With the rapid growth of internet-enabled devices in our homes the question of their security arises. How dangerous is the insidious rise of IoT? Are modern households creating a gateway for hackers? What can consumers do about it? A new TÜV certification aims to provide direction.
For some time now, the Internet of things (IoT) is no longer an abstract buzz word but is increasingly becoming a reality in our daily lives. Many people do not know what devices now feature online interfaces and what IoT equipment is lurking in their own homes. It usually starts right outside the door to our house with our car. If it is a newer model, it will now be listening to our conversations as standard (for speech recognition) and maintain a Wi-fi connection to the manufacturer, among other things, to transmit data on driving behaviour in the event of an accident. It continues inside the house: heating, Thermomix, TV and a modern door locking system are now connected online almost as standard. In addition, we now have devices that are deliberately created for data collection: speech recognition technologies, such as Alexa or Siri, smart watches and webcams, to name but a few.
However, the question of their security arises with the rapid growth of internet-enabled devices in our homes. How dangerous is the insidious rise of IoT? Are modern households creating a gateway for hackers? What can consumers do about it?
The German TÜV Association has also been considering these and similar questions. As a certification and testing body, the Technical Monitoring Associations (TÜV) are concerned about responding to the current digitalisation trends and offering appropriate certification. Marc Fliehe, Director of Digitalisation and Cyber Security, explains what is behind the new IoT product certification mark that TÜV companies have launched and what their aim is: “Of course, any device with an interface to the internet is a potential gateway for hackers, viruses and the like. Whereas up until about ten years ago, it was our personal data that was in danger, the consequences of hacking attacks on household appliances can be far greater. For instance, burglars can have access to our homes if the door locking system can be opened. The refrigerator will fail if the power supply is interrupted. It is very important that these devices are really secure.”
TÜV companies are trust service providers that can provide guidance and direction to consumers. Marc Fliehe continues: “It was important for us to be represented in the field of IoT – and in future in relation to AI as well – and to use our certificates to contribute to transparency in this new market.”
“The idea of developing a test mark for the IoT came about around the time that I joined the TÜV Association in 2017/18,” recalls Marc Fliehe. “We have a long history of dealing with software and IT certification. For many years we have been certifying software, either fully or partially. At the same time, the individual TÜV centres started thinking about the issue of the Internet of Things – also because of increasing demands from customers. The certification is now on the market.” TÜV companies currently offer a relevant product, but there are also a number of competitors offering similar test products. In 2019, the Cyber Security Act put in place a legal framework for digital certification at a European level.
“We would also like to issue security statements for internet-connected devices. The focus is on cyber security. The aim is to minimise weak points and risks and protect users, but also to protect manufacturers from damage to their reputation.” In response to the question about manufacturers’ interest in certification, the expert explains: “The companies that offer IoT devices have very differing opinions. Some are very interested in our tests and concerned about the quality and security of their products. Then there are other companies launching inexpensive products onto the market which are not spending much on security. Unfortunately, it is so often the case that the companies who approach us are already well on their way. And the companies that really need it are not even trying.”
The “Information Security for IoT Devices” test procedure currently mainly covers end users’ products for smart homes and wearables. “This does not cover the entire gamut of the Internet of Things, but covers the essential devices in our homes, such as consumer electronics or household appliances,” explains Marc Fliehe. Vehicles or medical devices are not included in this certification.
The scope of the certification varies according to the customer's requirements. We offer “Substantial” and “High” levels in addition to a “Basic” level. There are different test methods in all three levels, some of which partly relate to the products themselves, and others to the manufacturing process. The Humanities graduate and security expert, Marc Fliehe, explains: “We test all security levels of devices. A key focus is production: Are there security checks? Are there processes in place to ensure quality and security? Are suppliers or the software components used checked in terms of their security? These are questions that we take into consideration in our certification. But, of course, we also test the device itself: Are there any software updates? What does the user manual say and what interfaces are used? These are also questions that we address in our tests.”
Even a basic test could therefore take a few days. The individual test time depends on how good the existing processes and documentation are. “Certification always goes hand in hand with testing and takes a certain amount of time. That is in the nature of the matter. However, once certification has been completed, it is valid for three years. Once this period has expired, recertification requires much less work,” explains Marc Fliehe.
Voluntary certification is still the case, although the relevance of the security of IoT products is undisputed. There is no obligation for the IT security of companies to be certified in this market and, according to Marc Fliehe, the issue is still not yet relevant enough for customers: “There is not a lot of money available for security as long as low-cost products continue to dominate the market and are bought casually by consumers. Users themselves have considerable influence here as well: every critical request and every demand for certification puts pressure on the manufacturers and helps to make things more secure.”
Marc Fliehe has been working on IT security since 2000. From the former Bitkom employee’s point of view, IoT and AI are just two of the extremely security-related topics to which we should devote appropriate attention: “Older IoT devices that sit around unused in the house are an easy target for hackers. And as all devices are networked to each other, it is theoretically possible to carry out a systematic cyber-attack on the critical infrastructure. The safety standards that will shape the market in future are therefore of crucial importance.”
In his work, Mark Fliehe experiences, time and time again, that not every company is aware of their responsibility in terms of data security. “As I said, some manufacturers think very little about it, while others are considering it at length. Having said that, buyers also need to develop an awareness of IT security. For example, when it comes to children's toys, consumers need to ask themselves whether they would risk strangers easily gaining access to cameras or microphones in their children's playroom. Or with household appliances, such as ovens. Do we want the appliance to be externally accessible and operable?”
Marc Fliehe assumes that these issues will continue to grow in importance in future, and that the awareness and knowledge of IT security will also increase among manufacturers, consumers and politicians. “But digitalisation is continuing to take off at a rapid pace. Our current crucial issue is the use of AI. We also need certification options here. That will be our next task.”
Text: Sabine Haas