CTA Tackles Smart Home Cybersecurity Issues at Spring Standards Forum
Cybersecurity led the issues at the CTA Technology & Standards Spring Forum last week in San Diego. New CTA standards projects included battery backup requirements for VoIP systems, a list of deprecated cybersecurity methods, and an update to CTA Technical Report #12, Securing Connected Devices for Consumers in the Home, CTA said. Sponsors of the event, which drew 130 attendees, were the Custom Electronic Design & Installation Association, Kavi and the Personal Connected Health Alliance.
CTA’s Consumer Technology Networking Committee began updating the CTA report on Securing Connected Devices for Consumers in the Home, which provides guidance for product development to help ensure end products are as secure from hackers as possible, it said. Interested parties can join the R07 WG18 Home Networking Security and Privacy Working Group.
The report, targeted to smart home device developers, covers engineering best practices on managing development and deployment of smart home devices, Mike Bergman, CTA senior director-technology and standards, told us. Citing the numerous media reports on smart home devices as “less secure than they should be,” Bergman said the best practices are designed to help the smart home industry “up its game.” Top-down best practices are developmental, while bottom-up practices are techniques on an individual product level down to a specified encrypted link, Bergman said.
The original report came out a year and a half ago and is being updated based on the rapid changes in the smart home industry, Bergman said. The industry has been increasingly stepping up efforts to address the threat and reality of hackers, he said. A panel last week discussed the industry’s response to cybersecurity threats, and presentations covered cloud, platform and device-level security, plus encrypting links and overall best practices for integrating all of the elements, he said. “There’s a lot happening,” Bergman said, and the group will meet every few weeks to review the existing document and look for areas of improvement. The group will solicit input from CTA members and cybersecurity experts around the industry, he said.
On the catchall term “smart home,” Bergman said for the purposes of the report smart home refers to devices that provide home automation and security, but “we would be happy for anyone making a connected device to review this document.” The principles of making a safer, more secure connected thermostat, refrigerator or vacuum cleaner would “apply equally to things that are not intended for the home,” he said. Wearables are not included because they typically connect to a smartphone or other device that provides the connection to the Internet. The group welcomes input from smartphone makers, who “are quite concerned about the security of phones and are doing quite a bit to protect them,” Bergman said.
In addition, CTA’s Consumer Technology Networking Committee has begun developing a list of cybersecurity methods that should no longer be used because they’ve been hacked. The deprecated methods for consumer technology devices, once recommended, have been “replaced by something better,” Bergman said. He cited the Heartbleed virus in OpenSSL cryptographic software that exposed user passwords in 2014 as an example. Bergman also called out the RC4 (Rivest Cipher 4) stream cipher, whose exposed vulnerabilities rendered it insecure, prompting the Internet Engineering Task Force to warn in February against its use.
“The problem is, a number of these methods can be selected when using someone’s encryption package or Web service or security methods like SSL or TLS,” Bergman said. “If you select the wrong option or choose the wrong part of [the] software tool that you’re using, you’ll get one of these deprecated methods.” The R07 WG18 Home Networking Security and Privacy Working Group has taken on ownership and maintenance of the list of deprecated cybersecurity methods to provide better awareness for software developers and website maintenance providers, Bergman said. Experienced cybersecurity professionals are generally aware of the methods on the list, “but not everybody has switched over,” he said. By publishing the list, CTA hopes to boost voluntary adoption of more secure methods, he said.
To address new backup power requirement rules set by the FCC, CTA is developing standards that will define methods and specifications for providing backup power for up to 24 hours in the event of a local or national disaster, Bergman said. The current regulation, which took effect in February, requires eight hours of backup power, he said. The CTA group defining methods and specs for VoIP backup power is the R07 WG20 VoIP Battery Backup Working Group.