Why a Global Standard for Consumer IoT Security Is Essential

As the Internet of Things (IoT) expands, everyday objects in our homes are increasingly connected to the web, creating new entry points for cyber‑attacks and potential privacy breaches.

Alex Leadbeater, chairman of ETSI’s Cyber Security Technical Committee (TC CYBER), notes a rising tide of consumer-IoT incidents in recent years. For instance, security researchers found that the ZipaMicro smart-home hub reused the same private key across all units and contained hard-coded passwords, allowing attackers to unlock devices that were thought to be secure.

Risks extend beyond home hubs. Connected toys can house cameras and microphones that may be accessed remotely; many now rely on Bluetooth, which is a known weak point. Smart speakers such as Amazon’s Echo also expose private conversations to potential eavesdropping.

Vendors typically patch new devices swiftly, but delays can leave existing units exposed, and recall practices remain inconsistent. Governments are stepping in with legislation: the UK is consulting on new laws that could mandate product labelling and minimum security standards, while California has already prohibited generic default passwords. Data-protection regulations, such as the EU’s GDPR, also apply to any stored personal information.

For manufacturers, reconciling disparate international requirements in a fast‑moving market is challenging. A unified, outcome‑focused framework would streamline compliance and foster innovation.

ETSI TS 103 645: A Global Benchmark for Consumer IoT Security

ETSI has released TS 103 645, the first global standard specifically for consumer‑IoT security. Rather than prescribing exact methods, the standard defines security outcomes, giving companies the flexibility to choose the most effective solutions for their products.

It covers a wide array of devices—connected toys, wearable fitness trackers, smart assistants, TVs, door locks, and home‑automation systems—setting a common baseline for protection.

Key Device Requirements

• Unique, non‑default passwords that cannot be reset to a factory setting.
• Secure storage of all sensitive data, both on the device and in associated cloud services.
• No hard‑coded credentials that could be extracted easily.
• Clear, user‑friendly instructions for data deletion when requested.
• Comprehensive documentation for installation and everyday use.
• End‑to‑end encryption of all data in transit, with safeguards against encryption attacks.

Additional engineering practices include closing unused ports and disabling unused software, validating all inputs to prevent exploitation of out-of-range values, implementing a hardware-based secure boot, and ensuring graceful handling of power or network interruptions.

Vendor Responsibilities

Manufacturers must proactively identify and remediate vulnerabilities, and facilitate secure, over‑the‑air updates for their device firmware and software.

Building Consumer Confidence

By adhering to ETSI TS 103 645, vendors can demonstrate expertise, protect customer privacy, and mitigate the risk of costly breaches and reputational damage. The standard offers consumers reassurance that their connected devices meet stringent security and privacy criteria.

You can read the ETSI standard here

The author is Alex Leadbeater, chairman, ETSI Cyber Security Technical Committee (TC CYBER).

