IoT end-consumer products with smart functions and network connectivity are more adopted than they were before, which also leads to the rising cybersecurity risk. Therefore, security levels required for sufficient protection of the product are introduced by government bodies worldwide.
Riscure has over 20 years of experience in evaluating the security of these consumer products as well as perform independent studies into the state of security in various markets. During the security assessment of smart home devices, Riscure used standard security analysis techniques such as analyzing the internals, acquiring, and reverse engineering the firmware. Additionally, analysis of the device paired smartphone applications was also performed where possible. The results of these security assessments were mapped to ETSI TS103.645 to provide an easier depiction of the current state of the market compared with the European recommendations.
Compared to the development of functionality for modern connected sociality, Riscure sees potential developments needed to achieve the required level of security under the ETSI recommendations. This paper describes the research and results in detail, including how the vulnerabilities, such as runtime control, issues with firmware updates, protocol vulnerabilities, password issues, and insecure communication affect the device security, how they rate against the ETSI standard, and what can a vendor do about it.
In this paper, we present groups of issues found in smart home devices. Additionally, every issue is referenced to the specific ETSI standard requirement and followed with a recommendation for the developer. Some of such issues are related to:
- Open debug interface
- Fresh encryption and authentication
- Firmware updates
- Insecure communication and management