EU security body calls for a security trust mark for IoT devices

For all the excitement and buzz around the Internet of Things, spurred on by connected gadgets being sold in great numbers both online and on the high street, there is no denying that it has a serious problem.

And the problem is that often IoT devices are found to be lacking when it comes to security and protecting their owners’ privacy.

As we have often documented on this blog, time after time vulnerabilities are found in IoT devices giving hackers an opportunity to spy on unsuspecting users, steal information, or even hijack gadgets to perform internet attacks on others.

Take, for instance, the millions of IP cameras and routers that have been hijacked into botnets in recent months to launch devastating denial-of-service attacks against innocent websites.

A failure to build security and privacy into a device from the outset has resulted in devices leaking information or leaving open backdoors through which malicious hackers can sneak into owners’ private lives.

With an estimated 20-50 billion connected devices expected to hit the market by 2020, this isn’t a problem that’s going to be going away any time soon.

As more and more internet-enabled devices enter the home, developed by a wide variety of vendors who often exhibit little to no understanding of security issues, it’s clear that there’s a burning need to promote best practices more widely.

Enter ENISA, the EU Agency for Network and Information Security, which has produced a paper calling for internet connected devices sold in Europe to carry a trust label which could help consumers make wiser purchasing decisions.

Such a label would work like the CE mark (The letters “CE” are the abbreviation of French phrase “Conformité Européene”), used across Europe to signify electronic devices that have reached specific standards.

A similar system is in place in the United States, which uses the FCC mark for electronic products.

If ENISA gets its way, we might begin to see devices that have reached at least a minimum standard for security, granted a label of conformity.

As an ENISA proposal explains:

Currently there is no basic level, no level zero defined for the security and privacy of connected and smart devices. There are also no legal guidelines for trust of IoT devices and services and no precautionary requirements in place. This is why we recommend effective baseline requirements for security and privacy in the networked architecture and value chain as a whole: from simple IoT devices up to complex IoT systems like connected cars and factories. Stakeholders need an equal and level playing field to implement trust into connected devices and services.

With so many IoT devices failing so badly at security and privacy, I can’t help but welcome any attempt to improve standards.

But what does worry me is that standards can get out-of-date rapidly in the world of infosecurity – and there is a danger that some manufacturers would view any “IoT trust mark” as a tick box that – once achieved – can then be ignored.

Standards like those proposed by ENISA should be viewed as a starting point, not a finishing line, and woe betide any vendor who cuts corners with their customers’ security and privacy in an attempt to save money or make their product’s design simpler.

2 comments

  • By Boi Sletterink - Reply

    While I think standards and labels are a step forward, software security is dynamic, not static, and a one-time audit and seal of approval gives a false sense of security. This is because both software and audits are imperfect by nature, and once it has been tested, someone else will surely find a new vulnerability if you wait long enough. Therefore, I think that we need to hold manufacturers liable for timely fixing of vulnerabilities for (at the very least) the expected or advertised lifetime of that software. Any useful label will require the manufacturer to include a secure update mechanism – in as much that can be tested – and require them to provide updates for this lifetime.

    We will also need a penalty clause if they break their warranty claim – perhaps refund the product owners and give them a fine to boot? If not, the liability clause is a paper tiger.

  • By john lewis - Reply

    A nice idea but it can only be a baseline, suitable for non-critical IoT.

    Mission / safety-critical IoT is a long, long-way away. I am waiting for one of the majors to announce that they have it. I think I shall be waiting a long time.

  • Add Comment

    Your email address will not be published. Required fields are marked *