Consumer IoT security

How can we ready ourselves in the face of cyber attacks?

How can we ready ourselves in the face of cyber attacks?

Designing a holistic security for consumer IoT products 

"Proactive holistic security planning enables a manufacturer to manage cybersecurity risk and regulation while avoiding costly recalls, design changes and heavy penalties."

There is good reason why sales of cyber security products are growing at twice the rate of GDP. In the age of the Internet of Things (IoT) every connected consumer device, from homecare monitors to kids’ toys, is a potential threat to data security and privacy.

Gartner estimates that over 7 billion consumer IoT devices have been installed by 2018, and the number is projected to grow to nearly 13 billion by 2020. For manufacturers, the growth of consumer IoT markets is a unique opportunity to develop new software and service-based revenue models. Unfortunately, the market’s growth is being matched by the cost of cybercrime which is projected by Cybersecurity Ventures to reach $6 trillion globally in 2021.

The cost of cybercrime extends far beyond stolen money. It includes the destruction and theft of data or intellectual property, as well as fraud or lost productivity due to the disruption of business, worsened by lengthy forensic investigation, complex restoration of compromised systems, and subsequent brand damage.

The question then is: Are manufacturers doing enough to mitigate the risk of cybercrime and embed data protection? Preventative security measures should be both end-to-end across the technology stack and integrated across the product life cycle and IoT ecosystem, from design and manufacturing through to implementation and product obsolescence. GDPR has heightened the importance of taking such measures due to the implications of not complying to the regulatory framework. Previously your brand’s reputation may have been on the line for not taking such measures; now the most serious violations of GDPR can lead to fines of up to €20 million or 4 percent of revenue (whichever is greater) as well.

As such, proactive holistic security planning enables a manufacturer to manage cybersecurity risk and regulation while avoiding costly recalls, design changes and heavy penalties.

Are you ready to combat the latest IoT cyber attacks?

Every coin has two sides. The same technologies that enable value creation in an IoT product also create attack vectors. Common attack vectors include weak passwords, vulnerabilities in sub-components or integrated libraries, lack of encryption, Internet exposure, and hidden “backdoors” that are designed in by device manufacturers. These vectors are used to carry out several common types of cyber attacks. 

IoT botnets have been used in some of the most prominent Distributed Denial of Service (DDoS) attacks. A DDoS attack overloads a network with traffic. Hackers create botnets from IoT products ranging from connected cameras to baby monitors by scanning the internet for devices with easily compromised passwords. DDoS has become so pervasive that the software can be rented hourly on the dark web to carry out attacks using IoT botnets.

Ransomware is another attack that is growing in frequency. In a traditional ransomware attack, hackers encrypt critical data. The decryption key is shared after the victim has paid a ransom, typically in Bitcoin. White hat hackers from security firms Senrio and Pen Test Partners recently showed that they could remotely infect a smart thermostat with ransomware. Imagine being on a business trip and being told that your thermostat was hacked and set to the maximum temperature. Would you pay a ransom to save your heating bill, cat, and house plants? Device availability can be critical in many such scenarios. Although devices can be reset, it is often a challenging process for a typical customer, and the loss of data and settings can be annoying at best and quite problematic. If the attack is not noticed soon enough, the encrypted data will be backed up (if any backup exists) and the relied upon backup will eventually be rotated out, preventing any data recovery. 

There is a third type of attack that is exclusively in the IoT domain - device remote control. Imagine hearing a stranger’s voice coming from your 2-year-old daughter’s room and realising that your baby monitor had been hacked. Dr. Yossi Oren, a lecturer at Ben-Gurion University in Israel, found that many baby monitors remain easy to hack in 2018 despite publicity following numerous prior incidents. As device connectivity becomes pervasive, there is a growing risk of physical harm caused by remote control of vehicles, ovens, healthcare devices, and other consumer products.

Knowledge will help you to prioritise

End-to-end cyber security decisions entail trade-offs between security level, system complexity, time-to-market and cost. This process begins with an assessment of the business impact and probability of risks. Without clearly understanding and prioritising risks, it is not possible to determine the security requirements of individual technology components or of the IoT system as a whole.

After risks are understood, the next step is to evaluate the technology stack. Testing of the individual components against requirements determined by the risk assessment is the foundation of a secure product. Security cannot be installed as a software add-on after product development. Every level of the stack must be assessed for vulnerabilities, including device hardware (chipsets, sensors and actuators), wireless communication modules and protocols, device firmware (OS and embedded applications), cloud platforms and applications. Following component testing, an end-to-end assessment should be performed to determine how the components interact in diverse situations across the entire product lifecycle management (PLM) process, including after the point of sale. Finally, a process of security validation for updates during the lifecycle of the product can be embedded.

Mature consumer IoT companies go beyond embedding security into their products, they study customer behaviour to identify and minimise user-generated risks. Product companies cannot pass sole responsibility for security to their customers. Thinking through the mistakes that your customer can make, or the best practices that your customer can neglect, will go a long way towards building a product that is ‘secure by default’.

Who are your cyber security partners?

Many consumer product manufacturers, whilst having internal security capabilities, will nevertheless benefit from working with external advisors who have wider exposure to assessing various types of organisations, systems and IoT products and are therefore better equipped to help manage threats. Building a network of trusted partners is a strong first step towards planning cost effective end-to-end security.

TÜV SÜD is a technology agnostic partner of choice for testing and ensuring safety and security of consumer products. We help manufacturers and partners with consumers to evaluate and secure your IoT ecosystem and technology requirements by running software and penetration tests and certifying products to mitigate legal liability. We can help you test the security of your IoT product as well as the complete IoT ecosystem, including:

  • Embedded devices
  • Firmware
  • Wireless Communication Protocols
  • Web and mobile applications
  • Cloud services
  • APIs
  • Back-end network infrastructure
  • Regulatory requirements, including GDPR and other data privacy requirements around the world

Tackling the problems of cyber security risks can, after all, only be realised by comprehensive planning, periodic evaluation, updates and monitoring - from design through to obsolescence. 


Internet of Things (IoT) for a connected world
White paper

사물 인터넷 (IoT) 사이버 보안 위협 및 규정

IoT 사이버 보안에 대한 위협요인과 규정, 소비자 사물 인터넷(CIoT) 장치의 안전성 및 보안성을 위한 TÜV SÜD 서비스를 확인하세요.

더 알아보기


TÜV SÜD 소비자 IOT 사이버 보안(CSC) 인증

TÜV SÜD는 IoT 디바이스 제조업자가 가장 관련성 높은 국제 표준에 기반한 시험 및 인증 서비스를 제공하여 제조업체가 보안성 높은 제품을 개발할 수 있도록 지원하고 있습니다.

자세히 알아보기


소비자 사물인터넷(CIoT)을 위한 ETSI EN 303 645 사이버보안 표준

TÜV SÜD 전문가들은 ETSI EN 303 645 시험을 통해 특정 시장에 대한 사이버 사기 및 데이터 보안규정을 정확하게 파악하고 있으며 사이버 위협 분야에 대한 심도 깊은 이해를 바탕으로 전세계 고객들이 디지털 미래의 잠재력을 완전히 구현할 수 있도록 지원합니다.

자세히 알아보기

View all resources


Site Selector