ETSI launches world’s first applicable standard for consumer IoT security

Security has been a problem in the IoT realm for years, especially on the consumer side. Default passwords, lax firmware controls, open ports and exposed services have enabled bad actions, from spying on moms breastfeeding to turning thousands of smart devices into botnets capable of taking down the Internet. But if one standards institute has something to say about it, things are about to change.

The European Telecommunications Standards Institute (ETSI), an independent standardization organization in the telecommunications industry, has released the first globally applicable standard for consumer IoT security, “to establish a security baseline for internet-connected consumer products and provide a basis for future IoT certification schemes.”

The specification (TS 103 645) spells out high-level provisions for the security of internet-connected consumer devices and their services. It also requires vendors to eliminate the use of universal default passwords, and to implement a vulnerability disclosure policy to allow security researchers to report security issues, among other things.

The guidelines cover connected children’s toys and baby monitors, connected safety products (smoke detectors, door locks etc.), smart cameras, TVs and speakers, wearables, home automation and alarm systems, and connected appliances like smart washing machines and fridges. Smart home assistants also made the list.

“Stakeholders at all levels have worked together to make sure the specification was outcome-focused, rather than prescriptive, giving organizations the flexibility to innovate and implement security solutions appropriate for their products” says Luis Jorge Romero, ETSI’s Director General. “We’re really proud to release a standard that was highly needed for consumers and society at large.”

ETSI also hopes that, by pushing for these changes, vendors will also become compliant with the General Data Protection Regulation (GDPR). However, in the absence of legal backing, for the time being ETSI’s specification remains just that – a specification.