cybersecurity for iot devices

Cybersecurity for IoT devices

Delivering real business benefits across key segments

Delivering real business benefits across key segments

The Internet of Things (IoT) has gained importance in recent years. It is an umbrella term describing technologies that enable objects and machines to be networked and to communicate with each other, often involving wireless-enabled devices connected over Wi-Fi, Bluetooth or Zigbee. 

When assessing an IoT system, it is important to look at the entire system – from the device or smartphone application (app) to the back-end or cloud solution. In addition, more and more IoT devices are being installed in private households as part of a smart home.

The security of IoT products is paramount for consumers and users. Nobody wants to have their personal data hacked because of insufficient encryption between their smartphone and IoT device. This is where TÜV SÜD's cybersecurity tests come in. Our solutions are designed to reveal problem areas and potential security gaps and provide effective remedies. In addition, our tests pre-empt problems that may cause serious damage to a company's reputation.



 Certification for cybersecurity IoT Testing for standards  Customised services 


TÜV SÜD Cybersecurity Certified (CSC) Certification

 3 levels of testing
(Basic, Substantial, High)
 Product and process tests
 Applicable to almost all CIoT devices

Testing for standards

 ETSI EN 303 645 V2.1.1.
 NIST IR 8259
 IEC 60335-1 Ed. 6 Annex U

 Customised services

 IoT security spot check
 Penetration tests
 IoT security training and workshops




TÜV SÜD Cybersecurity Certified (CSC) Certification - Basic TÜV SÜD Cybersecurity Certified (CSC) Certification - substantial TÜV SÜD Cybersecurity Certified (CSC) Certification - high
  • Real manufacturer-independent certification (act as a seal of quality)
  • Based on the GS (Geprüfte Sicherheit) scheme
  • Based on internationally recognized norms and standards (such as ETSI EN 303 645)
  • There are three levels of testing: Basic, Substantial and High
  • Testing of the IoT product and its development process
  • Continuous quality optimization via knowledge-sharing between TÜV organizations




• Documentation check and technical tests including safety

• Testing internal processes

• Penetration test
• Cloud test
• Includes suppliers and sub-contractors
• All ETSI EN 303 645 mandatory requirements
• More extensive testing (additional testing criteria)

• TÜV SÜD own penetration test (including source code test)
• More extensive testing (additional testing criteria)




In principle, the TÜV SÜD Cybersecurity Certified (CSC) Certification is applicable to all consumer IoT devices and routers.



  • Personal fitness devices (trackers)
  • Smart home applications
  • Wearables (smart watches)
  • Smart TVs
  • Toys
  • White goods such as fridges, washing machines, ovens and dishwashers



  • Products for cars, air travel and public transport
  • Medical devices
  • Products for military applications
  • Critical infrastructure products
  • Industrial products (IIoT) and products for power stations

Make a (non-binding) enquiry now



To improve the security of consumer IoT devices, the European Telecommunication Standards Institute (ETSI) has created a standard for such device, the ETSI EN 303 645. In the US, cyber security requirements for IoT devices are established by the NIST IR 8259 standard.




  • IoT security spot check
    • Lead time is 10 days (lead time)
    • Bilingual (German/English)




    Testing scope

    • Minimize vulnerabilities/risks
    • Protect against reputational damage


    • IoT device, mobile app and cloud
    • User manual and privacy policy
    • Password protection/authentication
    • Updates, IoT and app design
    • Wifi and Bluetooth standard
    • (Wireless) interfaces and network protocol
    • Evaluation of the "Man in the Middle" protection

  • Penetration test

    Penetration tests aim to uncover any potential weak points in an IoT device or system and assess its vulnerability to hackers. It works by enlisting an "ethical hacker" to infiltrate the system and look for weak points – without, of course, causing any damage to either the manufacturer or cloud operator. The testing process follows guidelines such as the OWASP IoT Top 10. Furthermore, there are three different types of checks:

    • Black Box Test: the manufacturer provides no information about the IoT system. The tester has to find a way into the system like a hacker.
    • Grey Box Test: certain types of document/information are provided – e.g. hardware plan, SW architecture, risk assessment – so that the tester can target their attacks and identify weak points faster.
    • White Box Test: as well as the information in the Grey Box Text, the source code is made available too. We fully understand how sensitive the source code is for manufacturers and how reluctant they are to give it to third parties like TÜV SÜD. However, we have solutions in place to mitigate these concerns.
  • Training courses and workshops

    Our cybersecurity training courses look at basic cybersecurity problems, solutions and how to meet current standards.

    We are also happy to offer project-specific workshops if you need support for a particular product/project.

    Request a (non-binding) quote now




Consumer Products and Retail Essentials

Consumer Products & Retail Essentials

Consumer trust is key when you manufacture or retail products that are part of everyone’s daily life

Learn more

Internet of Things (IoT) for a connected world
White paper

Internet of Things (IoT) for a connected world

Learn about IoT cyber security threats and regulations and how TÜV SÜD can support in ensuring safe and secure Consumer Internet of Things (CIoT) devices

Learn More


TÜV SÜD CyberSecurity Certified (CSC) Certification for Consumer IoT

Helps IoT device manufacturers develop products based on international cybersecurity standards

Learn More


ETSI EN 303 645 Cybersecurity for Consumer IoT

Find out what the ETSI EN 303 645 standard is and why it’s important for consumer IoT products and devices.

Learn More

New EU security legislation

New EU security legislation under the Radio Equipment Directive (RED)

Learn more about Article 3.3 of the RED 2014/53/EU for certain categories of radio equipment.

Learn More

ETSI EN 303 645 Cybersecurity Standard for Consumer IoT Products

ETSI EN 303 645 cybersecurity standard

Learn more about the first global cybersecurity standard for consumer IoT products.

Learn More


Next Steps

Site Selector