

JC-STAR Security Requirements: Practical Implementation Checklist for Manufacturers

Editor: ESTL   Category: Certification information   Release time: 2026-04-17   Click volume: 5

Now you understand the STAR levels. But what do you actually need to do? Knowing that you are targeting STAR‑1 or STAR‑2 is not enough. The real pain point is: which security requirements must I actually meet?

Below we translate the official JC‑STAR requirement list into actionable, implementable steps for manufacturers.


I. What is the JC‑STAR Security Framework?

It consists of four pillars:

  • Device Security
  • Communication Security
  • Cloud / Backend Security
  • App / User Security

Key takeaway: JC‑STAR does NOT test only your hardware. It assesses the entire chain: device, communication, cloud and app. A weakness in any one link counts against the whole product.


II. Device Security – Baseline for Hardware & Firmware

Broken down into official, focused clauses:

1. Firmware Integrity Protection

  • Firmware must be digitally signed
  • Anti-rollback (downgrade attack) protection required
  • OTA updates must be secured

2. Secure Boot

  • Bootloader signature verification
  • Secure key storage location
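
The two clauses above (signed firmware, anti-rollback, bootloader verification) reduce to a short sequence of checks that the bootloader or OTA agent must run in the right order. The example below is added here and is not ESTL's or the JC‑STAR scheme's own code; the image layout, the header fields and the demo key are assumptions made for the example. It uses an HMAC tag so that it runs with only the Python standard library; a real bootloader would verify an asymmetric signature (ECDSA or Ed25519) against a public key held in ROM or OTP, so that a key extracted from one device cannot sign images. The order and set of checks are the same either way: authenticate the whole image before trusting any header field, then enforce a strictly increasing version.

```python
"""Signed firmware image check with anti-rollback (added example).

Assumed image layout (invented for this example, not a JC-STAR format):

    magic(4) | version(uint32 BE) | payload_len(uint32 BE) | payload | tag(32)

The tag covers everything before it, so the version field cannot be bumped
without re-signing. HMAC-SHA256 stands in for the asymmetric signature a real
bootloader would check.
"""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII")          # magic, version, payload_len
TAG_LEN = hashlib.sha256().digest_size   # 32 bytes

# Constructed demo key. A real device holds a public key, never a shared secret.
SIGNING_KEY = bytes(range(32))


def build_image(version: int, payload: bytes, key: bytes = SIGNING_KEY,
                declared_len=None) -> bytes:
    """Produce a signed image. `declared_len` exists only to build negative
    test vectors with a wrong length field; leave it None normally."""
    length = len(payload) if declared_len is None else declared_len
    signed = HEADER.pack(MAGIC, version, length) + payload
    return signed + hmac.new(key, signed, hashlib.sha256).digest()


def verify_image(image: bytes, installed_version: int, key: bytes = SIGNING_KEY):
    """Return (accepted, reason). Nothing in the header is trusted before the
    tag over header+payload has been verified, and the version must be
    strictly greater than the one already installed (anti-rollback)."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "too short"
    signed, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # constant-time comparison
        return False, "bad signature"
    magic, version, payload_len = HEADER.unpack_from(signed)
    if magic != MAGIC:
        return False, "bad magic"
    if payload_len != len(signed) - HEADER.size:    # no missing or trailing bytes
        return False, "length mismatch"
    if version <= installed_version:
        return False, f"rollback: image version {version} <= installed {installed_version}"
    return True, "accepted"


def rollback_counter_after(image: bytes, installed_version: int,
                           key: bytes = SIGNING_KEY) -> int:
    """The monotonic counter a bootloader persists (e.g. in OTP fuses or RPMB)
    after a successful update. It only ever moves forward."""
    ok, _ = verify_image(image, installed_version, key)
    if not ok:
        return installed_version
    return HEADER.unpack_from(image)[1]
```

Two details are worth copying into a real implementation: the version field sits inside the signed region, so the "bump the version number" attack fails with a signature error rather than being caught later by luck, and the rollback check compares with `<=`, so re-flashing the currently installed image is refused as well as downgrading.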

3. Local Storage Security

  • Private keys must NOT be stored in plaintext
  • Sensitive parameters must be encrypted
  • Unique device identifier (Device ID / CCK) required

4. Debug & Interface Management

  • UART / Telnet ports must NOT be open by default
  • Default root passwords are strictly prohibited
  • Debug ports must be disabled in mass production

III. Communication Security – The more connected, the stricter the test

Core requirements:

1. Encrypted Communication

  • TLS 1.2 or higher is mandatory
  • Self-signed certificates must be properly managed
  • MQTT communications must use TLS

2. Identity Authentication

  • Device → Cloud: certificate-based or token-based auth
  • App → Cloud: OAuth / JWT
  • App → Device: no weak passwords allowed
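
The encrypted-communication and device-to-cloud authentication items above come down to how the device's TLS client is configured. The example below is added here and is not ESTL's or the JC‑STAR scheme's own code; it uses only the Python standard library `ssl` module, and the file paths for the CA, device certificate and key are placeholders. It shows the configuration that prototypes often ship with next to the hardened one (TLS 1.2 minimum, server certificate required and hostname checked, per-device client certificate for mutual TLS), plus a small audit function that reports which of those properties a context lacks.

```python
"""Device-side TLS context for MQTT over TLS with mutual authentication
(added example). Paths are placeholders; nothing is loaded unless given."""
import ssl


def weak_context() -> ssl.SSLContext:
    """What many prototypes ship with. Shown only for contrast; never use it.
    CERT_NONE accepts any server certificate, so a man-in-the-middle on the
    local network can impersonate the broker and read every message."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                 # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # old protocol versions allowed
    return ctx


def device_tls_context(ca_file=None, cert_file=None, key_file=None) -> ssl.SSLContext:
    """Hardened client context for the device -> broker connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # TLS 1.2 or higher only
    ctx.verify_mode = ssl.CERT_REQUIRED               # broker must present a valid cert
    ctx.check_hostname = True                         # ... for the hostname we dial
    if ca_file:
        # Trust only the product's own CA, not the whole system store; this is
        # how a private (self-signed) CA is handled without disabling checks.
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        # Per-device certificate and key: the device authenticates itself with
        # a credential instead of a fixed password.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise against a client context."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("check_hostname is off")
    return findings
```

With the paho-mqtt client the hardened context is handed over with `client.tls_set_context(device_tls_context("ca.pem", "device.crt", "device.key"))` before `client.connect(broker_host, 8883)`; the same three properties are what to look for when reviewing any other MQTT library's TLS options.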

3. Replay Attack Protection

  • Use nonce / timestamp mechanisms
  • Session key rotation required

Honest reminders for manufacturers:

  • This is where most companies fail.
  • Don’t use plaintext MQTT just to save development time.
  • Don’t rely on fixed passwords for device authentication.
  • Self-signed certificates will be flagged in review.

IV. Cloud Security – Most overlooked, easiest to lose points

STAR‑1 has minimal cloud requirements, but STAR‑2 is very strict.

Key items:

1. Cloud Interface Authentication

  • No unauthenticated open APIs
  • Security by “hiding URLs” is NOT acceptable

2. Logging & Auditing

  • Log login failures
  • Log administrator operations
  • Log critical configuration changes

3. Data Minimization & Sensitive Field Protection

  • Phone numbers must be masked
  • Encryption keys must never be uploaded to the cloud
  • User data lifecycle management required

4. Permission Isolation

  • No “all-access super admin” for operation consoles
  • Clear separation between test and production environments

V. App & User Security – A weak app can force a full retest

1. No User Enumeration

  • Return the same error message whether the username or the password is wrong, so that an attacker cannot learn which accounts exist

2. Login Security

  • Rate limiting
  • Anti-brute-force protection
  • Secure CAPTCHA
  • Token expiration
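
The no-enumeration and login-security items above are usually implemented in the same place, the login handler, and the example below shows them together. It is added here and is not ESTL's or the JC‑STAR scheme's own code; the user table, the hashing parameters and the limits are illustrative. The handler returns one generic error for unknown users and wrong passwords, does the same amount of password-hashing work in both cases so that response time does not leak which one occurred, counts failures per account and client address, and writes the audit lines that section IV asks for without ever putting the submitted password in them.

```python
"""Login handler: uniform error, constant-work password check, per-account
failure limit, credential-free audit log (added example)."""
import hashlib
import hmac
import os
import time

PBKDF2_ITER = 100_000          # tune upward for production hardware
MAX_FAILURES = 5               # failures allowed per (user, ip) ...
LOCK_WINDOW_S = 300            # ... within this many seconds
GENERIC_ERROR = "invalid username or password"
RATE_LIMITED = "too many attempts, try again later"


def hash_password(password: str, salt: bytes = None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITER)


# Constructed user table: username -> (salt, hash). No plaintext passwords.
_SALT, _HASH = hash_password("correct horse battery staple")
USERS = {"alice": (_SALT, _HASH)}
# Dummy record so unknown usernames cost the same hashing work as known ones.
_DUMMY_SALT, _DUMMY_HASH = hash_password("dummy-never-matches")


class LoginService:
    def __init__(self, users=USERS, max_failures=MAX_FAILURES, window_s=LOCK_WINDOW_S):
        self.users = users
        self.max = max_failures
        self.window = window_s
        self.failures = {}   # (username, client_ip) -> failure timestamps
        self.audit = []      # log lines; never contain the submitted password

    def _recent_failures(self, key, now):
        recent = [t for t in self.failures.get(key, []) if now - t < self.window]
        self.failures[key] = recent
        return recent

    def login(self, username: str, password: str, client_ip: str, now=None):
        now = time.time() if now is None else now
        name = username.lower()
        key = (name, client_ip)
        # Cheap check first: a locked (user, ip) pair is refused before any hashing,
        # and unknown names accumulate failures too, so the lock-out cannot be used
        # to probe which accounts exist.
        if len(self._recent_failures(key, now)) >= self.max:
            self.audit.append(f"{int(now)} RATE_LIMITED user={name!r} ip={client_ip}")
            return False, RATE_LIMITED
        salt, stored = self.users.get(name, (_DUMMY_SALT, _DUMMY_HASH))
        _, candidate = hash_password(password, salt)        # same work for both paths
        ok = hmac.compare_digest(candidate, stored) and name in self.users
        if not ok:
            self.failures.setdefault(key, []).append(now)
            self.audit.append(f"{int(now)} LOGIN_FAIL user={name!r} ip={client_ip}")
            return False, GENERIC_ERROR                       # same text either way
        self.failures.pop(key, None)
        self.audit.append(f"{int(now)} LOGIN_OK user={name!r} ip={client_ip}")
        return True, "ok"
```

Keying the counter on (account, client address) keeps one noisy client from locking a legitimate user out from elsewhere; an attacker with many addresses is the case the CAPTCHA and a slower global per-account counter are there for, and token expiry limits what a successful guess is worth.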

3. Minimal Privacy Permissions (request only what the product actually needs, and be ready to justify each of these)

  • Bluetooth
  • Location access
  • Background location (especially for IoV/telematics products)

4. Local Data Protection

  • Encrypted app cache
  • No plaintext token storage
  • No user credentials in logs

VI. Practical 4‑Week JC‑STAR Preparation Roadmap

Week 1 – Kick‑off

  • Confirm product type and target STAR level
  • Collect existing architecture documents
  • Conduct self-inspection using a compliance checklist

Week 2 – Rectification Design

  • Fix weak passwords, missing TLS, default credentials
  • Finalize OTA and secure key storage schemes
  • Upgrade cloud authentication logic

Week 3 – R&D Integration & Testing

  • Implement device‑cloud certificate authentication
  • Fix app login security flaws
  • Disable debug ports
  • Enable MQTT TLS

Week 4 – Pre‑assessment & Documentation

  • Prepare internal test reports
  • Organize security design documents
  • Write API permission descriptions
  • Document OTA signing mechanism

JC‑STAR may look complicated, but its core logic is simple: get the basics right, and do not break the security chain at any link. Early preparation helps you pass smoothly and genuinely improves product security.
