By Patrick Van Eecke & Eline Dekyvere
ETSI, the European Telecommunications Standards Institute has released a new cybersecurity standard for consumer Internet of Things devices in February 2019 (TS 103 645). These rules are intended to apply to consumer devices that are connected to network infrastructures. The standard contains thirteen key cyber security recommendations for consumer IoT.
The new security standard deals with “connected toys and monitors for babies, safety-related products such as smoke detectors and door locks, smart cameras, televisions and loudspeakers, connected health devices, connected home automation and alarm systems or intelligent home assistants”, making them applicable to most IoT devices available to consumers. The purpose of these rules is to address significant and widespread safety deficiencies, and to serve as a basis for future IoT certification schemes according to ETSI.
The standard describes thirteen recommendations to realise the goal of ensuring safer IoT devices and to bridge the safety gap. These recommendations are:
- no default passwords
- keeping software updated
- manage vulnerability reports
- securely store security-sensitive data
- communicate securely
- minimize attack surfaces
- ensure software integrity
- protect personal data
- be resilient to outages
- make use of telemetry data
- allow users to delete personal data
- make installation and maintenance easy; and
- validate input data.
As is apparent from the list above, the standard mixes straightforward recommendations, like for example no default passwords, provide unique passwords, with more complex recommendations like for example keeping software updated. Here the standard details nine subsections describing how and when software updates should be done for IoT devices. Most notably amongst those subsections is the recommendation to have a written, published end-of-life policy for software components that are updateable.
The standard is not mandatory and remains a good practice document. This might change in the future, looking both at the roles European Union Agency for Network and Information Security (‘ENISA’) and European Data Protection Board (‘EDPB’) can play. ENISA will be established as an EU certification body under the new Cybersecurity Act, allowing for more stringent enforcement if ENISA would decide to also adopt these standards. As these standards also contain data protection principles, an EDPB endorsement is also a possibility pointing towards stronger enforcement of this standard.