Security ICs - Greater security for the networked world

06/05/2024 Know-How

Through wireless communication technologies such as 5G, more and more devices are now connected to the Internet. But for all the benefits, this also means increased access to personal data and a growing risk of cyberattacks. In the connected world, security is an issue suppliers cannot afford to neglect.

In April 2023, Netgear and Bitdefender presented the “2023 IoT Security Landscape Report”. For this report, they analyzed 2.6 million households worldwide that contain smart home devices protected by Netgear Armor and powered by Bitdefender security applications. The result: Roughly 3.6 billion security events were recorded in 2022 on a total of around 120 million IoT devices. Every day, an average of eight smart homes are impacted by cyberattacks. Registering a whopping 52 percent, smart TVs were by far the most popular gateway into the home network (Fig. 1). Smart sockets (13 percent) came second at a considerable distance, ahead of routers (9 percent) and smart video recorders (8 percent).

The report clearly demonstrates the enormous security risk posed by IoT devices in the smart home sector. Add to that the fact that the home office drive during the COVID-19 pandemic often resulted in a laptop full of company data now being part of the network alongside smart TVs, and it becomes clear that this is also a huge security risk for companies. This is also shown by the CONCORDIA report (Cyber security cOmpeteNCe fOr Research anD InnovAtion), for which a European consortium of universities and companies investigated how COVID-19 has impacted cyber security. According to the report, cyber criminals are resorting to proven modi operandi and malware families to exploit the societal developments, emergency services, and supply shortages caused by the pandemic. This includes increased use of digital services and weakly protected personal IT devices such as WLAN routers in smart home environments. The report by the German Federal Office for Information Security (BSI), “The State of IT Security in Germany 2022”, comes to a similar conclusion: Overall, the already tense situation worsened further during the reporting period (June 1, 2021 – May 31, 2022). The threats in cyberspace are now higher than ever. This increases the responsibility of suppliers of devices connected to the Internet to integrate sufficient security mechanisms into their products.

Requirements of the Radio Equipment Directive 

The Radio Equipment Directive 2014/53/EU applies to almost all devices that transmit – regardless of whether they are transmitters or receivers. It provides the regulatory framework for making radio equipment available on the market and putting it into service, with the aim of enabling the free movement of goods within EU member states. The requirements include “an adequate level of electromagnetic compatibility” and “effective and efficient use of radio spectrum so as to avoid harmful interference”. In addition, the health and safety of users must not be endangered. However, these basic requirements of the RED previously only applied to devices that are not actually connected to the Internet.

For this reason, the EU Commission expanded the RED in January 2022 to include Articles 3.3 d), e), and f), which address network protection, user protection, and fraud protection for the following products:

3.3 d) Any equipment that can communicate with the Internet, either directly or indirectly

3.3 e) Any equipment that processes personal data:

  • Equipment connected to the Internet
  • Radio equipment for childcare or toys (Directive 2009/48/EC)
  • Portable equipment with radio function (wearables)

3.3 f) Any equipment that is connected to the Internet and which can be used for transferring money, monetary values, or virtual currencies.

A number of security requirements are defined for these product groups. Here are some examples: Products covered by Article 3.3 d), for instance, must be secured by default and by design, and must be equipped with the most current software and hardware at the time they are placed on the market. For all equipment defined in Article 3.3 e), integrity checks, such as of software and firmware, must be performed during system startup to provide timely warning to users in the event of degradation. For equipment covered by Article 3.3 f), it must be ensured, among other things, that only the appropriate access rights to financial data are assigned.

For all products belonging to one of these three categories, any access data that is stored, transmitted, received, or otherwise processed must be protected against unauthorized storage, processing, access, or disclosure. However, there are devices to which these RED articles do not apply: Medical equipment and in vitro diagnostics, civil aviation, electronic road toll systems, and motor vehicles and trailers, including systems, components, and autonomous technical units for the safety and protection of vehicle occupants and road users, are all covered by other EU regulations. 

Although it was decided in April 2023 to postpone enforcement of the RED by one year, suppliers of affected products should still prepare for its deployment in good time. This is because all products that are newly approved or enter the EU market on or after August 1, 2025, must be tested for the new cyber security requirements as formulated in the RED articles. All approved testing bodies in the EU are publicly listed. 

In addition, suppliers must declare compliance with Delegated Regulation EU 2022/30 (which supplements the European Parliament’s Directive 2014/53/EU). According to the classification described above, this applies in particular to smartphones and laptops but also to various smart home and smart building equipment, such as alarm systems and cameras, as well as to devices for monitoring babies or wearables with sensitive data on the user’s location or health.

Security ICs enhance security

Most devices are equipped with protection mechanisms and encryption technologies implemented through software. Additional protection with increased security against cyberattacks is provided by integrating a hardware security IC (Figure 2). These ICs are tamper-proof and reinforced against physical attacks through active shielding, a random layout, and mechanisms that immediately interrupt operation when unusual events occur. They also enable secure booting and firmware updates, thus contributing to endpoint security. In addition, the separate security chips ensure higher performance of the MCU, as it no longer has to perform complex decryption and encryption processes.

Rutronik offers such hardware security chips through the Optiga product families from Infineon. The supplier is also involved in the working group of the Comité Européen de Normalisation Electrotechnique (CENELEC, European Committee for Electrotechnical Standardization), which is responsible for standardizing RED security and data protection functions. As a result, Infineon is already well equipped to comply with the regulations. The company will also support its customers in this process through the Optiga product families. Moreover, Infineon’s commercial products sold in the EU, such as WLAN and Bluetooth modules, will also meet the RED requirements in time for the change in legislation.

The Optiga Trust series includes turnkey products for smaller platforms as well as programmable solutions that meet individual embedded authentication and brand protection requirements. The Optiga Trusted Platform Module (TPM) series includes standardized security controllers that protect the integrity and authenticity of devices and systems on embedded networks. The controllers are based on proven technologies and support the latest TPM 2.0 standard from the Trusted Computing Group (TCG) as well as special embedded certificates, security certificates (CC and FIPS), and various encryption algorithms. They are also tamper-proof, ensuring secure storage of security keys, certificates, and passwords and providing dedicated security key management. 

The Optiga Connect series consists of turnkey embedded SIMs (eSIMs) for both consumer devices and for IoT devices with cellular connectivity. Optiga Connect Consumer is an eSIM specifically designed for small devices, such as smartwatches or fitness trackers. It securely authenticates them to the subscribed network operator. Remote SIM provisioning (RSP) allows users to change or add their mobile operator wirelessly, provided the device is equipped with a local profile assistant (LPA). The consumer product is fully compliant with the latest specifications of the Global System for Mobile Communications Association (GSMA) (SGP.22 V2.2.2) and the Trusted Connectivity Alliance (eUICC Profile Package V2.3.1). The Optiga Connect IoT series comes with a pre-installed GSMA-compliant operating system and pre-integrated connectivity features. Through Infineon’s collaboration with Tata Communications, it offers global cellular network coverage (2G, 3G, 4G, CATM, and other LTE services) with more than 640 networks in 200 countries. In addition, the Optiga Connect IoT series includes Common Criteria EAL5+ certified eSIM hardware. 

For contactless payment by credit card, smartphone, smartwatch, and even wristband or ring, which has been booming ever since the COVID-19 pandemic, Infineon has secure near-field communication (NFC) products in its portfolio thanks to the Secora product family (Fig. 3). The family includes four variants: a Java card with world-class security for blockchain system implementation as well as a ready-to-use Java card optimized for electronic identification (eID) applications, a system for smart wearables with contactless secure payment, ticketing, or access applications via NFC, and a complete portfolio for everything from contact cards to smart payment accessories. With this product portfolio, Infineon meets all RED 3.3 d), e), and f) requirements.

 


 

For more information and a direct ordering option, please visit our e-commerce platform at www.rutronik24.com.


Figure 1: According to Bitdefender’s analysis, smart TVs were by far the most common targets of cyberattacks on home networks in 2022.

Figure 2: Greatly simplified setup of an IoT device with additional security hardware

Figure 3: Hardware security products from Infineon