Digital consumer protection: Numerous security gaps in IoT devices, routers & health apps

Due to technological progress and an ever-increasing range of new digital consumer products, the digital consumer market continues to grow. At the same time, however, it also offers new targets for cyber criminals. So what is the state of IT security? The German Federal Office for Information Security (BSI) has investigated this question.

A woman works on her laptop at the coffee table. | TÜVIT
05.07.2021 | Essen

Countless security incidents in the IoT sector

It was only at the beginning of the year that a study by the TÜV association revealed the security concerns of many German citizens regarding smart home devices. According to the study, 66 per cent of respondents believed that there was a very high risk of smart devices becoming the target of a hacker attack. The new BSI study makes it clear that the scepticism among the population is justified. Security incidents increased in 2020, particularly in the area of IoT applications. Security gaps in specific products and vulnerabilities in the central security architecture of IoT devices and hardware in general were discovered. Networked doorbells and smart toys were among those affected.

For example, a company specialising in IoT security analyses reported over 7,000 vulnerabilities in 6 randomly selected products, including children's toys, in the run-up to Christmas. Outdated software with known security vulnerabilities, insecure remote maintenance access or inadequate encryption threatened the intimacy and privacy of consumers, especially children.

The dangers associated with such insecure products in the Consumer Internet of Things (CIoT) are now being countered by the TÜV association with the new test mark CyberSecurity Certified (CSC). This is intended to label corresponding CIoT products according to the Basic, Substantial and High test levels, ensure greater consumer confidence in future and provide better guidance.


Shortcomings in the IT security of WLAN routers

As the centrepiece of every networked household, the Wi-Fi router - and above all its IT security - is of particular importance. Nevertheless, Stiftung Warentest found in March 2020 that almost half of all routers tested had security flaws. This was also confirmed in the "Home Router Security Report 2020" published by the Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE). The experts found vulnerabilities in all 127 devices tested. Some of them even had hundreds. In addition, 46 routers had not received any security updates for at least a year.

In order to improve and standardise the security of Wi-Fi routers in the future, the BSI published the test specification for the technical guideline for broadband routers last year. In doing so, the authority created the formal requirements for the testing and certification of routers. The aim is to make the complex security requirements transparent and visible to consumers so that the aspect of IT security can be factored into the purchasing decision alongside other aspects.
 

Health apps: Need to catch up in terms of IT security

Health apps that work with sensitive data, in particular, generally have an increased need for protection. However, the BSI's market observation revealed that, despite this high need for data protection, there is still a lot of catching up to do in terms of IT security. For example, the authority came across a lack of processes for updates and for dealing with vulnerabilities, as well as insufficient implementation of technical and organisational measures.


How can manufacturers of IoT devices or routers and developers of health apps protect themselves against security vulnerabilities?

For manufacturers of smart home devices or CIoT products, we recommend the new cyber security scheme "CyberSecurity Certified (CSC)", which supports them in implementing and objectively verifying a minimum standard of security measures. Depending on the desired scope and depth of testing, the security levels Basic, Substantial and High (from 2022) can be achieved.

The BSI provides manufacturers of broadband routers with an effective guideline in the form of TR-03148, which defines a minimum level of IT security measures in the form of criteria to be fulfilled. Through successful testing and certification in accordance with BSI TR-03148, router manufacturers can prove that their products are protected against possible hacker attacks and equipped with state-of-the-art security measures.

Developers of digital health apps should have their application tested by means of penetration tests - especially if they are seeking authorisation from health insurance companies. As part of these tests, qualified IT security experts identify potential security vulnerabilities that can then be rectified by the manufacturer. In addition, assessments on data protection and data security provide information on the current status quo of an application.

In each of these three cases, manufacturers and developers increase the security level of their products, identify and eliminate vulnerabilities and benefit from competitive advantages thanks to objective proof of trust. In addition, the principle of "security by design" is taken into account from the outset - and therefore as early as the development process - in order to prevent security gaps later on and achieve a holistically secure product.
