People’s appetite for secure internet-connected devices is increasing, with half of the adults in Singapore saying they will consider buying such gadgets under a new labelling scheme. However, a survey found that only half of the adult respondents are aware of the Cyber Security Agency of Singapore’s (CSA) relatively new Cybersecurity Labelling Scheme for Internet of Things (IoT) devices such as Wi-Fi routers and Internet Protocol (IP) cameras.
In recent years, there has been an exponential increase in the number of connected IoT devices in the world. It is estimated that there will be some 50 billion IoT devices in use around the world by 2030. Amid the growth in the number of IoT products in the market, and because of the short time-to-market and quick obsolescence, many consumers IoT products have been designed to optimise functionality and cost over security. As a result, many devices are being sold with poor cybersecurity provisions, with little to no security features built-in.
This poses cybersecurity risks such as the compromise of consumers’ privacy and data as hackers generally look for the easiest systems to attack that will net the most damage and returns. Compromised IoT devices can also be used by threat actors to form a botnet to launch Distributed Denial of Service (DDoS) attacks which could bring down Internet services.
Currently, information on the amount of security that is built into these devices is not made readily available by the manufacturers. Thus, consumers are unable to make informed decisions towards purchasing more secure devices.
The CSA has launched the CLS for consumer smart devices, as part of efforts to improve IoT security, raise overall cyber hygiene levels and better secure Singapore’s cyberspace. The CLS is the first of its kind in the Asia-Pacific region. Under the scheme, smart devices will be rated according to their levels of cybersecurity provisions. This will enable consumers to identify products with better cybersecurity provisions and make informed decisions.
The CLS also aims to help manufacturers stand out from their competitors and be incentivised to develop more secure products. Currently, consumer smart devices are often designed to optimise functionality and cost. They also have a short time-to-market cycle, where there is less scope for cybersecurity to be incorporated into product design from the beginning.
The CLS was first introduced to cover Wi-Fi routers and smart home hubs. These products were prioritised because of their wider usage, as well as the impact that a compromise of the products could have on users. It has since been extended to include all categories of consumer IoT devices, such as IP cameras, smart door locks, smart lights and smart printers.
But as more device makers join the scheme in future, and as people have more time to understand the security concerns, reports say that more consumers could go for labelled IoT devices later, said a tech company. This is amid mounting concerns that hackers will increasingly target IoT devices. A research firm said that the number of IoT devices worldwide is expected to hit 30.9 billion by 2025, a sharp jump from the 13.8 billion forecasts for this year. They also noted that with the rapid surge in unsecured IoT devices with work and study from home due to the pandemic, these gadgets have become an easy target for hackers.
Beyond hacked IP cameras, other threats include crooks hacking a home router to access data, including sensitive ones, that victims send over the Internet, as well as files on computers and devices connected to the home network, added the tech firm.
Notably, CSA said the scheme has gained momentum in the last few months and it has received about 60 applications. International manufacturers have expressed interest in the scheme too. The agency noted that some manufacturers still have concerns about what other jurisdictions and markets will introduce as alternative schemes.
But the CSA said it has been engaging like-minded international partners for mutual recognition of its scheme, to eliminate duplicated assessments for products across different countries and reduce the cost of compliance. And it has received indications of interest from international partners to implement the scheme in their respective countries, including the United States. For makers seeking higher levels of the four-level rating scheme, CSA said the labelling process takes some time.
The agency’s scheme is voluntary, but the CSA said it will monitor take-up and effectiveness before deciding on the next steps, which might include making the CLS mandatory for IoT consumer devices in future.