On August 26th the Dutch Radiocommunications Agency “Agentschap Telecom” issued a press release stating that a set of eight requirements for smart devices will ensure consumers are better protected against cyber-attacks, this according to a study they commissioned. It also mentioned that they are using the results of the study to establish the introduction of digital security requirements for smart devices within Europe. According to them, these requirements are suitable for enforcement through legislation and will significantly improve consumer IoT cybersecurity when implemented.
As a European Smart Home solution provider, i4Things values security and privacy very much and we even consider it as one of our USP’s compared to other solutions available in the market. Particularly when protecting our end-customer’s most precious things – their beloved ones and their home(s) – security and privacy cannot be compromised with and need to be guaranteed, always. So we embrace this strive for better consumer protection and legislation and intention to enforce this on suppliers of smart home devices and solutions.
We have therefore checked all 8 requirements and are proud to report that our solutions for Smart Home products and services are compliant to all eight. Below we will explain in short how we comply to each of the 8 requirements:
1. All passwords must conform to the industry standard NIST SP800-63b Digital Identity Guidelines
We at i4Things are supporting this requirement by using high security standards and identity servers for any authentication. For user authentication i4Things is using a JWT token mechanism. Any API call to the Consolomio® platform is only possible with a valid access token, which are under sole control of i4Things (to prevent any unwanted access). In case of failed attempts, a timeout is used for additional prevention. Passwords are stored encrypted and communication is using TLS level security.
2. After initial setup, passwords must be unique for each device, or defined by the user.
All devices that carry i4Things Firmware have a unique randomly generated device ID and access secret to access the Consolomio® platform. The device access secret can be revoked and devices can be blacklisted if compromised. We have clear rules in place on what topics the device can subscribe to and publish over MQTT. In case of an inappropriate behavior the device is immediately disconnected.
All 3rd party cloud user accounts created by the Consolomio® platform have unique and randomly generated username and passwords.
3. Access to device functionality via a network interface in the initialised state must only be possible after authentication on that interface.
The devices carrying the i4Things firmware expose only the essential ports via authentication with the cloud platform or with a localised secret key that encrypts the data exchange between the device and the mobile apps.
4. All exposed ports and interfaces must be necessary for the normal and intended use of the device.
See Point 3. Same applies for this requirement
5. All network traffic must be encrypted and authenticated using best practice encryption protocols, such as TLS.
All communication of the Consolomio® platform is carried out with TLS level security. For video streaming, an encrypted session is created between the Consolomio® Server and the device. Video footage is stored secure and encrypted.
6. Vendors must be able to initiate firmware updates in IoT devices, either by automatic updates or by actively informing the user about availability of updates.
Any IoT / Smart Home device carried out by i4Things is designed and developed for secure OTA upgrades in field. The Consolomio® platform supports both automated updates / upgrades, as well as triggered updates / upgrades of specific devices, managed via the i4Things Operator Cockpit backend system.
7. The device must verify the authenticity and integrity of firmware updates before installing them.
The i4Things Consolomio® platform is supporting this requirement. Only known / whitelisted devices & devices that carry i4Things Firmware are allowed to connect to the platform. Security is ensured by an unique randomly generated device ID and access secret to access the Consolomio® platform.
8. The vendor must provide clear and understandable information about the end user’s responsibilities to set up and maintain the device’s privacy and security.
i4Things cares about the well-being of its customers. Our terms & conditions provide detailed information about the responsibility of the end customer with regard to their responsibility for device’s privacy and security. i4Things explicitly asks users for permission and only does so where it is absolutely necessary for the use of the service (e.g. use of the microphone for intercom with a smart doorbell).
If you are a service provider intending to offer a secure smart home solution to your customers; or if you are a consumer product manufacturer interested not only in making your device smart and connected but also want to do this in a secure way; we have a proven solution to get you started in no-time and at limited startup cost with your smart home product or service.