Program, Which Could Become Global, Designed to Evaluate Security of Connected Devices
IoT devices: A group of IP security cameras made by Arlo (Photo: Arlo)
As internet-connected devices become more pervasive, there’s increasing worry that they could provide new avenues for hackers.
From connected thermostats to networked door locks and security cameras, every new endpoint potentially holds risk. But the IoT Alliance Australia is developing an independent certification and testing program that’s designed to help ensure connected devices meet high security and privacy standards before they hit the market.
The program, called the IoT Security Trust Mark, is aimed at helping connected device manufacturers embed safety and security by design as well as proactively protect consumers, says Matt Tett, who is chair of IoTAA’s cybersecurity and network resilience workstream enabler and managing director of Enex TestLab. The effort, slated to launch in September, could eventually expand worldwide.
“The remit is big,” Tett says. “It could be moms and dads in their homes buying TVs and fridges or smart speakers and devices for their kids, or it could be a government department or agency that’s looking to put in the latest conferencing system. There’s a whole gamut of stakeholders.”
There are plenty of examples of connected device security going wrong. For example, an Australian company that sells the TicTokTrack, a GPS-tracking smartwatch for kids, twice introduced a security flaw that could have allowed an attacker to spoof a child’s location (see: Australian Kids’ Smartwatch Maker Hit By Same Bug Again).
Tett says the Trust Mark program, which has a rigorous testing component, could help manufacturers avoid those kinds of problems.
IoT Standards: Many Guidelines, Few Laws
There’s been much effort worldwide to ensure smart devices don’t introduce security risks. ENISA in Europe released good security practices for IoT guidelines two years ago. Also in 2018, the U.K. released Code of Practice for Consumer IoT Security for manufacturers.
Meanwhile, the Australian government is refining a code of practice for IoT manufacturers that’s intended to ensure devices have basic security features. A public consultation on the code concluded on March 1.
In the U.S., a new law, SB 327, took effect in January in California that mandates IoT devices must have reasonable security features. And, the Cyber Shield Act has been introduced in the U.S. Congress for the second time. That act would introduce benchmarks that connected devices have to meet to earn a “Cyber Shield” label.
But for the most part, IoT manufacturers today aren’t bound by legislation or regulations, which also can be tricky to write given the changing nature of security requirements.
Australia’s IoT Security Trust Mark program was inspired by work that Enex TestLab did for the U.K. government between 2007 and 2011, Tett says. The lab tested products that the U.K. government was evaluating for critical national infrastructure. Vendors that passed evaluations were to be given greater weighting in tenders.
The program proved “that you can have an independent, agnostic, vendor-sponsored certification program provided you have the right checks and balances in there,” Tett says.
The Trust Mark program will have an independent decision authority that decides whether products are approved, Tett says. The products will be evaluated by separate, independent testing facilities. In other countries, a host country IoT association can promote and market that evaluated products that have gone through the program, Tett says.
“IoT is not just an Australian problem,” Tett says. “It’s the world’s problem.”
The testing program will have two phases. First, manufacturers will develop a statement of claims, describing security, safety and privacy aspects of a device. Those could include “baseline” aspects, such as policies on default passwords, how encryption is used and how the device can be patched. They also could include information about specific security features, such as how the device securely transmits personal data..
IoT: A smart washer and dryer made by GE (Photo: GE)
In the second phase, an accredited test facility will verify the manufacturer’s claims and issue a letter of recommendation. But a decision authority will decide whether a device passes or fails. If it passes, it will be certified. Manufacturers will be given another shot if a device fails to earn certification but is later improved, Tett says.
Examiners will also look at how easy or difficult a manufacturer makes it for users to control security aspects. For example, on some smart TVs, it’s possible to turn off voice recognition technology, which could pose a privacy risk. If turning that capability off is too difficult, the TV may not earn Trust Mark certification, Tett says.
“Most people who buy a TV aren’t even going to think whether it’s listening to them,” Tett says. “Products have to fail safe and fail secure, not fail open.”
Certification will be a continuous process that will follow the lifecycle of the product, Tett says. Some household appliances, such as washing machines, refrigerators and dishwashers, run software and connect to the internet. There are concerns that manufacturers may stop supporting security updates even though the devices are still being used.
If a manufacturer changes the product, it will have to go through certification again. Close oversight by host country IoT associations and decision authorities will ensure that can’t just vendors pay money, get a certification and do no further work, Tett says.
“That’s always been a big one,” Tett says. “For certifications, people sort of say ‘Ah, if a vendor is paying for it, they get it and then they forget about it.”
The program will be voluntary and paid for by vendors. One of the goals is to be able to test and certify products in a short period of time. The turnaround time is a maximum of 30 days, and Tett says most IoT products will be evaluated within seven to 10 days.
The fee is capped at AU$50,000 ($34,000) for the most complicated IoT products. Tett says certification would cost between AU$7,000 to $12,000 for most products.
Trust Mark is scheduled to roll out in September after the IoTAA refines the program. Vendors will likely see a market advantage in being able to carry the Trust Mark for their product as well as more confidence for consumers, Tett says.
“I think it will give consumers an added level of confidence that what they’re buying is controllable by them and not controllable by others,” Tett says.