Is the Internet of Secure Things a step closer?
From 2024, smart devices have to meet minimum security requirements. If they do not, they may not be sold on the European market. This follows from a recent decision by the European Commission. Carolien Nijhuis, EVP Internet of Things at KPN, welcomes the step. “Users have a right to expect secure IoT products.”
In addition, from 2024 onwards smart consumer electronics have to be tested for security vulnerabilities and must no longer be supplied with a weak default password. Updating the software should be as simple as possible. This also applies to managing, protecting and deleting personal data. And the supplier must have a responsible disclosure policy so that a security hole in the software can be reported responsibly. These minimum safety requirements are also laid down in the ETSI EN 303 645 standard.
“It is legislation that everyone has asked for and that everyone was waiting for,” Nijhuis says. According to the EVP Internet of Things, the cyber security of IoT devices is still something that is unfathomable to most users. “They simply have to trust that the smart thermostat, interactive doorbell or connected coffee maker is secure. There is no quality mark by which secure devices can be recognized. The new legislation will change that. Devices that do not meet the minimum security requirements are not eligible for CE marking.”
Security not built-in
According to Nijhuis, the new legislation is the right response to the popularity of the Internet of Things. The popularity of the IoT is rising at a phenomenal rate. There are already some 35 billion devices connected to the internet. That number is expected to rise to 125 billion in 2030. “We live and work in a cloud of IoT devices that collect and process data about our lives with the best of intentions. They make life easier, more fun or more sustainable.”
This spectacular growth also has a significant downside, however. The “building in” of security from the start is often forgotten when IoT devices are being developed. “IoT devices can collect highly sensitive personal data and provide insight into aspects such as someone's heart rate or current location,” says Erno Doorenspleet, CTO of KPN Security. “But without protective measures, privacy is at stake and serious cyber incidents can occur.”
So there’s a risk that cybercriminals will eavesdrop on conversations or peek into the bedroom via baby monitors, children's toys or smart TVs. An unsecured smart doorbell can give hackers access to the home network and the data that can be found there. With a copy of that data they can commit identity fraud. And unsecured IoT consumer electronics can be incorporated into a botnet such as Dark Nexus that enables criminal organizations to carry out DDoS attacks.
Kiwa and KPN help
The new legislation is therefore good news for the users of the IoT but, according to Doorenspleet, this does not mean that it is easy to comply with the legislation. “As KPN, we help manufacturers with this by means of certification and advice, by jointly developing a product, and by applying the security during development and not afterwards. In our state-of-the-art lab we can also test the security of a working prototype thoroughly to see whether the product complies with the ETSI EN 303 645 standard.”
In the field of the certification of IoT consumer electronics KPN Security has entered into a cooperation agreement with Kiwa, which specializes in testing, inspection and certification. As part of this agreement, Kiwa accepts the test results of KPN Security's test lab for the purpose of issuing a product certificate. With this certificate the manufacturer can be sure that the product may be sold in Europe. For the consumer, the certificate is proof that the product is safe to use.
A society that is as secure as possible
According to Nijhuis, it is natural for Kiwa and KPN to be partners. “Kiwa's slogan is ‘We create trust all over the world’. And that idea fits perfectly with KPN's values. Manufacturers of IoT consumer electronics can count on the knowledge and experience that KPN IoT has gained in the market. We are now working together to solve the social problem posed by insecure IoT products.”
“Security is in KPN's DNA,” Doorenspleet concludes. “Consumers must be certain of the security of our services and products. That is why we invest a lot of time and money in cyber security. The knowledge we have built up is also part of our KPN Security Policy (KSP) and is our minimum standard for every new development. In short, it contains our ‘security rules’. We make our KSP available free of charge; it is our contribution to the transition to a digital society that is as secure as possible.”
Would you like to know more about Kiwa and KPN Security, a single point of contact for the independent assessment, testing and certification of IoT consumer electronics? Write to us via our contact form.