White House unveils Cyber Trust Mark program for consumer devices
88 comments
·January 8, 2025vessenes
kube-system
You might be getting a bit too far ahead of where the industry is at with some of those wishlist items. NIST's requirements are things that are best practices that everyone agrees with, like:
* data stored/transmitted is secured by some kind of means
* the device supports software updates
* the device requires users to authenticate
* the device has documentation
* you can report security vulnerabilities to the developer
And even these are things that many devices fail to do, today. We gotta get the basics fixed first.
But for now, you can presume the Netflix button on your TV remote can't be configured to point to an alternative API if Netflix goes away. :)
rkagerer
the device supports software updates
'Cause they need somewhere to load in those exploits!
A hypothetical device which is all read-only (except perhaps for a very carefully crafted, limited set of configurable parameters) might in some cases be more secure than the bulk of what's on the shelves today. After all, how many widespread hacks do you read about on old, single-purpose fixed analog or digital devices (which in a sense are similarly 'read-only').
moritonal
An interesting thought is how when devices couldn't auto-update, they had to work out the gate. I imagine this encouraged companies to do much better testing to reach a gold-plate before deploying.
ocdtrekkie
Yep! My Insteon home automation devices have no firmware update capabilities. They also have an extremely simple local RF protocol. They allow smart device behavior but are too stupid to be "compromised".
TeMPOraL
The software update angle has already been commented on, but I'm not sure this one is a good idea either:
> the device requires users to authenticate
saltminer
> But for now, you can presume the Netflix button on your TV remote can't be configured to point to an alternative API if Netflix goes away. :)
At least for Android TV devices, Button Mapper works for some.
https://play.google.com/store/apps/details?id=flar2.homebutt...
vessenes
Oh, I'm with you 100%. The labels for my list will all be like black with a big X through them. But I propose consumer behavior has a better shot of changing with labels.
toddmorey
The device doesn’t ship with a known, unchangeable admin password. The device doesn’t needlessly require Wi-Fi access for basic local functionality. [my wish list]
drdaeman
> If that data is certified as end to end encrypted
This needs better and more detailed clarification. I've reverse engineered a camera-equipped pet feeder, and videos sent to a cloud (or my emulating server in my case) were partially encrypted - I-frames were, P-frames were NOT. Someone ticked a checkbox "videos are encrypted", and still left the thing glaring open.
Then, of course, it's also a matter of ciphers and modes, authentication, key generation, transmission and storage, etc etc.
Feels like encrypted storage and transmission features alone require a full whole label, like the FCC's broadband facts label, or FDA's nutritional facts label, which outlines what data exists in the system, where the data is stored, how it's encrypted, how it's authenticated, and so on.
Which is probably not happening until cryptography 101 becomes a part of general school curriculum and layman people start to understand the basics. Without people asking real questions and refusing to purchase products from sloppy engineering companies (aka voting with their wallets*), companies will always wave it away with tried-and-proven "military-grade security" bullshit.
___
*) That is, if there's even a competition. When no one does things right (because consumers don't know and thus don't ask for it), there's nothing to pick from.
ttyprintk
2023 FDA labeling for networked medical devices is conscious that a nurse might need to use the device on a network he/she doesn’t trust.
nimbius
another question: how does this work with open-source technology? Banana Pi for example is often considered an IOT.
ok123456
Can we add that it's self-repairable domestically?
dylan604
What could we do to make something self-repairable domestically that would also make it not repairable otherwise? Like if you bought it here, but then took it with you internationally, would it suddenly not be repairable?
simne
Some questions already answered in article - from gov't responsible NIST and FCC and from industry agreed to participate deputies from large companies, so now they will gather meetings and will create some documents.
So now, any interested subject (any human or entity, even "group of hackers") could ask to responsible. Or could talk with deputies, as their contacts should appear soon.
mystified5016
Seems to me that this would wholesale rule out projects like the ESP32 open WiFi driver. Or rather, in order to comply, espressif would have to retool their chips to make "unauthorized" aceess to the raw radio hardware impossible. Sort of how cellular modems are now.
Seems reasonable from the FCC's perspective, but I'm not sure how I'd feel about it.
JohnMakin
Cool, I'd rather have a stamp that indicates a company will support their product for X number of years, and if they don't, they will release the software as OSS so you can maintain yourself. I have an extremely expensive scale that came with wifi support and an app, only bought it 3 years ago, half the features already don't work because they nuked the app and stopped supporting the scale. did I need a smart scale? Absolutely not, and I don't really need any other "smart" devices the more I think about stuff like this, and now seek to buy "stupid" devices as much as possible. I'm not sure what such security stamps are supposed to provide other than false sense of security, as most things can be hacked eventually with enough determination or someone unknown zero day.
mxuribe
Yeah, nowadays i try to buy many things that are "not smart" in order to avoid what you experienced with the smart scale. That being said, i wonder if what you're asking for is more on the warranty side, rather than security/promise side? To clarify, i am 100% in agreement with you that after a company stops supporting a product, they should open source it (which could create a secondary ecosystem of techs who offer services to support said open source software if a person is not inclined to manage the OSS themselves, etc.)...However, technically wouldn't a company's "promise" to support software be more like a warranty? And in that case, whatever gov. agency who oversees warranties would need to nudge business to comply...nevertheless both this cybermark, a warranty on software lifecycle, and other things are the LEAST that shoild exist nowadays.
heresie-dabord
> try to buy many things that are "not smart"
This is the best strategy, but let's be clear... consumers who make a purchase have a reasonable expectation of owning a durable product that does not increase the threat surface of consumers' lives.
This means that the product requirements should be clear and the supply chain must be secure.
Until a "trust label" can guarantee these principles, the proposal is just another prop in a grand security theatre.
rkagerer
The real problem is very few vendors are inclined to spend the time and money to make their products truly stable & secure. Instead we churn out a firehouse of crap code for a sewage dump of cheap IoT products. I'm not sure how much a government-conceived seal will raise the bar of consumer expectations.
I'd still put my faith in other indicators like a company's track record, third party audits, robustness of open source library choices where applicable, my own analysis of their stack and engineering choices based on signs I can observe about their product / interface / etc (there are usually several present), my own testing and so forth.
I'd argue the generally accepted pace of consumer product development these days is reckless, and not sustainable if you want truly robust results.
I would have been glad to see this step in the right direction if I weren't convinced all it will likely amount to in practice is security theatre. Here's hoping my skepticism is unwarranted.
0xbadcafebee
This is a bit scary. Knowing how software is developed, I know there's no government program that could actually ensure a device is secure. It's one thing to measure an electronic device's EMI or pump it full of power and see if it catches fire. But black box testing of software is itself a black art, as software security is a lot more complex than [typical] electronic design.
The scary bit is that this label is going to be found to be ineffective, and then consumers may lose trust in government-issued safety stamps.
cookiengineer
In Germany we had something like this from the TUEV Süd, where they certified online shops and online banking websites for their security.
Suffice it to say, but the keywords are a google dork for finding easy to hack pentesting victims.
Now the BSI (German institute for cybersecurity, similar to CISA) also started to push out certifications for the BSI Grundschutz, which is an absolute meaningless certificate and literally tests the absolute bare minimum things.
The problem here is that there is no market, this cyber security crisis cannot be solved economically, because customers want a certificate without having to do further work. So they'll get it at whatever auditor that accepts their money.
This is how it's done, even for ISO 27001 and SOC2 certifications. Nobody gives a damn if a single working student has 20+ role descriptions laying on their table. Findings are always ignored and never corrected.
Cyber security policies and their effects over time need to be measurable first before there can be certification processes.
Additionally there needs to be legislation that cannot be interpreted. Things like "reasonably modern" cannot be used as a law text because it doesn't mean anything, and instead standardized practices have to be made mandatory requirements. Preferably by a committee that is not self controlling, maybe even something like the EFF, FSF, OWASP or Linux foundation.
est
> I know there's no government program that could actually ensure a device is secure
Well, there's SELinux, TOR
LinuxBender
I would be more specific than that. SELinux can be running and intentionally poorly written policies can allow absolutely anything to happen. The risk being, [X] Checkbox SELinux is technically running.
jzebedee
The combined requirements of govt purchasing must carry the mark and major US surveillance tech manufacturers like Amazon are leading the rollout, makes this seem less like a cybersecurity concern and more of a protectionist carve out.
readyplayernull
Laser safety glasses in Amazon are so fake anyone could come up with a conspiracy theory about some country trying to blind the population of another.
knowitnone
cool. you get to sue Amazon for millions for the loss of one eye
SketchySeaBeast
You mean get stuck in a legal battle which takes years where Amazon denies responsibility and pushes everything to the original vendor, who for some reason went out of business 15 minutes before the suit was filed?
beams_of_light
Things like this are useless, in my mind, because hackers are always going to innovate and find ways around protection mechanisms. Today's "locked down" IoT device could easily become tomorrow's "vulnerable to an easily exploitable pre-auth RCE".
What the government probably _should_ do is begin establishing a record of manufacturers/vendors which indicates how secure their products have been over a long period of time with an indication of how secure and consumer-friendly their products should be considered in the future. This would take the form of something like the existing travel advisories Homeland Security provides.
Should you go to the Bahamas? Well, there's a level 2 travel advisory stating that jet ski operators there get kinda rapey sometimes.
Should you buy Cisco products? Well, they have a track record of deciding to EOL stuff instead of fixing it when it's expensive or inconvenient to do the right thing.
Should you buy Lenovo products? Well, they're built in a country that regularly tries and succeeds in hacking our infrastructure and has a history of including rootkits in their laptops.
kube-system
NIST isn't a bunch of dummies that don't know this. The requirements posed are not micromanagement of device design; some address your concern exactly... like a requirement that developers provide contact information to report vulnerabilities and that devices makers just can't ignore authentication entirely.
But this is IoT stuff we're talking about here, not Lenovo/Cisco... but ReoLink/PETLIBRO/eufy/roborock/FOSCAM/Ring/iRobot/etc. Security (or the lack of it) in the IoT world is a whole different ball game. It isn't uncommon for IoT devices to be EOL on release date, or just lack authentication or encryption entirely.
timewizard
> NIST isn't a bunch of dummies that don't know this
They've provided thorough definitions and a label that implies they've all been understood by the manufacturer. It doesn't mean that this solves any real world problem.
> Security (or the lack of it) in the IoT world is a whole different ball game.
Those can be described as IoT devices. They're more appropriately categorized as "consumer electronics" and often have a firmware update right out of the box. That's what makes this badging program an absurd idea with no meaningful outcome. This segment is not going to care.
This isn't "Energy Star" where the purchased product does not have additional functionality which can be exposed or exploited through software and no third party testing can be exhaustive enough to prevent the obvious exploit from occurring.
Even to the extent they can it then enforces a product design which cannot be upgraded or modified by the user under any circumstances. Worse the design frustrates the users ability to do their own verification of the device security.
It's a good idea applied to the wrong category of products and users.
svnt
Picking and choosing companies like that could work if it could somehow remain apolitical. This registry can work despite the tendency for these things to become political.
What you’ve described is maybe more possible if provided by a Consumer Reports-style org that consumers could subscribe to.
Greyfoscam
Wouldn't it be simpler to have a QR code below the symbol with anything relevant to make this work ?
ryandrake
When I buy technology today, I'm 10X more worried about the manufacturer deliberately changing, killing or nerfing the product after I bought it, than I am worried about hackers compromising it. This goes for connected hardware, IOT devices, and software.
crazygringo
I'm interested in the actual details here --
1) What are the requirements for the mark? E.g. no passwords stored in plaintext on servers, no blank/default passwords on devices for SSH or anything else, a process for security updates, etc.?
2) Who is inspecting the code, both server-side and device-side?
3) What are the processes for inspecting the code? How do we know it's actually being done and not just being rubber-stamped? After all, discovering that there's an accidental open port with a default password isn't easy.
kube-system
https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8425.pdf
Yep, pretty basic stuff, like 'require authentication', 'support software updates', etc
> 2) Who is inspecting the code, both server-side and device-side?
UL is administering the program and they're going to come up with the requirements
> UL Solutions will work with stakeholders to make recommendations to the FCC on a number of important program details, like applicable technical standards and testing procedures, post-market surveillance requirements, the product registry, and a consumer education campaign.
bloomingkales
Here are requirements if you follow the China-bad politics:
1) Don’t be select Chinese products
2) Be select American products
It’s not reaaaally 3d chess, but a relatively crude misnomer for the “Made in America” stamp or “Its American and definitely not Chinese”.
The security practices are probably the same across products, it’s just the wrong time wrong presidency for China.
simne
Good questions. As I understand, they spent months to decide who will be responsible and who will pay (and how much). Announce happen after budget passed Parliament, so now could make manning table and hire people for next steps.
simne
Some questions already answered in article - from gov't responsible NIST and FCC and from industry agreed to participate deputies from large companies, so now they will gather meetings and will create some documents.
So now, any interested subject (any human or entity, even "group of hackers") could ask to responsible. Or could talk with deputies, as their contacts should appear soon.
schnable
Probably overlaps with the EU RED Cybersecurity requirements for IoT devices that are supposed to go into effect this year: https://www.ul.com/services/ul-solutions-cybersecurity-advis...
silisili
What's to stop the bad actors from just printing the logo on their gear anyways? Like they do with UL and N95?
Jtsummers
They describe it as being like EnergyStar which suggests they'll have a consumer accessible registry as described here:
https://www.ul.com/news/ul-solutions-named-lead-administrato...
> UL Solutions will also work with the FCC and program stakeholders to develop a national registry of certified products that consumers can access via QR code on the label. The registry will have more detailed information about each product. Additionally, UL Solutions will serve as liaison between the FCC and other CLAs, as well as other key stakeholders. [emphasis added]
and here:
https://www.fcc.gov/CyberTrustMark
> The logo will be accompanied by a QR code that consumers can scan, linking to a registry of information with easy-to-understand details about the security of the product, such as the support period for the product and whether software patches and security updates are automatic.
This doesn't block full-blown counterfeit products (recreating certified devices including the label), but does address non-compliant devices trying to pose as compliant.
likeabatterycar
> They describe it as being like EnergyStar which suggests they'll have a consumer accessible registry
I've seen Energy Star logos for 30 years and never knew there was a public database, never thought to verify, and I don't think anyone else has either. The only thing Energy Star has been useful for is extracting rebates from utility companies and buying shitty dishwashers which were certain to be worse than what they were replacing.
Verification is useless if no one knows about it, or if the data isn't actionable. I have verified UL mark numbers for questionable products, but they often resolve to some Chinese ODM you've never heard of like 'Xionshang Industrial Electric Company' whose name certainly doesn't match the product label. Do you know the components haven't been swapped out since certification was achieved? Was the product actually sourced from there or counterfeit? You have no way to verify any of that.
UL issues holographic stickers but I've seen those like 10% of the time and probably just as easily faked.
Jtsummers
https://www.energystar.gov/ - Here's the registry.
And I'm not saying this will be that useful, just that it's not going to be a sticker and nothing else. That would be truly useless and pretty much just make money for sticker makers.
knowitnone
how many people search the registries when they buy stuff? I've only done it once and the product(made in China) looked janky and as cheap as can be.
ehaskins
You have to have rules before you can enforce them...
It looks like part of the label [1] will include a QR or link to a public registry, so in theory you can easily confirm the device has actually been certified.
[1] https://docs.fcc.gov/public/attachments/FCC-23-65A1.pdf point 42
anotherhue
The vendor is supposed to check I think. Not that that makes sense in a comingling inventory world.
likeabatterycar
I'm sure Amazon - whose store is mostly generic Chinese schlock nowadays - will check.
Not that it matters, posters on this very site who claim to care will continue buying stuff off AliExpress, proud they got it for pennies on the dollar.
Look ma, a mini PC for $22! And they didn't even charge for the preinstalled malware!
Has anyone ever considered this junk is sold at a loss as a price of doing business, to expand a PRC-controlled botnet?
simne
Looks like you just have not deal with bad traders on platforms. I once found on local aggregator product too cheap to be good (unfortunately at that moment only two stores sell these product).
I stored their number in my notebook and going to my shopping, calling them from bus stop, and they answered me some nonsense.
I made my shopping, and some walk, then opened platform and these shops already disappear. Less than hour.
In other case I managed to make order and paid from card, and also shop disappeared. - In a week I received SMS from bank "your payment returned to your account".
knowitnone
assertion without proof is paranoia. not saying you are wrong but go get some proof first
simne
> What's to stop the bad actors from just printing the logo on their gear anyways?
This is federal offense, like document falsification.
So if somebody will be caught on doing it - could go to jail.
knowitnone
except they are not in your country so how can to go to jail and why do they care about you laws?
simne
Have you hear about customs?
ngneer
Who are these UL Solutions? They seem to have come out of nowhere and hit the jackpot, inserting themselves as arbiters for security. Smells a bit like how Common Criteria proffered independent certification labs, which were no panacea either.
amaterasu
Underwriters Laboratories, UL. Look at the back of pretty much any mains powered device and you'll see their mark. They were founded 130 years ago, and test and warrant devices (typically high voltage) to be safe. Security is a new thing for them, but they're well suited to provide the services.
floxy
Seems like good fodder for a tongue twister. Try saying it 10 times fast:
- Must the Cyber Truck (Musk) bear the Cyber Trust Mark?
devwastaken
The FCC doesnt do testing themselves. they just trust submitted paperwork. tech gets the “good one” certified then changes the parts for cheaper.
there is no regulation in tech. they own the fed.
Interesting. I'm not sure if the public comment period is over (The original proposal is dated August, 2023), but this stands out to me from their paper:
I guess it is the FCC so this makes sense from their point of view. From my perspective, I'd like to see marks indicating:* If the devices can be pointed to an alternate API provider if the company stops supporting
* If firmware has been escrowed / will be made available if the company stops supporting
* If device data is stored by the company
* If that data is certified as end to end encrypted
* Some marks for who / how the data is used