Product Compliance Resources provided by ProductIP

2021-02-24

ETSI privacy standard for IOT

Disclaimer: This document provides guidance and is not a legally binding interpretation and shall therefore not be relied upon as legal advice.

Privacy standard ETSI TS 103 645 on Cybersecurity for Consumer Internet of Things.

ETSI has published a standard for Cybersecurity for Consumer Internet of Things (IoT).

The IoT is a network of 'smart' devices, sensors and other objects (often connected to the internet), that collect data about their environment, can exchange the data collected and can take, based on this data, (semi)autonomous decisions and/or actions that affect their environment.

It is obvious that the IoT will become even more prominent in the coming years in our daily life. Physical things and digitalisation will continue to intertwine.

The IoT will have an impact on many sectors, from health care, mobility to smart homes, smart wearables to smart vacuum cleaners, solar panels, locks and self-driving vehicles. 

Why we need a Cyber Security standard for IoT?

Besides the advantages of IoT, there are also risks. The data obtained from IoT (sensors) may have a negative effect if the data falls into the wrong hands. IoT-devices are often badly secured and are therefore a threat to the safety and security.

The impact of a hacked IoT-device can be great, as was recently shown in the case of the Miri-botnet. Even one hacked device can give a hacker access to your entire connected environment. Also, the risk of ransomware and denial-of-service is great. In addition, hacked devices themselves can be used for attacks on other services, for example on hospitals or banks. his risk will probably only increase in the future. According to a position paper of consumer rights organisations ANEC and BEUC:
'In order to trust the Internet of Things, consumers must be assured that the connected products they purchase or services they use are secure and protected from software and hardware vulnerabilities. For this to happen security by design and by default must become a priority.'

android phone

What is the content of the new standard?

ETSI standard TS 103 645 addresses the issue for the security of IoT consumer devices: consumer devices that are connected to network infrastructure, such as the Internet or home network, and its associated services.

Scope

The scope of standard ETSI TS 103 645 includes:

  • Connected children's toys
  • Connected safety devices (such as smoke-alarms and door locks)
  • Smart camera's, TV's and speakers
  • Wearable health trackers
  • Connected appliances
  • Smart Home Assistants

Objectives

The objective of the standard is to provide support to all parties involved in the development and manufacturing of consumer IoT on securing their products.

Subjects covered by standard ETSI TS 103 645 are:

  • no default passwords;
  • implementing means of reporting vulnerability's;
  • keeping software up-to-date;
  • securely storing data;
  • communicating securely
  • minimising exposed attack surfaces;
  • ensuring software integrity and personal data;
  • making systems resilient to power outages;
  • examine telemetry data;
  • deleting personal data;
  • making installations and maintenance of devices easy and to validate input data.

Compliance to the standard gives a presumption of conformance to applicable legislation, such as General Data Protection Regulation (GDPR).

Example 1 - My friend Cayla:

my friend cayla doll image

The toy called 'My Friend Cayla' was pulled from the EU market after it was shown that this 'connected toy' violated children's privacy and other EU consumer laws.

The toy is also subject to investigation by the US Federal Trade Commission because it may violate the Children's Online Privacy Act. For example, the Bluetooth connection that My Friend Cayla uses is not secured. A stranger can easily connect to the doll and communicate. Everything that children say to the doll goes to the company 'Nuance Communications' that may share this information with third parties and use it for personalised adverts. The company was also free to change the Terms and Conditions without any notice.

Example 2 - ENOX Safe-KID-One:

Watch ENOX safe-kid-one

This smartwatch was published as a serious alert on Safety Gate (link). European authorities ordered a mass recall of all smartwatches due to severe privacy issues:
"The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data. As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed.
A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS."

Conclusion:

With this standard manufacturers that produce a connected device, have a standard to which they can comply. Compliance to the standard gives a presumption of compliance to applicable legislation.


 

Follow us
ProductIP App