US eyes ‘Cyber Trust Mark’ to lock down IoT frailties, but experts worry it doesn’t go far enough


The White House has launched a new cybersecurity label for internet-connected devices in a bid to help end-users quickly assess the security credentials of IoT systems.

The program will mean smart devices sold in the US can be given the ‘Cyber Trust Mark’ to indicate vendors have implemented essential security measures when developing their products.

“The U.S. Cyber Trust Mark program allows them to test products against established cybersecurity criteria from the U.S. National Institute of Standards and Technology via compliance testing by accredited labs, and earn the Cyber Trust Mark label,” the announcement stated.

The Cyber Trust Mark aims to “educate American consumers” and build their trust in connected devices amid rising IoT-based cyber attacks while incentivizing vendors to produce more secure devices by default.

The initiative has received praise from the wider security community, which generally recognized its potential, but some stakeholders have expressed concern about the lack of rigorous testing for vendors looking to take advantage of the label.

Roger Grimes, defense evangelist at security awareness firm KnowBe4, praised the program’s overall aim but said the label would have more meaning if it included binding security requirements vendors would need to satisfy in order to receive the Mark.

“There are a lot of things to like about this program, especially the focus on IoT cybersecurity basics, such as changing default passwords, patching, data protection, and a software/hardware bill of materials. Allowing consumers to scan a QR code and get information from a decentralized IoT registry is a terrific idea. Those reasons alone are reasons enough for the program,” he argued.

“But the devil is in the details and many of the security requirements are really just recommendations, such as the entire program itself (i.e., vendors do not need to participate), are voluntary and only suggestions. I wish many basic cybersecurity defenses such as the customer being forced to change the default password and automatic patching were required to be in the program. It would make the program much more valuable.”

Weak requirements could allow vendors to skimp on cyber basics

Grimes used the example of hard-coded default passwords in IoT devices, a security weakness that has plagued smart products for a number of years. He argued that the current version of the program could let vendors merely pay lip service to this vulnerability by notifying customers to change the password, instead of removing the problem in the first place.

“As another example, vendors participating in the program must tell consumers if they have a hard-coded default password instead of just preventing any vendor from having a hard-coded default password.”
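To make the distinction in Grimes's two examples concrete, here is an added illustration (not code from the article, the program, or any vendor) of a first-boot credential gate in a hypothetical device firmware. The "advisory" mode only notifies the user that the factory password is in use and starts services anyway; the "enforced" mode keeps network services off until the default has been replaced with a password that is neither a known default nor too short. The factory default list, the minimum length, the `Device` class and every helper name are constructed assumptions.

```python
"""Added example (not from the article): a first-boot credential gate.

Contrasts the two approaches discussed above:
  - "advisory": the device only tells the user to change the factory
    password and starts services anyway (the lip-service approach).
  - "enforced": the device refuses to expose network services until the
    factory password has been replaced by an acceptable one.
All device state, defaults and names here are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed factory defaults for this hypothetical firmware image.
FACTORY_DEFAULTS = {"admin", "password", "12345678"}
MIN_LENGTH = 12  # assumed minimum length for a replacement password


def _hash(pw: str, salt: bytes) -> bytes:
    # PBKDF2 keeps even the factory default out of clear-text storage.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Device:
    policy: str                                   # "advisory" or "enforced"
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: bytes = b""
    password_is_default: bool = True              # still on the factory value
    services_enabled: bool = False
    notices: list = field(default_factory=list)

    def __post_init__(self) -> None:
        # Hard-coded factory default: the weakness the article discusses.
        self.pw_hash = _hash("admin", self.salt)


def password_acceptable(dev: Device, candidate: str) -> bool:
    """True only if the candidate is not a known default, not the current
    password, and meets the minimum length."""
    if candidate.lower() in FACTORY_DEFAULTS:
        return False
    if len(candidate) < MIN_LENGTH:
        return False
    if hmac.compare_digest(_hash(candidate, dev.salt), dev.pw_hash):
        return False
    return True


def set_password(dev: Device, candidate: str) -> bool:
    """Rotate the credential; under either policy a bad candidate is refused."""
    if not password_acceptable(dev, candidate):
        dev.notices.append("rejected: default, reused or too short")
        return False
    dev.salt = secrets.token_bytes(16)
    dev.pw_hash = _hash(candidate, dev.salt)
    dev.password_is_default = False
    # Under the enforced policy, replacing the default is what unlocks services.
    if dev.policy == "enforced":
        dev.services_enabled = True
    return True


def first_boot(dev: Device) -> bool:
    """Bring the device up. Returns whether network services were enabled."""
    if not dev.password_is_default:
        dev.services_enabled = True
        return True
    if dev.policy == "advisory":
        # Disclosure only: the user is told, but the service runs with the
        # factory password until the user acts (or never does).
        dev.notices.append("warning: factory password in use, please change it")
        dev.services_enabled = True
        return True
    # Enforced: nothing listens on the network until the default is gone.
    dev.notices.append("setup required: replace the factory password to continue")
    dev.services_enabled = False
    return False


if __name__ == "__main__":
    lax = Device(policy="advisory")
    print("advisory boot enabled services:", first_boot(lax))               # True
    strict = Device(policy="enforced")
    print("enforced boot enabled services:", first_boot(strict))            # False
    print("default reused, accepted:", set_password(strict, "Admin"))       # False
    print("strong password accepted:", set_password(strict, "correct-horse-battery"))  # True
    print("services now enabled:", strict.services_enabled)                 # True
```

The point of the two modes is that the advisory device is indistinguishable from the enforced one on the outside: both could carry the same label, yet only one of them ever runs without a known password on the network.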

This may lead to inconsistency among vendors, Grimes warned, with some taking the Mark more seriously than others.

He argued the program lacks a clear way to distinguish vendors that are actually working to meaningfully secure their devices from those that aren't, since both would be able to use the Trust Mark on their products.

“So, you could have some IoT vendors really going out of their way to make very secure products that require very little attention from the consumer and other IoT vendors not applying the same high cybersecurity practices and getting to use the same mark simply for telling the consumer they use substandard cybersecurity practices, assuming the consumer actually scans the QR code and reads the information,” Grimes said.

“Wouldn’t it be better if the mark actually meant the vendor was using generally accepted safe cybersecurity practices?”

Grimes compared the situation to the FCC safety marks used to demonstrate the safety of electronic devices: simply seeing the mark tells users the device is safe and meets certain minimum criteria, whereas the Cyber Trust Mark leaves room for vendors to skirt actually ensuring their products are secure.

“When I see an FCC safety mark on an electrical cord or lamp, I know it’s safe. I don’t have to scan a code and read information to find out if it is actually safe,” he said.

“I wish the Cyber Trust Mark label meant the same thing…that the device was actually safe as designed. I think the problem is that consumers will see the mark and automatically assume the device meets expected cybersecurity standards and maybe it does and maybe it doesn’t.”
