Executive Q&A: Exploring IoT Security Standards
The ioXt Alliance is developing a new set of security and development standards for a variety of products, from smart homes to mobile apps. What are the benefits of these new standards? We spoke with the ioXt Alliance’s director of operations Grace Burkard to learn more.
By Upside Staff
December 8, 2022
Keeping data safe has never been more important. The ioXt Alliance’s standards are designed to protect IoT devices, an increasingly important need as IoT devices proliferate.
Upside: What are the challenges in the IoT space?
Grace Burkard: Three of the top challenges in the IoT space are the fragmentation of standards in the IoT ecosystem, the lack of transparency, and a need for one global standard for IoT security. IoXt is taking steps to address these challenges.
IoXt is mapping our standards with standards from multiple other industry alliances and government agencies to combat fragmentation. Other standards organizations and government regulators are starting to co-recognize each other’s certifications as well to help fill in the spaces of fragmentation.
IoXt is also working with the National Institute of Standards and Technology (NIST) and the National Security Council to define what is needed to effectively launch a robust IoT labeling program across the country and to put parameters in place for what that label looks like.
As for a global standard for IoT security, world leaders and technical experts must work together to align on basic security principles for the greater good of everyday consumers. We need alignment not just to fight back against hackers exploiting vulnerabilities in untested IoT devices, but also to fuel innovation. Without global, synchronized security standards, IoT won’t have the runway it needs to evolve.
For example, Singapore has signed mutual recognition agreements with Finland and, just recently, with Germany.
I personally saw the CEO of the National Cyber Security Centre (NCSC) of the U.K. and the Deputy National Security Advisor of the U.S. National Security Council (NSC) both speak at the Singapore Cyber Security Week conference about harmonizing IoT standards. Many other countries were involved in panels and speaker opportunities regarding international cybersecurity.
See this recently published article about attendees at a White House workshop to work towards a national U.S. label.
Upside: What is the ioXt Alliance and what is its goal?
The ioXt Alliance is a group of manufacturers, industry alliances, labs, and government organizations dedicated to harmonizing security best practices and establishing testable standards. IoXt’s goal is to bring security, upgradability, and transparency to the market and directly into the hands of consumers. IoXt is actively helping to set the standards in the smart home, smart building, cellular IoT, and mobile application markets, and will continue to build standards in more areas in the future.
Upside: What are the IoT standards that the group is concerned about?
The ioXt standards are built on our Security Pledge, which is composed of eight principles:
1. No universal passwords: The product shall not have a universal password; unique security credentials will be required for operation
2. Secured interfaces: All product interfaces shall be appropriately secured by the manufacturer
3. Proven cryptography: Product security shall use strong, proven, updatable cryptography using open, peer-reviewed methods and algorithms
4. Security by default: Product security shall be appropriately enabled by default by the manufacturer
5. Verified software: The product shall only support signed software updates
6. Automatic security updates: The manufacturer shall act quickly to apply timely security updates
7. Vulnerability reporting program: Have a vulnerability disclosure policy in place and accept external submissions
8. Security expiration date: The manufacturer shall be transparent about the period of time that security updates will be provided
Our Pledge Booklet has more information about each of these points.
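Principle 5 (verified software) is the one most often implemented badly in practice, so here is an added example of what "the product shall only support signed software updates" looks like in code. This is not ioXt's code and ioXt prescribes no particular manifest format; the manifest layout, the field names, and the use of Ed25519 with a SHA-256 image digest are assumptions made for this illustration (they also satisfy principle 3, proven and peer-reviewed cryptography). The device-side check refuses an image whose manifest signature does not verify, whose bytes do not match the signed digest, or whose version is not newer than the installed one, which closes the rollback path that a signature check alone leaves open.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest is the metadata a vendor ships alongside a firmware image.
// The field set is an assumption for this example, not an ioXt format.
type UpdateManifest struct {
	Version   uint32   // monotonically increasing; used for anti-rollback
	ImageHash [32]byte // SHA-256 of the firmware image
}

// encode returns the canonical bytes that get signed: version (big-endian) || hash.
func (m UpdateManifest) encode() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under vendor key")
	ErrHashMismatch = errors.New("image hash does not match signed manifest")
	ErrRollback     = errors.New("update version is not newer than installed version")
)

// SignManifest is the vendor-side step: it runs where the private key lives
// (build server or HSM), never on the device.
func SignManifest(priv ed25519.PrivateKey, m UpdateManifest) []byte {
	return ed25519.Sign(priv, m.encode())
}

// VerifyUpdate is the device-side gate. The image is accepted only if the manifest
// signature verifies under the public key baked into the device, the image hashes to
// the signed value, and the version is strictly newer than what is installed.
func VerifyUpdate(pub ed25519.PublicKey, m UpdateManifest, sig, image []byte, installed uint32) error {
	if !ed25519.Verify(pub, m.encode(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

// RunScenarios generates a throwaway vendor key pair, signs a constructed image, and
// returns the verifier's verdict for a valid update and for four attack cases.
func RunScenarios() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader) // a key the device does not trust
	if err != nil {
		panic(err)
	}

	image := []byte("constructed firmware image, version 2") // sample input, not real firmware
	m := UpdateManifest{Version: 2, ImageHash: sha256.Sum256(image)}
	sig := SignManifest(priv, m)

	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01 // attacker modifies the image after signing

	forged := m
	forged.Version = 3 // attacker edits the manifest without the private key

	return map[string]error{
		"valid":    VerifyUpdate(pub, m, sig, image, 1),
		"tampered": VerifyUpdate(pub, m, sig, tampered, 1),
		"forged":   VerifyUpdate(pub, forged, sig, image, 1),
		"rollback": VerifyUpdate(pub, m, sig, image, 2),
		"wrongkey": VerifyUpdate(otherPub, m, sig, image, 1),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-9s -> %v\n", name, err)
	}
}
```

The signature is checked before the image hash so that an unsigned or mis-signed manifest is rejected without hashing a potentially large image, and the installed version used for the rollback check should itself be stored in tamper-resistant storage on the device, otherwise an attacker who can rewrite it can replay an older, signed but vulnerable image.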
Upside: How often do these standards change?
Our standards are updated on a continuous basis. They are reviewed annually but updated as needed depending on new threats in the market or as international and national standards are updated. We are consistently plugged into the right networks to make sure we are as up to date and relevant as possible.
Upside: What is the value to a company of getting certified?
Certification provides a number of benefits to member companies.
Increased sales: Reducing security and privacy risks increases consumer confidence and is reflected in customers’ willingness to pay higher prices for secured products. Studies have shown consumers are willing to pay as much as 20 percent more for products they know are secure.
Regulation alignment: IoXt works closely with regulators to incorporate new policies into standards early on.
Consumer awareness: When manufacturers certify their products, they receive the ioXt SmartCert label, a live QR code that is updated in real time as manufacturers update their firmware or software versions. It can be placed on product boxes or on the product’s web page. Consumers can scan this QR code while in the store and will be directed to the product’s certification page, where they will find a nutrition-type label that provides more detailed information on the security levels the product meets.
Product reassurance: IoXt’s vulnerability program is a checks-and-balances system. Anyone can visit the ioXt website and report a vulnerability on the certified product’s page. Once the report is validated, ioXt will work with the manufacturer to make the necessary changes and the researcher receives a bug bounty.
Global standard: We continue to work with government agencies and other third-party standards organizations to map their standards to our own. The ioXt profiles incorporate parts of other standards in order to have expansive coverage and to reduce standards fragmentation in the industry. These partnerships allow for co-recognition of the various standards in use and help ioXt provide a fast path for manufacturers to meet certification.
Security profiles: IoXt’s security profiles are created by leading industry experts, starting with the base profile, which any IoT product can certify against. However, different types of devices come with different levels of security and different vulnerabilities. Therefore, specific profiles were created for specific device types, such as residential camera, speaker, network lighting controller, mobile app, and Android profiles. Building network controller and privacy profiles are also in the works. There is always opportunity for new profiles to be made if there is enough industry interest and participation.
Upside: Earlier you mentioned risks. Can you give examples of these security and privacy risks? How are they different from, say, a hacker going after a database?
This is a very complex and potentially very technical answer. It fully depends on what type of product this is referring to. Not all devices have the same vulnerabilities and threats, and it also depends on what type of security manufacturers implement into their products.
Some manufacturers will go above and beyond to have the highest security, in large part because they have the resources or funds to do so. Others implement basic security but still leave the door open for more advanced threats. Then there are always the new threats that no one has seen before, and what matters is how quickly the manufacturers respond.
Upside: How does a company get certified?
There are two ways to get certified: through self-assessment or through an ioXt third-party lab.
Manufacturers can do a self-assessment by entering their device information in the ioXt membership portal and answering the security questions. An internal technical team reviews the certification submission and works with the manufacturer so it can make any necessary changes to the products or policies in order to pass certification. This option is typically less time-consuming, more affordable, and easier to update.
The other option is to work with a third-party lab to have products tested. This option carries greater confidence with consumers, offers thorough vulnerability detection, and can broaden testing capabilities. Members can request a quote for an IoT device or mobile application by filling out a form on ioXt’s website.
Upside: Where is IoT headed in, say, the next 2-5 years?
IoT is continuing to grow and take on critical roles in many industries. New threats are popping up on a consistent basis and the attackers are only getting smarter. It is paramount for IoT manufacturers to incorporate security from the start and take responsibility to implement it. By coming together around harmonized IoT security guidelines, we can better contain risks, ensure transparency, and open the future potential of IoT.
[Editor’s note: Grace Burkard, director of operations at ioXt Alliance, spearheads ioXt’s overall efforts in setting baseline security requirements to build a safer IoT world. You can reach her on LinkedIn.]