Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Government Security The Internet United States

US To Launch 'Labeling' Rating Program For Internet-Connected Devices In 2023 (techcrunch.com) 36

The Biden administration said it will launch a cybersecurity labeling program for consumer Internet of Things devices starting in 2023 in an effort to protect Americans from "significant national security risks." TechCrunch reports: Inspired by Energy Star, a labeling program operated by Environmental Protection Agency and the Department of Energy to promote energy efficiency, the White House is planning to roll out a similar IoT labeling program to the "highest-risk" devices starting next year, a senior Biden administration official said on Wednesday following a National Security Council meeting with consumer product associations and device manufacturers. Attendees at the meeting included White House cyber official Anne Neuberger, FCC chairwoman Jessica Rosenworcel, National Cyber Director Chris Inglis and Sen. Angus King, alongside leaders from Google, Amazon, Samsung, Sony and others.

The initiative, described by White House officials as "Energy Star for cyber," will help Americans to recognize whether devices meet a set of basic cybersecurity standards devised by the National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC). Though specifics of the program have not yet been confirmed, the administration said it will "keep things simple." The labels, which will be "globally recognized" and debut on devices such as routers and home cameras, will take the form of a "barcode" that users can scan using their smartphone rather than a static paper label, the administration official said. The scanned barcode will link to information based on standards, such as software updating policies, data encryption and vulnerability remediation.

This discussion has been archived. No new comments can be posted.

US To Launch 'Labeling' Rating Program For Internet-Connected Devices In 2023

Comments Filter:
  • by Osgeld ( 1900440 ) on Thursday October 20, 2022 @07:51PM (#62984443)

    Scanning random crap with your phone taking you to a seemingly harmless link is the first step of causing a entry point, besides its not 2009, does anyone actually do that now?

    cant we come up with some number ranking system with a short text link if you want to know more? Seems like most Joe 6 pack morons will understand 3 out of 10 in security when buying a product, and no one will ever look at it again until it needs replacing.

    • Depends how they do it. Like say if it just contained an identifier that you can simply append to say https://consumer.nist.gov/ [nist.gov] (for example) that would work. The code could simply come with a marker to indicate what it's for, and the camera apps included with smart phones recognize that marker, prepend the base URL, and then send it to the default browser.

    • Everything under the sun has an energy star label. It isnâ(TM)t required to be accurate, you just print the label in China.

    • Yeah, I see this as doomed to failure. IMHO, the only reason Energy Star has any traction at all is because it boils the data down to a single number, and that number has a dollar sign in front of it. What's the annual operating cost? People just aren't going to care about anything more nuanced.

      A single security score without a dollar amount attached might be used by the average consumer. But as soon as they have to weigh the pros and cons of multiple factors, it's game over. Cheapest wins.

  • Hot take: (Score:5, Insightful)

    by whoever57 ( 658626 ) on Thursday October 20, 2022 @08:12PM (#62984479) Journal

    IoT plus IPv6 is a looming disaster.

    Why IPv6? Because many (most?) of these devices will have their own routable IP address. Maybe some will be behind a stateful firewall, which will limit the possible damage, but we all know the first suggestion given when debugging some troublesome device or program: "turn off your firewall".

    I know there is hatred in some quarters for NAT routers, but don't stateful firewalls break the same things NAT routers break?

    • Honest network question, but if I put an IPv6 device with a routable unique IP statically assigned on a normal NAT home network will the firewall just let it act like its on the open net? Is it all about configuration?

      I feel like even on a full IPv6 switchover most every home and business would still isa NAT, it feels like a compromise that ended up with more benefits than the intended protocol use case.

      • Honest network question, but if I put an IPv6 device with a routable unique IP statically assigned on a normal NAT home network will the firewall just let it act like its on the open net? Is it all about configuration?

        It's not going to statically assigned. IPv6 NAT is possible (with or without private IPv6 addresses: fc00::/7), but so is autoconfiguration.

      • by _merlin ( 160982 )

        It depends on the router. On AVM routers, by default no incoming connections are allowed to IPv6 addresses behind the firewall, and you can open ranges to specific devices. On tp-link devices, the firewall always blocks incoming connections to IPv6 addresses behind the firewall, and there's no way to disable it at all. I suspect there are other routers that go the other way and allow incoming connections to IPv6 devices by default.

    • No one has ever told me to turn off my firewall.

    • And anyone who "hates" NAT routers doesn't understand routing or NAT.

    • Why IPv6? Because many (most?) of these devices will have their own routable IP address. Maybe some will be behind a stateful firewall, which will limit the possible damage, but we all know the first suggestion given when debugging some troublesome device or program: "turn off your firewall".

      Both SPIs and NATs enforce the exact same policy. Saying that "firewall" is one but not the other seems to be more of a word game than an argument.

      I know there is hatred in some quarters for NAT routers, but don't stateful firewalls break the same things NAT routers break?

      1:m NATs cause breakage and are dangerous due to exploitable assumptions made by ALGs, unnecessary packet mangling codes and lack of correspondence between port and port range.

      With an SPI it is trivial and predictable to prime state for direct connectivity between peers, with NATs the same can require unreliable statistical brute force methods or be impossible.

  • Average Consumer (Score:5, Insightful)

    by Arzaboa ( 2804779 ) on Thursday October 20, 2022 @08:15PM (#62984487)

    Things the Average Consumer doesn't think one thing about.

    "What's the cheap one? No, this is for my fridge."

    --
    Sometimes the first duty of intelligent men is the restatement of the obvious. - George Orwell

    • by AmiMoJo ( 196126 )

      It depends what is on the label.

      Take the EU's efficiency labelling system as an example. It makes it very easy for consumers to compare devices. If one device comes with 1 year of security updates and another comes with 5 years, that's a pretty clear differentiation that can generate extra sales.

      Before the EU labels the manufacturers would make all kinds of BS claims. Once they came in it was much harder to hide the product's true performance. For example, customers quickly noticed that the vacuum cleaners

      • by tlhIngan ( 30335 )

        Before the EU labels the manufacturers would make all kinds of BS claims. Once they came in it was much harder to hide the product's true performance. For example, customers quickly noticed that the vacuum cleaners with "3000W ultra suction" on the box usually performed worse than the lower power but better designed models.

        Yeah, it reminds me of the late 90s and early 2000s when vacuum cleaner shopping. All of them said stuff like "10A Motor!" or "13A!".

        I couldn't figure out why - there is no relation betwe

        • by AmiMoJo ( 196126 )

          The high power ones mostly just waste energy creating noise and heat. In Japan most vacuum cleaners are 300-400W, and they clean really well. They developed the brush bar long before Western brands it seems.

          That said our love of carpets doesn't do us any favours.

  • by Frobnicator ( 565869 ) on Thursday October 20, 2022 @08:17PM (#62984493) Journal
    People who know and care about the security already know EVERYTHING is a vulnerability. People who put the box behind the desk and forget about it will not be any safer with a barcode that is never scanned, they already have firmwares that are never updated. This maybe makes it easier for security minded people to figure out where to get an update (if it exists) but will likely do nothing for actual security.
  • by Dutch Gun ( 899105 ) on Thursday October 20, 2022 @08:21PM (#62984499)

    A security-related label is good, I suppose, since this has been a pretty big security headache for years, and it's not really improving.

    But while we're at it, let's also require a mandatory warning label for any IoT device which requires a live server to operate that states something about how these devices will quit functioning if the company selling them decides to stop maintaining their servers for any reason, and at any time.

    • A security-related label is good, I suppose

      Only if it is accurate. The problem is going to be that someone will release a secure device and it's only later that a security flaw/bug that needs patching is discovered. So how are you going to update the rating for all the devices already sold? This might help with some devices that leave the factory flawed but for everything else, the labelling may well give a false sense of security.

      • Well, similar to how there's no absolute guarantee that a UL labeled device won't catch fire, there's similarly no absolute guarantee about security. It just means that a company followed best practices in the device design to minimize the chances of this occurring.

        I'd hope this initiative takes into account industry best practices for security. Like, can the firmware be updated if a flaw is found? Can it be done automatically (because typical users will never do this)? Are any required passwords unique

  • by Anonymous Coward
    ENERGY STAR labels are endorsement labels. Products don't undergo any testing to earn their ENERGY STAR labels, the manufacturers self-report the numbers to the EPA and then pay proportionally more for the right to apply higher star rating labels to their kit.
  • Europe introduced a law last month intended to require things like firmware updates for connected consumer devices. Seems like a more robust approach than just requiring labeling.

    https://www.euractiv.com/secti... [euractiv.com]

  • ...described by White House officials as "Energy Star for cyber".

    Really. "For cyber". And we are to believe that these are the people who will devise a meaningful security rating system? I find it hard to believe that they even know what they're talking about, let alone be capable of accomplishing this already-dubious goal.

  • This will turn out into another marketing scam, if it wasn't designed that way originally, that is. Or possibly a way to earn some extra money certifying as secure?

    They will "keep it simple" they said. Which means that for most devices that are connected to the internet, they *still* won't be secure but they will have a new shiny sticker on it.

  • I will stick with assuming, until proven otherwise, that every network connected hunk of sh*t is exactly that, an insecure hunk of sh*t.

    I will not be checking malicious bar codes, thank-you very much.

    Go shove yourself where the sun does not shine, you bunch of totally useless dickwads.

  • To, as a columnist wrote a couple years ago, the Internet of Gratuitously-Connected Insecure Things. (pronounced I-djit).

  • Hi, could you clearly show me how to do it correctly on a video example, I think I will make a bunch of mistakes without learning. For example, you can capture your screen using this site [movavi.com] and upload the video to YouTube or vimeo without any problems
  • I initially read the title as using labeling to assign fingerprints to devices so they can "rat" people out to the government for undesirable behavior. I guess I'm so used to the push to decrease privacy, that's where my mind's first thought lies.

  • These four aspects were defining for me. But after I placed an order and got my paper done, it turned out that this company has many more benefits to brag about. Skilled writers, fast turnaround time, and excellent quality of writing are the main benefits you'll notice after your very first cooperation with buy thesis online [bestcustomwriting.com].

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...