White House unveils Cyber Trust Mark program for consumer devices
163 comments
·January 8, 2025vessenes
kube-system
You might be getting a bit too far ahead of where the industry is at with some of those wishlist items. NIST's requirements are things that are best practices that everyone agrees with, like:
* data stored/transmitted is secured by some kind of means
* the device supports software updates
* the device requires users to authenticate
* the device has documentation
* you can report security vulnerabilities to the developer
And even these are things that many devices fail to do, today. We gotta get the basics fixed first.
But for now, you can presume the Netflix button on your TV remote can't be configured to point to an alternative API if Netflix goes away. :)
rkagerer
the device supports software updates
'Cause they need somewhere to load in those exploits!
A hypothetical device which is all read-only (except perhaps for a very carefully crafted, limited set of configurable parameters) might in some cases be more secure than the bulk of what's on the shelves today. After all, how many widespread hacks do you read about on old, single-purpose fixed analog or digital devices (which in a sense are similarly 'read-only').
jayd16
Some things to realize about read-only devices is that once they are cracked, they are cracked forever. The devs have dev time to secure the device, the hackers have infinite time to crack it. Once done, the game is up. All instances are now easily exploited.
The more popular the device, the more knowable upside to an exploit. If the device can be updated, then usually the exploitable timeframe is limited and its unknown if the attempt is even worthwhile.
> After all, how many widespread hacks do you read about on old, single-purpose fixed analog or digital devices (which in a sense are similarly 'read-only').
Well basically because any device of consequence is trivially hacked by now. Think about game consoles or anything that would have DRM today.
kube-system
Most software vulnerabilities aren't intentionally added backdoors, but flaws in the software that shipped on a device.
> After all, how many widespread hacks do you read about on old, single-purpose fixed analog or digital devices (which in a sense are similarly 'read-only').
Quite a lot -- these are some of the easiest devices to hack. The only saving grace is that most of them are not connected to the internet so they are only vulnerable to local attacks. But garage doors, cordless phones, keyless entry, smart locks, smart home protocols, etc are notoriously vulnerable.
The reason you don't hear about new vulnerabilities each week is precisely because they're aren't updatable. The fact that they don't get updates with new vulnerabilities is not an advantage when they permanently have older vulnerabilities.
moritonal
An interesting thought is how when devices couldn't auto-update, they had to work out the gate. I imagine this encouraged companies to do much better testing to reach a gold-plate before deploying.
ocdtrekkie
Yep! My Insteon home automation devices have no firmware update capabilities. They also have an extremely simple local RF protocol. They allow smart device behavior but are too stupid to be "compromised".
nyrikki
You don't need access to persistent storage, especially with multi-entry executables like busybox, which are often similar to built in rootkits today.
I actually just spent time last week getting rid of tftpd, telnetd, netcat etc... on some IP cameras last week.
You only need a few k of ram to have a bot, especially with how it is almost the rule that embedded system run everything as root.
If you have the ability to do firmware extraction, look at just how bad the industry is now.
hn_throwaway_99
> After all, how many widespread hacks do you read about on old, single-purpose fixed analog or digital devices (which in a sense are similarly 'read-only').
Tons and tons? I don't understand this viewpoint at all. As the saying goes "There is no 'Internet of Things', just an Internet of unpatched Linux devices." That is, the primary vector for malware is devices that aren't (or can't) be patched after vulnerabilities are discovered.
null
TeMPOraL
The software update angle has already been commented on, but I'm not sure this one is a good idea either:
> the device requires users to authenticate
kube-system
No, it is a good idea. If someone is operating or changing settings on your baby monitor, doorbell camera, garage door opener, smart switch, light bulb, etc -- the developer should check to make sure that the actor doing so is authorized to do it.
Why in the world would anyone want unauthenticated access to these devices?
saltminer
> But for now, you can presume the Netflix button on your TV remote can't be configured to point to an alternative API if Netflix goes away. :)
At least for Android TV devices, Button Mapper works for some.
https://play.google.com/store/apps/details?id=flar2.homebutt...
extraduder_ire
Whoever made the decision to make Intents work the way they do on Android made a really good choice. It's remarkable how much you can customize and replace different pieces of software on an android device.
godelski
> But for now, you can presume the Netflix button on your TV remote can't be configured to point to an alternative API if Netflix goes away. :)
Warning, I haven't personally tried this
vessenes
Oh, I'm with you 100%. The labels for my list will all be like black with a big X through them. But I propose consumer behavior has a better shot of changing with labels.
mystified5016
Seems to me that this would wholesale rule out projects like the ESP32 open WiFi driver. Or rather, in order to comply, espressif would have to retool their chips to make "unauthorized" aceess to the raw radio hardware impossible. Sort of how cellular modems are now.
Seems reasonable from the FCC's perspective, but I'm not sure how I'd feel about it.
drdaeman
> If that data is certified as end to end encrypted
This needs better and more detailed clarification. I've reverse engineered a camera-equipped pet feeder, and videos sent to a cloud (or my emulating server in my case) were partially encrypted - I-frames were, P-frames were NOT. Someone ticked a checkbox "videos are encrypted", and still left the thing glaring open.
Then, of course, it's also a matter of ciphers and modes, authentication, key generation, transmission and storage, etc etc.
Feels like encrypted storage and transmission features alone require a full whole label, like the FCC's broadband facts label, or FDA's nutritional facts label, which outlines what data exists in the system, where the data is stored, how it's encrypted, how it's authenticated, and so on.
Which is probably not happening until cryptography 101 becomes a part of general school curriculum and layman people start to understand the basics. Without people asking real questions and refusing to purchase products from sloppy engineering companies (aka voting with their wallets*), companies will always wave it away with tried-and-proven "military-grade security" bullshit.
___
*) That is, if there's even a competition. When no one does things right (because consumers don't know and thus don't ask for it), there's nothing to pick from.
ttyprintk
2023 FDA labeling for networked medical devices is conscious that a nurse might need to use the device on a network he/she doesn’t trust.
toddmorey
The device doesn’t ship with a known, unchangeable admin password. The device doesn’t needlessly require Wi-Fi access for basic local functionality. [my wish list]
simne
Some questions already answered in article - from gov't responsible NIST and FCC and from industry agreed to participate deputies from large companies, so now they will gather meetings and will create some documents.
So now, any interested subject (any human or entity, even "group of hackers") could ask to responsible. Or could talk with deputies, as their contacts should appear soon.
ok123456
Can we add that it's self-repairable domestically?
dylan604
What could we do to make something self-repairable domestically that would also make it not repairable otherwise? Like if you bought it here, but then took it with you internationally, would it suddenly not be repairable?
lcnPylGDnU4H9OF
Curious if it would be possible for a manufacturer could do similar hardware attestation as what's done for iPhones while allowing for the hardware and its attestation key to be swapped for a different set only if one has a certain private encryption key.
I don't do hardware at all so this may be infeasible or misunderstood but I imagine a scheme whereby one needs the encryption key in order to properly change the key that the hardware attestation firmware is expecting. The attestation key is encrypted with a separate private key and is decrypted by the firmware with the corresponding public key.
Presuming that's feasible, it would only really work until that private key is leaked and our hostile trade partners pinky promise not to use it. Perhaps some licensing could be used to make the people who own the device to be responsible for repairing it at an approved repair shop but that still has to be enforced.
nimbius
another question: how does this work with open-source technology? Banana Pi for example is often considered an IOT.
JohnMakin
Cool, I'd rather have a stamp that indicates a company will support their product for X number of years, and if they don't, they will release the software as OSS so you can maintain yourself. I have an extremely expensive scale that came with wifi support and an app, only bought it 3 years ago, half the features already don't work because they nuked the app and stopped supporting the scale. did I need a smart scale? Absolutely not, and I don't really need any other "smart" devices the more I think about stuff like this, and now seek to buy "stupid" devices as much as possible. I'm not sure what such security stamps are supposed to provide other than false sense of security, as most things can be hacked eventually with enough determination or someone unknown zero day.
mxuribe
Yeah, nowadays i try to buy many things that are "not smart" in order to avoid what you experienced with the smart scale. That being said, i wonder if what you're asking for is more on the warranty side, rather than security/promise side? To clarify, i am 100% in agreement with you that after a company stops supporting a product, they should open source it (which could create a secondary ecosystem of techs who offer services to support said open source software if a person is not inclined to manage the OSS themselves, etc.)...However, technically wouldn't a company's "promise" to support software be more like a warranty? And in that case, whatever gov. agency who oversees warranties would need to nudge business to comply...nevertheless both this cybermark, a warranty on software lifecycle, and other things are the LEAST that shoild exist nowadays.
heresie-dabord
> try to buy many things that are "not smart"
This is the best strategy, but let's be clear... consumers who make a purchase have a reasonable expectation of owning a durable product that does not increase the threat surface of consumers' lives.
This means that the product requirements should be clear and the supply chain must be secure.
Until a "trust label" can guarantee these principles, the proposal is just another prop in a grand security theatre.
0xbadcafebee
This is a bit scary. Knowing how software is developed, I know there's no government program that could actually ensure a device is secure. It's one thing to measure an electronic device's EMI or pump it full of power and see if it catches fire. But black box testing of software is itself a black art, as software security is a lot more complex than [typical] electronic design.
The scary bit is that this label is going to be found to be ineffective, and then consumers may lose trust in government-issued safety stamps.
cookiengineer
In Germany we had something like this from the TUEV Süd, where they certified online shops and online banking websites for their security.
Suffice it to say, but the keywords are a google dork for finding easy to hack pentesting victims.
Now the BSI (German institute for cybersecurity, similar to CISA) also started to push out certifications for the BSI Grundschutz, which is an absolute meaningless certificate and literally tests the absolute bare minimum things.
The problem here is that there is no market, this cyber security crisis cannot be solved economically, because customers want a certificate without having to do further work. So they'll get it at whatever auditor that accepts their money.
This is how it's done, even for ISO 27001 and SOC2 certifications. Nobody gives a damn if a single working student has 20+ role descriptions laying on their table. Findings are always ignored and never corrected.
Cyber security policies and their effects over time need to be measurable first before there can be certification processes.
Additionally there needs to be legislation that cannot be interpreted. Things like "reasonably modern" cannot be used as a law text because it doesn't mean anything, and instead standardized practices have to be made mandatory requirements. Preferably by a committee that is not self controlling, maybe even something like the EFF, FSF, OWASP or Linux foundation.
est
> I know there's no government program that could actually ensure a device is secure
Well, there's SELinux, TOR
LinuxBender
I would be more specific than that. SELinux can be running and intentionally poorly written policies can allow absolutely anything to happen. The risk being, [X] Checkbox SELinux is technically running.
rkagerer
The real problem is very few vendors are inclined to spend the time and money to make their products truly stable & secure. Instead we churn out a firehouse of crap code for a sewage dump of cheap IoT products. I'm not sure how much a government-conceived seal will raise the bar of consumer expectations.
I'd still put my faith in other indicators like a company's track record, third party audits, robustness of open source library choices where applicable, my own analysis of their stack and engineering choices based on signs I can observe about their product / interface / etc (there are usually several present), my own testing and so forth.
I'd argue the generally accepted pace of consumer product development these days is reckless, and not sustainable if you want truly robust results.
I would have been glad to see this step in the right direction if I weren't convinced all it will likely amount to in practice is security theatre. Here's hoping my skepticism is unwarranted.
jzebedee
The combined requirements of govt purchasing must carry the mark and major US surveillance tech manufacturers like Amazon are leading the rollout, makes this seem less like a cybersecurity concern and more of a protectionist carve out.
readyplayernull
Laser safety glasses in Amazon are so fake anyone could come up with a conspiracy theory about some country trying to blind the population of another.
knowitnone
cool. you get to sue Amazon for millions for the loss of one eye
SketchySeaBeast
You mean get stuck in a legal battle which takes years where Amazon denies responsibility and pushes everything to the original vendor, who for some reason went out of business 15 minutes before the suit was filed?
crazygringo
I'm interested in the actual details here --
1) What are the requirements for the mark? E.g. no passwords stored in plaintext on servers, no blank/default passwords on devices for SSH or anything else, a process for security updates, etc.?
2) Who is inspecting the code, both server-side and device-side?
3) What are the processes for inspecting the code? How do we know it's actually being done and not just being rubber-stamped? After all, discovering that there's an accidental open port with a default password isn't easy.
kube-system
https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8425.pdf
Yep, pretty basic stuff, like 'require authentication', 'support software updates', etc
> 2) Who is inspecting the code, both server-side and device-side?
UL is administering the program and they're going to come up with the requirements
> UL Solutions will work with stakeholders to make recommendations to the FCC on a number of important program details, like applicable technical standards and testing procedures, post-market surveillance requirements, the product registry, and a consumer education campaign.
simne
Good questions. As I understand, they spent months to decide who will be responsible and who will pay (and how much). Announce happen after budget passed Parliament, so now could make manning table and hire people for next steps.
simne
Some questions already answered in article - from gov't responsible NIST and FCC and from industry agreed to participate deputies from large companies, so now they will gather meetings and will create some documents.
So now, any interested subject (any human or entity, even "group of hackers") could ask to responsible. Or could talk with deputies, as their contacts should appear soon.
bloomingkales
Here are requirements if you follow the China-bad politics:
1) Don’t be select Chinese products
2) Be select American products
It’s not reaaaally 3d chess, but a relatively crude misnomer for the “Made in America” stamp or “Its American and definitely not Chinese”.
The security practices are probably the same across products, it’s just the wrong time wrong presidency for China.
beams_of_light
Things like this are useless, in my mind, because hackers are always going to innovate and find ways around protection mechanisms. Today's "locked down" IoT device could easily become tomorrow's "vulnerable to an easily exploitable pre-auth RCE".
What the government probably _should_ do is begin establishing a record of manufacturers/vendors which indicates how secure their products have been over a long period of time with an indication of how secure and consumer-friendly their products should be considered in the future. This would take the form of something like the existing travel advisories Homeland Security provides.
Should you go to the Bahamas? Well, there's a level 2 travel advisory stating that jet ski operators there get kinda rapey sometimes.
Should you buy Cisco products? Well, they have a track record of deciding to EOL stuff instead of fixing it when it's expensive or inconvenient to do the right thing.
Should you buy Lenovo products? Well, they're built in a country that regularly tries and succeeds in hacking our infrastructure and has a history of including rootkits in their laptops.
kube-system
NIST isn't a bunch of dummies that don't know this. The requirements posed are not micromanagement of device design; some address your concern exactly... like a requirement that developers provide contact information to report vulnerabilities and that devices makers just can't ignore authentication entirely.
But this is IoT stuff we're talking about here, not Lenovo/Cisco... but ReoLink/PETLIBRO/eufy/roborock/FOSCAM/Ring/iRobot/etc. Security (or the lack of it) in the IoT world is a whole different ball game. It isn't uncommon for IoT devices to be EOL on release date, or just lack authentication or encryption entirely.
timewizard
> NIST isn't a bunch of dummies that don't know this
They've provided thorough definitions and a label that implies they've all been understood by the manufacturer. It doesn't mean that this solves any real world problem.
> Security (or the lack of it) in the IoT world is a whole different ball game.
Those can be described as IoT devices. They're more appropriately categorized as "consumer electronics" and often have a firmware update right out of the box. That's what makes this badging program an absurd idea with no meaningful outcome. This segment is not going to care.
This isn't "Energy Star" where the purchased product does not have additional functionality which can be exposed or exploited through software and no third party testing can be exhaustive enough to prevent the obvious exploit from occurring.
Even to the extent they can it then enforces a product design which cannot be upgraded or modified by the user under any circumstances. Worse the design frustrates the users ability to do their own verification of the device security.
It's a good idea applied to the wrong category of products and users.
kube-system
> Those can be described as IoT devices. They're more appropriately categorized as "consumer electronics"
IoT devices are a subset of a much broader 'consumer electronics' category.
> and often have a firmware update right out of the box.
From major, established, mature companies, yes. Many device manufacturers in this category never issue firmware updates. Which is precisely why this is one of the requirements.
> This segment is not going to care.
Some may, some may not. The federal government will care, because they will be forced by law to comply.
> no third party testing can be exhaustive enough to prevent the obvious exploit from occurring.
Of course, no cybersecurity compliance plan can prevent exploits from occurring. If you try to address cybersecurity in that way, you will fail, anyway. The point is to place controls in place which are achievable, measurable, and help to mitigate risk.
> Even to the extent they can it then enforces a product design which cannot be upgraded or modified by the user under any circumstances.
NIST's requirements require the opposite of this.
svnt
Picking and choosing companies like that could work if it could somehow remain apolitical. This registry can work despite the tendency for these things to become political.
What you’ve described is maybe more possible if provided by a Consumer Reports-style org that consumers could subscribe to.
Greyfoscam
Wouldn't it be simpler to have a QR code below the symbol with anything relevant to make this work ?
ryandrake
When I buy technology today, I'm 10X more worried about the manufacturer deliberately changing, killing or nerfing the product after I bought it, than I am worried about hackers compromising it. This goes for connected hardware, IOT devices, and software.
elcritch
Oddly "hackers" are the ones who often revive defunct hardware or give users back control over their devices. Things like DRM laws seem to only enhance corporate interests.
schnable
Probably overlaps with the EU RED Cybersecurity requirements for IoT devices that are supposed to go into effect this year: https://www.ul.com/services/ul-solutions-cybersecurity-advis...
floxy
Seems like good fodder for a tongue twister. Try saying it 10 times fast:
- Must the Cyber Truck (Musk) bear the Cyber Trust Mark?
motohagiography
nice: Must Musk's Cyber Truck Bear the Cyber Trust Mark?
It's adding a standards and governance layer to tech, which creates a capacity for compliance management in regualted industries. annoying for sure, but the US has lost its unipolar superpower role because its critical infrastructure systems were made of garbage code and its population is effectively defenseless.
it doesn't solve it, but it improves the dynamic.
sebastiennight
Hmm as a tongue-twister it lacks twists and has too many extra sounds.
I'd suggest something like:
Most Musk Cyber Trucks metrics trick Cyber Trust Mark's trust
silisili
What's to stop the bad actors from just printing the logo on their gear anyways? Like they do with UL and N95?
Jtsummers
They describe it as being like EnergyStar which suggests they'll have a consumer accessible registry as described here:
https://www.ul.com/news/ul-solutions-named-lead-administrato...
> UL Solutions will also work with the FCC and program stakeholders to develop a national registry of certified products that consumers can access via QR code on the label. The registry will have more detailed information about each product. Additionally, UL Solutions will serve as liaison between the FCC and other CLAs, as well as other key stakeholders. [emphasis added]
and here:
https://www.fcc.gov/CyberTrustMark
> The logo will be accompanied by a QR code that consumers can scan, linking to a registry of information with easy-to-understand details about the security of the product, such as the support period for the product and whether software patches and security updates are automatic.
This doesn't block full-blown counterfeit products (recreating certified devices including the label), but does address non-compliant devices trying to pose as compliant.
likeabatterycar
> They describe it as being like EnergyStar which suggests they'll have a consumer accessible registry
I've seen Energy Star logos for 30 years and never knew there was a public database, never thought to verify, and I don't think anyone else has either. The only thing Energy Star has been useful for is extracting rebates from utility companies and buying shitty dishwashers which were certain to be worse than what they were replacing.
Verification is useless if no one knows about it, or if the data isn't actionable. I have verified UL mark numbers for questionable products, but they often resolve to some Chinese ODM you've never heard of like 'Xionshang Industrial Electric Company' whose name certainly doesn't match the product label. Do you know the components haven't been swapped out since certification was achieved? Was the product actually sourced from there or counterfeit? You have no way to verify any of that.
UL issues holographic stickers but I've seen those like 10% of the time and probably just as easily faked.
Jtsummers
https://www.energystar.gov/ - Here's the registry.
And I'm not saying this will be that useful, just that it's not going to be a sticker and nothing else. That would be truly useless and pretty much just make money for sticker makers.
knowitnone
how many people search the registries when they buy stuff? I've only done it once and the product(made in China) looked janky and as cheap as can be.
ehaskins
You have to have rules before you can enforce them...
It looks like part of the label [1] will include a QR or link to a public registry, so in theory you can easily confirm the device has actually been certified.
[1] https://docs.fcc.gov/public/attachments/FCC-23-65A1.pdf point 42
anotherhue
The vendor is supposed to check I think. Not that that makes sense in a comingling inventory world.
likeabatterycar
I'm sure Amazon - whose store is mostly generic Chinese schlock nowadays - will check.
Not that it matters, posters on this very site who claim to care will continue buying stuff off AliExpress, proud they got it for pennies on the dollar.
Look ma, a mini PC for $22! And they didn't even charge for the preinstalled malware!
Has anyone ever considered this junk is sold at a loss as a price of doing business, to expand a PRC-controlled botnet?
simne
Looks like you just have not deal with bad traders on platforms. I once found on local aggregator product too cheap to be good (unfortunately at that moment only two stores sell these product).
I stored their number in my notebook and going to my shopping, calling them from bus stop, and they answered me some nonsense.
I made my shopping, and some walk, then opened platform and these shops already disappear. Less than hour.
In other case I managed to make order and paid from card, and also shop disappeared. - In a week I received SMS from bank "your payment returned to your account".
knowitnone
assertion without proof is paranoia. not saying you are wrong but go get some proof first
simne
> What's to stop the bad actors from just printing the logo on their gear anyways?
This is federal offense, like document falsification.
So if somebody will be caught on doing it - could go to jail.
knowitnone
except they are not in your country so how can to go to jail and why do they care about you laws?
simne
Have you hear about customs?
lebubule
Arnavion
Note that the FSF has no problem giving an RYF certification to hardware with unupdatable binary blobs, as long as those blobs reside in a separate chip like an SPI flash. It's not a measure of security or maintainability. Of course whether the FCC label will be one either remains to be seen.
ngneer
Who are these UL Solutions? They seem to have come out of nowhere and hit the jackpot, inserting themselves as arbiters for security. Smells a bit like how Common Criteria proffered independent certification labs, which were no panacea either.
amaterasu
Underwriters Laboratories, UL. Look at the back of pretty much any mains powered device and you'll see their mark. They were founded 130 years ago, and test and warrant devices (typically high voltage) to be safe. Security is a new thing for them, but they're well suited to provide the services.
ngneer
Thanks for that context, quite interesting and very much appreciated. I ought to have looked them up proper, but their name is unrecognizable in the security scene.
I am not sure I understand why UL are "well suited" to provide these services. Is it that they have a compatible business model? I do not see how 130 years of solid experience in one domain means (much of) anything for an entirely different domain. Sounds like they have a nice round 0 years of experience in security. To make a crude analogy, this is like telling CERN to go start building spaceships. I mean, CERN has a proven track record for building complex things, right?
cesarb
> Underwriters Laboratories, UL. Look at the back of pretty much any mains powered device and you'll see their mark.
I just looked at the closest mains powered device I have here (a fancy humidifier/fan), and only saw an Inmetro mark, there's no UL mark at all.
(My point is: plenty of people are not from the USA. I happen to have already heard that the UL is sort of the USA equivalent of our Inmetro, though like many things in the USA it's a private entity instead of a government entity, but the parent poster probably hadn't heard of that.)
Interesting. I'm not sure if the public comment period is over (The original proposal is dated August, 2023), but this stands out to me from their paper:
I guess it is the FCC so this makes sense from their point of view. From my perspective, I'd like to see marks indicating:* If the devices can be pointed to an alternate API provider if the company stops supporting
* If firmware has been escrowed / will be made available if the company stops supporting
* If device data is stored by the company
* If that data is certified as end to end encrypted
* Some marks for who / how the data is used