Consumer IoT Security Labels: Transparency Push Intensifies
Vendors Want 'Clear, Consistent and Actionable Information' for Device Security
Essential, real-time security information about every Internet of Things device should be clearly communicated to consumers before and after purchase, a consortium of technology vendors says in a list of IoT security principles.
Consumers need more "clear, consistent and actionable information about the security of the device" to guide their IoT purchasing decisions as well as security actions post-purchase, said David Kleidermacher and Eugene Liderman, who help lead Android security efforts at Google, which is backing the proposals. Better transparency should facilitate better coordination for security across all the players in the connected device ecosystem, they said.
Market watchers estimate there are 17 billion IoT devices now in use, a figure set to rise to 25 billion by 2030. The term covers any type of internet-connected hardware that consumers might use in or out of the home, including home and small office routers, internet-connected home security cameras and appliances, fitness trackers, GPS trackers, medical devices, garage door openers, baby monitors and speakers with voice assistant technology such as Amazon Alexa and Google Assistant.
IoT devices are top targets for attackers, especially because many ship with default passwords or lack even basic protections. Source code for the Mirai botnet, which first spread worldwide in 2016 by logging into IoT devices with factory-default credentials, remains freely available. Attackers continue to use Mirai code - among other tactics - to create and launch new large-scale IoT compromise campaigns (see: Hackers Exploit TP-Link N-Day Flaw to Build Mirai Botnet).
5 IoT Security Transparency Proposals
To help, the "Proposed Principles for Consumer IoT Security Transparency" - first detailed by Google last November - call for all IoT devices to use real-time labels that clearly specify for how long a device will receive patches and technical support and which authentication methods the device supports, among other security features.
The proposals are being backed by 10 businesses: ARM, Assa Abloy, Google, HackerOne, Keysight, NXP, OpenPolicy, Rapid7, Schlage and Silicon Labs.
These are their five IoT security transparency proposals:
- Labeling: "Live" labels - a printed label sporting a QR code or link - would direct consumers to a site or service that provides real-time and actionable information for both buyers and manufacturers. The proposal calls for prohibiting the use of printed labels that imply the device is security-certified, or the use of a star-based rating system, given how quickly new threats can emerge and undercut such assurances.
- Standards: Labels need to reference one of a small number of security and privacy evaluation programs that can be trusted internationally, such as the ones being developed by the Connectivity Standards Alliance and GSMA, which reference guidance from the likes of the U.S. National Institute of Standards and Technology and OWASP - the Open Worldwide Application Security Project - according to the proposal.
- Baselines: Devices should adhere to minimum, specified security baselines, while providing "flexibility above it" for vendors to do more, the proposal states. Examples include detailing the strength of a biometric authenticator, as well as the vendor's duration of promised support and security updates for the device.
- Transparency: "Broad-based transparency is just as important as the minimum bar," meaning that beyond setting minimum standards, consumers also need ways to compare and contrast additional features or capabilities.
- Incentives: Vendors, retailers and developers need "a mix of carrots and sticks" to adopt and promote security labeling, with national mandates having the potential for greatest impact for what will likely continue to be "voluntary regimes" in many countries, according to the proposal.
Signatories say a cornerstone of the proposals is the use of live labels, which are designed to cope with how quickly new threats can emerge. A device assessed to be secure when purchased may be insecure by the time it gets plugged in (see: Count of Hacked Cisco IOS XE Devices Unexpectedly Plummets).
"The threat landscape is always evolving, and new vulnerabilities can be discovered at any time," the signatories said in a joint statement. "If there are significant changes to a digital product's compliance or it loses its certification, the live label should reflect that."
While the proposal calls for the use of strong standards and authorized testing labs for assessing devices, it also says there must be a mechanism allowing independent security researchers "to pressure-test conformance claims made by manufacturers," especially as new threats emerge and devices may go out of compliance. The proposal also calls on manufacturers to create bug bounties, backed by incentives, to harness the power of "crowdsourced research."
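To make the live-label idea concrete, here is an added example (not code from the proposal or any of its signatories) of what a consumer-side check could do once the QR code has been resolved to a machine-readable record. The record format, its field names and the sample values are assumptions made for this illustration; the proposal only says what information the label should convey, not how it is encoded. The check covers the points the text singles out: whether the device is still inside its promised security-update window, whether the evaluation program still lists it as compliant, and whether the baseline information (support duration, authentication) is present at all.

```python
"""Evaluate a hypothetical 'live' IoT security label record.

Added example, not from the proposal or its signatories. The JSON schema
below is an assumption for illustration only.
"""
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample of what the label's QR code or URL might resolve to.
SAMPLE_RECORD = json.dumps({
    "device": "Example Smart Lock v2",          # hypothetical product
    "manufacturer": "ExampleCorp",              # hypothetical vendor
    "security_updates_until": "2026-12-31",     # promised patch window
    "technical_support_until": "2027-06-30",
    "authentication": ["pin", "fingerprint"],   # methods the device offers
    "evaluation_program": "example-program",    # hypothetical scheme name
    "certification_status": "valid",            # or "suspended" / "revoked"
    "last_reviewed": "2024-01-15",
})

# Minimum baseline the label must carry before it is worth interpreting.
REQUIRED_FIELDS = ("security_updates_until", "authentication", "certification_status")
SUPPORT_WARNING_WINDOW = timedelta(days=90)


@dataclass
class LabelStatus:
    supported: bool                  # device still receives security updates
    certified: bool                  # evaluation program still lists it as compliant
    warnings: list = field(default_factory=list)


def evaluate_label(record_json: str, today) -> LabelStatus:
    """Interpret a live-label record as of `today` (date or ISO string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rec = json.loads(record_json)
    status = LabelStatus(supported=False, certified=False)

    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:
        status.warnings.append("incomplete label: missing " + ", ".join(missing))
        return status

    updates_until = date.fromisoformat(rec["security_updates_until"])
    status.supported = today <= updates_until
    if not status.supported:
        status.warnings.append(f"security updates ended {updates_until.isoformat()}")
    elif updates_until - today <= SUPPORT_WARNING_WINDOW:
        status.warnings.append(f"security updates end soon ({updates_until.isoformat()})")

    # A live label must reflect a lost or suspended certification immediately.
    status.certified = rec["certification_status"] == "valid"
    if not status.certified:
        status.warnings.append(f"certification status is '{rec['certification_status']}'")

    if not rec["authentication"]:
        status.warnings.append("device offers no user authentication")
    return status


def revised(record_json: str, **changes) -> str:
    """Copy of a record with fields changed, e.g. after a program pulls certification."""
    rec = json.loads(record_json)
    rec.update(changes)
    return json.dumps(rec)


if __name__ == "__main__":
    for when in ("2024-06-01", "2026-10-15", "2027-01-01"):
        print(when, evaluate_label(SAMPLE_RECORD, when))
    print("revoked", evaluate_label(revised(SAMPLE_RECORD, certification_status="revoked"), "2024-06-01"))
```

The point of keeping the verdict in a structured `LabelStatus` rather than a single pass/fail flag is the one the signatories make: a device can be fully supported yet uncertified, or certified yet weeks from the end of its patch window, and a buyer needs to see both dimensions rather than a star rating frozen at the time of printing.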
The group's proposals follow a number of national initiatives designed to help consumers select devices that offer robust protection against attacks.
In the United Kingdom, the consumer product security regime created by the Product Security and Telecommunications Infrastructure Act comes into force on April 29, 2024. The law will require all manufacturers of IoT devices sold in the U.K. to meet minimum security requirements set out in regulations made under the act: no universal default passwords, a published vulnerability disclosure policy and a stated minimum period during which the device will receive security updates.
In the United States, the Federal Communications Commission has proposed a Cyber Trust Mark program that would help consumers make more informed decisions, by highlighting products in the marketplace that adhere to higher security standards. The FCC, which regulates wireless communication devices, is currently seeking public comment on the labeling program and hopes to have it up and running before 2025.