (ICT) standards, is based in Europe and originally had a distinct European focus, though it now says it has a global perspective and sees its standards used around the world. Thus the organization describes its newly released standard as "the first globally applicable standard for consumer IoT security."

While the standard is full of technical jargon, a couple of easily explained aspects call for implementers to stop using universal default passwords and implement a vulnerability disclosure policy to help security researchers and others report security issues they have discovered.

Other guidance includes details on how to:

  • Keep software updated
  • Securely store credentials and security-sensitive data
  • Communicate securely
  • Minimize exposed attack surfaces
  • Ensure software integrity
  • Ensure that personal data is protected
  • Make systems resilient to outages
  • Examine system telemetry data
  • Make it easy for consumers to delete personal data
  • Make installation and maintenance of devices easy
  • Validate input data

"As more devices in the home connect to the Internet, the cyber security of the Internet of Things (IoT) is becoming a growing concern," ETSI said in a news release yesterday (Feb. 19). "People entrust their personal data to an increasing number of online devices and services. In addition, products and appliances that have traditionally been offline are now becoming connected and need to be designed to withstand cyber threats. Poorly secured products threaten consumer’s privacy and some devices are exploited to launch large-scale DDoS (Distributed Denial of Service) cyber attacks."

About the Author

David Ramel is an editor and writer for Converge360.