"Who Will Obtain the 20 Million Won Domestic Security Certification?" [AI Era Warning] ③

IoT Devices in Everyday Life Increasingly Vulnerable to Hacking
UK, EU, and Other Advanced Economies Strengthen IoT Regulations
KISA Security Certification Issuance Remains at Around 80 Cases Per Year

As the era of hyper-connectivity arrives, in which people and objects are linked through networks, hacks of everyday Internet of Things (IoT) devices are becoming increasingly common. In the United States, there was a case where a Chinese-made robot vacuum emitted profane language, and allegations have been raised that applications (apps) linked to air fryers collect personal information. In September, it was revealed that hundreds of videos showing ordinary people's bodies, filmed in Korean obstetrics delivery rooms, swimming pools, and waxing shops, were posted on a Chinese adult website, causing widespread shock. Last month, the government hastily announced that security-certified IP cameras would be mandatory in multi-use facilities, but analysts say that a wide range of IoT devices in homes remain defenseless against hacking.

Photo of AIoT international exhibition.

Experts warn that most IoT devices connected to the internet or linked with smart devices, and equipped with microphones or cameras, are at risk of being hacked. Cho Youngmin, CEO of the IoT security company GN, said, "If a hacker attaches a QR code to a public electric bicycle, scanning it with a smartphone can install a malicious app, potentially leading to financial damage or leakage of personal information." He emphasized, "Once an IoT device is hacked, there is little users can do to resolve the issue. Manufacturers must develop and release products with enhanced security from the design stage." A representative from the cybersecurity company Cqvista suggested, "Import regulations and certification systems should be strengthened to restrict the import and use of products that fail to pass security verification."


In Korea, the Korea Internet & Security Agency (KISA) has been operating a legal 'IoT Security Certification System' since 2021. However, industry response has been lukewarm. The number of IoT security certifications issued was 4 in 2018, 24 in 2019, 41 in 2020, 73 in 2021, 83 in 2022, and 82 in 2023. According to the National IT Industry Promotion Agency (NIPA)'s survey on the IoT industry, as of last year, there were 3,055 companies engaged in IoT business in Korea, with total sales reaching 25 trillion won. Compared to the IoT market, which is growing by about 2 trillion won annually, the achievements in IoT security certification remain minimal.


IoT security certification is divided into Light (10 items), Basic (29 items), and Standard (43 or more items) depending on the test evaluation criteria. The only case of obtaining the Standard type, which provides a security level capable of responding to advanced hacking attacks, is Samsung Electronics' AI robot vacuum. Certification fees also range from 6 million to 20 million won depending on the items, which is a significant burden for companies. IoT security certification is neither recognized overseas nor mandatory, so it is effectively meaningless. The head of an IoT specialist company said, "We are strengthening our defenses against hacking, but since we are considering entering the U.S. market, it is difficult to invest time and resources in a certification evaluation used only in Korea."


The European Union (EU), the United Kingdom, the United States, and other countries are implementing strong regulations to protect consumers from IoT device hacking. Since the end of April, the UK has enforced the Product Security and Telecommunications Infrastructure (PSTI) regulation for products that can connect to the internet or networks. All companies that manufacture, import, or distribute IoT devices must comply, and manufacturers who repeatedly violate PSTI may be fined up to 20,000 pounds (about 36 million won) per day. The regulation sets a maximum fine for companies at 10 million pounds (18.2 billion won) or 4% of global sales, whichever is greater. Failure to comply with PSTI makes it virtually impossible to do business in the UK.


Starting next year, the EU plans to include cybersecurity requirements in the CE mark for wireless devices. The CE mark indicates that products sold in the European Economic Area (EEA) meet health, safety, and environmental protection standards. Obtaining the CE mark is essential for entering the European market. From August 1 next year, managing cybersecurity vulnerabilities will be required to obtain the CE mark.


The United States is running a cybersecurity labeling program for consumer IoT products, allowing consumers to scan a QR code to access security-related information when purchasing IoT products. A representative from Nemko, a European safety and environmental certification agency, said, "Manufacturers must take a proactive approach to cybersecurity and apply it to product design and development," adding, "It is time to actively comply with cybersecurity regulations to protect both consumers and brands."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
