United Kingdom to introduce security labelling on connected devices
Author : ingve
Score : 123 points
Date : 2020-03-13 14:41 UTC (8 hours ago)
Link : mender.io
___________________________________________________________________

| sonofgod wrote:
| Trying to work out what I'd want in a first pass. At an absolute minimum:
|
| * A commitment and ability to update any critical security issues for a specified amount of time
|
| * Standardised mechanisms for reporting critical updates to users which are not used for marketing
|
| * A basic checklist of best practice for internal self-audit (SQL injection, plaintext data, enumeration attacks)
|
| A low bar, but still far better than what we've currently got. (External audits are probably silver tier?)
|
| smhenderson wrote:
| Good list. I would add a clear and accessible way to report a perceived problem without fear of some type of reprisal from the company.
|
| But I can also see how that could be abused by bad actors so I guess it would be a tricky part of the policy to do correctly.
|
| mattlondon wrote:
| I'd add:
|
| - 2-factor auth support
|
| - federated login support (i.e. login with Google/Facebook/etc buttons)
|
| - some sort of indication of encryption in-flight and at-rest, and who handles the keys (e.g. is there a per-user key that tech support can't even access without user grant, or is there a single hard-coded AES key in the APK etc that everyone knows)
|
| rkangel wrote:
| The 3rd one makes sense, the first two are system questions rather than device questions. In an open system there may be multiple service providers whose security should be judged separately from the security of a device.
|
| fmajid wrote:
| Most MCUs don't have a persistent real-time clock and thus if power is lost, there is a good chance TOTP based 2FA will no longer work.
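An added illustration of fmajid's point, not code from the thread or from any vendor: a plain RFC 6238 TOTP check in Python using the RFC test secret, assuming the usual server tolerance of one time step either side. A device whose clock restarts at the epoch after a power loss is tens of millions of steps away from the server's time, so every code it produces is rejected until the clock is resynchronised.

```python
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 default time step, seconds
DIGITS = 6     # code length

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890")
SECRET = b"12345678901234567890"
# Constructed server time: 2020-03-13 14:41 UTC, the thread's timestamp
SERVER_NOW = 1_584_110_460


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Server-side check accepting +/- `window` steps of clock skew."""
    base = server_time // STEP
    return any(
        hmac.compare_digest(hotp(secret, base + d), code)
        for d in range(-window, window + 1)
    )


def skew_steps(device_clock: int, server_clock: int) -> int:
    """How many time steps the device clock is away from the server clock."""
    return device_clock // STEP - server_clock // STEP


def device_accepted(secret: bytes, device_clock: int, server_clock: int) -> bool:
    """Simulate a device computing a code with its own clock and the server checking it."""
    return verify(secret, totp(secret, device_clock), server_clock)


if __name__ == "__main__":
    # A few seconds of drift is absorbed by the window.
    print(device_accepted(SECRET, SERVER_NOW - 20, SERVER_NOW))
    # Clock reset to the epoch after a power loss: code is rejected.
    print(skew_steps(0, SERVER_NOW), device_accepted(SECRET, 0, SERVER_NOW))
```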
| elliekelly wrote:
| > A basic checklist of best practice for internal self-audit (SQL injection, plaintext data, enumeration attacks)
|
| I think this is a massive ask/knowledge expectation for the average person. A simple warning label about changing the device password from the default would be a major step in the right direction for consumers.
|
| nitrogen wrote:
| The average consumer probably has no idea what a growth hormone is either, but it's all over food labeling. It might be enough if there is a label that security experts know and understand, that consumers can learn to say yes/no about without having to know what it _really_ means.
|
| michaelt wrote:
| I think sonofgod means "Vendor self-certifies they have tested their device against the checklist" rather than that end users would perform the audit.
|
| fmajid wrote:
| The label could have a simple grade, along with a QR code leading to the governmental agency approval DB page for the product in question.
|
| michaelt wrote:
| Maybe you'd enjoy reading - and perhaps contributing to - Draft ETSI EN 303 645
| https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02...
|
| gumby wrote:
| These are stickers; I was hoping they would be cryptographic labels that you could validate over the network.
|
| Still, it's a start.
|
| swamifil wrote:
| I think some kind of indicator that networked devices are at risk is a smart thing to do. I posted this "Show HN" a little while ago:
|
| https://news.ycombinator.com/item?id=22343786
|
| Part of the idea is that people will modify their behavior when there's visible indication they're conducting a risky activity.
|
| jotm wrote:
| So is this like the "Smoking kills" labels on cigarette packs and limits/warnings on beer cans or what? I'd say literally everyone ignores those.
| kfarr wrote:
| Or like the Prop 65 warning in CA
|
| flareback wrote:
| from the press release linked to in the article (https://www.gov.uk/government/news/government-to-strengthen-...):
|
| - All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting
|
| - Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner
|
| - Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online
|
| jchw wrote:
| This all seems reasonable. Frankly, though, imagine the benefit we would see if this was also enforced for consumer network equipment, like routers...
|
| jl6 wrote:
| I don't see a time limit on that second point. For how long will companies be expected to act upon vulnerability reports? What's a reasonable end of life?
|
| jchw wrote:
| My guess is that this is covered by the third point - if you EOL security patches for a device I am guessing you are no longer expected to act on vulnerability reports.
|
| ellius wrote:
| I saw this design on /r/security and thought it was a good idea:
|
| https://news.ycombinator.com/item?id=22343786
|
| It seems like if we want to solve this problem we need to somehow modify users' behavior by making them aware that indiscriminate browsing is a risk.
|
| xxpor wrote:
| The question to me is: how do we avoid another FIPS-like disaster, where the government standards fall behind the times and lead to worse security than you'd otherwise get?
|
| genmon wrote:
| Could be worth them looking at the Trusted Technology Mark which has been doing the hard work of figuring out how to certify connected devices:
|
| https://web.archive.org/web/20190212185530/https://trustable...
| (edit: linking via archive.org as the site appears to be redirecting at least some clicks to scam sites)
|
| The axes are interesting and a good starting point. From their site:
|
| * Privacy & Data Practices: Is it designed using state of the art data practices, and respectful of user rights?
|
| * Transparency: Is it made clear to users what the device does and how data might be used?
|
| * Security: Is it designed and built using state of the art security practices and safeguards?
|
| * Stability: How robust is the device and how long of a life cycle can a consumer reasonably expect?
|
| * Openness: How open are both the device and the manufacturer's processes? Is open data used or generated?
|
| ancarda wrote:
| That URL opened up a scam site for me claiming I was going to win something, I think a phone. I closed the tab too quickly to see
|
| How did that happen? I have JavaScript disabled and an adblocker installed...
|
| Edit: My browser's history:
|
| * https://trustabletech.org/about/#
|
| * http://www.wosemdesy.site/[...loads of crap here...]
|
| * http://competition5783.primeluck26.live/*******/[...loads of crap here...]
|
| droithomme wrote:
| I got competition6155.primeluck2.live redirecting to mobile-app-market-here1.info redirecting to updatelive.yourultimatesafevideoplayer.info. Which is obviously a malware download.
|
| Fun stuff. Gives me tons of confidence TrustableTech can be trusted and certifying device security globally. Trusted Technology Mark? To me this will mean "unsafe".
|
| genmon wrote:
| Looks like a Wordpress hack. I've dropped a note to the site maintainers and heard back already -- they're on it.
|
| Digit-Al wrote:
| The irony :-/
|
| logifail wrote:
| Q: is this content (at mender.io) supposed to be hard to read, or is it just my eyeballs?
|
| kragen wrote:
| I think a reasonable basic set of requirements would be the following:
|
| - There is no non-free firmware or other software on the device.
|
| - The consumer is provided full source code to the software and can effectively replace the preinstalled version with a version they have compiled themselves.
|
| - The manufacturer provides updated versions of any software or firmware (again, including full source code) to patch any discovered security vulnerability for the expected life of the device: at least three years for most devices, but perhaps as long as 30 to 60 years for some devices. This lifetime is disclosed.
|
| - The device does not transmit any personally identifiable information back to the manufacturer in its default configuration; for example, audio recordings, power usage measurements, accelerometer readings, temperature readings, or customer login names or account numbers.
|
| Unfortunately, I don't think such requirements are viable in the current political situation. That doesn't change the fact that any device that fails to comply with them introduces a serious security vulnerability: there is no way for the users to defend themselves against malicious actors who penetrate the manufacturer. The Dieselgate scandal and the Huawei prohibition are only the mildest taste of what we are in for.
|
| Of course it is not practical for every person to audit the source code of the firmware for every TV remote control and power brick they use, but it is possible for people to organize consumer watchdog agencies that do perform such audits.
|
| adrianN wrote:
| Replacing the firmware should require physical access for security reasons imho.
|
| kragen wrote:
| I think that's a good idea in most cases.
|
| FpUser wrote:
| I would even read it were it not for light grey text on white background. I am declaring personal vendetta against visual design decisions that ignore any common sense.
| pjc50 wrote:
| > Both the United Kingdom and Singapore have aligned their IoT security plans and programs with the draft European Standard EN 303 645 'Cyber Security for Consumer Internet of Things'.
|
| > https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02...
|
| About 30 pages of broad points. Judicious use of "where applicable".
|
| have_faith wrote:
| Unrelated to article content. I can't believe someone thought it was a good idea to set body text to 60% opacity...
|
| lewiscollard wrote:
| Here's the original gov.uk press release, and as always (kudos to their team) it's beautifully legible:
|
| https://www.gov.uk/government/news/government-to-strengthen-...
|
| frou_dh wrote:
| https://news.ycombinator.com/item?id=9238739
|
| have_faith wrote:
| I would be totally fine with the comment section being split in two, the main section being on-topic and a bottom section for related but less core discussion. I doubt many on HN would like the idea though.
|
| BurningFrog wrote:
| Tagging would be a more 2020 version.
|
| frou_dh wrote:
| We can just bikeshed inside our own mind. It needn't be articulated.
|
| have_faith wrote:
| Honestly a depressing thought ha. Rules control the fun.
|
| rat9988 wrote:
| Please apply your own advice and bikeshed in your mind. Let people who come here for discussions discuss.
|
| TeMPOraL wrote:
| I would, as long as both sections are on the same page. Or even three sections: on topic, tangents, on medium - in that order (or even fourth section at the end, meta).
|
| Point being, I love me the occasional rant about a page's bad design decisions, or some vaguely on-topic meta angles. I want to read them all, but preferably in order, and not mixed up together.
|
| have_faith wrote:
| On-topic / Meta would simply be enough. Like you I get some value from the occasional side discussion.
| I can appreciate why people would want to keep the main discussion on topic though, I just think it would be best to keep the meta discussion and just section it off.
|
| [deleted]
|
| gorpomon wrote:
| I'll kindly say this: while it might be technically bikeshedding, accessibility on the web is important and it only gets better when we call it out, respectfully, every chance we get. OP should have chosen better words, but the sentiment is valid.
|
| It's very likely that as a high ranking HN article the owners of mender.io will read these comments and improve their blog. I don't have sight accessibility issues and I struggled to read this content.
|
| frou_dh wrote:
| https://news.ycombinator.com/item?id=22226562
|
| gorpomon wrote:
| Feedback sent via their contact form. Nothing further to discuss here really, happy reading everyone.
|
| ralphmender wrote:
| Thank you for the feedback. I'm with Mender.io and we will be addressing this.
|
| timthorn wrote:
| This is a good point to remind citizens to keep an eye on the Government consultations that come out from time to time - at least in the UK, we all have the opportunity to contribute to this type of regulation through responding to the relevant consultations.
|
| https://www.gov.uk/search/policy-papers-and-consultations?or...
|
| bob1029 wrote:
| I fail to see how this really improves anything for the average consumer. Government getting involved in this sort of thing just feels like more of the same TSA-style security theater nonsense. I'd prefer my network device manufacturers focus their efforts on the actual hard stuff rather than spending time and money getting certified for some bullshit box label.
|
| olyjohn wrote:
| Exactly. It's going to be a list of check-boxes that the manufacturer will do the bare minimum to meet. Or they twist their process and wording to make it look like they are meeting the requirement.
| timthorn wrote:
| > focus their efforts on the actual hard stuff
|
| The trouble is, they (or at least, a good number of them) aren't doing so at the moment. This will get them to at least address the easy stuff.
|
| crazygringo wrote:
| No matter how great security labeling may be, I fear the incentives are completely and utterly in the wrong place.
|
| An _individual consumer_ who purchases a poorly protected network device is unlikely to suffer any meaningful individual harm, like having their computer ransomwared.
|
| Rather, it makes things like botnets possible that can be used for all sorts of things, e.g. DoS attacks against a third party.
|
| So why should a consumer do anything but ignore the label? It's the rational choice if the less-secure product is cheaper.
|
| If we want security standards, they need to be legislated democratically and applied to _all_ devices -- not left up to consumer choice.
|
| Now whether a legislature is capable of doing that effectively is certainly an open question. But I'm afraid labeling may be no more than an ineffective band-aid.
|
| WalterBright wrote:
| Oh, I bet enough consumers will make selections based on labeling that vendors will find it worthwhile to meet those standards to get those labels.
|
| I know I will.
|
| Digit-Al wrote:
| > An individual consumer who purchases a poorly protected network device is unlikely to suffer any meaningful individual harm, like having their computer ransomwared.
|
| The number of stories I've read of poorly secured connected devices aimed at children. Stories of flaws so basic that it would be trivially easy for an attacker to get the child's location and send them messages posing as a parent.
|
| Individual consumers will be very concerned about devices that could potentially allow their child to be lured to some random location and attacked.
| JumpCrisscross wrote:
| > _An individual consumer who purchases a poorly protected network device is unlikely to suffer any meaningful individual harm_
|
| It opens the door to liability for companies who purchase insecure network devices. If your peers are buying good hardware while you're buying self-identifying garbage, someone harmed by a botnet running on your metal has a better argument, now, that you were knowingly reckless.
|
| msla wrote:
| > If your peers are buying good hardware while you're buying self-identifying garbage, someone harmed by a botnet running on your metal has a better argument, now, that you were knowingly reckless.
|
| If every piece of hardware has the same label, that argument dries up and blows away.
|
| If some piece of hardware doesn't have the label and later gets owned, the manufacturer will be held accountable. It would have to be, or else this is toothless. Since no manufacturer can predict which vulnerabilities may be discovered, and since legal teams are a cowardly and superstitious lot, every manufacturer will put the label on now to avoid any potential problems later.
|
| jdnenej wrote:
| Why even allow the sale in the first place? We don't allow the sale of faulty seat belts and say "well the consumer knew when they got it".
|
| thfuran wrote:
| But if there are a hundred million compromised TVs, toasters, refrigerators, and thermostats, liability for those few enterprises is largely a moot point.
|
| TheRealPomax wrote:
| I don't understand what you're trying to say here. The fact that companies will now be liable means that if even a single person is affected, not only is there clear liability, the kind of offenses that aren't sued for right now, because the payoff is too low to cover the court costs, are suddenly perfectly viable class action suits for amounts in the hundreds of millions of dollars against single manufacturers.
|
| That's a huge shift, and about as far from "moot" as you can get.
|
| ldjb wrote:
| I think what is being discussed here is liability for companies purchasing insecure devices, rather than the manufacturers of those devices.
|
| It is reasonable to say that, even if companies are discouraged from purchasing insecure devices, that won't necessarily deter consumers from purchasing insecure devices for their households. The threat from devices in households is perhaps even greater than in businesses, if the number of households in question is great enough.
|
| LatteLazy wrote:
| > If we want security standards, they need to be legislated democratically and applied to all devices -- not left up to consumer choice.
|
| I get where you are coming from, and forgive me for going all libertarian but... I have less than zero trust in governments (especially mine in the UK). They don't understand tech. They don't want or try to understand tech. They have zero interest in personal freedom or autonomy.
|
| If the UK government did this, I'd go out of my way to find a "non secure" phone as anything they licensed would just have massive insecure backdoors and probably wouldn't actually work as a phone...
|
| Sorry for the rant. I'd honestly like more security in my devices...
|
| tathougies wrote:
| > If we want security standards, they need to be legislated democratically and applied to all devices -- not left up to consumer choice.
|
| But if you want security standards, and Bob does not, why should Bob be forced to want them?
|
| harimau777 wrote:
| Because Bob puts others at risk by using an insecure device.
|
| _s wrote:
| Isn't that the same argument that can be applied to health? Vaccines, clean water, fluoride etc. promote your well-being, and protect you from various bacteria and viruses. Why shouldn't you protect your "digital" self as well?
|
| jchw wrote:
| Isn't this the healthcare argument but for security?
| Because it becomes an international problem when millions of EOL'd devices have a wormable flaw and can send enormous DDoS traffic stressing networks and taking sites offline?
|
| jeherr wrote:
| Wouldn't that be more of a problem if security is standardized though? If everyone has the same security, the same flaw makes everyone vulnerable. Multiple competing security types diversify the pool and prevent one flaw from causing all devices being susceptible to the same attack.
|
| jchw wrote:
| I fail to see how standardizing how long products are supported and how vulnerability reports are processed would cause everyone to have less security.
|
| londons_explore wrote:
| The internet, by its core design, allows anyone to send as much data as they like with any content and pretending to be anyone.
|
| I don't think mandatory security requirements for webcams is going to do much about that...
|
| Instead, we should be thinking about how packets can be source and destination signed, and how unsigned packets can be dropped in the network rather than clogging up their destination.
|
| londons_explore wrote:
| Let me write the source code for the label printer...
|
|     # The manufacturer is taken as a parameter so the snippet actually runs.
|     def IsDeviceSecureEnoughForUKGovernment(manufacturer):
|         if manufacturer == 'Huawei':
|             return "Not Secure. Use sparingly"
|         return "Certified Secure"
|
| noizejoy wrote:
| I often wonder why IOT devices aren't regulated more analogous to cars, since the Internet is a bit analogous to a road system [0], i.e. a shared resource where mistakes and misbehaviour impact other participants.
|
| A couple of car analogies might be that car manufacturers are required to have cars repairable for x years, and that recalls to repair dangerous defects are mandatory. In the case of IOT, the recalls could just be mandatory updates.
|
| [0] https://en.wikipedia.org/wiki/Information_superhighway
|
| jdnenej wrote:
| Because technology progresses faster than laws and by the time the laws catch up there are already powerful corporations established based on the lack of those laws.
|
| For example it's an obvious public and environmental benefit to require that all phones have a user replaceable battery but until recently they almost all did and now it's too late because every phone maker would lobby against it.

___________________________________________________________________
(page generated 2020-03-13 23:00 UTC)