It may surprise you to learn there is a certified braintrust that aims to make life on the internet better for us all. This group, the Connectivity Standards Alliance (CSA), is made up of basically every big company in the “internet of things,” and its goal is to create standards that all smart tech manufacturers will adhere to. In theory, this should result in better, more stable experiences for consumers.
For example, the CSA is the group responsible for the Zigbee and Matter standards, sets of parameters that smart tech can and should subscribe to in order to make all products compatible with all multi-system hubs and, hopefully, eliminate the need for separate hubs and apps for each system.
In addition to making smart tech work better, the CSA is working to make it more secure. To that end, this week the CSA announced a new international security standard for smart home tech.
Smart home products battle stigma over security in the face of attacks
It’s hard to ignore the bad reputation smart security systems have taken on in the last few years. Breaches have been reported at major brands like Eufy and Wyze, and in the last month, wifi jammers have been reported to present additional challenges to wireless security systems.
It’s not just security devices that are at risk, either: If your wifi can be hacked, so can your robot vacuum, and your smart speakers, and your smart toaster (you might say that’s an argument against having a smart toaster, but that’s only because you don’t have one yet). If a bad actor can remotely turn on your smart heater or turn off your smart fridge, they can cause some serious havoc. Uniform security standards should, in theory, make that harder.
Certification standards can help reassure consumers
In a press release, CSA head Tobin Richardson made the argument that by stitching together and streamlining disparate international standards, “the Product Security Certification Program…provides manufacturers with a singular, respected avenue for certifying their devices globally.” If all goes according to plan, that should result in better, more secure smart home devices across the board.
That said, the new standards appear to cover only the U.S. and U.K. for now, so calling them “global” feels like a stretch. The press release offers specs for Matter, Zigbee, and Product Security, and demands the following compliance to meet certification:
- Unique identity for each device
- No hardcoded default passwords
- Secure storage of sensitive data on the device
- Secure communications of security-relevant information
- Secure software updates throughout support period
- Secure development process, including vulnerability management
- Public documentation regarding security, including support period
Manufacturers can submit to a certification process if they adhere to the standard, and if they pass, their products will receive a “Product Security Verified Mark” that will tell consumers the device can be trusted to be relatively secure.
The participation of major brands will hopefully lead to widespread adoption
The CSA has assembled a Product Security Working Group made up of more than two hundred member companies, including Amazon, Arm, Comcast, Google, Infineon Technologies AG, NXP Semiconductors, Schneider Electric, Signify (Philips Hue and WiZ), and Silicon Labs. What’s notable about the group, and the standard they created, is that while the Matter and Zigbee guidelines include security for the protocols themselves, the new security standard applies to the products themselves, and can be adopted by products that don’t have Matter or Zigbee.
The new standards are a good start
These standards appear to be a pretty basic set of requirements, and notably, feel like the security standards version 1.0 they’re labeled as. It’s good to have a foundation and recognize the problems the industry has faced, not to mention the stigma smart tech has developed with some consumers. My hope is that this announcement is just the start of a process that delivers truly strong, actually global standards that address product security in a real way.
At the same time, I can’t ignore the rough rollout of Matter, which also sought to standardize smart tech security across manufacturers. It was originally touted as almost precisely the same kind of global standard, but for connectivity protocols rather than products, and you would be hard-pressed to find anyone in the tech world who has been impressed by the adoption rate.
Instead of fulfilling the promise of removing the need for multiple hubs and extraneous apps, the companies who originally pledged to support the Matter standard have been slow to roll it into actual product releases. Just this week, I reviewed a light that requires a Zigbee hub to provide Matter support, negating the entire point of Matter, which is supposed to free you from hubs altogether. I hope this new security standard fares better.