IoT (Internet of Things) security poses a major challenge to global cybersecurity. Many risks emerge, such as IoT device security, data security, and personal privacy protection, which necessitate enhanced security guarantees in terms of product design, technological standard, compliance certification and security governance. Simultaneously, IoT security is undermined by Sino-US technology decoupling, which intensifies with geopolitics, national security and other factors. These complex factors have impeded the improvement of global IoT security. In order to investigate the issue in a more comprehensive way, Research Center of Global Cyberspace Governance (RCGCG) in collaboration with ioXt (Internet of Secure Things Alliance), a research institution on cybersecurity policy and technological standard, has published White Paper on 2023 Global IoT Security; PSA Certified, a global partnership of security-conscious companies, also contributed to part of the content.
Members of the research group include Lu Chuanying, researcher from Shanghai Institutes for International Studies (SIIS); Wang Li, senior researcher from Xi'an Jiaotong University Suzhou Academy Information Security Laws Institute; Hui Zhibin, researcher from Shanghai Academy of Social Sciences; Lang Ping, researcher from Institute of World Economics and Politics, Chinese Academy of Social Sciences; Xu Longdi, associate researcher from China Institute of International Studies (CIIS); Sun Xiantang, senior engineer from China Academy of Information and Communications Technology (CAICT); Craig Miller, director of Intellectual Property of ioXt; Dylan Liu, head of Business Development in Asia Pacific of ioXt, a leading organization in the field of global IoT standards; and Anurag Gupta, Director of Business Development of PSA Certified at Arm.
In the process of compiling the White Paper, the research group has initiated extensive academic exchanges with experts and scholars with profound insights in the fields of cybersecurity and Sino-US science & technology, and cited their latest research achievements in this regard. These experts and scholars are Bruce McConnell, distinguished fellow at The Stimson Center; Paul Triolo, senior vice president from Albright Stonebridge Group (ASG); Graham Webster, senior researcher from Stanford University's Cyber Policy Center (SUCPC); and Samm Sacks, senior researcher from Yale Law School.
Additionally, the research group has co-organized relevant academic seminars with John C. Mallery, researcher from Massachusetts Institute of Technology (MIT); Joseph Nye, professor at Harvard Kennedy School, Melissa Hathaway, senior advisor at Harvard Kennedy School, and Charles Barry, former professor at National Defense University, attended the seminars and discussed IoT security in depth. Their penetrating views possess great significance for better understanding global cybersecurity development and boosting global IoT security.
Tuya as Best Practice
After a full day of meetings on a business trip, you arrive at your hotel, tired and looking for a quick refresh and a good night's rest. You are greeted first by a smart robot in the hotel lobby for a facial-recognition hotel check-in, avoiding the long line at the reception desk. Upon entering the elevator, it automatically identifies your floor. Within three minutes, and without fumbling with your hotel key, you arrive at your room. You enter your room, equipped with over 20 intelligent devices powered by Tuya that combine together for various scenes and voice-applet wake-up and controls. Users are able to turn on room lights and close the curtains, all from the comfort of bed. In the hotel, various smart devices interconnect and organically integrate in private and public spaces.
After your business trip, you arrive at your apartment entrance, where lights automatically turn on as the system identifies you and unlocks. You no longer have to search for your keys in your bag at night. Since the residential community installed an intelligent lighting system inside and out, you have saved 20% of your monthly electricity bill. With the intelligent trash-thrown-from-high-window monitoring system installed in the community, you don't have to worry about whether children are hit by sudden objects when playing on the outdoor ground.
As you open the door to your apartment, warm yellow lights and your air purifier turn on automatically, while your water heater is activated to a comfortable temperature in advance according to personalized settings. Having taken a bath, you feel comfortable. Just say “good night,” and your lights switch off, curtains close, and doors and windows are locked for the evening. When you wake up in the morning, simply say “good morning,” and your curtains open and morning music plays automatically, starting the day with positive energy.
Many years ago, the above-mentioned scenes could only be imagined in movies. However, with the development and popularization of IoT, 5G, cloud computing, and other technologies, interconnected intelligent scenes are no longer difficult to achieve.
Be it smart communities, smart hotels or smart homes, all are linked with the security and well-being of thousands of households. Therefore, Tuya Smart designs multiple security-guarantee measures across its ecosystem to ensure the security and reliability of IoT devices in various scenes.
Intelligent hardware has long supply chains and diverse product types. Taking cost into account, product expenses can vary substantially, resulting in a large gap in the computing capacity of product chips. Traditional information-security standards are not fully applicable to intelligent hardware, which requires IoT manufacturers to organize strong professional information-security teams and participate in the design, execution, production, and upgrading of the entire IoT products. This significantly increases the security cost of intelligent hardware.
For example, in 2023, Tuya Smart launched WBR3N, a built-in IoT security module, which takes a security chip certified by “CC EAL6+” as a root of trust, with industry-leading security-capacity support. The module possesses a comprehensive security guarantee. In addition to having the ECC security certificate and device authentication information built into the SE (secure element) during production, WBR3N implements two-way certificate authentication and device-activation authentication between the device and the cloud end. In terms of communication, WBR3N adopts TLS two-way strong verification communication based on security authentication, which boasts the highest level of communication-security guarantee in the industry now.
In the protection of device-data security, WBR3N performs data encryption and decryption via the built-in independent SE to fully ensure data security. Simultaneously, WBR3N provides independent physical security storage based on the SE and has a built-in root of trust that is used to encrypt the storage. Similarly, the built-in SE protects the core code, and OTA ensures process security based on a secure communication process and firmware verification.
WBR3N is equipped with multiple logical and physical protection layers like metal shielding, end-to-end encryption, memory encryption and tamper detection, which can effectively defend against various advanced attack means like power analysis and fault attack.
Tuya Smart is one of the earliest IoT platform service providers pursuing IoT information security solutions. Since its establishment, Tuya Smart has set information security as the core bottom line of its intelligent product solutions.
In order to control the security and quality of intelligent hardware products, Tuya Smart has established a professional information-security team of more than 20 people in-house to control the software development life cycle (SDLC). It strictly applies a secure SDLC to develop services and products at three ends, i.e. cloud, app and intelligent device, which incorporates information security into the lifecycle of software development. The lifecycle of software development of Tuya Smart comprehensively covers all stages of the system development lifecycle, aiming to guarantee the security of every line of code by controlling various processes and means.
Tuya Intelligent Security Team fulfills unified project-SDLC-implementation monitoring and management via a security-management platform, and realizes fully-automated process tracking and the whole-process security review, testing and delivery.
In order to ensure the foresight of technological practice in the security R&D of intelligent products, Tuya formulates security-classification standards of intelligent hardware devices that are internally developed based on global industrial information-security standards (including but not limited to ETSI EN 303645, NIST IR 8259A, ioXt Alliance Security Checklist, etc.) and implements mandatory security requirements based on different types of products.
In line with the security-baseline requirement and security-technology planning, the Team compiles corresponding security-test cases to ensure the enforceability of security-technology from planning to verification as well as the effective implementation of security planning.
Tuya Sage, an IoT security-operation platform of Tuya Smart, aims to help developers identify and eliminate potential security risks of the IoT system and ensure security compliance in the operation of the IoT system.
Sharing joint security responsibility is the core principle of IoT security. IoT platform service providers undertake the responsibility of security management and operation of services and data interaction on the cloud platform and of the security of cloud-service platform and basic architecture. When developers independently develop their apps or hardware-embedded software (including using SDK) and business systems to access cloud platforms via API, they need to ensure the security compliance of their apps and data, including hardware and apps. However, in practice, many developers lack the entire perception of the security and compliance state of global intelligent terminals, which forms a common problem in the IoT industry.
On Tuya Sage, developers can see all protected devices, including the state of basic security information and risks. Once devices are attacked, developers can complete risk-interception with one click. With real-time threat intelligence, Tuya Sage can timely and effectively identify local vulnerabilities of intelligent terminals, enabling developers to fully understand the compliance state of terminal security and privacy and discover the non-compliance flow of user data to deal with it at the first time.
For Tuya, protecting user data has always been one of its core missions.
Globally, Tuya owns six data centers, based in Oregon (the U.S.), Virginia (the U.S.), Frankfurt (Germany), Amsterdam (the Netherlands), Mumbai (India) and Shanghai (China). Simultaneously, in order to provide better services to customers in more countries and regions in the world, Tuya will continue to build more data centers in the future. Each data center deploys independently in the market segment. As a service provider and data processor, Tuya is the consignor of client-data processing. It signs strict data-processing agreements with clients, including responsibilities and obligations like data-processing scope and data-processing models. Tuya has strict internal access-control strategy and technological-guarantee architecture. Only with the authorization of clients can it access or process data.
In all Internet-based interactions, Tuya uses TLS for secure communication, and conducts additional AES128 encryption for data content. In data storage, Tuya uses AES256 encryption or SHA256 Hash to de-identify all users' sensitive data before storing it.
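The following is an added example, not Tuya's code and not part of the White Paper: it shows how hashing an identifier for de-identification behaves with and without a secret key, which matters because identifiers such as phone numbers have a guessable format. The sample phone number, the per-deployment keys and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def normalize(identifier: str) -> bytes:
    """Canonical form so the same identifier always yields the same pseudonym."""
    return identifier.strip().lower().encode("utf-8")


def plain_digest(identifier: str) -> str:
    """Unkeyed SHA-256: anyone who knows or guesses the input can recompute it."""
    return hashlib.sha256(normalize(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that is held outside the data store."""
    return hmac.new(key, normalize(identifier), hashlib.sha256).hexdigest()


def matches_guess(stored: str, guess: str) -> bool:
    """What a party WITHOUT the key can check: does hashing a guess give the stored value?"""
    return hmac.compare_digest(stored, plain_digest(guess))


# Constructed sample data (not a real user).
PHONE = "+1-555-0100"
# Assumption: one random 256-bit key per deployment, kept in a KMS/HSM, never beside the data.
KEY_REGION_A = secrets.token_bytes(32)
KEY_REGION_B = secrets.token_bytes(32)


def demo() -> dict:
    stored_plain = plain_digest(PHONE)
    stored_keyed = keyed_pseudonym(PHONE, KEY_REGION_A)
    return {
        # Unkeyed digest can be re-linked to the identifier by anyone who guesses it.
        "plain_linkable": matches_guess(stored_plain, PHONE),
        # Keyed pseudonym does not match an unkeyed hash of the same identifier.
        "keyed_linkable": matches_guess(stored_keyed, PHONE),
        # The key holder still gets a stable join key for the same user.
        "stable_for_key_holder": stored_keyed == keyed_pseudonym(" +1-555-0100 ", KEY_REGION_A),
        # Separate keys keep records in independent deployments from being correlated.
        "same_across_regions": stored_keyed == keyed_pseudonym(PHONE, KEY_REGION_B),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Where the original value must be recoverable, authenticated encryption is the fit; a keyed hash suits lookups and joins that never need the plaintext back.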
Tuya carries out data collection in line with basic principles of protecting data and personal privacy rights. User consent to data collection is the most important legal basis. Tuya collects data by ensuring the user right to know and necessary service principles. In data collection, the R&D process follows a PIA/DPIA procedure to analyze the protection lifecycle of personal data and ensure the legitimacy and compliance of data collection.
In recent years, Tuya Smart has done its utmost in security and compliance for platforms and technologies and actively carried out third-party data-security assessment/certification/validation/testing/audit to meet the needs of global clients. This is in tune with the development orientation of Tuya Smart, a global IoT development platform service provider.
So far, Tuya Smart has obtained some mainstream information security standards and compliance requirements in the market. Simultaneously, Tuya has been endorsed by a well-known international organization: ISO series of certification and CSA STAR of BSI. Now, Tuya has passed the validation report of GDPR, optimized the security protection and compliance requirement of personal data, and officially fulfilled CCPA privacy-compliance validation program and privacy laws in Canada, the PIPEDA/Québec Bill64, by cooperating with TrustArc, an international well-known privacy and compliance consulting institution. An annual external audit conducted by E&Y explains Tuya’s continuous effort in seeking an independent eye of Tuya internal security and compliance implementations. Besides, on the basis of intelligent hardware solutions, Tuya has obtained EN 303645 and NIST IR 8259A certification of TÜV SÜD, as well as the security certification of ioXt Alliance. All of these demonstrate that the existing product solutions of Tuya fully comply with industrial information security standards.
Additionally, Tuya has invited information security corporations including Rapid7, Underdefense, ScienceSoft, Wizlynx Group, Chaitin Tech and DAS-Security to test the information security capacity of its products with their professional penetration tests.