ETSI EN 303 645 / Consumer IoT

For a long time, consumer products have been judged and rated only on their functionality and, of course, their price.


However, recently discovered security vulnerabilities and attacks on such products, such as the Mirai botnet, are making users more aware of the cybersecurity risks. Moreover, the fact that these products share a network with other sensitive services and with data that is stored or processed there makes their security impact much larger: a compromised device is a foothold from which the rest of the network can be attacked. Developers and architects determine the security of these products, and international standards and best practices are the best way to guide their security implementations.


LCIE Bureau Veritas can support testing and certification based on the most relevant international publications in the domain of consumer products.


Consumer IoT products need a well-thought-out approach to security assessment and certification. It requires efficient and effective testing with limited effort and cost. Moreover, such a certification programme needs to take into account the fast software update cycle associated with these products, so that an evaluation does not become obsolete with the next firmware release. Certification of IoT products (based on Common Criteria or ETSI EN 303 645) is currently voluntary. At the same time, there are international discussions on mandating, by regulation, a minimum set of security features for connected products. For example, in the EU, the Radio Equipment Directive (RED) will shortly incorporate requirements linked to cybersecurity. These requirements will call for protection of software updates, confidentiality of personal data, and protection against malicious impact on other components connected to the same network. Bureau Veritas can support consumer IoT certification based on ETSI EN 303 645 and Common Criteria, as well as tailored testing in line with the security requirements of the RED.


Support and Preparation

– Design Reviews
– Security Requirements Development
– Threat Modeling
– Vulnerability Assessments and Penetration Testing of Hardware, Software and Infrastructure

Compliance and Testing

– ETSI EN 303 645
– P-SCAN (product vulnerability scanning)

– BV IoT Class 1 (CTIA 1)
– BV IoT Class 2 (OWASP)
– BV IoT Class 3 (ETSI EN 303 645)
– OWASP
– ioXt
– CTIA
– ETSI EN 303 645
– Common Criteria Certification
– Radio Equipment Directive (RED)
– EUROSMART IoT Certification