Connect with us

Technology

We’re one step closer to a global cybersecurity standard for smart home devices

Published

on

We’re one step closer to a global cybersecurity standard for smart home devices

As useful as connected devices like video doorbells and smart lights are, it’s wise to exercise caution when using connected tech in your home, especially after years of reading about security camera hacks, fridge botnet attacks, and smart stoves turning themselves on. But until now, there hasn’t been an easy way to assess a product’s security chops. A new program from the Connectivity Standards Alliance (CSA), the group behind the smart home standard Matter, wants to fix that.

Announced this week, the CSA’s IoT Device Security Specification is a baseline cybersecurity standard and certification program that aims to provide a single, globally recognized security certification for consumer IoT devices.

Device makers who adhere to the specification and go through the certification process can carry the CSA’s new Product Security Verified (PSV) Mark. If that security camera or smart lightbulb you’re buying carries the mark, you’ll know it has met requirements to help secure it from malicious hacking attempts and other intrusions that could impact your privacy. 

“It’s a huge step forward to have a global consumer IoT security certification. It’s so much better than not having one,” Steve Hanna, Infineon

“Research continually shows that consumers rate security as an important device purchase driver, but they don’t know what to look for from a security perspective to make an informed purchase decision,” Eugene Liderman, director of mobile security strategy at Google, tells The Verge. “Programs like this will give consumers a simple, easily identifiable indicator to look for.”

Advertisement

Liderman is part of the CSA working group that defined the 1.0 spec for the program, which has been developed by over 200 member companies of the CSA. These include (along with Google) Amazon, Comcast, Signify (Philips Hue), and several chipmakers such as Arm, Infineon, and NXP.

According to Tobin Richardson, CEO of the CSA, products carrying the PSV Mark could start to appear as soon as this holiday shopping season.  

The CSA’s new product security verification mark.
Image: CSA

One cybersecurity mark to rule them all

The CSA’s announcement on March 18th follows last week’s news that the FCC has approved implementing its new cybersecurity labeling program for consumer IoT devices in the US. Both programs are voluntary, and the CSA’s label doesn’t compete with the US Cyber Trust Mark. Instead, it goes a step further, taking all of the US requirements and adding cybersecurity baselines from similar programs in Singapore and Europe. The end result is a single specification and certification program that can work across multiple countries (see sidebar). 

Advertisement

Richardson says the goal is for the CSA’s PSV Mark to be recognized by governments, so manufacturers can go through just one certification process to sell in all the major markets. This could reduce cost and complexity for manufacturers and potentially bring more choice to consumers. 

The PSV Mark has been recognized by the Cyber Security Agency of Singapore, and the CSA says it is working on mutual recognition with similar programs in the US, EU, and the UK. “It’s very likely, and with some [countries], it’s a certainty,” says Richardson. “It’s mainly a matter of tying up some paperwork.”

To get the PSV Mark, devices must comply with the IoT Device Security Specification 1.0 and go through a certification program that involves answering a questionnaire and providing accompanying evidence to an authorized test laboratory. Highlights of the requirements include:

Advertisement
  • Unique identity for each IoT Device
  • No hardcoded default passwords
  • Secure storage of sensitive data on the device
  • Secure communications of security-relevant information
  • Secure software updates throughout the support period
  • Secure development process, including vulnerability management
  • Public documentation regarding security, including the support period

According to the CSA, the voluntary program applies to most connected smart home devices — including lightbulbs, switches, thermostats, and security cameras — and can be applied retroactively to products in the market. Along with the PSV Mark, “A printed URL, hyperlink, or QR code on the mark gives consumers access to more information about the device’s security features,” the CSA says in its press release.

The program is focused specifically on device security — making sure the physical device itself can’t be accessed — rather than privacy. “But there is a close linkage in that you can’t have privacy without security,” says Richardson. While security impacts privacy, this program doesn’t offer many requirements around how a manufacturer uses the data a device collects. The CSA has a separate Data Privacy Working Group dealing with that can of worms.  

Better security, but still not perfect

The current iteration of the program isn’t a silver bullet to solve IoT device security concerns. Steve Hanna of Infineon Technologies, a 25-year cybersecurity researcher and chair of the CSA working group for the program, told The Verge there’s still more he’d like to see incorporated. “But we have to crawl, walk, and then run,” he says. “It’s a huge step forward to have a global consumer IoT security certification. It’s so much better than not having one.”

Google’s Liderman also points out that meeting the minimum security standard doesn’t guarantee a device is vulnerability-free. “We greatly believe that the industry needs to raise the bar over time, especially for sensitive product categories,” he says.

The CSA plans to keep the specification updated, requiring companies to recertify at least every three years. Additionally, Richardson says there will be a requirement for an incident response process, so if a company encounters a security issue — such as Wyze’s recent problems — it must fix those before it can be recertified. 

Advertisement

An API could allow a smart home platform app to alert you to a device’s security status before it can join your network

To address concerns about misuse of the label, Hanna says the CSA will have a database of all certified products on its website so you can cross-check a company’s claims. He also says there are plans to make the information available in an API, which could allow your smart home platform app to alert you to a device’s security status before it can join your network.

Hanna cautions against setting expectations too high. “Some companies are excited about it to recognize the work they have already done, but we shouldn’t expect every product to have this,” he says. Some may find they have problems that mean they can’t get certified, he says. “If or when these become required by governments, that’s where the rubber hits the road.”

A voluntary program may seem like a finger in the dam, but it does solve two basic problems. For manufacturers, it makes it simpler to comply with regulations from multiple countries in one step, while for consumers, it opens an avenue to information about what type of security practices a company adheres to.

“Without a label or a mark, it can be difficult as a consumer to make a purchasing decision based on security,” says Hollie Hennessy, an IoT cybersecurity expert at tech analyst firm Omdia. While the program being voluntary could be a barrier to adoption, Hennessy says her firm’s research indicates people are more likely to purchase a device with privacy and security labeling.

Advertisement

Ultimately, Hennessy believes that a combination of standards and certifications like this, along with regulations and legislationis needed to solve consumer concerns about privacy and security in connected devices. But this move is a big step in the right direction.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Technology

Meta’s glasses will turn off the camera if you tamper with the privacy light

Published

on

Meta’s glasses will turn off the camera if you tamper with the privacy light

Amid public backlash over its smart glasses, Meta announced that it will be updating its glasses with a new feature that will disable the camera when it detects that someone has tampered with or destroyed the glasses’ privacy LED light. The update is meant to address modders who have taken actions such as physically drilling into the LED light.

Meta has previously tried to discourage tampering with the LED light. For example, starting with its second generation glasses, blocking the light with tape or other objects will trigger a prompt asking users to uncover the recording light. However, many modders have found various workarounds for that particular measure.

Meta’s VP of wearables Alex Himel told The Verge that the privacy-focused update was on the way a few weeks ago after launching cheaper Meta Glasses without Ray-Ban branding. At the time, Himel acknowledged that the company was aware of increasing misuse alongside wider adoption of the devices.

Continue Reading

Technology

Discord accidentally banned over 8,000 people for posting grids and other ‘benign’ images

Published

on

Discord accidentally banned over 8,000 people for posting grids and other ‘benign’ images

Stanislav Vishnevskiy, Discord co-founder and chief technology officer, writes that the bug impacted around 200 users who posted “grid-like” pictures, in addition to about 8,000 people who posted “other benign images” since May 2026. “Everyone affected has now been unbanned,” Vishnevskiy says.

In a thread on X, Discord writes that its safety system is designed to flag content by “matching it against known harmful material.” This system can produce “false positives,” Discord explains, which is when an employee would step in to review the flagged content. But instead of just temporarily preventing the account from uploading content during the review, a glitch led its system to ban users entirely.

“When our staff reviewed and cleared those accounts, the same bug prevented the ban from being lifted automatically, so it just stayed in place,” Discord says.

Continue Reading

Technology

Hoto’s PixelDrive screwdriver is down to $60, matching its best price

Published

on

Hoto’s PixelDrive screwdriver is down to , matching its best price

If your Prime Day purchases included a new desk, TV stand, bookshelf, or other furniture you still haven’t assembled, Hoto’s PixelDrive cordless screwdriver can help speed up the process. It’s currently on sale for $59.99 ($20 off) at Amazon, matching its best price to date.

From tightening loose screws on furniture to repairing electronics, the PixelDrive is designed to handle a wide range of household projects. Hoto includes 30 screwdriver bits that cover many of the most common screw types, all neatly organized in a small cylindrical case. It also offers six adjustable torque settings, allowing you to use less power when working with fragile electronics or increase it when putting together a desk, bookshelf, TV stand, or other furniture. You can also switch between a slower 80RPM mode for more precise work and a faster 200RPM mode with the press of a button.

Hoto also added several features that make assembling projects a little easier. A built-in display lets you quickly check your current torque setting and remaining battery life, while an integrated LED light helps illuminate dim spaces, whether you’re working under a desk or inside a cabinet. The rechargeable 2,000mAh battery also charges over USB-C, so you won’t need to keep buying disposable batteries.

Continue Reading
Advertisement

Trending