US To Launch 'Labeling' Rating Program For Internet-Connected Devices In 2023 (techcrunch.com) 36
The Biden administration said it will launch a cybersecurity labeling program for consumer Internet of Things devices starting in 2023 in an effort to protect Americans from "significant national security risks." TechCrunch reports: Inspired by Energy Star, a labeling program operated by Environmental Protection Agency and the Department of Energy to promote energy efficiency, the White House is planning to roll out a similar IoT labeling program to the "highest-risk" devices starting next year, a senior Biden administration official said on Wednesday following a National Security Council meeting with consumer product associations and device manufacturers. Attendees at the meeting included White House cyber official Anne Neuberger, FCC chairwoman Jessica Rosenworcel, National Cyber Director Chris Inglis and Sen. Angus King, alongside leaders from Google, Amazon, Samsung, Sony and others.
The initiative, described by White House officials as "Energy Star for cyber," will help Americans to recognize whether devices meet a set of basic cybersecurity standards devised by the National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC). Though specifics of the program have not yet been confirmed, the administration said it will "keep things simple." The labels, which will be "globally recognized" and debut on devices such as routers and home cameras, will take the form of a "barcode" that users can scan using their smartphone rather than a static paper label, the administration official said. The scanned barcode will link to information based on standards, such as software updating policies, data encryption and vulnerability remediation.
The initiative, described by White House officials as "Energy Star for cyber," will help Americans to recognize whether devices meet a set of basic cybersecurity standards devised by the National Institute of Standards and Technology (NIST) and the Federal Trade Commission (FTC). Though specifics of the program have not yet been confirmed, the administration said it will "keep things simple." The labels, which will be "globally recognized" and debut on devices such as routers and home cameras, will take the form of a "barcode" that users can scan using their smartphone rather than a static paper label, the administration official said. The scanned barcode will link to information based on standards, such as software updating policies, data encryption and vulnerability remediation.
yea I am not scanning (Score:4, Informative)
Scanning random crap with your phone taking you to a seemingly harmless link is the first step of causing a entry point, besides its not 2009, does anyone actually do that now?
cant we come up with some number ranking system with a short text link if you want to know more? Seems like most Joe 6 pack morons will understand 3 out of 10 in security when buying a product, and no one will ever look at it again until it needs replacing.
Re: yea I am not scanning (Score:2)
Depends how they do it. Like say if it just contained an identifier that you can simply append to say https://consumer.nist.gov/ [nist.gov] (for example) that would work. The code could simply come with a marker to indicate what it's for, and the camera apps included with smart phones recognize that marker, prepend the base URL, and then send it to the default browser.
Re: Wait for the lobbyists (Score:4, Insightful)
In this case the lobbying for this might just be the bigger players in this case, Amazon,Apple,Google etc as a way to keep the rival Chinese upstarts at bay. Anything from even big names like Xioami, Huawei and such will probably be flagged a bit risky no matter what due to CCP.
Re: yea I am not scanning (Score:2)
Everything under the sun has an energy star label. It isnâ(TM)t required to be accurate, you just print the label in China.
Re: (Score:2)
Yeah, I see this as doomed to failure. IMHO, the only reason Energy Star has any traction at all is because it boils the data down to a single number, and that number has a dollar sign in front of it. What's the annual operating cost? People just aren't going to care about anything more nuanced.
A single security score without a dollar amount attached might be used by the average consumer. But as soon as they have to weigh the pros and cons of multiple factors, it's game over. Cheapest wins.
Hot take: (Score:5, Insightful)
IoT plus IPv6 is a looming disaster.
Why IPv6? Because many (most?) of these devices will have their own routable IP address. Maybe some will be behind a stateful firewall, which will limit the possible damage, but we all know the first suggestion given when debugging some troublesome device or program: "turn off your firewall".
I know there is hatred in some quarters for NAT routers, but don't stateful firewalls break the same things NAT routers break?
Re: Hot take: (Score:1)
Honest network question, but if I put an IPv6 device with a routable unique IP statically assigned on a normal NAT home network will the firewall just let it act like its on the open net? Is it all about configuration?
I feel like even on a full IPv6 switchover most every home and business would still isa NAT, it feels like a compromise that ended up with more benefits than the intended protocol use case.
Re: (Score:3)
Honest network question, but if I put an IPv6 device with a routable unique IP statically assigned on a normal NAT home network will the firewall just let it act like its on the open net? Is it all about configuration?
It's not going to statically assigned. IPv6 NAT is possible (with or without private IPv6 addresses: fc00::/7), but so is autoconfiguration.
Re: (Score:2)
It depends on the router. On AVM routers, by default no incoming connections are allowed to IPv6 addresses behind the firewall, and you can open ranges to specific devices. On tp-link devices, the firewall always blocks incoming connections to IPv6 addresses behind the firewall, and there's no way to disable it at all. I suspect there are other routers that go the other way and allow incoming connections to IPv6 devices by default.
Re: Hot take: (Score:1)
No one has ever told me to turn off my firewall.
Re: Hot take: (Score:1)
And anyone who "hates" NAT routers doesn't understand routing or NAT.
Re: (Score:3)
The people who hate NAT routers probably understand routing and NAT better than you or me:
https://community.f5.com/t5/te... [f5.com]
Re: (Score:2)
Why IPv6? Because many (most?) of these devices will have their own routable IP address. Maybe some will be behind a stateful firewall, which will limit the possible damage, but we all know the first suggestion given when debugging some troublesome device or program: "turn off your firewall".
Both SPIs and NATs enforce the exact same policy. Saying that "firewall" is one but not the other seems to be more of a word game than an argument.
I know there is hatred in some quarters for NAT routers, but don't stateful firewalls break the same things NAT routers break?
1:m NATs cause breakage and are dangerous due to exploitable assumptions made by ALGs, unnecessary packet mangling codes and lack of correspondence between port and port range.
With an SPI it is trivial and predictable to prime state for direct connectivity between peers, with NATs the same can require unreliable statistical brute force methods or be impossible.
Average Consumer (Score:5, Insightful)
Things the Average Consumer doesn't think one thing about.
"What's the cheap one? No, this is for my fridge."
--
Sometimes the first duty of intelligent men is the restatement of the obvious. - George Orwell
Re: (Score:2)
It depends what is on the label.
Take the EU's efficiency labelling system as an example. It makes it very easy for consumers to compare devices. If one device comes with 1 year of security updates and another comes with 5 years, that's a pretty clear differentiation that can generate extra sales.
Before the EU labels the manufacturers would make all kinds of BS claims. Once they came in it was much harder to hide the product's true performance. For example, customers quickly noticed that the vacuum cleaners
Re: (Score:2)
Yeah, it reminds me of the late 90s and early 2000s when vacuum cleaner shopping. All of them said stuff like "10A Motor!" or "13A!".
I couldn't figure out why - there is no relation betwe
Re: (Score:2)
The high power ones mostly just waste energy creating noise and heat. In Japan most vacuum cleaners are 300-400W, and they clean really well. They developed the brush bar long before Western brands it seems.
That said our love of carpets doesn't do us any favours.
The problem is the people, not the device. (Score:3)
Security rating is a decent start. (Score:5, Insightful)
A security-related label is good, I suppose, since this has been a pretty big security headache for years, and it's not really improving.
But while we're at it, let's also require a mandatory warning label for any IoT device which requires a live server to operate that states something about how these devices will quit functioning if the company selling them decides to stop maintaining their servers for any reason, and at any time.
Accuracy Problem (Score:2)
A security-related label is good, I suppose
Only if it is accurate. The problem is going to be that someone will release a secure device and it's only later that a security flaw/bug that needs patching is discovered. So how are you going to update the rating for all the devices already sold? This might help with some devices that leave the factory flawed but for everything else, the labelling may well give a false sense of security.
Re: (Score:2)
Well, similar to how there's no absolute guarantee that a UL labeled device won't catch fire, there's similarly no absolute guarantee about security. It just means that a company followed best practices in the device design to minimize the chances of this occurring.
I'd hope this initiative takes into account industry best practices for security. Like, can the firmware be updated if a flaw is found? Can it be done automatically (because typical users will never do this)? Are any required passwords unique
It will be just as useless (Score:1)
Not as strong as the CRA? (Score:2)
Europe introduced a law last month intended to require things like firmware updates for connected consumer devices. Seems like a more robust approach than just requiring labeling.
https://www.euractiv.com/secti... [euractiv.com]
In case you forgot these people are idiots, (Score:2)
Really. "For cyber". And we are to believe that these are the people who will devise a meaningful security rating system? I find it hard to believe that they even know what they're talking about, let alone be capable of accomplishing this already-dubious goal.
Another marketing scam (Score:2)
This will turn out into another marketing scam, if it wasn't designed that way originally, that is. Or possibly a way to earn some extra money certifying as secure?
They will "keep it simple" they said. Which means that for most devices that are connected to the internet, they *still* won't be secure but they will have a new shiny sticker on it.
No Thanks ... (Score:1)
I will stick with assuming, until proven otherwise, that every network connected hunk of sh*t is exactly that, an insecure hunk of sh*t.
I will not be checking malicious bar codes, thank-you very much.
Go shove yourself where the sun does not shine, you bunch of totally useless dickwads.
How about mandatory secuity updates? (Score:2)
To, as a columnist wrote a couple years ago, the Internet of Gratuitously-Connected Insecure Things. (pronounced I-djit).
help me please (Score:1)
Rating vs ratting (Score:2)
I initially read the title as using labeling to assign fingerprints to devices so they can "rat" people out to the government for undesirable behavior. I guess I'm so used to the push to decrease privacy, that's where my mind's first thought lies.
These four aspects (Score:1)