Qbit’s GDPR Device Testing Service tests the effectiveness of IoT device security and GDPR compliance for manufacturers. The test controls are based on the principles of personal data protection. From a technical point of view, they relate specifically to data minimization, privacy by design and default and transparency. The test results are reviewed by Qbit’s privacy and legal experts.
Core elements of the GDPR Device Testing Service:
- Testing the communication to and from devices.
- Conformance to security requirements.
- Analysis of the firmware of products to see whether it is possible to extract sensitive data.
When assessing the GDPR compliance, Qbit’s experts focus on providing answers to the following questions:
- Is it possible to gain (elevated) access to the device from the network?
- Is it possible to gain access to sensitive (user) information stored on the device from the network?
- Is the attack surface of the device kept minimal to prevent exploitation of (future) vulnerabilities?
These questions are answered through three testing activities:
- Testing the attack surface of the device, i.e. checking which network services the device exposes. These services are then tested for publicly known vulnerabilities and hardening issues using a variety of testing tools.
- Testing the communication to and from the device, for instance the interaction an end-user has when installing the device, configuring features or setting passwords. This includes the update mechanism and the interaction with APIs used by apps running on the device. The use of encryption is specifically addressed in this topic.
- Basic analysis of the device firmware to attempt to extract sensitive data (such as default passwords or encryption keys) from the image, and to check whether the image is protected against manipulation.
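As an added example (not part of Qbit's service description or its tooling), the following script shows the kind of pre-release check a manufacturer can run on its own firmware image for two of the points above: whether sensitive material such as default passwords or private keys is left in the image, and whether the image carries an integrity tag that rejects a manipulated copy. The image bytes, the search patterns and the signing key are all constructed for illustration, and HMAC-SHA256 stands in for whatever signing scheme a real update mechanism uses.

```python
"""Pre-release firmware checks: scan an image for embedded secrets and
verify that the image is integrity-protected before it is accepted.

Example code added to this page; not Qbit's tooling. The image bytes,
patterns and signing key below are constructed for illustration.
"""
import hashlib
import hmac
import re

# Constructed sample image: a fake ELF header, a config fragment with a
# default credential, an embedded private key and some padding.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"[device]\nuser=admin\npassword=changeme\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n"
    + b"-----END RSA PRIVATE KEY-----\n"
    + b"\x00" * 32
)

# Constructed image with the credential and key removed: what a clean
# build should look like for these two checks.
CLEAN_IMAGE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"[device]\nuser=admin\n"
    + b"\x00" * 32
)

# Byte patterns that indicate sensitive material left in an image.
SECRET_PATTERNS = {
    "hardcoded_password": re.compile(rb"(?i)pass(?:word|wd)?\s*[=:]\s*\S+"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def find_embedded_secrets(image: bytes) -> list[tuple[str, int]]:
    """Return (pattern_name, byte_offset) for every match, ordered by offset."""
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(image):
            findings.append((name, match.start()))
    return sorted(findings, key=lambda finding: finding[1])


def sign_image(image: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 tag over the whole image.

    Stands in for the vendor's signing scheme; a real update mechanism
    would use an asymmetric signature so the device only holds a public key.
    """
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_image(image: bytes, tag: bytes, key: bytes) -> bool:
    """Constant-time comparison: a manipulated image is rejected without
    leaking where the tag diverged."""
    return hmac.compare_digest(sign_image(image, key), tag)


def assess(image: bytes, tag: bytes, key: bytes) -> dict:
    """Combine both checks into the shape of a reportable finding."""
    secrets = find_embedded_secrets(image)
    return {
        "integrity_ok": verify_image(image, tag, key),
        "secrets_found": [name for name, _ in secrets],
        "secret_offsets": [offset for _, offset in secrets],
    }


if __name__ == "__main__":
    key = b"constructed-signing-key-not-for-production"
    tag = sign_image(SAMPLE_IMAGE, key)
    print("original image:", assess(SAMPLE_IMAGE, tag, key))
    # A single changed byte must fail the integrity check.
    tampered = SAMPLE_IMAGE.replace(b"admin", b"guest")
    print("tampered image:", assess(tampered, tag, key))
    print("clean image:   ", assess(CLEAN_IMAGE, sign_image(CLEAN_IMAGE, key), key))
```

Running the script reports the default password and the private key at their byte offsets in the constructed image, shows that the tampered copy fails verification against the original tag, and shows the clean image passing both checks. Regex matching is deliberately simple; in practice it would be combined with string extraction from each unpacked filesystem and a check for high-entropy blobs that look like keys.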
What does Qbit’s Device Testing Service provide?
- Insight into shortcomings in security measures.
- A risk and impact classification.
- An overview of technical and organizational (non)conformance to the GDPR.
- Specific recommendations that enable a manufacturer to implement conformance and increase the (quality of the) security wherever necessary.
From a technical perspective, every reported finding consists of an explanation and proof, so the results can be reproduced. Risk and impact are quantified to give quick insight into the most notable findings. They are complemented by specific recommendations to remediate a vulnerability or risk, which enables easy prioritization of controls.
GDPR-related testing results expose threats to data confidentiality, integrity and availability, which can then be addressed to better safeguard the affected data. Notable findings include:
- Inadequate encryption of communication, resulting in:
  - Interception of (sensitive) user data.
  - Manipulation of (sensitive) user data.
- Default settings and functionality that track a user by default, without providing notice and without any consent.
- A misalignment between privacy policies and (technical) reality, resulting in:
  - Nonconformance to purpose, use and sharing limitations.
  - Lacking transparency.
Knowledge base Device Testing
Qbit has built up a knowledge base consisting of a substantial number of issues that expose users to threats, from both a security and a privacy standpoint. Qbit is convinced that the accumulated findings represent the state of the wider industry and that a great many IoT devices pose equivalent or even worse risks and threats to users. When these risks and threats materialize through hacks or data breaches, this negatively affects the manufacturers and directly impacts their reputation and operations.
Preventing threats and risks to users also prevents negative impact on an organization. Qbit’s GDPR Device Testing Service addresses user risks and translates these into organizational risks.
Our GDPR Device Testing Service helps to ensure secure and GDPR-conformant handling of personal data. This leads to a secure service on the connected devices and minimizes the risk of personal data being exposed to hackers. In addition, the service helps to safeguard reputation and the revenue streams related to the devices and their connected services, and it helps to avoid penalties and liabilities. Depending on the complexity of a device, a more compact or more extensive approach can be provided. Qbit appeals to the social responsibility of manufacturers and internet-connected service providers to take device security and user privacy more seriously.
Contact Qbit Cyber Security for a free quote for the GDPR Device Testing Service for your connected smart device.