About IoT Security Testing
The majority of internet-connected devices don’t clearly tell you how to change the default password, which can leave possibly thousands of devices using the same default password and compromises IoT security. Sometimes default passwords are as basic as ‘admin’, ‘password’, ‘1111’ or no password at all. These types of weaknesses lower the overall security of devices.
A recent report from the Internet Society, which surveyed global consumers, identified many concerns but also ‘the trust opportunity’. The opportunity exists for manufacturers to differentiate themselves by offering proof of trustworthy behaviour and demonstrating that steps have been taken to design security into their processes and products.
Working with experts from the IoT Security Foundation, IASME has defined a set of 30 checks which can be verified by a national network of certifying bodies such as ourselves. Some of these checks look for changing the default password, allowing the device to be updated, ensuring there is a vulnerability disclosure process in place and ensuring that credentials are sent securely over HTTPS/TLS.
If you go for the self-assessment, similar to the Cyber Essentials and the Cyber Essentials Plus schemes, and you satisfy those checks, a certificate is issued to you, and you can use the Basic checkmark on marketing materials.
Why should you look at certifying your IoT product with this certification? Achieving this certification helps your business ensure that you are implementing best practices to secure your device, and gives your customers peace of mind that their product and home/business networks are going to stay as safe as possible.
This certification also helps businesses verify the IoT security of the internet-connected devices in their supply chain.
The IoT certification scheme is aligned with the ETSI technical standard for IoT security, EN 303 645, and with the proposed UK IoT security legislation and guidance. It is also mapped to the IoTSF Security Compliance Framework.