Strong appetite in Singapore for secure smart devices, survey finds

The voluntary scheme shows consumers how secure Internet-connected devices are against cyber-security threats. PHOTO: ST FILE

SINGAPORE - The people's appetite for secure Internet-connected devices is strong, with half of adults in Singapore saying they will consider buying such gadgets under a new labelling scheme.

This was what a survey found even as nearly seven in 10 respondents here say they are not aware of the Cyber Security Agency of Singapore's (CSA) relatively new Cybersecurity Labelling Scheme for Internet of Things (IoT) devices such as Wi-Fi routers and Internet Protocol (IP) cameras.

The voluntary scheme, launched over six months ago, shows consumers how secure Internet-connected devices are against cyber-security threats.

Nearly three in five people were also not aware of past IoT breaches here, such as a report in October that home IP cameras here were hacked and the footage uploaded on pornographic websites, according to the poll that ended early last month.

Cyber-security firm McAfee, which commissioned the survey of about 1,000 adults in Singapore, told The Straits Times that having half the population consider products under CSA's Cybersecurity Labelling Scheme "is an achievement and speaks to Singaporean tech savviness".

But being used to giving their personal data online could also mean that many people underestimate the risks of buying unsecured IoT devices, or do not appreciate the dangers of a security breach, said McAfee. The limited number of CSA-labelled devices - 12 to date - might also be a factor.

But as more device makers join the scheme in future, and as people have more time to understand the security concerns, more consumers could go for labelled IoT devices later, said the company.

This is amid mounting concerns that hackers will increasingly target IoT devices. Research firm Statista said the number of IoT devices worldwide is expected to hit 30.9 billion by 2025, a sharp jump from 13.8 billion forecast for this year.

McAfee noted that with the rapid surge in unsecured IoT devices with work and study from home due to the pandemic, these gadgets have become an easy target for hackers.

The firm found that the number of new IoT malware grew globally by 58 per cent from the fourth quarter of 2019 to the first quarter of last year.

Beyond hacked IP cameras, other threats include crooks hacking a home router to access data, including sensitive ones, that victims send over the Internet, as well as files on computers and devices connected to the home network, said McAfee.

To mitigate some of these risks, CSA in October launched the labelling scheme to help consumers better judge how exposed the smart devices they buy are to cyber risks.

It has four rating levels, with Level 1 meaning the device maker has ensured there is a unique log-in password and software updates are pushed automatically to the products.

The highest Level 4 rating requires products to be sent for structured penetration tests conducted by CSA-approved third-party labs.

The products labelled so far include Wi-Fi routers, smart switches, smart lights and smart home hubs, from Aztech, BroadLink, HomeAuto Solutions, Prolink and Signify.

Major router brands such as D-Link, Linksys, TP-Link, Asus and NetGear do not have their products labelled yet. Printer brands are also missing, including Canon, HP and Epson.

When contacted, many brands either declined to comment or could not reply by press time.

But one industry player that declined to be named said one problem was that time was needed to prepare products for labelling, with Covid-19 delaying processes. Other challenges include costs and approvals needed.

Linksys said the routers it sells will comply with CSA's scheme, in line with the Infocomm Media Development Authority's (IMDA) timeline for security requirements for new home routers, such as using unique log-in passwords.

New routers must be compliant from April 13 to be sold here, while those previously approved by IMDA can continue to be sold until Oct 12.

Aztech, which has two smart home hubs labelled, said it will consider having its new IoT products, such as IP cameras and wearables, labelled.

The scheme "allows us to differentiate ourselves" from others with similar products in the market, the company added, despite the costs involved.

CSA said the scheme has gained momentum in the last few months and it has received about 60 applications.

International manufacturers have expressed interest in the scheme too.

The agency noted that some manufacturers still have concerns about what other jurisdictions and markets will introduce as alternative schemes.

But CSA said it has been engaging like-minded international partners for mutual recognition of its scheme, to eliminate duplicated assessments for products across different countries and reduce the cost of compliance. And it has received indications of interest from international partners to implement the scheme in their respective countries, including the United States.

For makers seeking higher levels of the four-level rating scheme, CSA said the labelling process takes some time.

McAfee noted that for several manufacturers, if security was not considered from the very beginning, it could be quite expensive to add it later.

Some device makers' products might also have been ready to ship to market and could not meet labelling requirements in time, McAfee said.

It added that as with any new initiative, like energy efficiency labels for home appliances, "it will take some time for (the scheme) to gain mass awareness".

It said as more countries look to encourage similar schemes - Britain introduced one last year - there will be pressure on makers to certify their devices.

CSA could consider making the scheme compulsory in the future, for example by 2025, said McAfee. "This would give manufacturers ample time to ensure future IoT devices are developed with robust security protocols that meet (the scheme's) requirements," it said.

The agency's scheme is voluntary, but CSA said it will monitor take-up and effectiveness before deciding on the next steps, "which might include making the (scheme) mandatory for IoT consumer devices in future".

In the meantime, McAfee gave these tips that consumers can follow to protect themselves from IoT device cyber-security threats:

- Practise proper online security habits. This includes using a strong password, putting IoT devices on their own, separate network, and using two-factor authentication when possible.

- Do your research. Before buying a new IoT device, take the time to look into its security features and understand the associated security risks.

- Change your device's factory security settings. By doing so, you are instantly upgrading your device's security.

- Use a firewall. Even if a device is infected, a firewall can keep a potential attacker from accessing all the other devices on the same network. When looking for a comprehensive security solution, see if a firewall is included to ensure that your devices are protected.

- Always update. Software and firmware patches are always being released by companies and are made to combat newly discovered vulnerabilities, so be sure to update every time you are prompted to.

Join ST's Telegram channel and get the latest breaking news delivered to you.