
United Kingdom to introduce security labelling on connected devices - ingve
https://mender.io/blog/united-kingdom-to-introduce-security-labelling-on-connected-devices
======
crazygringo
No matter how great security labeling may be, I fear the incentives are
completely and utterly in the wrong place.

An _individual consumer_ who purchases a poorly protected network device is
unlikely to suffer any meaningful individual harm, like having their computer
ransomwared.

Rather, it makes things like botnets possible that can be used for all sorts
of things, e.g. DoS attacks against a third party.

So why should a consumer do anything but ignore the label? It's the rational
choice if the less-secure product is cheaper.

If we want security standards, they need to be legislated democratically and
applied to _all_ devices -- not left up to consumer choice.

Now whether a legislature is capable of doing that effectively is certainly an
open question. But I'm afraid labeling may be no more than an ineffective
band-aid.

~~~
JumpCrisscross
> _An individual consumer who purchases a poorly protected network device is
> unlikely to suffer any meaningful individual harm_

It opens the door to liability for companies who purchase insecure network
devices. If your peers are buying good hardware while you're buying self-
identifying garbage, someone harmed by a botnet running on your metal has a
better argument, now, that you were knowingly reckless.

~~~
jdnenej
Why even allow the sale in the first place. We don't allow the sale of faulty
seat belts and say "well the consumer knew when they got it"

~~~
x0
The only sales you can control are the ones that happen in your own country.
I'm sure you can buy seat belts from Ali Baba at a fraction of the price,
they'll probably be hilariously non-compliant to your country's safety
standards, whether or not they work can be modeled by a fair dice roll, and
I'm sure your insurer will deny any claims you make after installing them. But
you can certainly buy them.

~~~
tialaramex
You may not be able to import them.

It's likely that if you literally fly out, buy them, pack them in a suitcase
and fly home they'd make it, but if you try to buy a crate of obviously non-
compliant Product X and it arrives at a port there's a reasonable chance
somebody says "This Product X is non-compliant, so, why the hell is that
here?" and you're not going to receive it.

You might think well, surely they don't look in most crates. And they don't.
They don't look in the forty identical crates of compliant seatbelts going to
Ford, because why would Ford be like "Hey, let's order 39 crates of compliant
ones, but order 40 crates with #8 non-compliant to kill a few customers as a
joke"?

They're going to look in your crate because you never ordered any crates of
seatbelts before, and "Bo Yang Belts" never sent anybody in your country a
crate of anything before. Because their products aren't compliant to anybody's
standards and so you're their first foreign sale.

But actually you may never even get to buy them. The huge first world
economies like the EU and US order such enormous volumes of _stuff_ and
require compliance to their standards that it just often doesn't make sense to
make Product A for them and then also Product B that's much worse but a bit
cheaper for domestic use. I wouldn't like to guess if seatbelts are such a
product.

~~~
akadruid1
Your answer seems logical but it is a real problem, see this article about
Amazon repeatedly called out for selling deathtrap infant seats:
[https://www.bbc.co.uk/news/technology-51497010](https://www.bbc.co.uk/news/technology-51497010).
They really do exist and really do make it across the fairly strict borders in
the UK regularly.

------
sonofgod
Trying to work out what I'd want in a first pass. At an absolute minimum:

* A commitment and ability to update any critical security issues for a specified amount of time

* Standardised mechanisms for reporting critical updates to users which are not used for marketing

* A basic checklist of best practice for internal self-audit (SQL injection, plaintext data, enumeration attacks)

A low bar, but still far better than what we've currently got. (External
audits are probably silver tier?)

~~~
elliekelly
> A basic checklist of best practice for internal self-audit (SQL injection,
> plaintext data, enumeration attacks)

I think this is a massive ask/knowledge expectation for the average person. A
simple warning label about changing the device password from the default would
be a major step in the right direction for consumers.

~~~
nitrogen
The average consumer probably has no idea what a growth hormone is either, but
it's all over food labeling. It might be enough if there is a label that
security experts know and understand, that consumers can learn to say yes/no
about without having to know what it _really_ means.

------
flareback
From the press release linked to in the article
([https://www.gov.uk/government/news/government-to-strengthen-security-of-internet-connected-products](https://www.gov.uk/government/news/government-to-strengthen-security-of-internet-connected-products)):

- All consumer internet-connected device passwords must be unique and not
resettable to any universal factory setting

- Manufacturers of consumer IoT devices must provide a public point of
contact so anyone can report a vulnerability and it will be acted on in a
timely manner

- Manufacturers of consumer IoT devices must explicitly state the minimum
length of time for which the device will receive security updates at the point
of sale, either in store or online

~~~
jl6
I don’t see a time limit on that second point. For how long will companies be
expected to act upon vulnerability reports? What’s a reasonable end of life?

~~~
jchw
My guess is that this is covered by the third point - if you EOL security
patches for a device I am guessing you are no longer expected to act on
vulnerability reports.

------
xxpor
The question to me is: how do we avoid another FIPS-like disaster, where the
government standards fall behind the times and lead to worse security than
you'd otherwise get?

~~~
bigiain
We can’t. That’s pretty much how government works in the best case. In the
worst case we’ll get both mandatory worse security _and_ a rent-seeking
monopoly granted to donors and ex-politicians to supply/enforce it as well.

------
bob1029
I fail to see how this really improves anything for the average consumer.
Government getting involved in this sort of thing just feels like more of the
same TSA-style security theater nonsense. I'd prefer my network device
manufacturers focus their efforts on the actual hard stuff rather than
spending time and money getting certified for some bullshit box label.

~~~
timthorn
> focus their efforts on the actual hard stuff

The trouble is, they (or at least, a good number of them) aren't doing so at
the moment. This will get them to at least address the easy stuff.

~~~
bigiain
They are extremely good at focusing on “the hard stuff”, of shaving tenths of
a cent off production costs. To a first approximation, nobody cares about
anything except price in the low end of gadgets.

------
noizejoy
I often wonder why IOT devices aren’t regulated more analogous to cars, since
the Internet is a bit analogous to a road system [0], i.e. a shared resource
where mistakes and misbehaviour impact other participants.

A couple of car analogies might be, that car manufacturers are required to
have cars repairable for x years, and that recalls to repair dangerous defects
are mandatory. In the case of IOT, the recalls could just be mandatory
updates.

[0]
[https://en.wikipedia.org/wiki/Information_superhighway](https://en.wikipedia.org/wiki/Information_superhighway)

~~~
jdnenej
Because technology progresses faster than laws and by the time the laws catch
up there are already powerful corporations established based on the lack of
those laws.

For example, it's an obvious public and environmental benefit to require that
all phones have a user-replaceable battery, but until recently they almost all
did and now it's too late because every phone maker would lobby against it.

~~~
Hokusai
> Because technology progresses faster than laws and by the time the laws
> catch up there are already powerful corporations established based on the
> lack of those laws.

I see another aspect of this. Societies have allowed tech companies to run
unregulated in a trade-off between safety and technological advance.

Medical equipment, cars or planes are examples where regulations were put in
place as safety failures have more dangerous consequences.

As devices are more ubiquitous and the economy and lives depend more on them,
further regulation will be pushed forward.

> and now it's too late because every phone maker would lobby against it.

I agree that it will take political will to regulate the tech industry. But, in
the same way that phone manufacturers do not want replaceable batteries, the
rest of the industries will see their costs reduced by such a regulation. So,
there are also opposing forces that want big tech to play nicer with the rest
of the industry ecosystem. And, in democratic countries, the population will also
push for change as their lives are disrupted by the lack of regulation.

------
ardy42
> The idea is that similar to how bluetooth and wifi labels help consumers
> feel confident their products will work with these wireless communication
> protocols, a Security label will instill confidence in consumers that their
> device is safe and secure according to standards.

I would like a _warning_ label if the device requires an internet connection
for normal operation or features that don't really need it, so I can decide
not to buy it if the requirement is unreasonable.

------
timthorn
This is a good point to remind citizens to keep an eye on the Government
consultations that come out from time to time - at least in the UK, we all
have the opportunity to contribute to this type of regulation through
responding to the relevant consultations.

[https://www.gov.uk/search/policy-papers-and-consultations?order=updated-newest](https://www.gov.uk/search/policy-papers-and-consultations?order=updated-newest)

------
swamifil
I think some kind of indicator that networked devices are at risk is a smart
thing to do. I posted this "Show HN" a little while ago:

[https://news.ycombinator.com/item?id=22343786](https://news.ycombinator.com/item?id=22343786)

Part of the idea is that people will modify their behavior when there's
visible indication they're conducting a risky activity.

------
genmon
Could be worth them looking at the Trusted Technology Mark which has been
doing the hard work of figuring out how to certify connected devices:

[https://web.archive.org/web/20190212185530/https://trustable...](https://web.archive.org/web/20190212185530/https://trustabletech.org/about/)
(edit: linking via archive.org as the site appears to be redirecting at least
some clicks to scam sites)

The axes are interesting and a good starting point. From their site:

* Privacy & Data Practices: Is it designed using state of the art data practices, and respectful of user rights?

* Transparency: Is it made clear to users what the device does and how data might be used?

* Security: Is it designed and built using state of the art security practices and safeguards?

* Stability: How robust is the device and how long of a life cycle can a consumer reasonably expect?

* Openness: How open are both the device and the manufacturer's processes? Is open data used or generated?

~~~
ancarda
That URL opened up a scam site for me claiming I was going to win something, I
think a phone. I closed the tab too quickly to see

How did that happen? I have JavaScript disabled and an adblocker installed...

Edit: My browser's history:

* [https://trustabletech.org/about/#](https://trustabletech.org/about/#)

* [http://www.wosemdesy.site/](http://www.wosemdesy.site/)[...loads of crap here...]

* [http://competition5783.primeluck26.live/*******/](http://competition5783.primeluck26.live/*******/)[...loads of crap here...]

~~~
genmon
Looks like a Wordpress hack. I've dropped a note to the site maintainers and
heard back already -- they're on it.

~~~
Digit-Al
The irony :-/

------
pjc50
> Both the United Kingdom and Singapore have aligned their IoT security plans
> and programs with the draft European Standard EN 303 645 ‘Cyber Security for
> Consumer Internet of Things’.

>
> [https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02...](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.00.00_20/en_303645v020000a.pdf)

About 30 pages of broad points. Judicious use of "where applicable".

------
gumby
These are stickers; I was hoping they would be cryptographic labels that you
could validate over the network.

Still, it's a start.

~~~
toby-
It's a start of sorts; I seriously hope it develops into a wider set of
reasonable policies and practices. The UK gov't does a lot right when it comes
to IT and security, but it also gets a lot wrong — I'm hoping this develops
sensibly.

------
kragen
I think a reasonable basic set of requirements would be the following:

- There is no non-free firmware or other software on the device.

- The consumer is provided full source code to the software and can
effectively replace the preinstalled version with a version they have compiled
themselves.

- The manufacturer provides updated versions of any software or firmware
(again, including full source code) to patch any discovered security
vulnerability for the expected life of the device: at least three years for
most devices, but perhaps as long as 30 to 60 years for some devices. This
lifetime is disclosed.

- The device does not transmit any personally identifiable information back
to the manufacturer in its default configuration; for example, audio
recordings, power usage measurements, accelerometer readings, temperature
readings, or customer login names or account numbers.

Unfortunately, I don't think such requirements are viable in the current
political situation. That doesn't change the fact that any device that fails
to comply with them introduces a serious security vulnerability: there is no
way for the users to defend themselves against malicious actors who penetrate
the manufacturer. The Dieselgate scandal and the Huawei prohibition are only
the mildest taste of what we are in for.

Of course it is not practical for every person to audit the source code of the
firmware for every TV remote control and power brick they use, but it is
possible for people to organize consumer watchdog agencies that do perform
such audits.

~~~
adrianN
Replacing the firmware should require physical access for security reasons
imho.

~~~
kragen
I think that's a good idea in most cases.

------
ellius
I saw this design on /r/security and thought it was a good idea:

[https://news.ycombinator.com/item?id=22343786](https://news.ycombinator.com/item?id=22343786)

It seems like if we want to solve this problem we need to somehow modify
users' behavior by making them aware that indiscriminate browsing is a risk.

------
logifail
Q: is this content (at mender.io) supposed to be hard to read, or is it just
my eyeballs?

~~~
michaelatmender
Definitely not our intention to make it hard to read! Now that it's been
pointed out, we've changed the text color on the blogs. Hopefully that will
make it easier to read for everybody.

------
FpUser
I would even read it were it not for light grey text on white background. I am
declaring personal vendetta against visual design decisions that ignore any
common sense.

------
jotm
So is this like the "Smoking kills" labels on cigarette packs and
limits/warnings on beer cans or what? I'd say literally everyone ignores
those.

~~~
tialaramex
_All_ the packs of cigarettes say "Smoking kills".

I presume the idea is that your Apple Foozle is safe, and so is this Famous
Brand Foozle and this Obviously Rebadged Generic Foozle that's half the price
of the Apple product, but the foozle your mate got from the geezer who used to
get him pirate DVDs doesn't have the sticker. No surprise when your mate gets
ransomware a few months later. They saw him coming.

------
tinus_hn
At the very least a required disclosure that shows how long the product will
receive security updates would be really helpful.

------
londons_explore
Let me write the source code for the label printer...

    def IsDeviceSecureEnoughForUKGovernment(manufacturer):
      # The label text depends on nothing but the manufacturer's name
      if manufacturer == 'Huawei':
        return "Not Secure.  Use sparingly"
      return "Certified Secure"