
Are your smart home devices secure? Some will soon sport this security seal of approval

The Connectivity Standards Alliance introduces a 'Product Security Verified Mark' - designed to assure buyers that a device meets internationally recognized cybersecurity standards.
Written by Maria Diaz, Staff Writer

There are many cybersecurity issues plaguing smart home devices, from video doorbells that can be easily hacked to a popular security camera brand suffering a consumer privacy scandal. A big deciding factor for smart home users choosing a product is how it can keep their information secure. 

The Connectivity Standards Alliance (CSA) -- the organization behind Matter and Zigbee -- just announced a "Product Security Verified Mark" for IoT devices. Essentially, this mark serves as a seal of approval added to devices that complete a cybersecurity certification process -- to assure the buyer that these devices are verified as secure.


Buying a smart lock, security camera, or video doorbell can put you at risk for cyberattacks from malicious actors. Currently, different products advertise compliance with different security certifications, making it difficult for consumers to understand which ones are genuinely secure. Having this Product Security Verified Mark on a product will indicate that the device meets strict, internationally recognized cybersecurity standards, helping buyers feel safer using it in their homes.

The CSA's Product Security Working Group released the IoT Device Security Specification 1.0, a standard that IoT devices must meet to sport the Product Security Verified Mark. This standard can be adopted internationally through agreements with other countries' cybersecurity and consumer protection organizations and is already in place in the US and Singapore. 


The Product Security Verified Mark will be added to the packaging of those IoT devices in compliance.


"The unveiling of the IoT Device Security Specification 1.0, alongside its certification program and the Product Security Verified Mark, signals an important milestone in bolstering IoT security and building confidence with consumers," said Tobin Richardson, Alliance President & CEO of the CSA. "By bringing together diverse international regulations into a cohesive specification, the Product Security Certification Program streamlines the process, reduces redundancy, and provides manufacturers with a singular, respected avenue for certifying their devices globally."


According to the CSA, an IoT device must meet specific requirements to receive the Product Security Verified Mark, including the following:

  • Unique identity for each IoT device
  • No hardcoded default passwords
  • Secure storage of sensitive data on the device
  • Secure communications of security-relevant information
  • Secure software updates throughout the support period
  • Secure development process, including vulnerability management
  • Public documentation regarding security, including the support period

The Product Security Working Group created the certification process, which includes dozens of specific device security provisions, by unifying requirements from the most popular baselines in the US, Singapore, and Europe. 


The steps involved in getting a product to meet the IoT Device Security Specification 1.0 include submitting the device to an authorized test laboratory along with necessary documentation, justifications, and evidence of compliance with the security provisions outlined in the requirements.

The device will undergo review and technical testing to ensure secure data storage, communication protocols, and software update mechanisms. If issues arise during the process, the manufacturer must correct them and resubmit their application. Once the device passes all tests, the laboratory will issue a certification to validate the device's compliance.

The certification process is available now for IoT device manufacturers, and we can expect IoT devices to sport the Product Security Verified Mark starting in late 2024 and early 2025. 

Knowing which smart home device won't compromise your home security or personal data has become easier in recent years, yet cyberattacks are still common in IoT devices. While the Federal Trade Commission (FTC) has developed its processes to protect Americans from devices prone to cyberattacks, international regulations differ. As a result, imported devices that may not meet FTC standards are sold by online retailers, like Amazon and Temu, and go unnoticed -- until someone's privacy is compromised.

"As consumers embrace the convenience and value of IoT devices, the Alliance is dedicated to helping to create more comprehensive protection for consumers. This initiative aims to establish a robust baseline for all consumer IoT devices," said Steve Hanna of Infineon Technologies AG and Chair of the Product Security Working Group Steering Committee. "The Alliance's Product Security Verified Mark and IoT Device Security Specification 1.0 will make it easier for manufacturers to address consumer IoT security requirements around the world."


Multiple organizations have advocated for stronger security standards for IoT devices for decades. However, this parallel work failed to harmonize cybersecurity standards, as different governments and organizations have developed different standards to achieve the same goal. This can result in manufacturers only complying with the minimum security requirements necessary for each market.

The CSA hopes the IoT Device Security Specification 1.0 will lead to a globalized standard that improves cybersecurity across borders for consumer electronics, especially as subsequent iterations are released. 
