The need for standard IoT security testing

Over the last few weeks, a succession of ‘smart’ consumer products have been shown to have serious security issues, from cars to web-enabled baby monitors. If manufacturers want consumers to have confidence in products intended generally to be part of the ‘Internet of Things’ (IoT), then they also need to assure us that we are not entering a security nightmare of their making.

The great majority of consumer products now comply with international standards: in the USA, those of ANSI and allied organisations, in the EU those of CEN and siblings, and worldwide the ISO (and related specialist organisations such as IEC).

I recently bought a fairly cheap car ‘jump starter’ and lead-acid battery power supply which declares conformity with:

  • EU Directives 2006/95/EC (Low Voltage), 2004/108/EC (EMC), 2011/65/EU (RoHS);
  • CEN standards EN61558-1:2005/A1:2009, EN61558-2-6:2009, EN61000-6-1:2007, EN61000-6-3:2007, EN55014-1:2006+A1:2009, EN55014-2:1997+A1:2001+A2:2008, EN61000-3-2:2006+A1:2009+A2:2009, EN61000-3-3:2008.

All that for a mere £40!

Yet there is not a single meaningful standard of relevance to the security of the electronics in cars, baby monitors, or anything else, as far as I can see.

There are several generic standards approaches, of which the best known is probably the Common Criteria (CC, or ISO/IEC 15408). The IETF has published RFC 2196, the Site Security Handbook, which also tackles security in a very broad and general way. In Europe, a technical committee (TC CYBER) within ETSI is looking at the area with the aim of producing ‘a global cyber security ecosystem of standardisation and other activities’, but it is far from clear whether or when anything practical will result. There are others too, but none that could currently offer the consumer any worthwhile assurance or protection.

One good way of bringing about the sea change that we need now, not in a decade or two, is for some of the major players to accept that there is a problem, and to adopt an interim industry standard, which could be very rapidly developed by a commercial security lab. That standard would of course evolve rapidly, and might not be as all-embracing as the ultimate standards we might have in a few years. But it would close the yawning gap that currently exists.

Security researchers should not fear such a move. At the moment, they rely on clients coming to them and paying them to fix products. In the IoT, it would appear that very few products receive that sort of treatment at present. Voluntary adoption of evolving standards would bring far more products to test, and greater industry support for further research. It could thus start the security industry on the road to proper integration with vendors.

Others might consider security testing too complex or ill-defined for practical standards. Having worked for several years in British, CEN and ISO standardisation, and testing, I have yet to see anything in commerce which cannot – with good sense and intelligence – be addressed in workable standards which can be tested reliably and reproducibly.

Our biggest problem is that, even when there are existing standards from which to build, developing an international standard takes at least 2-3 years. If the initial objective is a little grander than it needs to be, and the area is not well served by existing standards, that can readily spin out to five years or longer. Vendors and consumers are not prepared to wait that long, so immediate action is needed.

The added value to consumers should be considerable: under voluntary standards, no-one would be prohibited from selling non-compliant or untested products, but doing so would become considerably more difficult as support for the standards increased. Overheads in standards testing are surprisingly low: most standards are implemented by type-testing a small number of prototypes, and the cost of doing so is then spread over total product sales.

If you had the choice, would you buy a protective helmet or electrical goods which did not comply with an appropriate standard, or a car whose seatbelts did not comply with the established standard? Then why should consumers not have a reasonable degree of assurance and protection when buying products such as baby monitors?

Does anyone fancy a Kickstarter to set up the security lab?