IoT devices and Mirai botnet attacks

Germans wade into the battle for smart device standards

Have you heard of SPEC 27072? This set of numbers might come up in the future when you go shopping for a new smart device such as a light bulb or security camera.

SPEC 27072 is a set of standards for smart devices from the German Institute for Standardization (DIN) which has just been approved by the German Federal Office for Information Security (BSI).

Yes, the German penchant for order might finally be coming to the market for smart devices, and the BSI’s stated goal is to have a minimum set of security standards for smart devices in the home.

It’s about time. Currently, there are no such standards. In addition, millions of devices have already been placed on the market that are essentially insecure by design: they have hard-coded passwords, communicate insecurely online, and are difficult to update. Insecure devices are vulnerable to Mirai and to being drafted into botnet armies and misused to launch DDoS attacks.

“This specification can significantly increase the IT security level of these devices. In this way, we are systematically continuing the path we have taken with the Router-TR (“Technical Guideline”) to better protect end users and the Internet infrastructure,” stated BSI President Arne Schönbohm.

Buy the secure label

In addition, he added that this would “create a valuable basis for designing the IT security label introduced by the Federal Government in the course of the IT Security Act 2.0.” Yes, it sounds like smart devices may get a security sticker somewhat similar to the energy efficiency label that comes on your refrigerator, dishwasher, or even your car.

Let the standards battle begin

Schönbohm also added that there is the possibility that they would transfer their new specs over to a European standardization project. This statement raises a few questions. Germany is already a bit behind on setting smart device standards. Earlier this year, the Technical Committee on Cybersecurity of the European Telecommunications Standards Institute released ETSI TS 103 645, 16 pages of security standards for the Internet of Things. This built on an earlier effort by a UK government agency. It is certain that much of the new spec will overlap with the 13 suggested guidelines in the ETSI proposal for making IoT smart devices more secure, such as “no default passwords” and “communicate securely.”

“It is not going to be a fast implementation of either standard, but it is certainly a start and a good move for really everyone,” said Andrei Petrus, IoT Director at Avira. “I’m especially interested in their efforts to promote security-by-design and security-by-default. So far, we’ve seen that IoT device manufacturers are ready to overlook the security basics in their rush to market. It’s time for recognizable standards.”

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.