Choose another country to see content specific to your location

//Select a site

Cybersecurity for IoT devices

Delivering real business benefits across key segments

The Internet of Things (IoT) has gained importance in recent years. It is an umbrella term describing technologies that enable objects and machines to be networked and to communicate with each other, often involving wireless-enabled devices connected over Wi-Fi, Bluetooth or Zigbee. 

When assessing an IoT system, it is important to look at the entire system – from the device or smartphone application (app) to the back-end or cloud solution. In addition, more and more IoT devices are being installed in private households as part of a smart home.

The security of IoT products is paramount for consumers and users. Nobody wants to have their personal data hacked because of insufficient encryption between their smartphone and IoT device. This is where TÜV SÜD's cybersecurity tests come in. Our solutions are designed to reveal problem areas and potential security gaps and provide effective remedies. In addition, our tests pre-empt problems that may cause serious damage to a company's reputation.



certificationtesting for standardscustom services



  • Real manufacturer-independent certification (act as a seal of quality)
  • Based on the GS standard
  • Based on internationally recognized norms and standards (such as ETSI EN 303645)
  • There are three levels of testing: Basic, Substantial and High.
  • Testing of the IoT product and its development process
  • Continuous quality optimization via knowledge-sharing between TÜV organizations





In principle, the VdTÜV CloT certification programme is application to all consumer IoT devices



  • Routers
  • Personal fitness devices (trackers)
  • Smart home applications
  • Wearables
  • Smart TVs
  • Smart watches
  • Toys
  • White goods such as fridges, washing machines, ovens and dishwashers



  • Products for cars, air travel and local public transport
  • Medical devices
  • Products for military applications
  • Critical infrastructure products
  • Industrial products (IIoT) and products for power stations

Make a (non-binding) enquiry now



To improve the security of networked devices, the European Telecommunication Standards Institute (ETSI) has created a basic 303645 IoT standard within Europe. In the US, cybersecurity requirements for IoT devices are established by the NIST IR 8259 standard.

Here is TÜV SÜD's testing protocol for the NIST IR 8259 standard.



  • IoT security spot check
    • Lead time is 10 days (lead time)
    • Bilingual (German/English)


    goaltesting scope

  • Evaluating data transimission

    The overwhelming majority of retailers and importers of IoT devices do not design their products even if they are (in most cases) distributed under their own brands. But when it comes to what data is stored and sent to the cloud by more complex IoT devices, transparency is needed. Often, data analysing user behaviour and images is mistakenly transferred, without the user's consent.

    To help counteract this, TÜV SÜD uses Man in the Middle (MITM) procedures to analyse the transmission of data by IoT devices. This redirects and decrypts network traffic in order to get an insight into the content of the network traffic (known as the "payload").

    Note, however, that this cannot be used on IoT device apps with strong MITM protection technology.

  • Penetration test

    Penetration tests aim to uncover any potential weak points in an IoT device or system and assess its vulnerability to hackers. It works by enlisting an "ethical hacker" to infiltrate the system and look for weak points – without, of course, causing any damage to either the manufacturer or cloud operator. The testing process follows guidelines such as the OWASP IoT Top 10. Furthermore, there are three different types of checks:

    • Black Box Test: the manufacturer provides no information about the IoT system. The tester has to find a way into the system like a hacker.
    • Grey Box Test: certain types of document/information are provided – e.g. hardware plan, SW architecture, risk assessment – so that the tester can target their attacks and identify weak points faster.
    • White Box Test: as well as the information in the Grey Box Text, the source code is made available too. We fully understand how sensitive the source code is for manufacturers and how reluctant they are to give it to third parties like TÜV SÜD. However, we have solutions in place to mitigate these concerns
  • Training courses and workshops

    Our cybersecurity training courses look at basic cybersecurity problems, solutions and how to meet current standards.

    We are also happy to offer tailor-made workshops if you need support for a particular product/project.

    Request a (non-binding) quote now


Consumer Products and Retail Essentials

Consumer Products & Retail E-ssentials

Consumer trust is key when you manufacture or retail products that are part of everyone’s daily life

Learn more

Consumer IoT Security

Consumer IoT Security

How can we ready ourselves in the face of cyber attacks?

Learn more

Wearable Devices
White paper

Wearables: Safety beyond compliance

Understand the tests needed for the safety and reliability aspects

Learn more

TÜV SÜD Global Market Access for Electrical and Electronics E-book

Market access for electrical goods

Overview of compliance requirements worldwide for electrical and electronic goods.

Learn more

Cyber security threats of autonomous and connected vehicles

Cyber Security Threats of Connected Vehicles

Consequences and safety solutions

Learn more

Ensure the security of your wearable products

Ensuring security of wearables

Protecting customers and bring to market a safe and secure product.

Learn more


Next Steps

Site Selector





Middle East and Africa