Stickers emerge as EU's weapon against dud IoT security The European Commission is readying a push to get companies to produce labels that reveal the security baked into internet-of-things things. The labelling effort is part of a broader push to drive companies to better handle security controls and privacy data in the notoriously insecure and leaky devices. Deputy head of …
One part of the problem is that even with source, it can't necessarily be easily updated, or even updated at all. Just because you can coerce your hardware to accept an update, doesn't mean the other owners could. I think you'd at least need a sticker for how to update - automatic, prompted, does it need you to run a windows executable, or to insert a usb key, does it need to have open internet connectivity. Step two would then inevitably be can you roll back an automatic update, when the manufacturer ships you an update that breaks functionality you use.
Il upvote you to counter the downvotes. You see, there should be no big reason why an update cannot be applied if FULL sources are available. If the manufacturer can do it, so can we. The problem comes when "open source" means you get the Linux kernel, busybox, etc but nothing of the update system or any of the "custom" software or hardware drivers. Shall I list the devices I own that claim to have source code but that means only the parts the GPL oblige to be open? Useless. Proper source can get things moving, but it's a rare device one can build their own firmware for...
I am warming to the idea that the layperson, to use the OA's qualifier, is not the person to explain security to. If an entire generation of people could not learn to set the time on their VCRs (slightly exaggerated, I know), it is unreasonable to expect their offspring to understand the stakes in our security-lacking world of today.
Security needs a major shift into companies baking the security into their products and making it easy to use despite the user's cluelessness. Not an easy task given the lack of security awareness in companies at this point in time, but one that will become feasible after enough finger-pointing and IoT-based DDoS attacks.
So we're basically going towards a more security-friendly world one DDoS at a time.
A, AA, AAA, AAAA
The cleaner won't lift dust, the dishwasher will leave cups stained and have no rinse cycle, the lamps won't be bright enough and omnidirectional to light a whole room, the toaster will dry out the bread and only brown it at max setting and only take pan sized slices, not larger batch loaf, the coffee machine won't even keep warm for mandated 40min max but 20min ... etc.
Sadly we do understand the evil energy saving stickers.
Not totally pointless.
History tells us that security has a shelf life, so a label that specifies the security measures being used helps with the asset management.
However, I do think the EU needs to set up a quasi-independent organisation to do for IoT what the WiFi Alliance did for WiFi interop. It's job being to define a suite of standards-based interop profiles, a testing regime and product kitemark/labelling scheme.
Whilst a WiFi network set up to WiFi Alliance's best practises isn't as secure as a network setup based on CESG guidance, for many it did facilitate a means to move away from WEP to WPA2/AES etc. Obviously, it still needs an expert to know whether a product carrying a 2006 WiFi-Alliance kitemark is still fit for purpose in a system built using products that satisfy 2016 security concerns.
The problem is not whether or not there are stickers. What is important is the ENFORCEMENT. If selling a shoddy product with a "this is secure" sticker means Juncker shouts, don't expect anybody to pay attention. If selling a shoddy product means all stock in the EU is seized and the director jailed, then companies might take it seriously...
It's something that could be baked into the standards behind the stickers. The sticker would tell you for how many years the manufacturer has committed to provide patches. (That could be a powerful market incentive - consumers aren't going to like shelling out good money on an appliance that has a sticker on the front telling them it'll be going in the bin after 3 years.) The standard would specify how promptly fixes for any CVE-logged vulnerability must be delivered during that support lifetime. If the manufacturer fails to meet the standard, they used the sticker improperly and get fined by the regulator. Add on mandatory requirements for source code escrow and a financial bond to fund maintenance if the company folds during the product's lifetime, and you could come up with a regulatory system that would improve IoT security in a useful way.
I mean I doubt they will, but they could.
"Kleiner said the Commission would encourage companies to come up with a labelling system for internet-connected devices that are approved and secure."
Maybe it is time to quote Bruce Schneier again: "Security is a process, not a product."
Given how many C and D labelled refrigerators are still being sold, I wonder how many people would still buy those insecure IoT devices. Hey, D is so much cheaper than A.
Suppose it's not connected to the internet and air-gapped. What's wrong with a "D" label?
-
As for home appliances, physics don't work that way.
Dishwasher tablets are standardized to work in a certain volume of water. I think it's something like 5 liters. Heating up 5 liters of water from 20 °C to 70 °C will always require 0.3 kWh. Pumping water with a 500 W pump for 2 hours will always require 1 kWh.
An AAAA model will require exactly the same energy in that intensive wash cycle as an A model. And that A model might actually have more usable low energy programs which might end up saving power in the long run.
I have an AA-qualified dishwasher. The newer model with AAA qualification was an extra ~50 euro. The testing method requires that the very first program after turning on is the one used for testing.
I used it once for only slightly dirty dishes. I didn't even bother removing them from the dishwasher since they were stained, and still dirty and wet (despite 1.5 hours of washing and 2 hours of "drying"). Using the same detergent, I set it for one hour quick program (same temperature of 50 °C), and the dishes were completely clean.
--
As for fridges, same physics apply. Assuming the same insulation, it requires the same amount of energy to remove 1 kJ of heat regardless of the energy saving features. I do have a nice AA model that works pretty well, but I bought it for the warranty (10 years for the pump which is the digital direct drive version). It's nice and quiet as long as it's running on gear 1-2 out of five. At 3 it's already as loud as my older fridge and at 4-5, it's loud enough to be heard, although fortunately it's just a humming noise.
I realize people buy into the hype, but standardized labels are for standardized conditions for standardized people in a standardized world.
Sadly, in the real world, there are no standardized conditions or standardized people. But standardized labels exist.
"However, we can't tell you how much, because we don't understand IT security ourselves. In fact, we can't even tell you what it is. Manufacturer may also have more friends in government than you do, and therefore any liability from compromise of this product defaults to you, the owner. Product's poor security may also be the direct result of government efforts to enable mass surveillance, because we all know you can't be trusted.
Warning: substitution of older model, non-computerized models for this product has been made illegal, as numerous campaign and manifesto promises about championing of smart green products have already been made without consideration to what this means to you, the owner."
Would it not make sense to have the IOT devices use a non routable protocol and have a house gateway for this sh.... stuff?
We could then tailor the gateway to our requirements for cost, security, features and as the non routable stuff is hidden, non update-able items can be tolerated as long as the gateway locks them down to a limited set of instructions.
To me the error is in considering a device that does one or two things needs to be able to get to the rest of the world, directly.
Considering how much dangerous stuff can be bought over t'interweb already with no oversight from overstretched trading standards/ govt. departments, how is this going to be regulated?
I see mains plugs with no fuse and inadequate dimensions here :
http://www.electriciantalk.com/f25/counterfeit-illegal-plugs-leads-27655/
http://www.bs1363.org.uk/
Our local chip shop owner had two led signs from ebay that had failed, the mains lead was secured to the hardboard by hot melt glue as was the control electronics board, no mains cable clamp at all. I've sent piccies to HSE last Feb. but heard nothing since. In case any of you are thinking of following a similar route with some dodgy electricals, be aware that neither HSE nor Trading standards seem to be aware of their respective responsibilities. I had to send HSE a copy of the relevant page from a govt. document to show them that the complaint fell within their remit. They kept arguing that :
"Thank you for taking the time to report your concern to the Health and Safety Executive. The enforcement of health and safety matters in this particular premises does not fall to HSE. HSE do not enforce Fish and Chip shops, therefore the enforcement of this premises falls to the Local Council."
and :
"Apologies that we have not gotten back to you sooner regarding your concern below.
I have had a look at the website (******) which you kindly provided the link for deals with signs for bars and restaurants.
It looks to me like a matter for trading standards rather than HSE as ****** is selling to the retail trade."
They did eventually admit that it was their responsibility as detailed here :
<ENFORCEMENT
The Regulations are primarily enforced by the local authority trading standards departments with regard to consumer products. The Health and Safety Executive enforce the Regulations in respect of electrical equipment that is:
1. designed for use or operation by persons at work; or
2. designed for use otherwise than at work, in non-domestic premises made available for persons at a place where they may use the equipment.
Any reference to an enforcement authority in this guide is a reference to both trading standards officers and Inspectors of the Health and Safety Executive.>
There should be other (ralated) mandatory stickers in bright red on white in inch high text like
WARNING : This product sends your information to other people
WARNING : This product will be an expensive paper-weight when <company> closes or decides it does not want to continue running it or wants you to upgrade.
Anything requiring those stickers don't go near my home.
No-one, other than a complete idiot, is likely to connect their sensitive little IoT gadget *directly* to the internet where it can be abused and sodomized by the skiddies if they ever discover it. If an idiot does do that, then they deserve to get sodomized.
An EU sticker with a "Passed security compliance as of <enter date here>" would be worth as much as a piece of soiled toilet paper in about 3 months to a year's time after that date, especially if the IoT manufacturer is a lazy piece of p*** who ships boxes, takes the money, then washes their hands of any after-sales support by way of updates or customer advice.
Most people who have a need for, and understand, IoT devices will connect it to a router which ought to have reasonable ingress security to protect it. Those who can afford to have expensive IoT gadgets would probably already have a very beefed up firewall/proxy on their router to ensure that whatever is inside their firewall behaves when it goes outside to play and that *nothing* from the outside can get in unless it has the appropriate authentication. They can then worry about firmware updates at their leisure.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
