Current challenges of implementing ETSI EN 303 645 as a baseline
security standard for consumer IoT security certification
- Felix Körner
- Pascal Schäfer
- Holger Zwingmann
- Bettina Schnor
- Samim Ahmadi
Abstract
Consumer IoT devices are primarily used by people who have limited
understanding of cybersecurity. For this reason, it is incumbent upon
the manufacturer to set up the consumer IoT device securely. However,
implementing such measures is costly and often not done voluntarily by
manufacturers. Since regulation is necessary, several standardization
organizations worldwide are working on security certification of
consumer IoT devices. This paper provides an overview of the current
challenges in certifying consumer IoT devices according to the
specifications based on ETSI EN 303 645 and TS 103 701. We present
the assessment of two consumer IoT devices, which gives insight into
the different certification players involved and exposes challenges and
weaknesses of the certification process. Furthermore, interviews were
conducted with certification bodies that provide consumer IoT security
certification. The interviews highlighted some further challenges and
suggestions for improvement of the ETSI EN 303 645 ecosystem.