
Smart devices to get cybersecurity rating | Cyber Trust Mark

Spotty

Summary

The US will be introducing a new certification and label scheme for smart devices called the Cyber Trust Mark.

Similar to the Energy Star rating on household appliances, the scheme will display a logo rating the cyber security of the smart device, along with a QR code that can be scanned to display more details about the security of the device. Devices will be rated based on things such as data protection, strong default passwords, and the extent of software (security) updates.

 

Quotes

Quote

the US Cyber Trust Mark, will signify that devices bearing it meet security standards based on those established in a report by the National Institute of Standards and Technology (NIST). The voluntary program is expected to be in place in 2024, with the labels hitting devices “soon after.”

The program is meant to cover connected devices commonly found in the home, like smart refrigerators, smart microwaves, smart televisions, and smart climate control systems. But the announcement also lists “smart fitness trackers” as a device that would be covered by the certification and labeling program, suggesting ambitions beyond the commonly-defined smart home automation space.

The FCC is “acting under its authorities to regulate wireless communication devices” to propose the certification and labeling program, which it says would require “strong default passwords, data protection, software updates, and incident detection capabilities,”

 

Quote

Participants in today’s announcement include: Amazon, Best Buy, Carnegie Mellon University, CyLab, Cisco Systems, Connectivity Standards Alliance, Consumer Reports, Consumer Technology Association, Google, Infineon, the Information Technology Industry Council, IoXT, KeySight, LG Electronics U.S.A., Logitech, OpenPolicy, Qorvo, Qualcomm, Samsung Electronics, UL Solutions, Yale and August U.S.

 

My thoughts

inb4 everybody complains that you can't trust the government to tell you what is secure. Regardless of whether or not you trust the government, I think the scheme will provide an incentive for manufacturers to implement better cybersecurity practices in an effort to achieve a higher rating.

 

I'm a little surprised to see that Amazon, Google, and Samsung have already signed up to the scheme. Notably Apple, who makes a variety of smart IoT devices that would likely be covered by this scheme such as the HomePod, Apple Watch, as well as the HomeApp software, is as of yet absent. Apple normally advertises privacy and security as a major feature so it's odd that they wouldn't sign up to the scheme.

 

 

Discussion Question

Would a cybersecurity rating influence your decision on which smart devices to buy?

 

 

Sources

https://www.theverge.com/2023/7/18/23798153/fcc-cyber-trust-mark-biden-security


Doesn't this rating only help at this one point in time? For example, I have two different security cameras that were "fine" at release, then later their default password was discovered, and if you were not an informed user, you had an issue.

 

So perhaps it's better than nothing, but it still just seems like marketing.


32 minutes ago, Spotty said:

Apple normally advertises privacy and security as a major feature so it's odd that they wouldn't sign up to the scheme.

That may be precisely why they aren't. HomeKit is already marketed as the secure smart home platform from a big tech company. HomeKit Routers can already be configured to block absolutely all outgoing or incoming traffic for HomeKit devices, so there really isn't anything left to secure or protect users from at that point.

 

A lot of smart home vendors aren't signing up with this. For one, I don't see Home Assistant anywhere. Lots of security oriented people actually use Home Assistant with a HomeKit backbone. 


25 minutes ago, Spotty said:

Would a cybersecurity rating influence your decision on which smart devices to buy?

I guess. Or rather, it would influence which one definitely not to buy.

 

Of course the issue is that a good mark at the time of purchase might be outdated quickly, so you'd have to check regularly and then act accordingly. What if a zero day is discovered that can't be patched due to it being firmware/hardware based.


A cybersecurity rating is cool to see, but it in no way will impact any smart home or IoT device purchases for me.

 

The most I would do is a network of security cameras, but I would try to avoid IoT or smart devices in that category as much as I possibly can. Overall, I don't believe in all the amenities of a "smart home". To echo(lol) the above incident regarding Amazon, there's no way I would cede that much control of my own home and property to a random corporation.

 

Don't have to worry about your IoT devices being insecure if you don't have any IoT devices. I'm ready and willing to sacrifice a little bit of convenience for peace of mind.


This will matter about as much as an Energy Star mark in a few years' time.


3 hours ago, Caroline said:

Seriously, who unironically believes a house full of devices and appliances connected to the internet and remotely controlled by a corporation is a good thing?

The CEO of such a corporation 😉 


The only secure smart home devices are the ones that work locally and without an internet connection. Do you really trust any company after seeing so many incidents of data breaches and how the data was stored? (sensitive customer information being stored in plain text without encryption, etc.)


Will my phone get it?


inb4 only a literallywho brand gets the positive mark.


I believe someone needs to ask this. While it's a bit of a political question and so might go against forum rules, it's still quite an important question for like 90% of the world.

Is this just US thingy or a more global thing?

Like you know, X wiretapping Y is bad bad thing but Y wiretapping the whole internet is just fantastic and fine. 🥳 (let's play that the party hat is made from foil so we can get past that)

 

Like, for example, the not so much advertised fact (but if you know what you need to know, you will find out) that Windows 10/11 has been FIPS 140 certified, so the cryptography parts should be in order. Except FIPS 140 just proves the cryptographic algorithms are correct; the whole software can be Swiss cheese with enough backdoors that John Fogerty has a hard time finding enough dudes to look out of them all, but as the algorithm is correct, Uncle Sam approves that it's safe.

 

Just saying that for this kind of sticker to have any meaningful point, it should be given by an actually neutral party. And while something like strong default passwords can be checked and truthfully, without any bias, proved by whoever, that should be something so important that if any company is found to not do it always, they should be publicly "crucified" for it. There should be Spectre/Meltdown levels of mass hysteria, and it should be on everyone's lips and ears that that company's products are dangerous until it is publicly proven that they have issued fixes and they work. Not that someone slaps a sticker on a product that fills the lowest level of security and then the non-tech-savvy commoners think that product is completely safe because it has that sticker on it.


I would not trust such a rating at all. The police have many tools to access devices using exploits that they wouldn't want people to have good security on phones.

Look at how upset they got when they were trying to access the iPhones of terrorists or shooters etc.

Also how would they do the testing? I know of devices that people have made to do the pin codes. They dump the phone and somehow make it reset after so many tries so it does not lock the phone out. They can also make a finger device too.


23 hours ago, OhioYJ said:

Doesn't this rating only help at this one point in time? For example, I have two different security cameras that were "fine" at release, then later their default password was discovered, and if you were not an informed user, you had an issue.

So perhaps it's better than nothing, but it still just seems like marketing.

One idea to maybe address this would be like a “weight” for manufacturers.

So your new manufacturers will always start at a lower score (like a “base score”) vs a manufacturer who’s well established.

But they can work their base score up by being consistent with all their products over time.

That would incentivize making good products and would try to get people to play the long game (meaning things will be supported for a while), which will be a consumer benefit.

Only problem is it may make it harder for the new guy to get his foot in the door.

I would prefer the idea of dumbing down isolated VLANs for consumers. Put all this junk in a place where it can’t hurt anyone.

1 hour ago, bcredeur97 said:

I would prefer the idea of dumbing down isolated VLANs for consumers. Put all this junk in a place where it can’t hurt anyone.

Ubiquiti Dream Machine can do that. I'm sure there are other routers that can, but Ubiquiti comes to mind the most quickly for me (I know people who have them and love them). I've been considering moving my entire network to Ubiquiti hardware, if for no other reason than to have a little more control over the network, but also to get away from the crap Google routers our ISP gave us.

 

You'll need a surface level understanding of networking or a below enthusiast skill at Googling to figure out how the Ubiquiti stuff works, I would say. A relative of mine was showing me his setup and I could just about follow everything he was showing me, before I got better at networking and networking terminology.


On 7/19/2023 at 3:41 AM, Spotty said:

The US will be introducing a new certification and label scheme for smart devices called the Cyber Trust Mark.

If it's anything like FIPS, which even Fortinet is qualified for, I think it won't do much good.....


17 hours ago, Doobeedoo said:

Will my phone get it?

I didn't see anywhere mentioning phones included as IoT devices. From what I read, it was mostly targeted at smart home appliances like smart fridges, smart thermostats, etc. I only really looked at a couple of news articles when writing this post and haven't looked too deeply into it. I'm not even sure if it has been finalised what devices will be covered and what the full requirements are that they will need to meet to qualify.

 

4 hours ago, SnugglyGirl said:

I would not trust such a rating at all. The police have many tools to access devices using exploits that they wouldn't want people to have good security on phones.

I don't think this is really what the rating is meant to be representing. It's not meant to represent that devices are hack-proof.

 

It seems more to be targeted towards stopping bad security practices like manufacturers releasing products and never providing any security updates to fix discovered known security flaws. Creates the obligation for companies to fix that instead of just listing the product as EoL and doing absolutely nothing to fix the vulnerabilities.

 

Things like internet connected printers that can be easily compromised.

https://cybernews.com/security/we-hacked-28000-unsecured-printers-to-raise-awareness-of-printer-security-issues/

 

There have been a few times where internet connected security cameras have been publicly accessible with trivial default passwords. There were websites set up where people could just skip through random people's security cameras that were exposed to the internet. This should require more secure default passwords (and imo should force people to set a unique password during setup).

https://www.hackread.com/website-streams-from-private-security-cameras/


19 hours ago, bcredeur97 said:

I would prefer the idea of dumbing down isolated VLANs for consumers. Put all this junk in a place where it can’t hurt anyone.

The hurdle I see and run into many times, with many things, is "why should I buy that, I can get this for only $x dollars". <-- That being an issue, as VLANs add complication, and trying to convince someone that they need smarter switches (managed) or a bit fancier router. Many people just plain don't care.


I was originally against this, but after reading the core baseline published by NIST I actually think it's a good idea. 

I think the problem is that people will see that label and get the wrong impression. The label is based on a baseline for what NIST sees as the minimum necessary to maybe have a "secure" device.

I am worried that people will think this is a label of endorsement (as in "this device is secure"). It's not an endorsement. It's an "if your device doesn't have this then you should be worried because this is not a high bar to pass" label.

 

 

Here are some of the core parts of the baseline (there are more details in the report itself):

  • The device has an identifier like a serial number.
  • The configuration on the device can be changed, and there has to be some mechanism to prevent unauthorized changes (like password protection).
  • The device uses secure encryption methods when storing and transmitting data.
  • A user should be able to lock down the local and network interfaces of a device unless they are necessary for core functionality. So for example if you have a diagnostics port on the device then you should be able to password-protect that port.
  • The software on the device should be upgradable, and updates should allow for some mechanism to be authorized and verified.
  • The device should be able to report when its security may be compromised, for example by logging and flagging incorrect login attempts.

 

As you can see, it really isn't a high bar to cross. If your device doesn't have these things, then you're in bad shape. But just because your device has these things doesn't mean it is secure either.
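As an added illustration of the update item in that list (this is not code from the post, from the NIST report, or from any vendor): a Go program in which the device checks a firmware update before flashing it, the way the "authorized and verified" wording implies. It verifies that the update manifest was signed by the vendor's Ed25519 key pinned in the device, that the delivered image matches the hash inside the signed manifest, and that the version is newer than what is installed so an old, vulnerable image cannot be pushed back. The manifest layout, the function names and the sample image bytes are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed manifest layout for this example (not a NIST or vendor format):
//   manifest = version (4 bytes, big-endian) || sha256(image) (32 bytes)
// The vendor signs the manifest rather than the raw image, so one signature
// covers both the version number and the image hash.
const manifestLen = 4 + sha256.Size

type Update struct {
	Image    []byte
	Manifest []byte
	Sig      []byte
}

var (
	ErrMalformed    = errors.New("update rejected: malformed manifest")
	ErrBadSignature = errors.New("update rejected: signature does not verify under vendor key")
	ErrImageHash    = errors.New("update rejected: image does not match signed hash")
	ErrRollback     = errors.New("update rejected: version is not newer than installed")
)

func buildManifest(version uint32, image []byte) []byte {
	m := make([]byte, 4, manifestLen)
	binary.BigEndian.PutUint32(m, version)
	h := sha256.Sum256(image)
	return append(m, h[:]...)
}

// SignUpdate is the vendor side: the build system signs a manifest for a release.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := buildManifest(version, image)
	return Update{Image: image, Manifest: m, Sig: ed25519.Sign(priv, m)}
}

// VerifyUpdate is the device side. vendorPub is the public key pinned into the
// device at manufacture; installed is the running firmware version. It returns
// the new version only if every check passes; otherwise nothing is flashed.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, u Update) (uint32, error) {
	if len(u.Manifest) != manifestLen {
		return 0, ErrMalformed
	}
	// 1. Authorization: only a manifest signed by the vendor key is accepted.
	if !ed25519.Verify(vendorPub, u.Manifest, u.Sig) {
		return 0, ErrBadSignature
	}
	// The manifest contents are only trusted after the signature check.
	version := binary.BigEndian.Uint32(u.Manifest[:4])
	// 2. Integrity: the delivered image must hash to the signed value.
	h := sha256.Sum256(u.Image)
	if !bytes.Equal(h[:], u.Manifest[4:]) {
		return 0, ErrImageHash
	}
	// 3. Anti-rollback: a correctly signed but older image is still refused.
	if version <= installed {
		return 0, ErrRollback
	}
	return version, nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample image bytes; a real image would be the firmware blob.
	upd := SignUpdate(vendorPriv, 2, []byte("firmware v2 image (constructed)"))
	v, err := VerifyUpdate(vendorPub, 1, upd)
	fmt.Println(v, err)

	// Same signed manifest, but the image was swapped in transit.
	tampered := upd
	tampered.Image = []byte("firmware v2 image, modified (constructed)")
	_, err = VerifyUpdate(vendorPub, 1, tampered)
	fmt.Println(err)
}
```

The order of the checks matters: the signature is verified before any field of the manifest is read, so a malformed or attacker-supplied version number never influences the decision, and the rollback check runs last so that a valid-but-old image is reported as exactly that.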


On 7/18/2023 at 11:41 PM, Spotty said:

Would a cybersecurity rating influence your decision on which smart devices to buy?

No. I’m not putting an NSA listening device in my home. 

I just want to sit back and watch the world burn. 
