网络攻击日益频繁,全球每天数百万次网络攻击,个人数据泄露风险加剧,安全防护不足致数据易被黑客窃取,严重威胁个人隐私、企业数据和国家安全。EN18031-2:专注于隐私保护,涉及数据加密存储和多层级访问控制。
EN 18031-1(3.3.e):针对隐私数据/个人数据传输
能够处理个人数据,流量数据和位置数据的无线电设备,包括:
(a) 联网无线电设备,除b.c.d外
(b) 玩具
(c) 儿童看护
(d) 可穿戴设备,包括人体穿戴或服装配饰
Better protect consumers' privacy (§3.3.e): Wireless devices and products will need to have features to guarantee the protection ofpersonal data. The protection of children's rights will become an essential element of this legislation. For instance, manufacturers willhave to implement new measures to prevent unauthorised access or transmission of personal data.
EN 18031-2: 11 Categories
ACM: Access control mechanism 访问控制机制
AUM: Authentication mechanism 授权认证机制
SUM: Secure update mechanism 安全更新机制
SSM: Secure storage mechanism 安全存储机制
SCM: Secure communication mechanism安全通信机制
LGM: Logging mechanism 日志机制
DLM: Deletion mechanism 删除机制
UNM: User notification mechanism 用户通知机制
CCK: Confidential cryptographic keys加密密钥机密性
GEC: General equipment capabilities通用设备要求
CRY: Cryptography 加密方法评估
EN 18031-2: 40 cases
[ACM-1] Applicability of access control mechanisms
[ACM-2] Appropriate access control mechanisms
[ACM-3] Default access control for children in toys
[ACM-4] Default access control to children’s privacy assets for toys and childcareequipment
[ACM-5] Parental/Guardian access controls for children in toys
[ACM-6] Parental/Guardian access controls for other entities’ access to managedchildren’s privacy assets in toys
[AUM-1] Applicability of authentication mechanisms
[AUM-2] Appropriate authentication mechanisms
[AUM-3] Authenticator validation
[AUM-4] Changing authenticators
[AUM-5] Password strength
[AUM-6] Brute force protection
[SUM-1] Applicability of update mechanisms
[SUM-2] Secure updates
[SUM-3] Automated updates
[SSM-1] Applicability of secure storage mechanisms
[SSM-2] Appropriate integrity protection for secure storage mechanisms
[SSM-3] Appropriate confidentiality protection for secure storage mechanisms
[SCM-1] Applicability of secure communication mechanisms
[SCM-2] Appropriate integrity and authenticity protection for secure communication mechanisms
[SCM-3] Appropriate confidentiality protection for secure communication mechanisms
[SCM-4] Appropriate replay protection for secure communication mechanisms
[LGM-1] Applicability of logging mechanisms
[LGM-2] Persistent storage of log data
[LGM-3] Minimum number of persistently stored events
[LGM-4] Time-related information of persistently stored dog data
[DLM-1] Applicability of deletion mechanisms
[UNM-1] Applicability of user notification mechanisms
[UNM-2] Appropriate user notification content
[CCK-1] Appropriate CCKs
[CCK-2] CCK generation mechanisms
[CCK-3] Preventing static default values for preinstalled CCKs
[GEC-1] Up-to-date software and hardware with no publicly known exploitable vulnerabilities
[GEC-2] Limit exposure of services via related network interfaces
[GEC-3] Configuration of optional services and the related exposed network interfaces
[GEC-4] Documentation of exposed network interfaces and exposed services via network interfaces
[GEC-5] No unnecessary external interfaces
[GEC-6] Input validation
[GEC-7] Documentation of external sensing capabilities
[CRY-1] Best practice cryptography
适用范围:
涉及个人数据、位置数据或流量数据的设备,包括:儿童设备:婴儿监视器、智能玩具(如带语音交互的玩偶)。可穿戴设备:健身追踪器、医疗手环。移动终端:TWS 耳机、便携式热点。安防设备:家庭摄像头、GPS 追踪器。
典型案例:支持视频通话的智能手表、记录运动轨迹的智能手环。