A new smart home security standard is due to launch in the second half of this year. That’s according to a recent announcement by the Connectivity Standards Alliance (CSA), the organization behind the cross-platform “Matter” smart home technology.
This new, voluntary framework will allow smart home/IoT manufacturers to have their devices tested and certified for compliance against a common security standard. Devices that pass the certification testing will then be awarded the Product Security Verified (PSV) Mark.
Building trust in IoT
Security professionals have been warning about the potential risks associated with insecure smart home devices for several years. Indeed, the Panda Security blog has covered the issue of weak smart home security several times in the past.
This announcement from the Connectivity Standards Alliance is welcome news. Although the standard remains voluntary, it shows a willingness from manufacturers to take the issue of household security seriously. It also means that consumers will find it much easier to choose products that have been certified as meeting a certain standard of security.
What does the new standard mean?
In the US, there is already a ‘Cyber Trust Mark’ security standard that manufacturers can apply for. The new PSV mark seeks to go further by taking the US guidelines and combining them with similar requirements from other countries and regions, such as Singapore and Europe.
In this way the CSA hopes to deliver a single security specification that can be quickly adopted and endorsed by governments across the world. Should this happen, manufacturers will have to complete only one certification process to sell their devices into multiple markets.
Encouragingly, the PSV mark has already been recognized by the government of Singapore. The CSA has also announced that it is in talks with authorities in the USA, EU and UK about endorsing the mark. Some reports suggest that these agreements are already almost complete.
What does the PSV Mark require?
Most of the basic PSV certification requirements are sensible – and much needed. To earn the mark:
- Each IoT device must have a unique identity
- Devices must not use hardcoded default passwords
- The device must securely store any sensitive data
- Communications of security-relevant information must also be secured/encrypted
- Throughout the support period, the provider must supply secure software updates
- Organizations must secure their development processes against supply chain attacks, including vulnerability management
- Documentation regarding security and the manufacturer support period must be published publicly.
Most reputable vendors should already adhere to most of these requirements. However, the PSV Mark enables consumers to know exactly what they are getting when buying a new smart device.
As vocal advocates of increased privacy and security, Panda Security welcomes the new PSV Mark and looks forward to its imminent release.