back to article Stickers emerge as EU's weapon against dud IoT security

The European Commission is readying a push to get companies to produce labels that reveal the security baked into internet-of-things things. The labelling effort is part of a broader push to drive companies to better handle security controls and privacy data in the notoriously insecure and leaky devices. Deputy head of …

  1. Anonymous Coward
    Anonymous Coward

    "By the time the EC gets its stickers sorted.."

    Ah, Eurostickers..such a marque of quality and trust. I do so hope this scheme is as successful as the CE one...

    1. Phil O'Sophical Silver badge

      Re: "By the time the EC gets its stickers sorted.."

      "This product contains some security. By continuing to use it you agree to accept the use of security."

  2. Voland's right hand Silver badge

    I want only one sticker

    "Source Available".

    The rest can be sorted and if a device is interesting and useful _WILL_ _BE_ sorted.

    1. the hatter
      Stop

      Re: I want only one sticker

      One part of the problem is that even with source, it can't necessarily be easily updated, or even updated at all. Just because you can coerce your hardware to accept an update, doesn't mean the other owners could. I think you'd at least need a sticker for how to update - automatic, prompted, does it need you to run a windows executable, or to insert a usb key, does it need to have open internet connectivity. Step two would then inevitably be can you roll back an automatic update, when the manufacturer ships you an update that breaks functionality you use.

    2. Anonymous Coward
      Thumb Down

      Re: I want only one sticker

      It can only be sorted if someone competent takes an interest. BTW, no such test requirements seem to exist to determine this either. Expect strict liability to pop up as a result.

    3. heyrick Silver badge

      Re: I want only one sticker

      Il upvote you to counter the downvotes. You see, there should be no big reason why an update cannot be applied if FULL sources are available. If the manufacturer can do it, so can we. The problem comes when "open source" means you get the Linux kernel, busybox, etc but nothing of the update system or any of the "custom" software or hardware drivers. Shall I list the devices I own that claim to have source code but that means only the parts the GPL oblige to be open? Useless. Proper source can get things moving, but it's a rare device one can build their own firmware for...

      1. Robert Carnegie Silver badge

        Re: I want only one sticker

        Yeh, you probably want a device to require a key before updating firmware. Or a physical cable link. Not a drive-by wi-fi.

    4. Trigonoceps occipitalis Silver badge

      Re: I want only one sticker

      A big one, one that will wrap the IOT device several times over.

      Oh yes, and made of tin foil and marked in big, friendly letters "Do Not Remove!"

  3. Pascal Monett Silver badge

    Stickers OK, education, not so much

    I am warming to the idea that the layperson, to use the OA's qualifier, is not the person to explain security to. If an entire generation of people could not learn to set the time on their VCRs (slightly exaggerated, I know), it is unreasonable to expect their offspring to understand the stakes in our security-lacking world of today.

    Security needs a major shift into companies baking the security into their products and making it easy to use despite the user's cluelessness. Not an easy task given the lack of security awareness in companies at this point in time, but one that will become feasible after enough finger-pointing and IoT-based DDoS attacks.

    So we're basically going towards a more security-friendly world one DDoS at a time.

  4. Dan 55 Silver badge

    Stickers emerge as EU's weapon against dud IoT security

    Or duds emerge as EU's stick against weaponised IoT security?

  5. Mage Silver badge
    Boffin

    Energy Rating stickers

    A, AA, AAA, AAAA

    The cleaner won't lift dust, the dishwasher will leave cups stained and have no rinse cycle, the lamps won't be bright enough and omnidirectional to light a whole room, the toaster will dry out the bread and only brown it at max setting and only take pan sized slices, not larger batch loaf, the coffee machine won't even keep warm for mandated 40min max but 20min ... etc.

    Sadly we do understand the evil energy saving stickers.

    1. Trigonoceps occipitalis Silver badge

      Re: Energy Rating stickers

      My dishwasher has an energy saving programme, its the one I use when I don't want the dishes clean and dry.

  6. TeeCee Gold badge
    Facepalm

    Pointless.

    .... labels that reveal the security baked into....

    Which is meaningless. The only thing of interest is whether and how quickly it will be patched when, not if, it's compromised.

    Typical of the EU, a crap way of addressing the wrong problem.

    1. Roland6 Silver badge

      Re: Pointless.

      Not totally pointless.

      History tells us that security has a shelf life, so a label that specifies the security measures being used helps with the asset management.

      However, I do think the EU needs to set up a quasi-independent organisation to do for IoT what the WiFi Alliance did for WiFi interop. It's job being to define a suite of standards-based interop profiles, a testing regime and product kitemark/labelling scheme.

      Whilst a WiFi network set up to WiFi Alliance's best practises isn't as secure as a network setup based on CESG guidance, for many it did facilitate a means to move away from WEP to WPA2/AES etc. Obviously, it still needs an expert to know whether a product carrying a 2006 WiFi-Alliance kitemark is still fit for purpose in a system built using products that satisfy 2016 security concerns.

    2. heyrick Silver badge

      Re: Pointless.

      The problem is not whether or not there are stickers. What is important is the ENFORCEMENT. If selling a shoddy product with a "this is secure" sticker means Juncker shouts, don't expect anybody to pay attention. If selling a shoddy product means all stock in the EU is seized and the director jailed, then companies might take it seriously...

    3. I am the liquor Silver badge

      whether and how quickly it will be patched

      It's something that could be baked into the standards behind the stickers. The sticker would tell you for how many years the manufacturer has committed to provide patches. (That could be a powerful market incentive - consumers aren't going to like shelling out good money on an appliance that has a sticker on the front telling them it'll be going in the bin after 3 years.) The standard would specify how promptly fixes for any CVE-logged vulnerability must be delivered during that support lifetime. If the manufacturer fails to meet the standard, they used the sticker improperly and get fined by the regulator. Add on mandatory requirements for source code escrow and a financial bond to fund maintenance if the company folds during the product's lifetime, and you could come up with a regulatory system that would improve IoT security in a useful way.

      I mean I doubt they will, but they could.

  7. Pen-y-gors Silver badge

    Let's face it

    The only way to make IoT thingies safe is to disconnect them from teh internet - and possibly re-program them with an axe to be doubly sure.

    1. Anonymous Coward
      Headmaster

      Re: Let's face it

      Oh Jeez, now you've done it...

      So, when does the IEEE axe/device interface standards committee get empaneled?

  8. Jimmy2Cows Silver badge

    Perhaps an effort to explain firmware upgrades to lay-people is also needed.

    Understanding of firmware upgrades is useless if the manufacturer can't be arsed to provide them.

  9. Anonymous Coward
    Joke

    Botnet ready...

    Why not slap a sticker on every IoT device with the text : 'Botnet ready' ?

  10. wzlbrmf

    "Kleiner said the Commission would encourage companies to come up with a labelling system for internet-connected devices that are approved and secure."

    Maybe it is time to quote Bruce Schneier again: "Security is a process, not a product."

    Given how many C and D labelled refrigerators are still being sold, I wonder how many people would still buy those insecure IoT devices. Hey, D is so much cheaper than A.

    1. toughluck

      Nothing wrong with no security.

      Suppose it's not connected to the internet and air-gapped. What's wrong with a "D" label?

      -

      As for home appliances, physics don't work that way.

      Dishwasher tablets are standardized to work in a certain volume of water. I think it's something like 5 liters. Heating up 5 liters of water from 20 °C to 70 °C will always require 0.3 kWh. Pumping water with a 500 W pump for 2 hours will always require 1 kWh.

      An AAAA model will require exactly the same energy in that intensive wash cycle as an A model. And that A model might actually have more usable low energy programs which might end up saving power in the long run.

      I have an AA-qualified dishwasher. The newer model with AAA qualification was an extra ~50 euro. The testing method requires that the very first program after turning on is the one used for testing.

      I used it once for only slightly dirty dishes. I didn't even bother removing them from the dishwasher since they were stained, and still dirty and wet (despite 1.5 hours of washing and 2 hours of "drying"). Using the same detergent, I set it for one hour quick program (same temperature of 50 °C), and the dishes were completely clean.

      --

      As for fridges, same physics apply. Assuming the same insulation, it requires the same amount of energy to remove 1 kJ of heat regardless of the energy saving features. I do have a nice AA model that works pretty well, but I bought it for the warranty (10 years for the pump which is the digital direct drive version). It's nice and quiet as long as it's running on gear 1-2 out of five. At 3 it's already as loud as my older fridge and at 4-5, it's loud enough to be heard, although fortunately it's just a humming noise.

      I realize people buy into the hype, but standardized labels are for standardized conditions for standardized people in a standardized world.

      Sadly, in the real world, there are no standardized conditions or standardized people. But standardized labels exist.

  11. Chris G Silver badge

    Label:

    Use of this device may incur loss of your Bank account contemts, Identity, House and you may have to sell yuor wife and children into slavery. Accept/ Not Accept

  12. Anonymous Coward
    Stop

    "Warning: This product contains security"

    "However, we can't tell you how much, because we don't understand IT security ourselves. In fact, we can't even tell you what it is. Manufacturer may also have more friends in government than you do, and therefore any liability from compromise of this product defaults to you, the owner. Product's poor security may also be the direct result of government efforts to enable mass surveillance, because we all know you can't be trusted.

    Warning: substitution of older model, non-computerized models for this product has been made illegal, as numerous campaign and manifesto promises about championing of smart green products have already been made without consideration to what this means to you, the owner."

  13. Doctor Syntax Silver badge

    This could be a useful first step if it involves creating an on-going process to set standards and to provide testing. The next step is to use that to prevent non-compliant stuff getting onto the market.

  14. Anonymous Coward
    Anonymous Coward

    IOTG

    Would it not make sense to have the IOT devices use a non routable protocol and have a house gateway for this sh.... stuff?

    We could then tailor the gateway to our requirements for cost, security, features and as the non routable stuff is hidden, non update-able items can be tolerated as long as the gateway locks them down to a limited set of instructions.

    To me the error is in considering a device that does one or two things needs to be able to get to the rest of the world, directly.

  15. Captain Badmouth
    FAIL

    Total waste of time

    Considering how much dangerous stuff can be bought over t'interweb already with no oversight from overstretched trading standards/ govt. departments, how is this going to be regulated?

    I see mains plugs with no fuse and inadequate dimensions here :

    http://www.electriciantalk.com/f25/counterfeit-illegal-plugs-leads-27655/

    http://www.bs1363.org.uk/

    Our local chip shop owner had two led signs from ebay that had failed, the mains lead was secured to the hardboard by hot melt glue as was the control electronics board, no mains cable clamp at all. I've sent piccies to HSE last Feb. but heard nothing since. In case any of you are thinking of following a similar route with some dodgy electricals, be aware that neither HSE nor Trading standards seem to be aware of their respective responsibilities. I had to send HSE a copy of the relevant page from a govt. document to show them that the complaint fell within their remit. They kept arguing that :

    "Thank you for taking the time to report your concern to the Health and Safety Executive. The enforcement of health and safety matters in this particular premises does not fall to HSE. HSE do not enforce Fish and Chip shops, therefore the enforcement of this premises falls to the Local Council."

    and :

    "Apologies that we have not gotten back to you sooner regarding your concern below.

    I have had a look at the website (******) which you kindly provided the link for deals with signs for bars and restaurants.

    It looks to me like a matter for trading standards rather than HSE as ****** is selling to the retail trade."

    They did eventually admit that it was their responsibility as detailed here :

    <ENFORCEMENT

    The Regulations are primarily enforced by the local authority trading standards departments with regard to consumer products. The Health and Safety Executive enforce the Regulations in respect of electrical equipment that is:

    1. designed for use or operation by persons at work; or

    2. designed for use otherwise than at work, in non-domestic premises made available for persons at a place where they may use the equipment.

    Any reference to an enforcement authority in this guide is a reference to both trading standards officers and Inspectors of the Health and Safety Executive.>

    1. Anonymous Coward
      Anonymous Coward

      Re: Total waste of time

      Only a fool would buy not just one but two trade display signs from Ebay.

  16. djack

    Other Warnings

    There should be other (ralated) mandatory stickers in bright red on white in inch high text like

    WARNING : This product sends your information to other people

    WARNING : This product will be an expensive paper-weight when <company> closes or decides it does not want to continue running it or wants you to upgrade.

    Anything requiring those stickers don't go near my home.

  17. Alan Bourke

    What we need is a mandatory kill switch on each device.

    Marked 'Isolate this device from the internet'.

  18. Mark M.

    Internet connectivity

    No-one, other than a complete idiot, is likely to connect their sensitive little IoT gadget *directly* to the internet where it can be abused and sodomized by the skiddies if they ever discover it. If an idiot does do that, then they deserve to get sodomized.

    An EU sticker with a "Passed security compliance as of <enter date here>" would be worth as much as a piece of soiled toilet paper in about 3 months to a year's time after that date, especially if the IoT manufacturer is a lazy piece of p*** who ships boxes, takes the money, then washes their hands of any after-sales support by way of updates or customer advice.

    Most people who have a need for, and understand, IoT devices will connect it to a router which ought to have reasonable ingress security to protect it. Those who can afford to have expensive IoT gadgets would probably already have a very beefed up firewall/proxy on their router to ensure that whatever is inside their firewall behaves when it goes outside to play and that *nothing* from the outside can get in unless it has the appropriate authentication. They can then worry about firmware updates at their leisure.

    1. Robert Carnegie Silver badge

      Re: Internet connectivity

      Devices probably will be wireless, 802.11 or Bluetooth - so they're at risk of being targeted from your front door or window, as well as through your home network.

  19. Stoneshop Silver badge
    Mushroom

    Stickers

    For a lot of idIoT tat the only applicable sticker is one that irremovably covers the power and network ports, and fully shields any WiFi, Bluetooth, LoRa and other EM radiation.

  20. You aint sin me, roit Silver badge

    I want a big fat sticker!

    "DO NOT CONNECT TO NETWORK"

  21. imanidiot Silver badge

    Oh good

    Another EU mandated sticker. Because we don't have enough of those and everybody pays attention to them!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021