[HN Gopher] United Kingdom to introduce security labelling on co...
       ___________________________________________________________________
        
       United Kingdom to introduce security labelling on connected devices
        
       Author : ingve
       Score  : 123 points
       Date   : 2020-03-13 14:41 UTC (8 hours ago)
        
 (HTM) web link (mender.io)
 (TXT) w3m dump (mender.io)
        
       | sonofgod wrote:
       | Trying to work out what I'd want in a first pass. At an absolute
       | minimum:
       | 
       | * A commitment and ability to update any critical security issues
       | for a specified amount of time
       | 
       | * Standardised mechanisms for reporting critical updates to users
       | which are not used for marketing
       | 
       | * A basic checklist of best practice for internal self-audit (SQL
       | injection, plaintext data, enumeration attacks)
       | 
       | A low bar, but still far better than what we've currently got.
       | (External audits are probably silver tier?)
        
         | smhenderson wrote:
         | Good list. I would add a clear and accessible way to report a
         | perceived problem without fear of some type of reprisal from
         | the company.
         | 
         | But I can also see how that could be abused by bad actors so I
         | guess it would be a tricky part of the policy to do correctly.
        
         | mattlondon wrote:
         | I'd add:
         | 
         | - 2-factor auth support
         | 
         | - federated login support (i.e. login with Google/Facebook/etc
         | buttons)
         | 
         | - some sort of indication of encryption in-flight and at-rest,
         | and who handles the keys (e.g. is there a per-user key that
         | tech support can't even access without user grant, or is there
         | a single hard-coded AES key in the APK etc that everyone knows)
        
           | rkangel wrote:
           | The 3rd one makes sense, the first two are system questions
           | rather than device questions. In an open system there may be
           | multiple service providers whose security should be judged
           | separately from the security of a device.
        
           | fmajid wrote:
           | Most MCUs don't have a persistent real-time clock and thus if
           | power is lost, there is a good chance TOTP based 2FA will no
           | longer work.
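
Added example, not part of fmajid's comment or the thread: a standard-library RFC 6238 TOTP check showing why a verifier whose clock restarts from zero after power loss rejects a valid code. The secret and timestamps are the RFC 4226/6238 test values; the function names and the 95-second uptime are assumptions made for the illustration.

```python
# Added illustration, not code from the thread.
# TOTP (RFC 6238) is HOTP (RFC 4226) with counter = unix_time // 30, so the
# verifier must share wall-clock time with the code generator.
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length used by most authenticator apps


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """Code an authenticator app shows at the given wall-clock time."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, code: str, verifier_time: int, window: int = 1) -> bool:
    """Accept the code if it matches any step within +/- window of the
    verifier's own idea of the current time."""
    base = verifier_time // STEP
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter >= 0 and hmac.compare_digest(hotp(secret, counter), code):
            return True
    return False


def demo():
    secret = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret
    phone_time = 1111111109            # RFC 6238 test-vector timestamp
    code = totp(secret, phone_time)    # what the user's phone displays

    # Device with a working real-time clock, 12 seconds ahead of the phone.
    accepted_with_rtc = verify(secret, code, phone_time + 12)

    # Device without a persistent RTC: after power loss its clock counts
    # from 0, so 95 seconds after boot it checks steps 2..4 (constructed).
    accepted_after_power_loss = verify(secret, code, 95)

    return code, accepted_with_rtc, accepted_after_power_loss


if __name__ == "__main__":
    print(demo())
```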
        
         | elliekelly wrote:
         | > A basic checklist of best practice for internal self-audit
         | (SQL injection, plaintext data, enumeration attacks)
         | 
         | I think this is a massive ask/knowledge expectation for the
         | average person. A simple warning label about changing the
         | device password from the default would be a major step in the
         | right direction for consumers.
        
           | nitrogen wrote:
           | The average consumer probably has no idea what a growth
           | hormone is either, but it's all over food labeling. It might
           | be enough if there is a label that security experts know and
           | understand, that consumers can learn to say yes/no about
           | without having to know what it _really_ means.
        
           | michaelt wrote:
           | I think sonofgod means "Vendor self-certifies they have
           | tested their device against the checklist" rather than that
           | end users would perform the audit.
        
           | fmajid wrote:
           | The label could have a simple grade, along with a QR code
           | leading to the governmental agency approval DB page for the
           | product in question.
        
         | michaelt wrote:
         | Maybe you'd enjoy reading - and perhaps contributing to - Draft
         | ETSI EN 303 645
         | https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02...
        
       | gumby wrote:
       | These are stickers; I was hoping they would be cryptographic
       | labels that you could validate over the network.
       | 
       | Still, it's a start.
        
       | swamifil wrote:
       | I think some kind of indicator that networked devices are at risk
       | is a smart thing to do. I posted this "Show HN" a little while
       | ago:
       | 
       | https://news.ycombinator.com/item?id=22343786
       | 
       | Part of the idea is that people will modify their behavior when
       | there's visible indication they're conducting a risky activity.
        
       | jotm wrote:
       | So is this like the "Smoking kills" labels on cigarette packs and
       | limits/warnings on beer cans or what? I'd say literally everyone
       | ignores those.
        
         | kfarr wrote:
         | Or like prop 65 warning in CA
        
       | flareback wrote:
       | From the press release linked to in the article
       | (https://www.gov.uk/government/news/government-to-strengthen-...):
       | 
       | - All consumer internet-connected device passwords must be unique
       | and not resettable to any universal factory setting
       | 
       | - Manufacturers of consumer IoT devices must provide a public
       | point of contact so anyone can report a vulnerability and it will
       | be acted on in a timely manner
       | 
       | - Manufacturers of consumer IoT devices must explicitly state the
       | minimum length of time for which the device will receive security
       | updates at the point of sale, either in store or online
        
         | jchw wrote:
         | This all seems reasonable. Frankly, though, imagine the benefit
         | we would see if this was also enforced for consumer network
         | equipment, like routers...
        
         | jl6 wrote:
         | I don't see a time limit on that second point. For how long
         | will companies be expected to act upon vulnerability reports?
         | What's a reasonable end of life?
        
           | jchw wrote:
           | My guess is that this is covered by the third point - if you
           | EOL security patches for a device I am guessing you are no
           | longer expected to act on vulnerability reports.
        
       | ellius wrote:
       | I saw this design on /r/security and thought it was a good idea:
       | 
       | https://news.ycombinator.com/item?id=22343786
       | 
       | It seems like if we want to solve this problem we need to somehow
       | modify users' behavior by making them aware that indiscriminate
       | browsing is a risk.
        
       | xxpor wrote:
       | The question to me is: how do we avoid another FIPS-like
       | disaster, where the government standards fall behind the times
       | and lead to worse security than you'd otherwise get?
        
       | genmon wrote:
       | Could be worth them looking at the Trusted Technology Mark which
       | has been doing the hard work of figuring out how to certify
       | connected devices:
       | 
       | https://web.archive.org/web/20190212185530/https://trustable...
       | (edit: linking via archive.org as the site appears to be
       | redirecting at least some clicks to scam sites)
       | 
       | The axes are interesting and a good starting point. From their
       | site:
       | 
       | * Privacy & Data Practices: Is it designed using state of the art
       | data practices, and respectful of user rights?
       | 
       | * Transparency: Is it made clear to users what the device does
       | and how data might be used?
       | 
       | * Security: Is it designed and built using state of the art
       | security practices and safeguards?
       | 
       | * Stability: How robust is the device and how long of a life
       | cycle can a consumer reasonably expect?
       | 
       | * Openness: How open are both the device and the manufacturer's
       | processes? Is open data used or generated?
        
         | ancarda wrote:
         | That URL opened up a scam site for me claiming I was going to
         | win something, I think a phone. I closed the tab too quickly to
         | see.
         | 
         | How did that happen? I have JavaScript disabled and an
         | adblocker installed...
         | 
         | Edit: My browser's history:
         | 
         | * https://trustabletech.org/about/#
         | 
         | * http://www.wosemdesy.site/[...loads of crap here...]
         | 
         | * http://competition5783.primeluck26.live/*******/[...loads of
         | crap here...]
        
           | droithomme wrote:
           | I got competition6155.primeluck2.live redirecting to
           | mobile-app-market-here1.info redirecting to
           | updatelive.yourultimatesafevideoplayer.info. Which is
           | obviously a malware download.
           | 
           | Fun stuff. Gives me tons of confidence TrustableTech can be
           | trusted and certifying device security globally. Trusted
           | Technology Mark? To me this will mean "unsafe".
        
           | genmon wrote:
           | Looks like a Wordpress hack. I've dropped a note to the site
           | maintainers and heard back already -- they're on it.
        
             | Digit-Al wrote:
             | The irony :-/
        
       | logifail wrote:
       | Q: is this content (at mender.io) supposed to be hard to read, or
       | is it just my eyeballs?
        
       | kragen wrote:
       | I think a reasonable basic set of requirements would be the
       | following:
       | 
       | - There is no non-free firmware or other software on the device.
       | 
       | - The consumer is provided full source code to the software and
       | can effectively replace the preinstalled version with a version
       | they have compiled themselves.
       | 
       | - The manufacturer provides updated versions of any software or
       | firmware (again, including full source code) to patch any
       | discovered security vulnerability for the expected life of the
       | device: at least three years for most devices, but perhaps as
       | long as 30 to 60 years for some devices. This lifetime is
       | disclosed.
       | 
       | - The device does not transmit any personally identifiable
       | information back to the manufacturer in its default
       | configuration; for example, audio recordings, power usage
       | measurements, accelerometer readings, temperature readings, or
       | customer login names or account numbers.
       | 
       | Unfortunately, I don't think such requirements are viable in the
       | current political situation. That doesn't change the fact that
       | any device that fails to comply with them introduces a serious
       | security vulnerability: there is no way for the users to defend
       | themselves against malicious actors who penetrate the
       | manufacturer. The Dieselgate scandal and the Huawei prohibition
       | are only the mildest taste of what we are in for.
       | 
       | Of course it is not practical for every person to audit the
       | source code of the firmware for every TV remote control and power
       | brick they use, but it is possible for people to organize
       | consumer watchdog agencies that do perform such audits.
        
         | adrianN wrote:
         | Replacing the firmware should require physical access for
         | security reasons imho.
        
           | kragen wrote:
           | I think that's a good idea in most cases.
        
       | FpUser wrote:
       | I would even read it were it not for light grey text on white
       | background. I am declaring personal vendetta against visual
       | design decisions that ignore any common sense.
        
       | pjc50 wrote:
       | > Both the United Kingdom and Singapore have aligned their IoT
       | security plans and programs with the draft European Standard EN
       | 303 645 'Cyber Security for Consumer Internet of Things'.
       | 
       | > https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02...
       | 
       | About 30 pages of broad points. Judicious use of "where
       | applicable".
        
       | have_faith wrote:
       | Unrelated to article content. I can't believe someone thought it
       | was a good idea to set body text to 60% opacity...
        
         | lewiscollard wrote:
         | Here's the original gov.uk press release, and as always (kudos
         | to their team) it's beautifully legible:
         | 
         | https://www.gov.uk/government/news/government-to-strengthen-...
        
         | frou_dh wrote:
         | https://news.ycombinator.com/item?id=9238739
        
           | have_faith wrote:
           | I would be totally fine with the comment section being split
           | in two, the main section being on-topic and a bottom section
           | for related but less core discussion. I doubt many on HN
           | would like the idea though.
        
             | BurningFrog wrote:
             | Tagging would be a more 2020 version.
        
             | frou_dh wrote:
             | We can just bikeshed inside our own mind. It needn't be
             | articulated.
        
               | have_faith wrote:
               | Honestly a depressing thought ha. Rules control the fun.
        
               | rat9988 wrote:
               | Please apply your own advice and bikeshed in your mind.
               | Let people who come here for discussions discuss.
        
             | TeMPOraL wrote:
             | I would, as long as both sections are on the same page. Or
             | even three sections: on topic, tangents, on medium - in
             | that order (or even fourth section at the end, meta).
             | 
             | Point being, I love me the occasional rant about a page's
             | bad design decisions, or some vaguely on-topic meta angles.
             | I want to read them all, but preferably in order, and not
             | mixed up together.
        
               | have_faith wrote:
               | On-topic / Meta would simply be enough. Like you I get
               | some value from the occasional side discussion. I can
               | appreciate why people would want to keep the main
               | discussion on topic though, I just think it would be best
               | to keep the meta discussion and just section it off.
        
           | [deleted]
        
           | gorpomon wrote:
           | I'll kindly say this: while it might be technically
           | bikeshedding, accessibility on the web is important and it
           | only gets better when we call it out, respectfully, every
           | chance we get. OP should have chosen better words, but the
           | sentiment is valid.
           | 
           | It's very likely that as a high ranking HN article the owners
           | of mender.io will read these comments and improve their blog.
           | I don't have sight accessibility issues and I struggled to
           | read this content.
        
             | frou_dh wrote:
             | https://news.ycombinator.com/item?id=22226562
        
               | gorpomon wrote:
               | Feedback sent via their contact form. Nothing further to
               | discuss here really, happy reading everyone.
        
             | ralphmender wrote:
             | Thank you for the feedback. I'm with Mender.io and we will
             | be addressing this.
        
       | timthorn wrote:
       | This is a good point to remind citizens to keep an eye on the
       | Government consultations that come out from time to time - at
       | least in the UK, we all have the opportunity to contribute to
       | this type of regulation through responding to the relevant
       | consultations.
       | 
       | https://www.gov.uk/search/policy-papers-and-consultations?or...
        
       | bob1029 wrote:
       | I fail to see how this really improves anything for the average
       | consumer. Government getting involved in this sort of thing just
       | feels like more of the same TSA-style security theater nonsense.
       | I'd prefer my network device manufacturers focus their efforts on
       | the actual hard stuff rather than spending time and money getting
       | certified for some bullshit box label.
        
         | olyjohn wrote:
         | Exactly. It's going to be a list of check-boxes that the
         | manufacturer will do the bare minimum to meet. Or they twist
         | their process and wording to make it look like they are meeting
         | the requirement.
        
         | timthorn wrote:
         | > focus their efforts on the actual hard stuff
         | 
         | The trouble is, they (or at least, a good number of them)
         | aren't doing so at the moment. This will get them to at least
         | address the easy stuff.
        
       | crazygringo wrote:
       | No matter how great security labeling may be, I fear the
       | incentives are completely and utterly in the wrong place.
       | 
       | An _individual consumer_ who purchases a poorly protected network
       | device is unlikely to suffer any meaningful individual harm, like
       | having their computer ransomwared.
       | 
       | Rather, it makes things like botnets possible that can be used
       | for all sorts of things, e.g. DoS attacks against a third party.
       | 
       | So why should a consumer do anything but ignore the label? It's
       | the rational choice if the less-secure product is cheaper.
       | 
       | If we want security standards, they need to be legislated
       | democratically and applied to _all_ devices -- not left up to
       | consumer choice.
       | 
       | Now whether a legislature is capable of doing that effectively is
       | certainly an open question. But I'm afraid labeling may be no
       | more than an ineffective band-aid.
        
         | WalterBright wrote:
         | Oh, I bet enough consumers will make selections based on
         | labeling that vendors will find it worthwhile to meet those
         | standards to get those labels.
         | 
         | I know I will.
        
         | Digit-Al wrote:
         | > An individual consumer who purchases a poorly protected
         | network device is unlikely to suffer any meaningful individual
         | harm, like having their computer ransomwared.
         | 
         | The number of stories I've read of poorly secured connected
         | devices aimed at children. Stories of flaws so basic that it
         | would be trivially easy for an attacker to get the child's
         | location and send them messages posing as a parent.
         | 
         | Individual consumers will be very concerned about devices that
         | could potentially allow their child to be lured to some random
         | location and attacked.
        
         | JumpCrisscross wrote:
         | > _An individual consumer who purchases a poorly protected
         | network device is unlikely to suffer any meaningful individual
         | harm_
         | 
         | It opens the door to liability for companies who purchase
         | insecure network devices. If your peers are buying good
         | hardware while you're buying self-identifying garbage, someone
         | harmed by a botnet running on your metal has a better argument,
         | now, that you were knowingly reckless.
        
           | msla wrote:
           | > If your peers are buying good hardware while you're buying
           | self-identifying garbage, someone harmed by a botnet running
           | on your metal has a better argument, now, that you were
           | knowingly reckless.
           | 
           | If every piece of hardware has the same label, that argument
           | dries up and blows away.
           | 
           | If some piece of hardware doesn't have the label and later
           | gets owned, the manufacturer will be held accountable. It
           | would have to be, or else this is toothless. Since no
           | manufacturer can predict which vulnerabilities may be
           | discovered, and since legal teams are a cowardly and
           | superstitious lot, every manufacturer will put the label on
           | now to avoid any potential problems later.
        
           | jdnenej wrote:
           | Why even allow the sale in the first place? We don't allow
           | the sale of faulty seat belts and say "well the consumer knew
           | when they got it".
        
           | thfuran wrote:
           | But if there are a hundred million compromised TVs, toasters,
           | refrigerators, and thermostats, liability for those few
           | enterprises is largely a moot point.
        
             | TheRealPomax wrote:
             | I don't understand what you're trying to say here. The fact
             | that companies will now be liable means that if even a
             | single person is affected, not only is there clear
             | liability, the kind of offenses that aren't sued for right
             | now, because the payoff is too low to cover the court costs,
             | are suddenly perfectly viable class action suits for
             | amounts in the hundreds of millions of dollars against
             | single manufacturers.
             | 
             | That's a huge shift, and about as far from "moot" as you
             | can get.
        
               | ldjb wrote:
               | I think what is being discussed here is liability for
               | companies purchasing insecure devices, rather than the
               | manufacturers of those devices.
               | 
               | It is reasonable to say that, even if companies are
               | discouraged from purchasing insecure devices, that won't
               | necessarily deter consumers purchasing insecure devices
               | for their households. The threat from devices in
               | households is perhaps even greater than in businesses, if
               | the number of households in question is great enough.
        
         | LatteLazy wrote:
         | >If we want security standards, they need to be legislated
         | democratically and applied to all devices -- not left up to
         | consumer choice.
         | 
         | I get where you are coming from, and forgive me for going all
         | libertarian but... I have less than zero trust in governments
         | (especially mine in the UK). They don't understand tech. They
         | don't want or try to understand tech. They have zero interest
         | in personal freedom or autonomy.
         | 
         | If the UK government did this, I'd go out of my way to find a
         | "non secure" phone as anything they licensed would just have
         | massive insecure backdoors and probably wouldn't actually work
         | as a phone...
         | 
         | Sorry for the rant. I'd honestly like more security in my
         | devices...
        
         | tathougies wrote:
         | > If we want security standards, they need to be legislated
         | democratically and applied to all devices -- not left up to
         | consumer choice.
         | 
         | But if you want security standards, and bob does not, why
         | should bob be forced to want them?
        
           | harimau777 wrote:
           | Because Bob puts others at risk by using an insecure device.
        
           | _s wrote:
           | Isn't that the same argument that can be applied to health?
           | Vaccines, clean water, fluoride etc promote your well-being,
           | and protect you from various bacteria and viruses. Why
           | shouldn't you protect your "digital" self as well?
        
           | jchw wrote:
           | Isn't this the healthcare argument but for security? Because
           | it becomes an international problem when millions of EOL'd
           | devices have a wormable flaw and can send enormous DDoS
           | traffic stressing networks and taking sites offline?
        
             | jeherr wrote:
             | Wouldn't that be more of a problem if security is
             | standardized though? If everyone has the same security, the
             | same flaw makes everyone vulnerable. Multiple competing
             | security types diversify the pool and prevent one flaw from
             | causing all devices being susceptible to the same attack.
        
               | jchw wrote:
               | I fail to see how standardizing how long products are
               | supported and how vulnerability reports are processed
               | would cause everyone to have less security.
        
         | londons_explore wrote:
         | The internet, by its core design, allows anyone to send as
         | much data as they like with any content and pretending to be
         | anyone.
         | 
         | I don't think mandatory security requirements for webcams is
         | going to do much about that...
         | 
         | Instead, we should be thinking about how packets can be source
         | and destination signed, and how unsigned packets can be dropped
         | in the network rather than clogging up their destination.
        
       | londons_explore wrote:
       | Let me write the source code for the label printer...
       | 
       |     def IsDeviceSecureEnoughForUKGovernment(manufacturer):
       |         if manufacturer == 'Huawei':
       |             return "Not Secure.  Use sparingly"
       |         return "Certified Secure"
        
       | noizejoy wrote:
       | I often wonder why IOT devices aren't regulated more analogous to
       | cars, since the Internet is a bit analogous to a road system [0],
       | i.e. a shared resource where mistakes and misbehaviour impact
       | other participants.
       | 
       | A couple of car analogies might be, that car manufacturers are
       | required to have cars repairable for x years, and that recalls to
       | repair dangerous defects are mandatory. In the case of IOT, the
       | recalls could just be mandatory updates.
       | 
       | [0] https://en.wikipedia.org/wiki/Information_superhighway
        
         | jdnenej wrote:
         | Because technology progresses faster than laws and by the time
         | the laws catch up there are already powerful corporations
         | established based on the lack of those laws.
         | 
         | For example it's an obvious public and environmental benefit to
         | require that all phones have a user replaceable battery but
         | until recently they almost all did and now it's too late
         | because every phone maker would lobby against it.
        
       ___________________________________________________________________
       (page generated 2020-03-13 23:00 UTC)