Abstract

Consumer IoT devices are primarily used by people who have limited understanding of cybersecurity. For this reason, it is incumbent upon the manufacturer to set up the consumer IoT device securely. However, implementing such measures is costly and often not done voluntarily by manufacturers. Since regulation is necessary, several standardization organizations worldwide are working on security certification of Consumer IoT devices. This paper provides an overview of the current challenges in certifying consumer IoT devices according to the specifications based on the ETSI EN 303 645 and TS 103 701. We present the assessment of two Consumer IoT devices, which gives an insight into the different involved certification players and exposes challenges and weaknesses of the certification process. Furthermore, interviews were conducted with certification bodies that provide consumer IoT security certification. The interviews highlighted some further challenges and suggestions for improvement of the ETSI EN 303 645 ecosystem.