Singapore widens security labelling to include all consumer IoT devices

Introduced last October as a voluntary programme, the Cybersecurity Labelling Scheme rates devices according to their level of cybersecurity features and will now be extended to include all consumer smart devices such as smart lights and smart printers.

Singapore has widened a cybersecurity labelling initiative to include all consumer Internet of Things (IoT) devices such as smart lights, smart door locks, smart printers, and IP cameras. The scheme, which initially applied only to Wi-Fi routers and smart home hubs, rates devices according to their level of cybersecurity features. 

The Cybersecurity Labelling Scheme was first introduced last October as part of the government's efforts to enhance IoT security, boost general cyber hygiene, and better safeguard the country's cyberspace. Then, only Wi-Fi routers and smart home hubs were included in the programme because of these devices' wider usage and impact on users if there was a security breach. 

Global pandemic opening up can of security worms

Caught by the sudden onslaught of COVID-19, most businesses lacked or had inadequate security systems in place to support remote work and now have to deal with a new reality that includes a much wider attack surface and less secured user devices.

Read More

While voluntary, the labelling programme aimed to motivate manufacturers to develop more secure products, moving beyond designing such devices to optimise functionality and cost, the Cyber Security Agency of Singapore (CSA) had said. Consumers also would be able to identify products with better cybersecurity features.

The initiative assesses and rates smart devices into four levels based on the number of asterisks, each indicating an additional tier of testing and assessment the product has gone through. Level one, for instance, indicates a product has met basic security requirements such as ensuring unique default passwords and providing software updates, while a level four product has undergone structured penetration tests by approved third-party test labs and fulfilled level three requirements.

CSA on Thursday said it had expanded the labelling programme to encompass "all categories" of consumer IoT devices. It added that this would provide consumers with information of the level of security that had been built into these devices -- something that was not made readily available by manufacturers. 

The government agency noted that IoT devices were expected to see increased adoption over the next few years. With their short time-to-market and quick path to obsolescence, many of these consumer products were designed to optimise functionality and cost over security, CSA said. "As a result, many devices are being sold with poor cybersecurity provisions, with little to no security features built-in," it said, adding that this posed security risks to users, whose privacy and data could be compromised. 

Compromised IoT devices also could be used to form botnets, from which Distributed Denial of Service (DDoS) attacks could be launched to bring down online services, the government agency said. It pointed to the Mirai botnet attack in 2016, which was carried out via IoT devices such as home routers and IP cameras. 

To drive adoption of the Cybersecurity Labelling Scheme amongst manufacturers here, CSA said application fees for the programme would be waived until October 6. 

While this initiative remained voluntary, manufacturers of Wi-Fi home routers, however, soon would have to meet mandatory security requirements before putting up their devices up for sale in Singapore. These would include unique login credentials and default automatic downloads of security patches. 

Slated to kick in from April 13 this year, the new mandate was first announced last October with the aim to enhance the security of home routers, as these were popular targets of malicious hackers looking to breach home networks. Detailed under the Infocomm Media Development Authority's (IMDA) Technical Specifications for Residential Gateways, Wi-Fi home routers that complied with these requirements would qualify for the first level of the Cybersecurity Labelling Scheme. 

Home routers previously approved by IMDA would be permitted to remain on sale until October 12 this year. 

RELATED COVERAGE