At the National Assembly's Science, ICT, Broadcasting, and Communications Committee audit on the 21st, security gaps in Internet of Things (IoT) devices such as robot vacuums came under scrutiny. Critics said IoT security certification is voluntary rather than mandatory, undermining its effectiveness.
Rep. Lee Jeong-heon (Democratic Party of Korea) cited a Chinese-made robot vacuum used at home during questioning on the 21st, noting, "A device equipped with a camera, microphone, and Bluetooth collects and transmits data from inside the home. There is also a possibility that a hacker could remotely control the camera." Lee said, "The Chinese company (Roborock) states on its website's privacy policy that it collects and processes personal information in China and may retain it for a long period if for public-interest or research purposes," pressing, "What use is the government's IoT security certification in such a situation?"
Citing the Korea Internet & Security Agency (KISA)'s IoT security certification operations, Lee said, "There are some 3,000 related companies in Korea and the market size reaches 25 trillion won, but only 13 corporations applied for security certification in the first half of this year." Last year there were only 33 applications, and "not a single overseas company exporting to Korea obtained certification," Lee said. As for products that obtained the highest-level "Standard" certification, he added, "There were only four Samsung Electronics products (two robot vacuums and two refrigerators)." He argued that the cost of certification (a minimum of 6 million won to a maximum of 20 million won), the time burden and, above all, the fact that the system is voluntary rather than mandatory are blocking wider adoption.
In response, KISA President Lee Sang-jung acknowledged, "The current system is voluntary certification," while showing caution about making it mandatory, saying, "There are concerns about trade frictions."
Lee pressed, "Overseas corporations simply ignore it, and domestic corporations also turn away, saying 'others aren't doing it either.' Don't use a toothless system merely as a talking point." Overseas trends were also compared. Citing the U.S. cybersecurity labeling program, Europe's first labeling system in Finland, and rating and labeling certification cases in Germany and Singapore, Lee urged, "We need to introduce a system that clearly shows consumers the security level at a glance and works in the market."