Introducing the latest IoT device certification processes for dealing with frequent information security attacks

2020 / 07 / 14

When emerging technologies and applications reach the market, problems sometimes arise that were not anticipated when they were planned. The launch of Internet of Things (IoT) products is one example: it has been accompanied by security attacks such as the Mirai botnet in 2016 [1]. When we examine attacks on IoT products, we often find that they succeed because users have not changed the default password on the product's login page. Users also do not fully understand the functions their IoT products provide, so products with remote login functions end up exposed on the Internet. In addition, manufacturers do not pay attention to security issues and trends and ship insecure software designs: software packages with known vulnerabilities, no requirements for the length and complexity of user account passwords, or even debug mode turned on by default. These design weaknesses are what malicious programs target when attackers want to compromise IoT products and spread among them.

In response to the security issues of IoT products, many organizations at home and abroad have actively developed related product security regulations. The Industrial Development Bureau (IDB) of the Ministry of Economic Affairs (MOEA) and the National Communications Commission (NCC), as the competent authorities, have entrusted the Association of Information and Communication Standards (TAICS) to formulate security inspection standards and certification systems. TAICS has so far completed industry information security standards and certification systems for video surveillance systems, smart buses and smart street lamps. Manufacturers can entrust an accredited laboratory to conduct security testing on their IoT products, and can get the certification mark after the product has passed the tests and audits [2].


Video Surveillance Product Certification Program

In the United States, the Cellular Telecommunication Industry Association (CTIA) developed the IoT Cybersecurity Certification Program [3]. IoT product manufacturers who want to obtain the certificate for this program first choose a CTIA Authorized Testing Laboratory (CATL) for pre-certification work, and then submit a certification request through the CTIA certification website. The CTIA accredited laboratory conducts the testing and submits the test reports to CTIA for review, helping the product to get CTIA's security certification.

CTIA IoT Cybersecurity Certification Program

In addition to governments, industry associations and other organizations, large enterprises also require products manufactured by their suppliers to meet their security requirements. For example, Amazon requires that all products using Alexa Cloud services undergo security testing by authorized security laboratories [4]. The laboratory submits the test report to Amazon for review. Only after the review is passed can the product be released [5].

Alexa Product Certification Procedure

By passing different information security certifications, IoT products have the ability to resist different attacks from hackers. Information security certification testing must be carried out by a qualified certification laboratory, and the report issued by that laboratory is the only way to apply to the administrations for a certificate of conformity. To become an accredited laboratory, applicants must first pass the ISO 17025 laboratory certification and be familiar with the testing items of the security standards and certification systems. They also need to develop standard operating procedures for the testing items and comply with the requirements of ISO 17025 in terms of personnel, tools, environment, and testing practices. Onward Security has an ISO 17025-certified security testing laboratory and has been authorized by TAICS, CTIA and Amazon. As an accredited security testing laboratory, it can conduct security certification testing for IoT products, smart phones, webcams, Amazon Alexa products, etc. The laboratory assists manufacturers in getting security certificates or marks, thus meeting buyer requirements and entering the international market.

Reference:
[1] https://en.wikipedia.org/wiki/Mirai_(malware)
[2] https://s.itho.me/cybersec/2019/slides/twpavillion/0319_臺灣物聯網產品資安認驗證制度介紹_TAICS_黃雅琤副處長.pdf
[3] https://www.ctia.org/about-ctia/certification-resources
[4] https://developer.amazon.com/en-US/docs/alexa/alexa-voice-service/avs-security-reqs.html
[5] https://developer.amazon.com/en-US/docs/alexa/alexa-voice-service/product-testing-overview.html