Comparative assessment of observable CRA readiness in resource-constrained IoT devices

This publication is subject to copyright regulations. The work may be read and printed for personal use. Use for commercial purposes is prohibited.

Abstract

This thesis examines how the vulnerability handling and lifecycle security obligations of the Cyber Resilience Act (CRA) can be assessed for resource-constrained consumer IoT devices using publicly available information. The aim of the study is to turn selected CRA obligations into observable evaluation criteria and apply them in a comparative case study. The case study focuses on three battery-powered consumer motion sensors sold in Finland. The thesis first examines the topic through a literature review and then derives a CRA-based evaluation framework consisting of five criteria. The empirical part of the study applies these criteria, following comparative case study and document analysis principles, to manufacturer documentation and other publicly available sources. The results show clear variation between the selected devices. One device met most of the criteria, while the other two showed several gaps or insufficient public evidence, especially in relation to verifiable vulnerability handling, update delivery properties, and lifecycle transparency. The thesis concludes that publicly observable CRA readiness among the selected consumer IoT devices remains uneven before the CRA becomes fully applicable. Manufacturers should improve the consistency and traceability of public security documentation, especially in vulnerability handling, update practices, and support period communication.
