TL;DR: In our previous blog posts we concluded that there is quite a long way to go for both security and privacy of smart home environments. In this one, we will take a look at what the future might bring for these devices.
After taking a close look at a series of smart home devices and assessing how well they held up to the expectations of the buyer when it comes to security and privacy, we will propose a few solutions to help the industry move forward and the consumer to make the right decision when buying a new device.
To freshen up your memory, we’ll quickly go over the key takeaways of our previous blog posts. If you haven’t read them yet, feel free to check out the parts about security and privacy of smart home environments as well!
When it came to security, many of the devices we tested swung one of two ways: either security had played a major role in the manufacturing process and the device performed well across the board, or the manufacturer didn’t give a hoot about security and the device was lacking any kind of security measures altogether. This means that buying one of these devices is a pretty big hit or miss, especially for the less tech-savvy consumer.
To overcome this issue, consumer guidance is needed in some form or another to steer the buyer towards the devices that offer at least a baseline of security measures a consumer could reasonably expect of a device that they will eventually install into their household.
Many devices didn't perform much better when it came to privacy. Just like with security, there is a massive gap in maturity between manufacturers that put in an effort to be GDPR compliant and those that didn't. Luckily the industry has undergone a major shift in mentality, which means that most companies at least showed a lot more goodwill towards the people whose data they are collecting. Nevertheless, the need for stronger enforcement and more transparency around fines and sanctions became very clear from our results.
How can we regulate?
Regulating the market can be done in many ways, but for this blog post we'll be taking a look at two of them that have historically also been used for other products: binding standards and certifications on the one hand, and voluntary quality labels on the other. Each of these has its own advantages and disadvantages.
Standardisation & Certification
The security industry is rife with standards: there is ISO/IEC 27001 to ensure organisations and their services adhere to proper security practices; for secure development, there are standards such as OWASP SAMM and DSOMM; when it comes to security assessments of specific services or devices, standards such as OWASP's ASVS and MASVS come to mind. For IoT devices, this is no different: OWASP's ISVS (IoT Security Verification Standard) offers a standardised, controlled methodology to test the security of IoT devices. And these are just the tip of the iceberg: there is a massive number of resources that can be used. The fact that so many standards exist reflects the need for specialised, industry-specific guidance: a "one-size-fits-all" solution may not exist.
Mandatory quality requirements and certification against certain standards are nothing new if we take a look at other markets. Take the food industry for example, where rigorous requirements ensure that the meals we put on our table at the end of the day won't make us sick. But even when we look closer to the smart home devices market, we see that mandatory labels already exist in some form: the CE label is a safety standard that ensures the consumer goods we purchase in the store won't malfunction and injure us, and the FCC label ensures they won't cause any interference with other radio-controlled devices in the area. Whereas these safety-focused labels and standards are all commonplace and seen as a given, the concept of a binding cyber security baseline for such smart devices is a relatively new one and is not nearly as easily implemented.
The EU’s Cybersecurity Act (CSA) that was introduced in April 2019 gives the European Union Agency for Cybersecurity (ENISA) a new mandate to build out exactly such certification schemes. In response to this, they have published their first certification scheme candidate, the so-called EUCC, in July 2020. Even closer to home, here in Belgium the legal groundwork is also being laid for a Belgian National Cybersecurity Certification Authority, including provisions to accommodate the EU Common Criteria, Cloud Security and 5G certification schemes.
Taking a look overseas, the USA's "Internet of Things Cybersecurity Improvement Act of 2020" shows us that the need for stricter regulation of IoT devices is not limited to Europe. This newly passed law is based on NIST's Internal Report 8259 "Foundational Cybersecurity Activities for IoT Device Manufacturers", and, you guessed it, it calls for the creation of IoT security standards and guidelines that the US government will adhere to, in the hope that industry will follow suit.
On top of the baseline, some consumers may be looking for additional safeguards and guarantees that the device they are buying is up to snuff. Especially when purchasing devices that handle more sensitive types of data, such as smart home assistants, cameras, or locks, security plays a larger role for many buyers. In this case, a voluntary quality label could form a good indicator for consumers that the manufacturer went the extra mile, and it would give manufacturers a point to compete on and distinguish their product from the competitor's offerings. Just like the certification of the baseline requirements for devices, an IoT quality label is also proposed in the aforementioned EUCC cybersecurity scheme candidate. Quality labels can be used either to reflect that a device adheres to a certain standard of cyber security or privacy, or to show that it implements additional measures beyond the baseline that are not necessarily found in other devices of the same category. In the case of the EUCC, the label will show a consumer that the device is certified against that particular certification scheme, and list a CSA assurance level (Basic, Substantial, or High) to reflect how advanced the device's security measures are.
The EUCC is not the first certification scheme that mentions a quality label. In the context of industrial control systems, the IEC 62443-4-1 and 62443-4-2 standards – which formulate guidelines for the production lifecycle and technical guidelines for the security of products – also provide a certification scheme and label, but adoption within the industry has been very slow.
While a widely adopted quality label is not available yet, in the meantime manufacturers can still distinguish themselves by being transparent about the security of their products: how about a page on the website that outlines the efforts spent on security?
To guide the smart home industry towards a better, more solid security baseline and stronger privacy guarantees, binding regulations for all devices sold within the EU can pave the way. These regulations should be based on the mandated use of secure building blocks and easy-to-verify guidelines. The recent Cybersecurity Act gives ENISA a new mandate to create exactly such certification schemes, the first of which they released in July 2020 in the form of the EUCC.
Additionally, a voluntary IoT quality label can be a strong indicator for consumers who want more than just a baseline of security measures and a competition point for manufacturers who want to prove they went the extra mile.
This research was conducted as part of the author’s thesis dissertation submitted to gain his Master of Science: Computer Science Engineering at KU Leuven and device purchases were funded by NVISO labs. The full paper is available on KU Leuven libraries.
Bellemans, Jonah. June 2020. The state of the market: A comparative study of IoT device security implementations. KU Leuven, Faculteit Ingenieurswetenschappen.
About the Author
Jonah is a consultant in the Cyber Strategy & Culture team at NVISO. He taps into the knowledge of his technical background to help organisations build out their Cyber Security Strategy. He has a strong interest in ICT law and privacy regulation, as well as the ethical aspects of IT. In his personal life, he enjoys video & board games, is a licensed ham radio operator, likes fidgeting around with small DIY projects, and secretly dreams about one day getting his private pilot’s license (PPL).