You should soon have yet another logo to look for when shopping for a connected lock, thermostat or other smart-home device: a new security certification tied to the Matter connected-device standard. The Product Security Verified Mark, announced Monday by the Connectivity Standards Alliance, certifies a device's compliance with a set of requirements laid out in a 32-page specification. Among the key points:

- Devices can't ship with hardcoded universal default passwords, a common and easily exploited target of attackers.
- Devices must encrypt sensitive data, both in transit and at rest.
- Devices must validate inputs to catch buffer-overflow attacks.
- Device vendors must provide security patches for a support period that they publicly document.
- Device vendors must conduct vulnerability tests before every major release and maintain a vulnerability-disclosure program through which security researchers can report bugs.

This voluntary program, however, leaves some decisions up to developers. It doesn't specify a minimum duration for the security-support period, so a shopper still has to check the period each vendor documents. It also classifies automatic software updates as a "should" item rather than a "shall" requirement, meaning recommended rather than mandatory. Vendors can likewise choose whether to have CSA conduct the required testing or do it themselves.

The blue verified logo that compliant devices can display on their packaging and product pages can include a QR code that links to details about the product.
(Credit: Connectivity Standards Alliance)
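As an added illustration of the input-validation requirement listed above (example code written for this page, not code from CSA's specification or from any Matter implementation), here is a hypothetical device command handler in C with the unchecked "before" form beside a length-checked form. The wire format, the command id 0x10, the 31-character name limit and the sample packets are all assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for a hypothetical "set friendly name" command
 * (an assumption for illustration, not anything in the Matter spec):
 *   byte 0      : command id (0x10 = SET_NAME)
 *   byte 1      : declared name length N
 *   bytes 2..   : N bytes of name
 */
#define CMD_SET_NAME 0x10
#define NAME_MAX     31          /* storage is NAME_MAX + 1 for the NUL */

typedef struct {
    char name[NAME_MAX + 1];
} device_state_t;

/* BEFORE: trusts the declared length from the packet. A packet that claims
 * N = 200 makes memcpy write past name[] onto whatever follows the struct.
 * This is the bug the "validate inputs" requirement is aimed at. Kept here
 * for comparison only; never call it on untrusted input. */
int set_name_unchecked(device_state_t *st, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2 || pkt[0] != CMD_SET_NAME)
        return -1;
    size_t n = pkt[1];
    memcpy(st->name, pkt + 2, n);      /* n is attacker-controlled */
    st->name[n] = '\0';                /* also out of bounds when n > NAME_MAX */
    return 0;
}

/* AFTER: every length is checked against both the buffer we write into and
 * the bytes we actually received, before any copy happens. Rejected packets
 * leave the device state untouched. Return codes:
 *   0 ok, -1 malformed header, -2 would overflow name[],
 *  -3 declared length exceeds payload, -4 non-printable byte in name. */
int set_name_checked(device_state_t *st, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2 || pkt[0] != CMD_SET_NAME)
        return -1;
    size_t n = pkt[1];
    if (n > NAME_MAX)
        return -2;
    if (n > pkt_len - 2)               /* safe: pkt_len >= 2 was checked above */
        return -3;
    /* Assumption for the example: names are printable ASCII only. */
    for (size_t i = 0; i < n; i++)
        if (pkt[2 + i] < 0x20 || pkt[2 + i] > 0x7e)
            return -4;
    memcpy(st->name, pkt + 2, n);
    st->name[n] = '\0';
    return 0;
}

int main(void)
{
    device_state_t st = {{0}};

    /* Constructed sample packets. */
    const uint8_t good[] = {CMD_SET_NAME, 7, 'K', 'i', 't', 'c', 'h', 'e', 'n'};
    uint8_t oversized[2 + 200];                  /* claims a 200-byte name */
    memset(oversized, 'A', sizeof oversized);
    oversized[0] = CMD_SET_NAME;
    oversized[1] = 200;
    const uint8_t truncated[] = {CMD_SET_NAME, 20, 'a', 'b', 'c'};  /* claims 20, sends 3 */

    printf("good:      %d (%s)\n", set_name_checked(&st, good, sizeof good), st.name);
    printf("oversized: %d\n", set_name_checked(&st, oversized, sizeof oversized));
    printf("truncated: %d\n", set_name_checked(&st, truncated, sizeof truncated));
    return 0;
}
```

Build with `cc -Wall -Wextra example.c` and run it; the oversized and truncated packets are rejected before any byte is copied, which is the property a tester checking this requirement would want to see. Note that the checked version tests the declared length against both the destination buffer and the bytes actually received: the second check matters because a short packet with a large declared length would otherwise read past the end of the receive buffer even though it cannot overflow the destination.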
CSA aims to have this new security specification interoperate with government security-label programs and announced the first such "mutual recognition" agreement, with Singapore, on Monday.

"The group is effectively creating a superset of requirements from different government bodies and programs," said Tobin Richardson, CSA's president and CEO, in a Zoom call from Singapore.

Last July, the U.S. government announced its own voluntary Cyber Trust Mark program, to be run by the Federal Communications Commission; on Thursday, the FCC voted to adopt rules implementing the program. That step follows other moves by the Biden administration to promote better security practices, such as documenting the software bill of materials in a product and doing away with standard default passwords. The European Union, meanwhile, is considering a Cyber Resilience Act that would set security standards for connected devices.

Saying CSA has had "great interaction and engagement" with the U.S. and EU governments, Richardson pronounced himself optimistic about obtaining mutual-recognition deals in Washington and Brussels: "We believe there's going to be a very good alignment there."

But for this new mark to reach security-minded shoppers, Matter will need to get more visible at retail. That situation isn't as awful as it was last summer. For instance, at least some connected-device listings on Amazon let you specify Matter as a "connectivity protocol," but it remains far too easy for a customer to have no idea that this standard exists unless individual devices tout their Matter compliance.

"One of the things we're working on is channel education," Richardson said. He advised companies in this increasingly crowded product category not to wait to take advantage of this certification program once it becomes available, which he said could be "as early as next week."

"It's up to the manufacturers," he said. "For those that care about product security, this gives them some way to differentiate."