Not that it matters, posters on this very site who claim to care will continue buying stuff off AliExpress, proud they got it for pennies on the dollar.
Look ma, a mini PC for $22! And they didn't even charge for the preinstalled malware!
Has anyone ever considered this junk is sold at a loss as a price of doing business, to expand a PRC-controlled botnet?
I stored their number in my notebook and, while going shopping, called them from a bus stop; they answered me with some nonsense.
I did my shopping and took a walk, then opened the platform, and these shops had already disappeared. Less than an hour.
In another case I managed to place an order and paid by card, and that shop also disappeared. A week later I received an SMS from the bank: "your payment returned to your account".
It looks like part of the label [1] will include a QR or link to a public registry, so in theory you can easily confirm the device has actually been certified.
[1] https://docs.fcc.gov/public/attachments/FCC-23-65A1.pdf point 42
https://www.ul.com/news/ul-solutions-named-lead-administrato...
> UL Solutions will also work with the FCC and program stakeholders to develop a national registry of certified products that consumers can access via QR code on the label. The registry will have more detailed information about each product. Additionally, UL Solutions will serve as liaison between the FCC and other CLAs, as well as other key stakeholders. [emphasis added]
and here:
https://www.fcc.gov/CyberTrustMark
> The logo will be accompanied by a QR code that consumers can scan, linking to a registry of information with easy-to-understand details about the security of the product, such as the support period for the product and whether software patches and security updates are automatic.
This doesn't block full-blown counterfeit products (recreating certified devices including the label), but does address non-compliant devices trying to pose as compliant.
I've seen Energy Star logos for 30 years and never knew there was a public database, never thought to verify, and I don't think anyone else has either. The only thing Energy Star has been useful for is extracting rebates from utility companies and buying shitty dishwashers which were certain to be worse than what they were replacing.
Verification is useless if no one knows about it, or if the data isn't actionable. I have verified UL mark numbers for questionable products, but they often resolve to some Chinese ODM you've never heard of like 'Xionshang Industrial Electric Company' whose name certainly doesn't match the product label. Do you know the components haven't been swapped out since certification was achieved? Was the product actually sourced from there or counterfeit? You have no way to verify any of that.
UL issues holographic stickers but I've seen those like 10% of the time and probably just as easily faked.
And I'm not saying this will be that useful, just that it's not going to be a sticker and nothing else. That would be truly useless and pretty much just make money for sticker makers.
So, the product search works like a shopping cart site, and has no historical products, only new ones, and helpfully lists the prices.
Who is this meant to benefit?
This is a federal offense, like document falsification.
So if somebody is caught doing it, they could go to jail.
> Examples of eligible products include internet-connected home security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers, and baby monitors.
Ok, nothing I use then. I hope this comes to home and SMB network gear.
> We propose to focus the scope of our program on intentional radiators that generate and emit RF energy by radiation or induction. Such devices – if exploited by a vulnerability – could be manipulated to generate and emit RF energy to cause harmful interference. While we observe that any IoT device may emit RF energy (whether intentionally, incidentally, or unintentionally), in the case of incidental and unintentional radiators, the RF energy emitted because of exploitation may not be enough to be likely to cause harmful interference to radio transmissions.
I guess it is the FCC so this makes sense from their point of view. From my perspective, I'd like to see marks indicating:
* If the devices can be pointed to an alternate API provider if the company stops supporting
* If firmware has been escrowed / will be made available if the company stops supporting
* If device data is stored by the company
* If that data is certified as end to end encrypted
* Some marks for who / how the data is used
* data stored/transmitted is secured by some kind of means
* the device supports software updates
* the device requires users to authenticate
* the device has documentation
* you can report security vulnerabilities to the developer
And even these are things that many devices fail to do, today. We gotta get the basics fixed first.
But for now, you can presume the Netflix button on your TV remote can't be configured to point to an alternative API if Netflix goes away. :)
At least for Android TV devices, Button Mapper works for some.
https://play.google.com/store/apps/details?id=flar2.homebutt...
'Cause they need somewhere to load in those exploits!
A hypothetical device which is all read-only (except perhaps for a very carefully crafted, limited set of configurable parameters) might in some cases be more secure than the bulk of what's on the shelves today. After all, how many widespread hacks do you read about on old, single-purpose fixed analog or digital devices (which in a sense are similarly 'read-only').
Case in point: when 700,000 Netgear routers pinged the University of Wisconsin–Madison NTP server (hardcoded IP address) every second.
https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse#Ne...
No Bluetooth, no Wi-Fi, no protocol sophisticated enough to distribute code. Just locally transmitted instructions.
People thought old analog 900 MHz cordless phones were fine until others realized you could just tune a radio to that frequency and listen to your neighbors.
The problem with saying you need auth and crypto is now you just added a bunch of complexity you have to maintain and update and hence now you've introduced vulnerabilities.
The more popular the device, the more knowable the upside to an exploit. If the device can be updated, then usually the exploitable timeframe is limited and it's unknown if the attempt is even worthwhile.
> After all, how many widespread hacks do you read about on old, single-purpose fixed analog or digital devices (which in a sense are similarly 'read-only').
Well basically because any device of consequence is trivially hacked by now. Think about game consoles or anything that would have DRM today.
> After all, how many widespread hacks do you read about on old, single-purpose fixed analog or digital devices (which in a sense are similarly 'read-only').
Quite a lot -- these are some of the easiest devices to hack. The only saving grace is that most of them are not connected to the internet so they are only vulnerable to local attacks. But garage doors, cordless phones, keyless entry, smart locks, smart home protocols, etc are notoriously vulnerable.
The reason you don't hear about new vulnerabilities each week is precisely because they aren't updatable. The fact that they don't get updates with new vulnerabilities is not an advantage when they permanently have older vulnerabilities.
Disagree, it is extremely common for e.g. TVs and smart phones to ship with malware included. In fact it is almost impossible to buy some classes of devices that aren't intentionally compromised.
Having the thing never connect to the Internet at all and never receive updates is a far better security posture, and is the common recommendation among knowledgeable people for e.g. TVs.
In practice, your neighbors are almost certainly quite a bit less malicious than whatever a smart device might talk to on the Internet. Your neighbor isn't going to hack your cordless phone. Your TV manufacturer is definitely going to drop malware onto it, disable functionality (i.e. damage it), etc.
Tons and tons? I don't understand this viewpoint at all. As the saying goes, "There is no 'Internet of Things', just an Internet of unpatched Linux devices." That is, the primary vector for malware is devices that aren't (or can't be) patched after vulnerabilities are discovered.
I actually just spent time last week getting rid of tftpd, telnetd, netcat etc. on some IP cameras.
You only need a few KB of RAM to have a bot, especially with how it is almost the rule that embedded systems run everything as root.
If you have the ability to do firmware extraction, look at just how bad the industry is now.
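As an added illustration of the kind of audit the comment above describes (this is example code, not something posted in the thread or shipped by any camera vendor), here is a small Python script that parses `netstat -tulpn` style output as you might capture it over a device's serial console, and flags the legacy daemons that have no business listening on a consumer device. The sample output, the PIDs and the program names in it are constructed for the example; the risky-program list and the remediation hints are my own assumptions about what a reviewer would want to see.

```python
"""Audit listening services on an embedded device from netstat-style output.

Constructed example: the netstat text below is made up to look like a typical
IP camera; nothing here is captured from a real product.
"""

# Constructed sample of `netstat -tulpn` output (PIDs and programs are invented).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      412/telnetd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      388/httpd
tcp        0      0 127.0.0.1:554           0.0.0.0:*               LISTEN      401/rtspd
tcp        0      0 0.0.0.0:1234            0.0.0.0:*               LISTEN      450/nc
udp        0      0 0.0.0.0:69              0.0.0.0:*                           395/tftpd
"""

# Daemons that commonly ship on embedded firmware and should not be reachable on a
# consumer device (assumed list): cleartext logins, unauthenticated file transfer,
# raw shells. Values are remediation hints for the person doing the cleanup.
RISKY_PROGRAMS = {
    "telnetd": "cleartext login shell; disable it and use SSH with key auth if remote access is needed",
    "tftpd": "unauthenticated file transfer; remove it from the boot scripts",
    "ftpd": "cleartext file transfer; disable or replace with SFTP",
    "nc": "netcat listener; nothing on a shipping device should need this",
    "netcat": "netcat listener; nothing on a shipping device should need this",
}

# Well-known ports for the same services, in case the binary was renamed.
RISKY_PORTS = {21: "ftp", 23: "telnet", 69: "tftp"}


def parse_listeners(netstat_output: str) -> list[dict]:
    """Turn netstat -tulpn text into records. UDP rows lack the State column,
    so fields are taken from the front (proto, local address) and the back
    (PID/program) rather than by fixed index."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header lines and anything that is not a socket row
        bind_addr, _, port = fields[3].rpartition(":")
        pid_prog = fields[-1]
        program = pid_prog.split("/", 1)[1] if "/" in pid_prog else "?"
        listeners.append(
            {"proto": fields[0], "bind": bind_addr, "port": int(port), "program": program}
        )
    return listeners


def audit_listeners(netstat_output: str) -> list[dict]:
    """Return the listeners that match a risky program or port, with severity
    raised to 'high' when the socket is bound to every interface."""
    findings = []
    for lst in parse_listeners(netstat_output):
        reason = RISKY_PROGRAMS.get(lst["program"])
        if reason is None and lst["port"] in RISKY_PORTS:
            reason = f"well-known {RISKY_PORTS[lst['port']]} port"
        if reason is None:
            continue
        exposed = lst["bind"] in ("0.0.0.0", "::", "*")
        findings.append(
            {**lst, "exposed": exposed, "severity": "high" if exposed else "medium", "reason": reason}
        )
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_NETSTAT):
        print(f"[{f['severity']}] {f['proto']}/{f['port']} {f['program']} "
              f"bound to {f['bind']}: {f['reason']}")
```

Run it against the constructed sample and it reports telnetd, nc and tftpd as high severity while leaving httpd and the loopback-only RTSP daemon alone; feed it the real `netstat -tulpn` output from a device to get the same triage list before you start editing init scripts.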
> the device requires users to authenticate
Why in the world would anyone want unauthenticated access to these devices?
> But for now, you can presume the Netflix button on your TV remote can't be configured to point to an alternative API if Netflix goes away. :)
It is HackerNews, so your statement is true UNLESS you're willing to hack your TV. (But this shouldn't be a thing people _have_ to do...)
Warning: I haven't personally tried this.
This needs better and more detailed clarification. I've reverse engineered a camera-equipped pet feeder, and videos sent to a cloud (or my emulating server in my case) were partially encrypted - I-frames were, P-frames were NOT. Someone ticked a checkbox "videos are encrypted", and still left the thing glaring open.
Then, of course, it's also a matter of ciphers and modes, authentication, key generation, transmission and storage, etc etc.
Feels like encrypted storage and transmission features alone require a full label, like the FCC's broadband facts label or the FDA's nutrition facts label, which outlines what data exists in the system, where the data is stored, how it's encrypted, how it's authenticated, and so on.
Which is probably not happening until cryptography 101 becomes a part of general school curriculum and layman people start to understand the basics. Without people asking real questions and refusing to purchase products from sloppy engineering companies (aka voting with their wallets*), companies will always wave it away with tried-and-proven "military-grade security" bullshit.
___
*) That is, if there's even a competition. When no one does things right (because consumers don't know and thus don't ask for it), there's nothing to pick from.
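The partially encrypted pet-feeder stream described above is a good example of why a checkbox label is not enough. As an added illustration (example code, not from the thread and not the poster's reverse-engineering tooling), here is a Python checker that walks a captured sequence of video frames and reports which ones still contain syntactically valid H.264 Annex B NAL units, i.e. which frames were never encrypted. The frames are constructed for the example: the "encrypted" I-frames are deterministic opaque bytes standing in for real ciphertext, and the P-frames carry a real-looking start code and NAL header followed by made-up slice data.

```python
"""Find frames in a captured video stream that are still plaintext H.264.

Constructed example. An encrypted frame should be indistinguishable from random
bytes; a plaintext H.264 frame starts with an Annex B start code (00 00 01 or
00 00 00 01) followed by a NAL header whose forbidden_zero_bit is 0 and whose
nal_unit_type is in the defined range 1..23. The presence of such a unit is a
strong sign the frame was sent in the clear.
"""


def find_nal_units(payload: bytes) -> list[int]:
    """Return the nal_unit_type of every plausible NAL unit in payload."""
    types = []
    i, n = 0, len(payload)
    while i < n - 3:
        if payload[i] == 0 and payload[i + 1] == 0:
            if payload[i + 2] == 1:
                hdr_at = i + 3                       # 3-byte start code
            elif payload[i + 2] == 0 and payload[i + 3] == 1:
                hdr_at = i + 4                       # 4-byte start code
            else:
                i += 1
                continue
            if hdr_at < n:
                hdr = payload[hdr_at]
                if hdr & 0x80 == 0 and 1 <= (hdr & 0x1F) <= 23:
                    types.append(hdr & 0x1F)
            i = hdr_at + 1
        else:
            i += 1
    return types


def audit_stream(frames: list[tuple[str, bytes]]) -> dict:
    """frames: (label, payload) pairs in transmission order. Returns the frames
    that look like plaintext H.264 and the fraction of stream bytes they hold.
    A random ciphertext can contain a start code by chance (roughly one per
    16 MB), so a single hit is a lead, a pattern across frames is a finding."""
    findings, plaintext_bytes, total = [], 0, 0
    for idx, (label, payload) in enumerate(frames):
        total += len(payload)
        nal_types = find_nal_units(payload)
        if nal_types:
            plaintext_bytes += len(payload)
            findings.append({"index": idx, "label": label, "nal_types": nal_types})
    return {
        "plaintext_frames": findings,
        "plaintext_ratio": plaintext_bytes / total if total else 0.0,
    }


# --- constructed sample stream -------------------------------------------------

def _opaque(seed: int, length: int = 64) -> bytes:
    """Stand-in for a real ciphertext: deterministic bytes that are never 0x00,
    so no start code can appear. Not an actual cipher."""
    return bytes(((i * 37 + seed) % 255) + 1 for i in range(length))


def _plain_p_frame(seed: int) -> bytes:
    """Constructed plaintext P-frame: 4-byte start code, NAL header 0x41
    (nal_ref_idc=2, nal_unit_type=1 = non-IDR slice), then fake slice data."""
    return b"\x00\x00\x00\x01\x41" + bytes((i * 53 + seed) % 256 for i in range(59))


# I-frames encrypted, P-frames in the clear: the pattern the comment describes.
SAMPLE_STREAM = [
    ("I", _opaque(1)),
    ("P", _plain_p_frame(2)),
    ("P", _plain_p_frame(3)),
    ("I", _opaque(4)),
    ("P", _plain_p_frame(5)),
    ("P", _plain_p_frame(6)),
]


if __name__ == "__main__":
    report = audit_stream(SAMPLE_STREAM)
    for f in report["plaintext_frames"]:
        print(f"frame {f['index']} ({f['label']}) plaintext, NAL types {f['nal_types']}")
    print(f"{report['plaintext_ratio']:.0%} of stream bytes are unencrypted")
```

On the sample it flags frames 1, 2, 4 and 5 (every P-frame) and reports two thirds of the bytes as plaintext, which is the quantitative version of "the checkbox said encrypted". The same walk works on a pcap-extracted payload; the nal_unit_type list also tells you whether SPS/PPS (types 7 and 8) leaked, which is enough to reconstruct motion even without the I-frames.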
Seems reasonable from the FCC's perspective, but I'm not sure how I'd feel about it.
So now any interested party (any human or entity, even a "group of hackers") could ask those responsible. Or could talk with the deputies, as their contacts should appear soon.
I don't do hardware at all so this may be infeasible or misunderstood but I imagine a scheme whereby one needs the encryption key in order to properly change the key that the hardware attestation firmware is expecting. The attestation key is encrypted with a separate private key and is decrypted by the firmware with the corresponding public key.
Presuming that's feasible, it would only really work until that private key is leaked and our hostile trade partners pinky promise not to use it. Perhaps some licensing could be used to make the people who own the device to be responsible for repairing it at an approved repair shop but that still has to be enforced.
- Must the Cyber Truck (Musk) bear the Cyber Trust Mark?
What the government probably _should_ do is begin establishing a record of manufacturers/vendors which indicates how secure their products have been over a long period of time with an indication of how secure and consumer-friendly their products should be considered in the future. This would take the form of something like the existing travel advisories Homeland Security provides.
Should you go to the Bahamas? Well, there's a level 2 travel advisory stating that jet ski operators there get kinda rapey sometimes.
Should you buy Cisco products? Well, they have a track record of deciding to EOL stuff instead of fixing it when it's expensive or inconvenient to do the right thing.
Should you buy Lenovo products? Well, they're built in a country that regularly tries and succeeds in hacking our infrastructure and has a history of including rootkits in their laptops.
What you’ve described is maybe more possible if provided by a Consumer Reports-style org that consumers could subscribe to.
But this is IoT stuff we're talking about here, not Lenovo/Cisco... but ReoLink/PETLIBRO/eufy/roborock/FOSCAM/Ring/iRobot/etc. Security (or the lack of it) in the IoT world is a whole different ball game. It isn't uncommon for IoT devices to be EOL on release date, or just lack authentication or encryption entirely.
They've provided thorough definitions and a label that implies they've all been understood by the manufacturer. It doesn't mean that this solves any real world problem.
> Security (or the lack of it) in the IoT world is a whole different ball game.
Those can be described as IoT devices. They're more appropriately categorized as "consumer electronics" and often have a firmware update right out of the box. That's what makes this badging program an absurd idea with no meaningful outcome. This segment is not going to care.
This isn't "Energy Star" where the purchased product does not have additional functionality which can be exposed or exploited through software and no third party testing can be exhaustive enough to prevent the obvious exploit from occurring.
Even to the extent they can, it then enforces a product design which cannot be upgraded or modified by the user under any circumstances. Worse, the design frustrates the user's ability to do their own verification of the device security.
It's a good idea applied to the wrong category of products and users.
IoT devices are a subset of a much broader 'consumer electronics' category.
> and often have a firmware update right out of the box.
From major, established, mature companies, yes. Many device manufacturers in this category never issue firmware updates. Which is precisely why this is one of the requirements.
> This segment is not going to care.
Some may, some may not. The federal government will care, because they will be forced by law to comply.
> no third party testing can be exhaustive enough to prevent the obvious exploit from occurring.
Of course, no cybersecurity compliance plan can prevent exploits from occurring. If you try to address cybersecurity in that way, you will fail, anyway. The point is to place controls in place which are achievable, measurable, and help to mitigate risk.
> Even to the extent they can it then enforces a product design which cannot be upgraded or modified by the user under any circumstances.
NIST's requirements require the opposite of this.
This is the best strategy, but let's be clear... consumers who make a purchase have a reasonable expectation of owning a durable product that does not increase the threat surface of consumers' lives.
This means that the product requirements should be clear and the supply chain must be secure.
Until a "trust label" can guarantee these principles, the proposal is just another prop in a grand security theatre.
I wonder how strict the regulations on Chinese software parts will be. For parts originating in the EU/US/Australia/Korea, they should be less strict if the source can be proven.
[1]: https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8425.pdf
User upgradability if the company folds or sunsets the product. When that happens, the user will need to buy a new device or live with compromised devices. Most will live with the compromised device.
So, IMO, the product should be fully open source and easily upgraded in order to get the Cyber Trust Mark.
This isn't something which a company can meaningfully guarantee to consumers. Even if it's technically possible for users to install their own software on a device - for that matter, even if the company goes out of their way to support it by releasing documentation and source code - there simply isn't interest from developers to build and maintain custom software for those devices. And the same goes for devices which depend on online services - those services cost money to run, and the number of users capable and willing to run their own is minuscule.
1) What are the requirements for the mark? E.g. no passwords stored in plaintext on servers, no blank/default passwords on devices for SSH or anything else, a process for security updates, etc.?
2) Who is inspecting the code, both server-side and device-side?
3) What are the processes for inspecting the code? How do we know it's actually being done and not just being rubber-stamped? After all, discovering that there's an accidental open port with a default password isn't easy.
Yep, pretty basic stuff, like 'require authentication', 'support software updates', etc.
> 2) Who is inspecting the code, both server-side and device-side?
UL is administering the program and they're going to come up with the requirements
> UL Solutions will work with stakeholders to make recommendations to the FCC on a number of important program details, like applicable technical standards and testing procedures, post-market surveillance requirements, the product registry, and a consumer education campaign.
1) Don’t be select Chinese products
2) Be select American products
It’s not reaaaally 3d chess, but a relatively crude misnomer for the “Made in America” stamp or “It's American and definitely not Chinese”.
The security practices are probably the same across products, it’s just the wrong time wrong presidency for China.
I'd still put my faith in other indicators like a company's track record, third party audits, robustness of open source library choices where applicable, my own analysis of their stack and engineering choices based on signs I can observe about their product / interface / etc (there are usually several present), my own testing and so forth.
I'd argue the generally accepted pace of consumer product development these days is reckless, and not sustainable if you want truly robust results.
I would have been glad to see this step in the right direction if I weren't convinced all it will likely amount to in practice is security theatre. Here's hoping my skepticism is unwarranted.
The scary bit is that this label is going to be found to be ineffective, and then consumers may lose trust in government-issued safety stamps.
Suffice it to say, the keywords are a Google dork for finding easy-to-hack pentesting victims.
Now the BSI (German institute for cybersecurity, similar to CISA) also started to push out certifications for the BSI Grundschutz, which is an absolute meaningless certificate and literally tests the absolute bare minimum things.
The problem here is that there is no market, this cyber security crisis cannot be solved economically, because customers want a certificate without having to do further work. So they'll get it at whatever auditor that accepts their money.
This is how it's done, even for ISO 27001 and SOC2 certifications. Nobody gives a damn if a single working student has 20+ role descriptions lying on their table. Findings are always ignored and never corrected.
Cyber security policies and their effects over time need to be measurable first before there can be certification processes.
Additionally there needs to be legislation that cannot be interpreted. Things like "reasonably modern" cannot be used as a law text because it doesn't mean anything, and instead standardized practices have to be made mandatory requirements. Preferably by a committee that is not self controlling, maybe even something like the EFF, FSF, OWASP or Linux foundation.
Well, there's SELinux, TOR
No matter how good everyone in this trust mark program is, you're only one confused deputy[1] away from disaster.
I just looked at the closest mains powered device I have here (a fancy humidifier/fan), and only saw an Inmetro mark, there's no UL mark at all.
(My point is: plenty of people are not from the USA. I happen to have already heard that the UL is sort of the USA equivalent of our Inmetro, though like many things in the USA it's a private entity instead of a government entity, but the parent poster probably hadn't heard of that.)
Cybersecurity best practices are a point-in-time snapshot, and the label will depend on the state at purchase time. How will that help people who have purchased second hand, or cases where products already on shelves suddenly had a vulnerability discovered? You really think they are going to go through the cost of sending those back?
All software bugs can potentially be security bugs. This follows classic shock doctrine.
Verdict: nope.
This is something that an independent, international cybersecurity nonprofit should be in charge of, not a standards org that shills for what we think may have been the NSA (BULLRUN).
We need a blue ribbon commission on transparency, honesty, and good governance desperately. Let's reduce any federal agencies that make any sort of direct-to-citizen recommendations by 100% and instead spend that on rooting out bad incentives, misinformation, etc.
there is no regulation in tech. they own the fed.