
Government Technology

White House Launches 'Cyber Trust' Safety Label For Smart Devices

BleepingComputer's Sergiu Gatlan reports: "Today, the White House announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for internet-connected consumer devices. The Cyber Trust Mark label, which will appear on smart products sold in the United States later this year, will help American consumers determine whether the devices they want to buy are safe to install in their homes. It's designed for consumer smart devices, such as home security cameras, TVs, internet-connected appliances, fitness trackers, climate control systems, and baby monitors, and it signals that the internet-connected device comes with a set of security features approved by NIST.

Vendors will label their products with the Cyber Trust Mark logo if they meet the National Institute of Standards and Technology (NIST) cybersecurity criteria. These criteria include using unique and strong default passwords, software updates, data protection, and incident detection capabilities. Consumers can scan the QR code included next to the Cyber Trust Mark labels for additional security information, such as instructions on changing the default password, steps for securely configuring the device, details on automatic updates (including how to access them if they are not automatic), the product's minimum support period, and a notification if the manufacturer does not offer updates for the device.
"Americans are worried about the rise of criminals remotely hacking into home security systems to unlock doors, or malicious attackers tapping into insecure home cameras to illicitly record conversations," the Biden administration said on Tuesday.

"The White House launched this bipartisan effort to educate American consumers and give them an easy way to assess the cybersecurity of such products, as well as incentivize companies to produce more cybersecure devise [sic], much as EnergyStar labels did for energy efficiency.

  • by PPH ( 736903 ) on Wednesday January 08, 2025 @06:33PM (#65073863)

    .. that Chinese manufacturers have already re-purposed some of the presses they used for making CE labels [hqts.com] to making these.

    • Bingo. They'll duplicate it with no problem.

    • In any case it's kinda worthless because it's only valid between the time it's issued and when the next vuln pops up. So the text on it should say "NIST Certified At One Point Possibly Secure Device".
• Unless support and some form of auto update is in the label specs, of which I know nothing thanks to the inadequate summary.

        • Other NIST stuff, most famously FIPS 140, is a one-off thing, once you're certified you don't get un-certified even if there's a dozen remote root 0days for your super-secure device.

          There may well be some requirement to provide updates for x months but I doubt there's anything saying your magic certification will be withdrawn if your product turns out to be full of unpatched security holes.

    • Re:I imagine .. (Score:4, Insightful)

      by AmiMoJo ( 196126 ) on Wednesday January 08, 2025 @11:11PM (#65074409) Homepage Journal

      The CE thing was never true. It appears to be a Wiki Myth. Some MEP in the EU claimed it happened, Wikipedia cited them as a source, and it became accepted truth.

      It would be pointless to do it. There is no CE certification, you apply it to your own product as an oath that it meets certain standards and design rules. There are consequences if you lie and get caught, but if you were willing to create a fake CE logo then you wouldn't be worrying about that anyway.

  • by rtkluttz ( 244325 ) on Wednesday January 08, 2025 @06:35PM (#65073873) Homepage

As long as they ONLY function with the cloud there is no such thing as trust. The zero trust model is the most robust security model in cybersecurity. Everything else is a farce. If you are forced to trust the maker of the device and don't have the ability to lock them out and still use all your device's features, then there is no trust. Cloud devices outside of your control, where you have to authenticate to someone else's servers and ask their permission to control a device behind your firewall, are the type of trust that only idiots give.

    • by dfghjk ( 711126 )

      And yet here you are posting on /. Did you make your own computer, or are you trusting the manufacturer? I'm sure you're using an air-gapped device to run your browser.

      • by rtkluttz ( 244325 ) on Wednesday January 08, 2025 @06:58PM (#65073959) Homepage

Oh yeah, I build my own machines, I run Linux, I run rooted Android that has been de-Googled running Island. I am root of my domain and no company is or ever will be. Even my Chamberlain garage door opener, which is cloud ready with an app, is not being used like that. I will NEVER allow a company to control my devices for me. My garage door opener uses a set of dry contacts wired to the button in the house that I can control remotely via a tiny web server on a Raspberry Pi Zero. If I am outside my home I use a VPN to get access. I realize most people will not go to these extremes, but no one should be allowing that cloud controlled crap in their house if they even remotely value security and privacy.

• Amen to this! Right approach on security. But it requires a bit of electronics knowledge, as most smart devices are kind of black boxes that work only with a server in China or wherever, to which you start by giving them your wifi password. Hell no to that! So my not yet hacked smart energy meter sits so far in a grounded metal cable box without the required wifi and phone app access. Just because it has a screen and one day it will be reverse engineered to decouple and add it to some Raspi or Arduino.
    • by SirSlud ( 67381 )

      That's adorable.

    • When I got my new fiber-to-the-home internet service the modem I got required me to set up some kind of account with the manufacturer to make any changes to the system. I can't trust this modem, I have no true ownership of the device if I can't set my own password and such to where it can lock out the manufacturer.

      This is new to me since I've had different internet access devices in the past that let me set a local password and such without some registration with the manufacturer.

      I don't trust the governme

  • by dfghjk ( 711126 ) on Wednesday January 08, 2025 @06:43PM (#65073901)

Can't wait for SCOTUS to usurp NIST's authority to establish standards. The Cyber Trust Mark can sit alongside Full Self Driving, just another line of bullshit.

    But hey, at least there's a QR code so you can set a password, no doubt that's gonna help security. Wonder if there will be one to disable the back doors?

  • by Joe_Dragon ( 2206452 ) on Wednesday January 08, 2025 @06:57PM (#65073955)

What about a minimum update lifetime?

    • by AmiMoJo ( 196126 )

      Products should have an end of life date on the box, like a food use by date. Consumers understand those. Once updates end, once the cloud server goes offline, it should be treated like expired milk.

  • by Anonymous Coward

    It is extremely hard to believe that complying with a certification causes something to be "safe." Please please please, just call it "safer." Or say "it complies with several best practices."

    Calling it "safe" is asking for trouble and is 100% likely to end up undermining the reputation of the certification, since certified devices are still going to get caught going things against the interests of their owners.

  • by ffkom ( 3519199 ) on Wednesday January 08, 2025 @07:05PM (#65073993)
    "approved by NIST" meaning:

We guarantee there is at least one back-door in this device, for US agencies to use them as surveillance devices. No guarantees are made on how many additional back-doors were installed by those cheapest overseas manufacturers who were involved in building this device or its components. Adversaries or data brokers who failed to inject their back-door into our supply chain will need to pay for your data, or employ their own hackers to steal our back-door credentials.

    • by leonbev ( 111395 ) on Wednesday January 08, 2025 @09:57PM (#65074293) Journal

It's probably going to be more like we paid an auditor to send us a form to fill out with basic security practice questions, and we then gave them the answers that they wanted to hear. Then they sent us a certificate saying that we could put their logo on our product.

      You know, it will be pretty much like every other SOC audit you've done before. Other than having to provide a few screenshots of some select cherry picked functions where the senior engineers actually did what they were supposed to do, there isn't any real third party verification. Nobody is going to let them dig into that crap back-end code that we outsourced to Bulgaria that's probably filled with security holes.

• > It's probably going to be more like we paid an auditor

        It's "we paid an auditor a fuckton of money". Nothing NIST does is ever remotely cheap, which means only the most overpriced products will get the trust mark, and as with web trust marks most of them will be with dodgy vendors who use the trust mark to lure in suckers (this is an actual fact, it was studied quite a bit back when web trust marks were popular).

  • Will Amazon allow non-certified devices to be sold on its site?

    • Hopefully it will set better standards for 'cheap shit made in China' sold by discount retailers.

      I'm looking at you, Allwinner. But according to Tom Cubie they're cleaning up their act and planning to commit their kernel source to mainline. So one might eventually get some OS updates through Google Play on that $AU75 Android tablet you saw advertised...

      https://groups.google.com/g/li... [google.com]

    • by Alumoi ( 1321661 )

Only after they add the sticker in their warehouses.

  • "Vendors will label their products with the Cyber Trust Mark logo if they meet the National Institute of Standards and Technology (NIST) cybersecurity criteria."

    And the next logical step is that the counterfeiters and scammers will faithfully duplicate the 'Cyber Trust Mark logo', and update their labels, logos, and boxes.

    IMHO this Cyber Trust Mark logo will just give people a false sense of security; it shouldn't reassure anyone for one second.

  • More likely US backdoors will be in there, but whether there are any others as well is unclear. Dark times.

I will regard this as a "mark of shame" and treat it as a strong "do not buy under any circumstances".

  • We never would have thought to create a security certification that listed a value that will change the moment you set up the device (firmware version), or security practices that users may disagree with.

    Perhaps next time work on an effective tool first. THEN work on branding it, and announcing it, etc. If your part is the most important, but you're not a subject matter expert... you're doing it wrong.
