The consumer Internet of Things, with all its connected cameras, smart household appliances and smart home applications, will continue to grow unstoppably in 2023. Unfortunately, the development of security technology in this area still lags far behind the growth in device numbers. Reports of critical security flaws are increasing, and concerns about security, data protection and privacy are also growing among end customers.
With the ETSI standard EN 303 645, attempts have been made for some years at European level to increase security for consumer IoT and to provide manufacturers with specifications with the aid of which it should be possible to develop and/or improve a secure IoT product. The AV-TEST institute welcomed the standard when it was introduced back in 2020 and continues to emphasize the importance of a uniform (and ideally even mandatory) security standard for the Internet of Things that stipulates at least basic security. Our in-house certification in this area has always been based on the same principles as EN 303 645 and even extends it in places.
For a short time now, the German Federal Office for Information Security (BSI) has been offering manufacturers of smart consumer devices the opportunity to acquire the so-called IT-Sicherheitskennzeichen (IT-SiK) for products in this area on a voluntary basis. Although we naturally very much welcome this step in everyone’s interest, we would like to take this as an opportunity to take a closer look at the processes and procedures for issuing the IT-SiK and to highlight the differences to our certification.
What is the IT-Sicherheitskennzeichen?
The IT-SiK acts as a voluntary award for IT products, giving manufacturers the opportunity to highlight the security features of their products and have them identified by a corresponding seal. Manufacturers undertake to ensure that their products meet certain security requirements, which are formulated in EN 303 645. The award of the IT-Sicherheitskennzeichen is based on a manufacturer’s declaration of product conformity with this standard. The BSI checks this declaration with regard to its completeness and plausibility, but no technical assessment is carried out. In a later process, market surveillance, additional checks can then be carried out on an ad hoc or occasion-related basis to determine whether the product features and requirements of the underlying standard confirmed in the manufacturer’s declaration are or remain fulfilled during a certain period. As it is a consumer label, the IT-SiK is also linked to a dynamic information source on the BSI website. This provides consumers with transparency regarding the product’s security features, can highlight existing security issues or updates, and provide recommended actions.
What weaknesses does it have from our point of view?
The basic idea of the IT-SiK is of course correct and important in any case. The advantages that labeling secure products brings for manufacturers and especially consumers simply cannot be denied – after all, these are what prompted us to launch our own certification process back in 2015. Nevertheless, we see some hurdles that make the IT-SiK less powerful than it could have been.
On the one hand, there is the enormous amount of work that the manufacturer has to do to successfully get the label for a product. Here, the willing manufacturer must be aware that, in principle, all the work for this has to be carried out by the manufacturer itself: Before the application is submitted, two extensive documents have to be filled out – the Implementation Conformance Statement (ICS) and the Implementation eXtra Information for Testing (IXIT). In the ICS, all the security features identified as relevant in EN 303 645 are gone through and flagged for the product in question to determine whether these security features are applicable to it and implemented by it. If a security feature is not applicable to the product, this must be justified. The IXIT must then explain for each relevant security feature how and in what form it is implemented. Here we can well imagine that this effort can be a deterrent for some manufacturers: it is not the filling out of the forms themselves that is the hurdle, but the information gathering and preparation behind them, which can be massive depending on the product. In addition, a deep technical understanding is absolutely necessary. The familiarization with EN 303 645 alone is anything but trivial.
Since the BSI explicitly does not perform any technical testing for the label itself, but only checks for completeness and plausibility, the actual assessment that now follows must be performed by a body formally designated as a Test Laboratory (TL). At this point, the real technical tests are to be carried out according to defined test cases in order to permit a final assessment. In principle, the manufacturer has three options for this: He can carry out the test in self-assessment (1st party), by a corresponding user organization (2nd party) or by an independent third party (3rd party).
It’s no secret that we are not big fans of self-assessment. In practice, we see products every day that like to declare themselves secure, i.e., that must have undergone some kind of self-assessment regarding security, and yet are often far from “secure”. Of course, a very precise framework is specified for the IT-SiK in which the assessment is to be carried out, and some manufacturers will certainly be made aware of security features that they may never have considered before. In this respect, self-assessment is certainly better than no assessment at all. However, the best option here is undoubtedly an independent third party. This is the only way to ensure that the assessment has really been carried out objectively. In our view, the involvement of an independent test laboratory should have been mandatory; the other two options only soften the concept of the IT-SiK. In addition, the involvement of an independent, competent test laboratory could also keep the effort for the manufacturer lower from the outset.
What are the differences to AV-TEST’s IoT certification?
In principle, the IT-SiK differs from the AV-TEST certification, apart from some minor points (see following table), mainly in the two points described in the previous section: the effort for the manufacturer and the technical testing and support. Since AV-TEST certification is designed as a black-box test, the manufacturer basically only has to supply all the hardware and software to be tested and is in most cases already off the hook in terms of effort. All the tests and documentation that are then due are carried out in full by us as the testing laboratory. Also, the manufacturer does not have to determine which security features are relevant for his solution – this is adapted and determined by us in the test, from product to product. In addition, no forms, questionnaires or self-tests are required to be successfully certified. The only requirement is a secure product that can pass the tests.
However, it is accordingly also not possible for a manufacturer who can prove the security of his product to skip or shorten our tests by a self-assessment or self-disclosure – a technical examination of all security relevant areas by us is always and in every case necessary.
How do we rate it?
As already written, we are of course basically in favor of anything that improves security in the Internet of Things for everyone. The IT-SiK could have had this potential. However, in certain points, which have also already been described, the implementation should have been more straightforward and at the same time more consistent. From our point of view, the concession of “self-assessment” is the biggest weakness – in the end, the customer again has to rely on the manufacturer’s word. At least the IT-SiK shows that the manufacturer has dealt with the issue of security and has made quite a considerable documentation effort to obtain the label. Nevertheless, we consider the mandatory execution of the technical assessment by an independent third party to be absolutely essential for such a label.
In the future, AV-TEST will continue to rely on our proven certification concept, which is now appreciated by so many certified and satisfied manufacturers and which has led to the improvement of so many IoT products. But in our constant effort to improve the security of the Internet of Things by all means, we will also make our expertise available to willing manufacturers on the path to obtaining the IT-Sicherheitskennzeichen. Whether in the form of advice on EN 303 645, guidance on the path to application for IT-SiK, or as an independent test lab to perform the technical assessment, we are willing to help anyone interested in improving the security of their products and support them on the path chosen to do so.