In February 2019, positive advancements were made regarding security standards in consumer Internet of Things (IoT) devices: The European Telecommunications Standards Institute (ETSI) published a standard numbered TS 103 645, more appealingly named “Cyber Security for Consumer Internet of Things”. Under this new standard, compliant products will be expected to have unique passwords, a vulnerability disclosure policy, and fulfil a range of requirements on software integrity and minimised attack surfaces.
As an added benefit, the ETSI Cyber committee has demanded an end-of-life policy to be published for devices that explicitly states the minimum length of time for which a device will receive software updates, and the reasons for the length of the support period.
This ups the benefits for consumers in relation to the router standard by the German Federal Office for Information Security (BSI) which was adopted in autumn 2018, and subsequently criticised by the OpenWRT community and EDRi member Chaos Computer Club (CCC) in November 2018.
The European consumer standards organisation, ANEC, has engaged on the development of this standard. Having an institutional right to be represented in the meeting, ANEC continuously monitors both European and international standards processes, especially in those standards bodies (such as ETSI and International Organization for Standardization – ISO) that typically fall under the radar from the perspective of the internet community.
A drawback of the ETSI framework is the lack of guarantees about consumer possibilities to install custom firmware on devices whose end-of-life has expired. Those working on open source alternatives to industry firmware and software will have to continue engaging with standards groups to ensure consumer choice.
Still, this ETSI standard, if enforced, will provide greater benefits than equivalent guidelines at national level. It shows both the needs and advantages of European cooperation on technical standards.
ETSI TS 103 645 V1.1.1 (2019-02), Cyber Security for Consumer Internet of Things
CCC and OpenWrt: BSI’s technical guideline on safe routers is insufficient (only in German, 19.11.2018)
(Contribution by Amelia Andersdotter, EDRi-member Article 19, and Rusnė Juozapaitienė, ANEC)