All you need to know about ETSI EN 303 645

As we start to bring more smart devices into our lives, cybersecurity becomes a growing concern. For instance, Kaspersky honeypots revealed over 1.5 billion attacks against consumer IoT devices in the first half of 2019 alone. In order to minimize these cybersecurity risks, ETSI (the European Telecommunications Standards Institute) created a standard in 2021 – ETSI EN 303 645.

But what is ETSI EN 303 645 and what does it accomplish? We answer this question and more below.  

 
What is the ETSI EN 303 645 standard?

In a nutshell, the standard provides a global baseline for the security of connected consumer IoT devices to strengthen its predecessor – TS 103 645.

Numerous experts from academia, industry and government were engaged, resulting in 13 robust provisions designed to prevent large-scale cyber-attacks, such as the infamous Mirai botnet attack in 2016 which infected hundreds of thousands of devices.

Overview of the 13 provisions:

  1. No universal default passwords;
  2. Implement a means to manage reports of vulnerabilities;
  3. Keep software updated;
  4. Securely store sensitive security parameters;
  5. Communicate securely;
  6. Minimize exposed attack surfaces;
  7. Ensure software integrity;
  8. Ensure protection of personal data;
  9. Make systems resistant to outages;
  10. Examine system telemetry data;
  11. Make it easy for consumers to delete personal data;
  12. Make installation and maintenance of devices easy;
  13. Validate input data.

Additionally, several provisions are in line with data privacy acts such as the GDPR. For example, manufacturers must provide consumers with clear information about what data is collected, how it is used and how it can be deleted.

 

Does ETSI EN 303 645 apply to all IoT devices?

The word ‘consumer’ is front and center of this standard. It extends to the connected or ‘smart’ devices that any person can have at home nowadays.

For example, smart TVs, speakers, alarm systems, door locks, smoke detectors and baby monitors, among many others.

The standard also applies to connected gateways, hubs, and base stations. After all, a home now contains as many as 16 connected devices, each with an entry point into the home network. Thus ETSI EN 303 645 coverage extends to the centralized access point for various devices.

 
Why the need for this standard?

IoT manufacturers generally do not build their own operating systems (OS), as it is expensive and time-consuming. Global tech companies like Microsoft will provide OS updates to their millions of users, which a generic smart TV manufacturer is far less likely to do.

Additionally, the seller or manufacturer of the IoT device is often not the end-to-end builder of the device's hardware or software, meaning the inner workings of the device are often obscured.

Anyone wanting to obtain this information has two options: a crystal box approach or a black box approach.

  • Crystal box approach – The manufacturer proactively supplies the source code and design documentation. This is rare, but it allows for source code audits to determine how trust boundaries are set and maintained.
  • Black box approach – The more common approach where firmware has to be reverse engineered to get a solid understanding of what goes on inside a device.
 
What are the implications of ETSI EN 303 645?

Essentially, manufacturers have to prove that their consumer IoT device complies with ETSI EN 303 645 by passing an evaluation performed by a third-party testing laboratory.

Generally, the evaluation process consists of:

  1. Manufacturers filling out 2 key documents that provide information for device evaluation
    • The first is the Implementation Conformance Statement (ICS). This indicates which of the requirements in ETSI EN 303 645 the IoT device does or does not meet
    • The second is the Implementation eXtra Information for Testing (IXIT), which provides design details for testing
  2. A testing laboratory will evaluate and test the product based on the two documents
    • A report will be provided to indicate if the product is ETSI EN 303 645-compliant
 
ZARIOT can provide guidance

While not comprehensive, ETSI EN 303 645 sets an achievable baseline security standard for IoT stakeholders to attain.

The standard also boosts consumer confidence in the security of everyday ‘smart’ products. An accompanying compliance label will help consumers easily identify products they can buy with assurance.

Do you want to know more about ETSI EN 303 645? Contact one of our industry experts today.

Together with our ecosystem partners, 7Shift or Binare.io, we’ll be able to analyse software components and configuration for vulnerabilities and guide you through to ETSI 303 645 certification.
