The standard provides a security baseline for internet-connected consumer products and provides a basis for future IoT certification schemes.
The standard is based on ESTI technical specification TS 103 645 and is a result of collaboration and expertise from industry, academics and government. ETSI said.
Compliance with the standard will restrict the ability of attackers to take over control of devices from across the globe – known as botnets – to launch distributed denial of service (DDoS) attacks, use resources to mine cryptocurrency and spy on users in their homes.
EN 303 646 specifies 13 provisions for the security of Internet-connected consumer devices and their associated services. IoT products in scope include connected children’s toys and baby monitors, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected appliances (e.g. washing machines, fridges) and smart home assistants. The EN also includes 5 specific data protection provisions for consumer IoT.
“We launched the Finnish IoT label in November 2019; it was a world first and it attracted a lot of global interest,” said Juhani Eronen from Traficom. “Our labels are awarded to networking smart devices that meet certification criteria based on EN 303 645; this help consumers identify IoT devices that are sufficiently secure.”
The ETSI Technical Committee CYBER (TC CYBER) is continuing to work on IoT security, with the development of a test specification and an implementation guide to complement EN 303 645.
Related links and articles: