New ETSI privacy standard for IOT

New Privacy standard ETSI TS 103 645 available for Cyber Security for Consumer Internet of Things.

ETSI¹ has released a standard for Cyber Security for Consumer Internet of Things (IoT).

The IoT is a network of 'smart' devices, sensors and other objects (often connected to the internet), that collect data about their environment, can exchange the data collected and can take, based on this data, (semi)autonomous decisions and/or actions that affect their environment.

It is generally expected that the IoT will become more prominent in the coming years in our daily life. Physical things and digitalisation will continue to intertwine.

The IoT will have an impact on many sectors, from health care, mobility to smart homes, smart wearables to smart vacuum cleaners, solar panels, locks and self-driving vehicles. 

Why we need a Cyber Security standard for IoT?

Besides the advantages of IoT, there are also risks. The data obtained from IoT (sensors) may have a negative effect if the data falls into the wrong hands. IoT-devices are often badly secured and are therefore a threat to the safety and security.

The impact of a hacked IoT-device can be great, as was recently shown in the case of the Miri-botnet. Even one hacked device can give a hacker access to your entire connected environment. Also, the risk of ransomware and denial-of-service is great. In addition, hacked devices themselves can be used for attacks on other services, for example on hospitals or banks. his risk will probably only increase in the future³. According to a position paper of consumer rights organisations ANEC⁴ and BEUC⁵:
'In order to trust the Internet of Things, consumers must be assured that the connected products they purchase or services they use are secure and protected from software and hardware vulnerabilities. For this to happen security by design and by default must become a priority.'

What is the content of the new standard?

ETSI standard TS 103 645 addresses the issue for the security of IoT consumer devices: consumer devices that are connected to network infrastructure, such as the Internet or home network, and its associated services.

Scope

The scope of standard ETSI TS 103 645 includes⁶:

• Connected children's toys
• Connected safety devices (such as smoke-alarms and door locks)
• Smart camera's, TV's and speakers
• Wearable health trackers
• Connected appliances
• Smart Home Assistants

Objectives

The objective of the standard is to provide support to all parties involved in the development and manufacturing of consumer IoT on securing their products.

Subjects covered by standard ETSI TS 103 645 are:

• no default passwords;
• implementing means of reporting vulnerability's;
• keeping software up-to-date;
• securely storing data;
• communicating securely
• minimising exposed attack surfaces;
• ensuring software integrity and personal data;
• making systems resilient to power outages;
• examine telemetry data;
• deleting personal data;
• making installations and maintenance of devices easy and to validate input data.

Compliance to the standard gives a presumption of conformance to applicable legislation, such as General Data Protection Regulation (GDPR)⁷.

Example 1 - My friend Cayla:

The toy called 'My Friend Cayla' was pulled from the EU market after it was shown that this 'connected toy' violated children's privacy and other EU consumer laws.

The toy is also subject to investigation by the US Federal Trade Commission because it may violate the Children's Online Privacy Act. For example, the Bluetooth connection that My Friend Cayla uses is not secured. A stranger can easily connect to the doll and communicate. Everything that children say to the doll goes to the company 'Nuance Communications' that may share this information with third parties and use it for personalised adverts. The company was also free to change the Terms and Conditions without any notice.

Example 2 - ENOX Safe-KID-One:

This smartwatch was published as a serious alert on RAPEX (link). European authorities ordered a mass recall of all smartwatches due to severe privacy issues:
"The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data. As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed.
A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS."

Conclusion:

With the newly released standard fabricators that produce a connected device, now have a standard to which they can comply. Compliance to the standard gives a presumption of compliance to applicable legislation.

¹ ETSI is one of three official European Standards Organizations. ETSI develops regional standards for dealing with telecommunications, broadcasting and other electronic communications networks and services.
³ See for example the 'Internet Organised Crime Threat Assessment 2018' by EUROPOL
⁴ ANEC, The European Association for the Co-ordination of Consumers Representation in standardisation
⁵ Bureau Européen Des Unions de Consommateurs AISBL
⁶ Not in scope are products to be employed in manufacturing, other industrial applications and healthcare
⁷ Because many IoT devices and services process and store personal data, TS 103 645 can help in ensuring that these in compliance with the GDPR.