
JC-STAR Compliance Checklist for Manufacturers: Turn Star 1/2 Classifications into Implementable Security Measures

Editor: ESTL   Category: Certification information   Release time: 2026-01-21

Once you have worked out your product's JC-STAR grade, the next question is: "Which exact security requirements do I need to meet?" Knowing whether you fall under Star 1 or Star 2 is not enough; what manufacturers really struggle with is translating JC-STAR's requirement list into actionable steps.

This guide breaks down JC-STAR’s security mandates into practical, implementable measures for manufacturers.


I. What Constitutes the JC-STAR Security Framework?

The framework consists of four core pillars:

  1. Device Security
  2. Communication Security
  3. Cloud/Backend Security
  4. App/User Security

Key Takeaway for Manufacturers: JC-STAR is not just a hardware test; it audits the entire chain (device, communication, cloud and app) together.


II. Device Security – Baseline Requirements for Hardware & Firmware

Below are the key requirements broken down per official JC-STAR guidelines:

1. Firmware Integrity Protection

  • Implement firmware signing
  • Deploy anti-rollback mechanisms
  • Ensure OTA updates have security protection

2. Secure Boot

  • Conduct Bootloader verification
  • Secure key storage locations (avoid vulnerable storage)

3. Local Storage Security

  • No plaintext storage of private keys
  • Encrypt sensitive parameters
  • Assign unique Device ID/CCK (Cloud Connection Key) for each device

4. Debug & Interface Management

  • Prohibit factory-default open UART/Telnet ports
  • Ban default root passwords
  • Disable debug ports before production delivery

III. Communication Security – Stricter Rules for Multi-Network Products

Core Requirements

  1. Encrypted Communication

    • TLS 1.2+ is mandatory
    • Define handling protocols for self-signed certificates
    • Mandate TLS encryption for MQTT connections
  2. Identity Authentication

    • Device-to-Cloud: Use certificates or secure tokens for authentication
    • App-to-Cloud: Adopt OAuth or JWT standards
    • App-to-Device: Eliminate weak passwords entirely
  3. Replay Attack Protection

    • Deploy Nonce/Timestamp verification
    • Implement regular session key rotation

Manufacturer Warning: This section is the most common source of non-compliance. Ensure end-to-end encryption and strict authentication for all communication links.
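The nonce/timestamp verification from item 3 above, written out as an added example (not ESTL's or JC-STAR's code). It assumes a constructed message format with a per-device HMAC key standing in for the device's cloud connection key, and shows the order of checks a cloud endpoint needs: authenticate first, then reject stale timestamps, then reject reused nonces.

```python
"""Replay-attack protection for device-to-cloud messages (Section III.3).
Added example, not ESTL's or JC-STAR's own code. Constructed message format:
{"device_id", "ts", "nonce", "payload", "mac"}; "mac" is HMAC-SHA256 over the
other fields under a per-device key (the CCK from Section II)."""
import hashlib, hmac, json, secrets

MAX_SKEW_SECONDS = 60                      # accept ts within +/-60 s of cloud time
NONCE_TTL_SECONDS = 2 * MAX_SKEW_SECONDS   # beyond this the ts check rejects anyway
FIELDS = ("device_id", "ts", "nonce", "payload")


def _canonical(msg: dict) -> bytes:
    # Deterministic serialization of every field except the MAC itself.
    body = {k: msg[k] for k in FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(device_key: bytes, device_id: str, payload: dict, now: float) -> dict:
    """Device side: fresh random nonce plus current timestamp, then MAC everything."""
    msg = {"device_id": device_id, "ts": int(now),
           "nonce": secrets.token_hex(16), "payload": payload}
    msg["mac"] = hmac.new(device_key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class ReplayGuard:
    """Cloud side: authenticate, then enforce the time window and one-time nonces."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys   # device_id -> per-device key
        self.seen = {}                   # (device_id, nonce) -> expiry time

    def verify(self, msg: dict, now: float) -> tuple:
        """Returns (accepted, reason). Nothing is recorded before the MAC checks out,
        so forged messages cannot fill the nonce cache."""
        if not all(k in msg for k in FIELDS) or "mac" not in msg:
            return False, "malformed"
        key = self.device_keys.get(msg["device_id"])
        if key is None:
            return False, "unknown-device"
        expected = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg["mac"])):
            return False, "bad-mac"
        if abs(now - msg["ts"]) > MAX_SKEW_SECONDS:
            return False, "stale-timestamp"
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}  # drop expired nonces
        nonce_key = (msg["device_id"], msg["nonce"])
        if nonce_key in self.seen:
            return False, "replayed-nonce"
        self.seen[nonce_key] = now + NONCE_TTL_SECONDS
        return True, "ok"
```

Session key rotation (the other half of item 3) is not shown; in a real deployment the per-device key handed to ReplayGuard would be replaced on a schedule rather than fixed for the device's lifetime.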


IV. Cloud/Backend Security – The Most Overlooked Yet High-Risk Area

Requirements are minimal for Star 1 but rigorous for Star 2. Key focus areas:

  1. Cloud Interface Authentication

    • Eliminate unauthenticated open APIs
    • Avoid relying on hidden URLs as a security measure
  2. Logging & Auditing

    • Record critical events:
      • Failed login attempts
      • Administrator operations
      • Key configuration changes
  3. Data Minimization & Sensitive Field Protection

    • Desensitize sensitive data (e.g., mask phone numbers)
    • Never upload private keys to the cloud
    • Establish a complete user data lifecycle management system
  4. Permission Isolation

    • Avoid overprivileged admin accounts for operation & maintenance (O&M) backends
    • Strictly separate test and production environments

V. App & User Security – App Vulnerabilities Can Force Full Retesting

Critical Requirements

  1. User Enumeration Prevention

    • Use uniform error messages for login/account verification failures
  2. Login Security

    • Implement rate limiting
    • Deploy brute force attack protection
    • Secure verification code transmission and validation
    • Set reasonable token expiration timelines
  3. Privacy Permission Minimization

    • Request only necessary permissions (Bluetooth, location, etc.)
    • Restrict background location tracking (especially for connected vehicle products)
  4. Local Data Protection

    • Encrypt app-side cached data
    • No plaintext token storage
    • Avoid logging user credentials
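Items 1, 2 and 4 above in one login handler, as an added example (not ESTL's or JC-STAR's code). The user store and credentials are constructed; the point is that the same error text is returned for an unknown account and a wrong password, that the per-account lockout applies to unknown usernames too, and that the audit log records outcomes only.

```python
"""Login hardening for JC-STAR Section V: uniform error messages, per-account
rate limiting and an audit log that never contains credentials. Added example,
not ESTL's or JC-STAR's own code; the user store is constructed."""
import hashlib, hmac, os
from collections import defaultdict

MAX_FAILURES = 5             # failed attempts allowed inside one lockout window
LOCKOUT_SECONDS = 300
GENERIC_ERROR = "Invalid username or password."          # same text for unknown user and wrong password
LOCKOUT_MESSAGE = "Too many attempts, try again later."  # applied to unknown usernames as well
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-SHA256; the app stores (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    def __init__(self, users: dict):
        self.users = users                  # username -> (salt, digest)
        self.failures = defaultdict(list)   # username -> timestamps of recent failures
        self.audit_log = []                 # (event, username, time) tuples only
        # Dummy credential so unknown usernames take as long to check as real ones.
        self._dummy = hash_password(os.urandom(8).hex())

    def _recent_failures(self, username: str, now: float) -> int:
        self.failures[username] = [t for t in self.failures[username]
                                   if now - t < LOCKOUT_SECONDS]
        return len(self.failures[username])

    def login(self, username: str, password: str, now: float) -> tuple:
        """Returns (success, message); the message never reveals whether the account exists."""
        if self._recent_failures(username, now) >= MAX_FAILURES:
            self.audit_log.append(("rate-limited", username, int(now)))
            return False, LOCKOUT_MESSAGE
        salt, digest = self.users.get(username, self._dummy)
        _, candidate = hash_password(password, salt)
        # Constant-time comparison; the membership check rules out a match against the dummy.
        if hmac.compare_digest(candidate, digest) and username in self.users:
            self.failures[username].clear()
            self.audit_log.append(("login-ok", username, int(now)))
            return True, "ok"
        self.failures[username].append(now)
        self.audit_log.append(("login-failed", username, int(now)))   # outcome only, no password
        return False, GENERIC_ERROR
```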

VI. 4-Week JC-STAR Compliance Roadmap for Manufacturers

Week 1 – Initiation

  1. Confirm product type and corresponding JC-STAR grade
  2. Collect existing architecture documents
  3. Conduct internal self-audit (use a structured checklist)

Week 2 – Remediation Design

  1. Identify vulnerabilities (weak passwords, missing TLS encryption, default credentials)
  2. Finalize OTA and key storage solutions
  3. Upgrade cloud authentication protocols

Week 3 – R&D Integration & Testing

  1. Deploy device-to-cloud certificate authentication
  2. Fix app login security flaws
  3. Disable all debug ports
  4. Enable TLS for MQTT connections

Week 4 – Pre-Testing & Documentation

  1. Generate test reports
  2. Compile security design documents
  3. Prepare API permission specifications
  4. Document OTA signing mechanism

JC-STAR may seem complex, but its core logic is simple: get basic security right and ensure no weak links in the full chain. Early preparation not only guarantees smooth certification but also genuinely elevates your product’s security posture.
