Chinese equipment maker Xiaomi has published a new set of proposed global standards to support and reassure consumers about the security of their data while using IoT products.
The guideline, entitled “Cyber Security Baseline for Consumer Internet of Things Device Version 2.0”, aims to protect security and user privacy with a comprehensive set of requirements spanning device hardware, device software and device communication. It also states requirements on data security and privacy, which include communication security, authentication and access control, secure boot, data deletion, etc. It is a security baseline that all Xiaomi smart devices should follow.
The Xiaomi guideline meets a need in the consumer IoT industry, as there is no such general standard that can be publicly queried and implemented. Companies can now use this guide to avoid some basic security and privacy protection risks and to quickly improve the security and privacy protection capabilities of their IoT products.
As of November 2021, Xiaomi’s AIoT platform has connected more than 400 million devices, excluding smartphones and laptops, and there are more than 8 million users with 5 or more Xiaomi IoT devices around the world. Xiaomi offers the most comprehensive security protection to its users and explores the best industry solutions and common standards for other stakeholders.
The guideline comes as the British Standards Institution (BSI) confirmed that Xiaomi Mesh System AX3000 has obtained the BSI IoT Kitemark Certificate, which shows the consistency between Xiaomi’s Cyber Security Baseline for Consumer Internet of Things Device and the international IoT security standards held by BSI.
“Users’ security and privacy is the top priority of Xiaomi, and we promise that this applies to all markets where we operate. I’m delighted to see that Xiaomi Mesh System AX3000 has also successfully joined the BSI Kitemark certification. Over the years, we have made great efforts to protect users’ security and privacy. Xiaomi is in the leading position of IoT security policies and practices in the world, and we will continue to work hard to build a better IoT ecosystem for our users,” said Cui Baoqiu, Xiaomi Vice President and Chairman of Xiaomi Security and Privacy Committee.
David Mudd, BSI Global Digital and Connected Product Certification Director, said, “Connected devices can bring huge benefits to society, but it is imperative that their function and security can be trusted throughout the required device life. By achieving the BSI Kitemark for IoT Devices for its product and having its systems regularly and independently tested and monitored, Xiaomi is demonstrating to consumers their commitment to safeguarding information.”
The BSI IoT Kitemark is a product and service quality certification owned and operated by BSI. It conducts technical testing and security audits for IoT systems, giving consumers reassurance and confidence in secure and trustworthy devices under the highest standards. Obtaining the BSI IoT Kitemark Certificate means that Xiaomi products are in compliance with multiple cybersecurity standards, including the ETSI/EN303645 standard issued by the European Telecommunications Standards Institute (ETSI), as well as the Open Web Application Security Project (OWASP) Top 10 security requirements.
Xiaomi says it will keep improving its IoT security framework, while strengthening its security management and technical testing capabilities.