US Government Launches Its Long-Awaited IoT Security Labeling Program (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: The Biden administration has launched its long-awaited Internet of Things (IoT) cybersecurity labeling program that aims to protect Americans against the myriad of security risks associated with internet-connected devices. The program, officially named the "U.S. Cyber Trust Mark," aims to help Americans ensure they are buying internet-connected devices that include strong cybersecurity protections against cyberattacks. The Internet of Things, a term encompassing everything from fitness trackers and routers to baby monitors and smart refrigerators, has long been considered a weak cybersecurity link. Many devices ship with easy-to-guess default passwords and lack regular security updates, putting consumers at risk of being hacked.

The Biden administration says its voluntary Energy Star-influenced labeling system will "raise the bar" for IoT security by enabling Americans to make informed decisions about the security credentials of the internet-connected devices they buy. The U.S. Cyber Trust Mark will take the form of a distinct shield logo, which will appear on products that meet established cybersecurity criteria. These criteria, established by the National Institute of Standards and Technology (NIST), will require, for example, that devices require unique and strong default passwords, protect both stored and transmitted data, offer regular security updates, and ship with incident detection capabilities.

The full list of standards is not yet finalized. The White House said that NIST will immediately start work on defining cybersecurity standards for "higher-risk" consumer-grade routers, devices that attackers frequently target to steal passwords and create botnets that can be used to launch distributed denial-of-service (DDoS) attacks. This work will be completed by the end of 2023, with the aim that the initiative will cover these devices when it launches in 2024. In a call with reporters, the White House confirmed that the Cyber Trust Mark will also include a QR code that will link to a national registry of certified devices and provide up-to-date security information, such as software updating policies, data encryption standards and vulnerability remediation.
Amazon and Best Buy are some of the first major U.S. retailers to have signed up for the initiative. Others include Cisco, Google, LG, Qualcomm and Samsung.

The U.S. Department of Energy also said it is working with industry partners to develop cybersecurity labeling requirements for smart meters and power inverters.
  • by omnichad ( 1198475 ) on Tuesday July 18, 2023 @06:56PM (#63697550)

    I'm just sure this will be fine.

  • Popups now? (Score:5, Insightful)

    by Brain-Fu ( 1274756 ) on Tuesday July 18, 2023 @07:04PM (#63697562)

    Sorry for the off topic post, but why are we suddenly being assaulted by these popups pushing a Slashdot newsletter subscription???

    KNOCK IT OFF!!!

    Everyone hates popups. And literally everyone knows this! Every single person involved in the decision to popup at us knows that we will hate it. So why are you doing it? Do you want us to hate you? Is our irritation your primary goal?

    Come on, Slashdot, you are better than this. Or at least, you used to be.

    • SERIOUSLY. I have extremely poor eyesight, so I have to use massive fonts and zoom way in. Every goddamn page now, this huge popup now forces me to zoom way out and fumble around to close the fucking thing, since I can't see the 'X' to close it. It's made the site incredibly hard for low vision people like me.

      Just so Slashdot can push their moronic, redundant newsletter that no one gives one shit about.

    • Yup, this is bullshit.

      Can we Ad-Block the fucker? (Maybe the "X" button?)

    • A one time pop up is no big deal. Where is the cookie that remembers it 3 minutes later when I load another page?

    • I get a banner at the top of the page saying I'm offline when I'm not, and that they're showing me something from the wayback machine or something. Cloudflare bla bla.
      If I can get to slashdot.org, I'm not offline.

    • You can use this JavaScript to get rid of this bullshit pop-up:

      // Look the popup up first so the call does not throw when it is absent or not a direct child of body
      var popup = document.getElementById('PopupSignupForm_0');
      if (popup) popup.remove();

  • For how long? (Score:4, Insightful)

    by yababom ( 6840236 ) on Tuesday July 18, 2023 @07:58PM (#63697638)

    It seems like the label should include the year that this device's certification expires, and/or a custom QR code where you can look up the certification status.

  • I hope they add "do not eat" to the labelling; my neighbors have about as many functional neurons as a lobotomised flatworm.
  • by sinkskinkshrieks ( 6952954 ) on Tuesday July 18, 2023 @08:35PM (#63697678)
    Only giant brands will use it, where there is already buyer trust. Random IoT Alexa lights from China aren't going to use it. Vague handwaving about unspecified security standards. I bet it won't offer anything but a "Protected by Norton" shield for A+ security theater. This is something better handled by a co-op/nonprofit where there are privacy and security researchers and industry to come up with a rating, compliance, and certification system.
    • Nobody cares about safety or even ensuring proper functionality anymore. Just look how many chargers and surge protectors are sold on Amazon without even a fake UL listing logo.

      Side note: "this would be better handled by" whoever actually does it. And so far nobody has, so in that absence it's better to have something than nothing for as little good as it will do.

      • Business cares about security where it directly relates to finances. I can give an example of a site for sports betting - https://melbet.com/ [melbet.com] Sport is not only a beautiful show but also a lot of money. I had no idea before how many gambling fans come here to guess the winner. I'm sure the local cybersecurity is better than the bank's)
    • There are also two other reasons why it'll be worthless even if it "works": firstly, big brands will ensure it's watered down to the point where it's mostly useless, or to quote the great philosopher Hobbes "The secret to success is to lower your expectations to the point where they're already met", and secondly the gatekeeper is NIST who live in their own private universe and seem to be incapable of coming up with any security standards that apply to the real world unless they're rubberstamping stuff that some

    • by AmiMoJo ( 196126 )

      The cheap/Chinese ones are often the best, because you can replace the firmware with something open source. Many of them use the same chip (ESP32) and can run the Tasmota firmware.

      • The cheap/Chinese ones are often the best, because you can replace the firmware with something open source. Many of them use the same chip (ESP32) and can run the Tasmota firmware.

        This was my thought as well, actually. I can understand locked bootloaders and signed firmware requirements as a default config, but lots of these companies don't offer an override method for those who wish to use third party firmware. The security requirements will likely require signed firmware, but those same requirements will likely lack that override requirement, turning lots of these certified things into e-waste or security vulnerabilities.

  • They can save a lot of time and money by producing only one label: TERRIFYINGLY INSECURE*

    *riddled with more holes than bad guys in a Rambo movie
  • ... will also include a QR code

    Problems with this 'certificate':
    - cheap products won't include a QR code
    - products will include a fraudulent QR code
    - the QR code doesn't expire, meaning the not-updated security is always 'equal to' current security practices
    - the standards body won't issue new QR codes (security standards), meaning manufacturers don't have to respond to new cracking/intrusion technology.
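As an added illustration, not part of the article or the Cyber Trust Mark program itself (whose registry format and QR contents had not been finalized), here is a hypothetical registry-backed check that answers the four objections above: the QR payload is treated only as a pointer into the registry, so a forged code buys nothing; the registry record, not the label, carries an expiry, a revocation flag and the standard version it was certified against. The registry host, URL shape, record fields and sample entries are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional
from urllib.parse import urlparse

# Assumed registry host; the real registry location was not announced.
REGISTRY_HOST = "registry.example.gov"


@dataclass
class RegistryRecord:            # hypothetical registry entry; field names are assumptions
    device_id: str
    standard_version: str        # which NIST criteria the device was certified against
    certified_until: date        # expiry, as the comment above suggests a label should carry
    revoked: bool = False        # registry can withdraw certification without reprinting labels


# Constructed sample data standing in for the national registry.
SAMPLE_REGISTRY: Dict[str, RegistryRecord] = {
    "ROUTER-0001": RegistryRecord("ROUTER-0001", "NIST-IoT-2024", date(2025, 12, 31)),
    "CAM-0042": RegistryRecord("CAM-0042", "NIST-IoT-2024", date(2024, 6, 30), revoked=True),
}


def device_id_from_qr(payload: str) -> Optional[str]:
    """Treat the QR only as a pointer: accept https URLs on the registry host shaped
    like /device/<id>; anything else (including look-alike hosts) is rejected."""
    url = urlparse(payload)
    if url.scheme != "https" or url.netloc != REGISTRY_HOST:
        return None
    parts = [p for p in url.path.split("/") if p]
    if len(parts) != 2 or parts[0] != "device":
        return None
    return parts[1]


def check_label(payload: str, registry: Dict[str, RegistryRecord],
                today: date, current_standard: str) -> str:
    """Return a verdict; each failure mode listed in the comment has its own branch."""
    device_id = device_id_from_qr(payload)
    if device_id is None:
        return "reject: QR does not point at the registry"
    record = registry.get(device_id)
    if record is None:
        return "reject: device not in registry"
    if record.revoked:
        return "reject: certification revoked"
    if today > record.certified_until:
        return "expired: recertification needed"
    if record.standard_version != current_standard:
        return "stale: certified against an older standard"
    return "valid"
```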

  • A US government whose web pages look like they come from MySpace is a great arbiter of "what's secure".

    I'd assume the only thing this certification provides is certainty that the device contains all the required backdoors for law enforcement and federal surveillance.

  • And they're not going to REQUIRE regular security updates?
