With a now almost unmanageable number of networked devices and services, the Internet of Things is an absolute boom sector in the development of IT markets. However, in the race for lucrative market shares, the IoT industry continues to develop masses of Internet-connected products without an adequate security concept and often ignores even absolute minimum standards of IT security. This must change. A new minimum standard for IoT security should help to achieve this.
AV-TEST guarantees IoT security for over 7 years
The AV-TEST seal for secure IoT and smart home products was one of the first IoT test seals worldwide 7 years ago and has since then enjoyed industry-wide acceptance by manufacturers and the trust of users. Accordingly, AV-TEST has been involved from the outset in the active development of IoT security standards, researching, testing and certifying future-oriented products from responsible manufacturers and has long been advising companies and government institutions on the security of IoT products. This includes the German Federal Office for Information Security (BSI). AV-TEST regularly consults with the BSI in the IT Security Expert Council on current research results in the area of malware and IoT security.
Better late than never: EN 303 645
With the European Standard EN 303 645 there is now at least an official minimum requirement for the security of networked devices in the smart home and recommendation for the secure development of IoT devices. The standard is based on the previous guideline TS 103 645 and the German security standard DIN SPEC 27072, which was co-developed by the BSI, has also been included in the creation of the new European standard.
In principle, IoT devices and services offer a wide range of attack vectors: the main targets of criminals are the end devices themselves, connected apps and the mobile devices on which the applications for controlling IoT devices usually run. Nevertheless, IoT devices with inadequate IT security continue to conquer the market. Accordingly, adequate security of IoT devices is becoming increasingly important.
AV-TEST has been calling for the development described in the EN 303 645 standard for years and has never tired of advising the BSI in the expert council IT-Security. AV-TEST therefore welcomes the current measure. It corresponds to a necessary minimum standard for IoT security, which all devices certified by AV-TEST have long since fulfilled and regularly prove this in extensive tests.
The AV-TEST promise to IoT users
Security tests of networked devices require a complex approach. It is essential to reflect the overall picture of data security of Smart Home and IoT devices as well as connected online services. In order to receive the status label “Approved Smart Home Product” or “Approved IoT Product”, devices and services must meet the minimum standard set by AV-TEST in the following categories
- Communication
- Data protection
- Application security
Smart Home products that carry the AV-TEST certificate thus guarantee their customers fully tested security according to the latest state of the art. The security analysis covers both data generated when using smart home products and connected services and their secure transmission and storage. In addition, potential weaknesses and approaches for attackers are tested under realistic operating conditions. All components of an offered IoT solution must prove themselves in the test, from the device to the app to the connected cloud services. Of course AV-TEST also checks the secure communication between all these components. Only when these conditions are completely fulfilled for an IoT product do we award the AV-TEST seal.
This will not change in the future.
With best regards,
Maik Morgenstern, CTO AV-TEST