ICSA Labs offers IoT certification

Security is hard; this much is apparent from the major breaches regularly reported by major corporations around the world. In the IoT space, this drives many vendors to do little about it when developing cheap, short-cycle volume products. Vendors who have built a business around their device tend to be more thorough, but still run a very good chance of missing something.

The problem for us as consumers is that it is difficult, if not impossible, to make a determination about the security of a given product before purchase. There is little published by vendors about their security architecture, and independent assessment is left entirely to independent security researchers. Given the proliferation of individual device models, most of them are unlikely to ever get that sort of attention.

There has also been no formalized standard or certification that vendors could pursue for their IoT offerings to provide some assurance to prospective buyers, until now.

As of late 2016, security assurance company ICSA Labs has added an IoT security certification to their stable of offerings. Who are ICSA Labs? According to their website:

ICSA Labs, an independent division of Verizon, has been providing credible, independent, third-party product assurance for end-users and enterprises since 1989. ICSA Labs provides third-party testing and certification of security and health IT products, as well as network-connected devices, to measure product compliance, reliability and performance for most of the world’s top technology vendors.
— https://www.icsalabs.com/about-icsa-labs

Their first, and only, customer for this service to date has been Canary, whose home security device I reviewed earlier. They've published a video from Chris Rill, CTO and co-founder of Canary, discussing how they see this as an advantage for vendors. Chris concludes with this:

I’m hopeful that products in the future will have, perhaps, a nutrition label of security and privacy so that all products, whether it be a toaster oven that connects to the internet, or a security camera, that the consumer can be well informed about the products that they’re buying and what those products do, and do not do, as it relates to security.
— Chris Rill, CTO Canary Connect, Inc.

Having an independent third-party assessment with formally published findings, as this one has, would be a great thing in terms of allowing consumers to be better informed when buying IoT devices. It's unfortunate that there have been no other products assessed under this standard since 2016, but we can still hope this initiative, or others like it, will gain traction as a market differentiator to help drive better security practices in the future.

ICSA Labs: https://www.icsalabs.com/