Accepted 17.04.2024. Assessment of ESP32 microcontroller compliance with international standards of cyber security for internet of things

Authors

  • Mazurenko V.B.

DOI:

https://doi.org/10.34185/1562-9945-3-152-2024-08

Keywords:

Internet of Things, automation, cybersecurity, microcontroller, computer-integrated technologies.

Abstract

The Internet of Things is becoming more and more accessible to ordinary people, and this brings cybersecurity threats. It is therefore necessary to assess how secure the microcontroller platforms popular for building home IoT systems really are. One such platform is the ESP32. This study aims to assess the cybersecurity level of the ESP32. The method of assessment is to analyze how the requirements of an international standard are fulfilled by the ESP32 microcontroller platform. The ETSI standard ETSI EN 303 645 V2.1.1 «Cyber Security for Consumer Internet of Things: Baseline Requirements» is chosen as the basis. In particular, the “Cyber security provisions for consumer IoT” requirements were considered. The analysis focuses first on those requirements that depend only on the performance of the platform (microcontroller, OS, API, manufacturer support) and not on IoT system designers or consumers. The following topics are covered: means to manage reports of vulnerabilities, keeping software updated, securely storing sensitive security parameters, secure communication, and protecting personal data. In general, it is concluded that the ESP32 microcontroller meets the cybersecurity standards for the Internet of Things, and that the ESP32 cybersecurity level should be considered quite high for producing a regular household IoT system. The only non-compliance with the European standard ETSI EN 303 645 concerns vulnerability reporting controls, as the ESP32 manufacturer does not publish its vulnerability disclosure policy. On the other hand, the NIST database includes descriptions of some recorded ESP32 vulnerabilities. The microcontroller manufacturer manages these vulnerabilities through its usual procedure, which is completed by the release of a new version of the software. Thus, the real cybersecurity level of a home IoT system based on the ESP32 will depend on how correct the hardware and software design is, and on whether the IoT system is operated in accordance with the cybersecurity standards.

References

Duhinets H.V. Conception of the “Internet of Things” in Global Manufacturing: Experience for Ukraine // Economics and Region, Science Journal. – Issue № 1 (68) – PoltNTU, 2018 – P. 127–133.

IoT Security and Privacy Paradigm / Edited by Souvik Pal, Vicente García Díaz and Dac-Nhuong Le – Boca Raton, FL: Taylor & Francis Group, LLC, 2020. 398p

ETSI EN 303 645 V2.1.1 «Cyber Security for Consumer Internet of Things: Baseline Requirements». Sophia Antipolis, Fr: ETSI, 2020. 34p

NATIONAL VULNERABILITY DATABASE. [Electronic source] / NIST Site, URL: https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Ah%3Aespressif%3Aesp32%3A-%3A*%3A*%3A*%3A*%3A*%3A*%3A*

WiFi Vulnerabilities on ESP32/ESP8266 IoT Devices. [Electronic source], URL: https://www.micro.ai/blog/wifi-vulnerabilities-on-esp32-esp8266-iot-devices

Barybin О.І., Zaitseva Е.Y., Brazhnyi V.V. Testing the Security ESP32 Internet of Things Devices // Cybersecurity: Education, Science, Technique, Electronic professional scientific publication. – Vol. 2 №6 (2019) – Borys Grinchenko Kyiv University, 2019 – P. 71–81.

Published

2024-04-17