Could we stop calling these pieces of junk "smart" devices? This marketing BS makes me puke.
== Bring us Dabbsy back! ==
The Biden administration is pushing ahead with its drive to add cyber security labeling to consumer Internet of Things (IoT) devices, and may join other nations in adopting the scheme pioneered by Singapore. This desire for labeling, and what's been achieved so far, was discussed at a Wednesday meeting attended by US deputy …
Out of curiosity, has Biden been holding all of the good legislation for the 6 months before the midterms?
It seems that nothing much was accomplished in the 18 months after he won the presidency, then not much happened.
Don't get me wrong, Dems are almost infinitely preferable to whatever scumbag the GOP put forward, but it just seems like Brandon has spent most of the last 2 years preparing for a dash to important elections.
It takes time to plan things out. Would you like little or no thought put into this "cyber security labeling" scheme, or would you like them to have some experts spend some time delving into what the problems are and whether and how they can be fixed, then consulting with interested parties like Google before putting this forward?
It can hardly be argued this was held up to shortly before the election to win votes, because how many additional votes do you think would go the Democrats' way based on this? It isn't exactly free stimulus checks or a temporary roll back of the federal gas tax; hardly anyone will notice this or care that it is being done. Even if it is a big success and this forces the IoT industry to care a bit more about security, it isn't something voters will care about.
What exactly are you thinking will happen in 2024? "Vote for Biden, he made my Ring doorbell more secure?" "Vote for Biden, because of him the vendor of my smart bulbs has announced three years of security patching support?" Yeah, not so good for campaign slogans!
consumers may not have the visibility they need into whether their IoT devices protect their data
and that is not going to change by applying a "secure" label to the device.
Who re-evaluates a device with top ratings for using minimal data protected by strong encryption after patches provide new functionalities and use data in different ways?
Is the label changed when new vulnerabilities become known?
How would a user notice a lowered security label rating?
The only safe way to use "smart" devices is to assume they will allow abuse of all data available to them and thus refuse to give them any data [that is not strictly necessary for a functionality that gives benefits that (far) outweigh any potential abuse of the data].
The label will be a tiny yellow stick-on thing printed in 3 point type and placed on the side of a screw well or other inaccessible place. It will designate the device as falling into one of a half dozen standard categories: Minimal, Ineffective, Token, Problematic, None or N/A. The last is for dumb devices such as paperweights and thumbtacks that have no electronics and are therefore actually secure ... at least for the time being.
I can't help but think that such labelling is pretty pointless. If something can talk to the internet, it can probably be compromised. End of.
Where stuff hides that it is connecting is what needs opening up. And for what purpose that is has been hidden. A cursory look at PiHole reveals all sorts of traffic from Samsung / Android / MS Windows being blocked. (In fact the TV generates more than anything else.)
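The kind of visibility the comment above describes can be pulled out of Pi-hole's own query log rather than eyeballed. The following is an added example, not code from the original thread or from the Pi-hole project: it parses dnsmasq-style log lines (constructed here; hostnames and addresses are made up) and attributes each "gravity blocked" line to the client that issued the preceding query for that domain, so you can see which device on the LAN is phoning home the most.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the dnsmasq format Pi-hole writes to /var/log/pihole.log.
# Hostnames and addresses are invented for this example.
SAMPLE_LOG = """\
Jan 10 20:01:02 dnsmasq[812]: query[A] ads.tv-vendor.example from 192.168.1.20
Jan 10 20:01:02 dnsmasq[812]: gravity blocked ads.tv-vendor.example is 0.0.0.0
Jan 10 20:01:05 dnsmasq[812]: query[A] time.example.org from 192.168.1.20
Jan 10 20:01:05 dnsmasq[812]: forwarded time.example.org to 9.9.9.9
Jan 10 20:01:09 dnsmasq[812]: query[AAAA] metrics.phone-os.example from 192.168.1.31
Jan 10 20:01:09 dnsmasq[812]: gravity blocked metrics.phone-os.example is ::
Jan 10 20:01:12 dnsmasq[812]: query[A] telemetry.tv-vendor.example from 192.168.1.20
Jan 10 20:01:12 dnsmasq[812]: gravity blocked telemetry.tv-vendor.example is 0.0.0.0
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
BLOCK_RE = re.compile(r"gravity blocked (\S+) is \S+$")


def blocked_by_client(log_text):
    """Return {client_ip: Counter(domain -> number of blocked lookups)}.

    A 'gravity blocked' line carries no client address, so each block is
    attributed to the most recent query line seen for the same domain.
    """
    last_client = {}
    result = defaultdict(Counter)
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            last_client[q.group(2)] = q.group(3)
            continue
        b = BLOCK_RE.search(line)
        if b:
            domain = b.group(1)
            result[last_client.get(domain, "unknown")][domain] += 1
    return dict(result)


def noisiest_clients(log_text):
    """Clients ordered by total blocked queries, highest first."""
    totals = {c: sum(v.values()) for c, v in blocked_by_client(log_text).items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    per_client = blocked_by_client(SAMPLE_LOG)
    for client, total in noisiest_clients(SAMPLE_LOG):
        print(f"{client}: {total} blocked")
        for domain, n in per_client[client].most_common():
            print(f"    {domain} x{n}")
```

Point it at a real pihole.log and the TV-like device at the top of the list is the one worth putting on its own VLAN or firewalling outright.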
Yep. I have to think this "labelling" will be about as useful as the yellow energy-efficiency labels on appliances - good for about 3 seconds when you're in the store deciding which washing machine to buy, but completely useless after you purchase one. But it keeps several bureaucrats employed with important-sounding titles.
Not to mention, there's not an army of dark forces out there trying to make your washing machine less energy efficient than what's on the yellow label. But the IoT colored light bulb from Google you bought two years ago could be pwned at any second, even though the label on it says it's safe and doesn't store any data (because Google makes sure ($$$) all of their devices get a label giving them the highest rating possible, regardless of whether they actually merit it or not). I mean, a washing machine motor and transmission will degrade along a known statistical curve. IoT security is all about compromise because of unknowns, so any "label" is pretty much out of sync by the time the ink dries.
In order to work, it needs to be backed by formal standards and managed by a disinterested party. The UK BSI Kite Mark works very well for a wide range of goods as it fulfils both those requirements so it's an excellent model to follow. However if the proposed labelling is a mere self certification it will inevitably be useless, as the CE mark has shown on many occasions.
China? None of that. We're moving manufacturing back to North America (just in time to be replaced by a massive wave of automation that actually works -- but that's another tale for another time)
In the meantime, this is your shot at a killer business startup. Making pointless security labels for companies to paste on useless (or worse) internet connected electronic gear. Remember -- Move fast, break things. Get to market first even if the labels are wrong and stick only to those trying to apply them and possibly to household pets.
Like you can't put the label on it if you don't commit to security patches for a given length of time - maybe a longer time for getting a "better" mark on the label - then it would do some good. Assuming consumers know about it, and are only willing to buy gear with the proper label.
And assuming Amazon polices its third party sellers so vendors of cheap Chinese crap don't fraudulently add the label to their stuff. Though if done right, the labeling might be a way to help Amazon police it - or call them out for failing even the most basic checks if not.
Until details are made available we can only guess how much it will improve matters, if at all. There are some places where simple labeling makes a real difference, like UL listing in the US (the equivalent in Europe is CE IIRC) so we'll see.
Singapore uses the European Standard for IoT Security, ETSI EN 303 645, written in 2020 ... there are even specifications for assessment and implementation. Finland also uses it, and of course we have the EU Cybersecurity Act, which introduces an EU-wide cybersecurity certification framework for ICT products, services and processes that uses these standards. The USA is far behind what is happening elsewhere ... See https://www.etsi.org/technologies/consumer-iot-security
I just had a brief look through the Singapore CLS site.
https://www.csa.gov.sg/Programmes/certification-and-labelling-schemes/cybersecurity-labelling-scheme/about-cls
I see that the product label expires after 3 years, so what happens if a manufacturer wants to support it past 3 years?
Why not have it as a yearly renewal after 3 years whereby the manufacturer can state if they want to carry on supporting the product or it's EOL?
I have had some home routers which I recall had over 3 years of updates.
Maybe they want us to dump everything after 3 years and buy new stuff. And if you wanted to wait a year after the product is out, to check if there are any problems with longer term usage, you basically have only 2 years of updates left, according to that site.
Seems ... problematic.
This is nothing but political theater that accomplishes nothing. Consumers will not read the labels, and the labels are out of date days after the device is purchased.
This is as pointless as the labels on tobacco products: do smokers read them or care? No! This is like California labeling almost everything with "This product may contain dangerous stuff".
What's next, labels on kitchen knives saying "Don't stick in your eyes!"?