January 8th, 2025

White House unveils Cyber Trust Mark program for consumer devices

The White House launched the Cyber Trust Mark program to enhance consumer awareness of IoT device cybersecurity standards, with products expected to feature the mark by 2025 and federal procurement by 2027.


The White House has introduced the Cyber Trust Mark program aimed at enhancing consumer awareness regarding the cybersecurity standards of Internet of Things (IoT) devices. This labeling initiative, similar to the Energy Star program, will help consumers identify products that meet government-vetted cybersecurity criteria. Developed in collaboration with the National Institute of Standards and Technology (NIST) and the Federal Communications Commission (FCC), the program will be administered by UL Solutions and ten other firms. The Cyber Trust Mark is expected to appear on products by 2025, with major retailers like Amazon and Best Buy assisting in consumer education about the label's significance. The mark will feature a shield symbol and will vary in color based on product design, indicating compliance with NIST standards for safer home integration. Additionally, a forthcoming executive order will mandate that the federal government procure devices bearing the Cyber Trust Mark by 2027, signaling a push towards a more secure IoT market. Deputy National Security Director for Cybersecurity and Emerging Technology, Anne Neuberger, emphasized the importance of this initiative in promoting cybersecurity in consumer products.

- The Cyber Trust Mark program aims to inform consumers about the cybersecurity standards of IoT devices.

- The initiative is developed in collaboration with NIST and FCC and will be administered by UL Solutions.

- Major retailers will help educate consumers about the Cyber Trust Mark.

- The mark is expected to appear on products by 2025, with federal procurement mandated by 2027.

- The program is part of a broader effort to enhance cybersecurity in consumer technology.

30 comments
By @vessenes - 28 days
Interesting. I'm not sure if the public comment period is over (The original proposal is dated August, 2023), but this stands out to me from their paper:

    We propose to focus the scope of our program on intentional radiators that generate and emit RF energy by radiation or induction.31 Such devices – if exploited by a vulnerability – could be manipulated to generate and emit RF energy to cause harmful interference. While we observe that any IoT device may emit RF energy (whether intentionally, incidentally, or unintentionally), in the case of incidental and unintentional radiators, the RF energy emitted because of exploitation may not be enough to be likely to cause harmful interference to radio transmissions.
I guess it is the FCC so this makes sense from their point of view. From my perspective, I'd like to see marks indicating:

* If the devices can be pointed to an alternate API provider if the company stops supporting

* If firmware has been escrowed / will be made available if the company stops supporting

* If device data is stored by the company

* If that data is certified as end to end encrypted

* Some marks for who / how the data is used

By @JohnMakin - 28 days
Cool, I'd rather have a stamp that indicates a company will support their product for X number of years, and if they don't, they will release the software as OSS so you can maintain it yourself. I have an extremely expensive scale that came with wifi support and an app, only bought it 3 years ago, half the features already don't work because they nuked the app and stopped supporting the scale. Did I need a smart scale? Absolutely not, and I don't really need any other "smart" devices the more I think about stuff like this, and now seek to buy "stupid" devices as much as possible. I'm not sure what such security stamps are supposed to provide other than a false sense of security, as most things can be hacked eventually with enough determination or some unknown zero day.
By @0xbadcafebee - 27 days
This is a bit scary. Knowing how software is developed, I know there's no government program that could actually ensure a device is secure. It's one thing to measure an electronic device's EMI or pump it full of power and see if it catches fire. But black box testing of software is itself a black art, as software security is a lot more complex than [typical] electronic design.

The scary bit is that this label is going to be found to be ineffective, and then consumers may lose trust in government-issued safety stamps.

By @rkagerer - 27 days
The real problem is very few vendors are inclined to spend the time and money to make their products truly stable & secure. Instead we churn out a firehose of crap code for a sewage dump of cheap IoT products. I'm not sure how much a government-conceived seal will raise the bar of consumer expectations.

I'd still put my faith in other indicators like a company's track record, third party audits, robustness of open source library choices where applicable, my own analysis of their stack and engineering choices based on signs I can observe about their product / interface / etc (there are usually several present), my own testing and so forth.

I'd argue the generally accepted pace of consumer product development these days is reckless, and not sustainable if you want truly robust results.

I would have been glad to see this step in the right direction if I weren't convinced all it will likely amount to in practice is security theatre. Here's hoping my skepticism is unwarranted.

By @jzebedee - 28 days
The combined requirements that govt purchasing must carry the mark and that major US surveillance tech manufacturers like Amazon are leading the rollout make this seem less like a cybersecurity concern and more of a protectionist carve out.
By @crazygringo - 28 days
I'm interested in the actual details here --

1) What are the requirements for the mark? E.g. no passwords stored in plaintext on servers, no blank/default passwords on devices for SSH or anything else, a process for security updates, etc.?

2) Who is inspecting the code, both server-side and device-side?

3) What are the processes for inspecting the code? How do we know it's actually being done and not just being rubber-stamped? After all, discovering that there's an accidental open port with a default password isn't easy.

By @beams_of_light - 28 days
Things like this are useless, in my mind, because hackers are always going to innovate and find ways around protection mechanisms. Today's "locked down" IoT device could easily become tomorrow's "vulnerable to an easily exploitable pre-auth RCE".

What the government probably _should_ do is begin establishing a record of manufacturers/vendors which indicates how secure their products have been over a long period of time with an indication of how secure and consumer-friendly their products should be considered in the future. This would take the form of something like the existing travel advisories Homeland Security provides.

Should you go to the Bahamas? Well, there's a level 2 travel advisory stating that jet ski operators there get kinda rapey sometimes.

Should you buy Cisco products? Well, they have a track record of deciding to EOL stuff instead of fixing it when it's expensive or inconvenient to do the right thing.

Should you buy Lenovo products? Well, they're built in a country that regularly tries and succeeds in hacking our infrastructure and has a history of including rootkits in their laptops.

By @schnable - 28 days
Probably overlaps with the EU RED Cybersecurity requirements for IoT devices that are supposed to go into effect this year: https://www.ul.com/services/ul-solutions-cybersecurity-advis...
By @floxy - 28 days
Seems like good fodder for a tongue twister. Try saying it 10 times fast:

- Must the Cyber Truck (Musk) bear the Cyber Trust Mark?

By @silisili - 28 days
What's to stop the bad actors from just printing the logo on their gear anyways? Like they do with UL and N95?
By @lebubule - 24 days
They should have contacted the FSF.

https://ryf.fsf.org/

Again, decades ahead.

By @ngneer - 27 days
Who are these UL Solutions? They seem to have come out of nowhere and hit the jackpot, inserting themselves as arbiters for security. Smells a bit like how Common Criteria proffered independent certification labs, which were no panacea either.
By @devwastaken - 27 days
The FCC doesn't do testing themselves. They just trust submitted paperwork. Tech gets the "good one" certified then changes the parts for cheaper.

There is no regulation in tech. They own the fed.

By @mikewarot - 27 days
This is equivalent to requiring an Underwriters Laboratory (UL) approval on every electrical appliance before settling on requirements for fuses or circuit breakers.

No matter how good everyone in this trust mark program is, you're only one confused deputy[1] away from disaster.

[1] https://en.wikipedia.org/wiki/Confused_deputy_problem

By @Terr_ - 28 days
Digging for more details, but a lot of the technical requirements (e.g. encryption, password handling, etc.) are still unclear.

https://www.fcc.gov/CyberTrustMark

By @jmclnx - 28 days
This is all well and good. You can have thousands of "marks of approval", but is the most important item needed required?

User upgradability if the company folds or sunsets the product. When that happens, the user will need to buy a new device or live with compromised devices. Most will live with the compromised device.

So, IMO, the product should be fully open source and easily upgraded in order to get the Cyber Trust Mark.

By @fulafel - 27 days
Many countries have been doing this already (usually based on this ETSI spec: https://www.etsi.org/deliver/etsi_en/303600_303699/303645/03...)
By @glitchc - 27 days
By @gibibit - 28 days
I wonder how much this is going to add to the cost/effort of creating a new IoT product for startups/small businesses?
By @netfortius - 27 days
I wonder how many of these latest "White House did X" are going to go away in two weeks...
By @DeepYogurt - 28 days
Interesting. This is probably a good thing to have around as a baseline for all the iot crap out there
By @magic_smoke_ee - 27 days
NIST is involved (Dual_EC_DRBG).

Verdict: nope.

This is something that an independent, international cybersecurity nonprofit should be in charge of, not a standards org that shills for what we think may have been the NSA (BULLRUN).

By @MaxGripe - 27 days
"Pedobear Seal of Approval" with NSA stamp!
By @vaadu - 24 days
Why the FCC as opposed to CISA?
By @trod1234 - 27 days
This is doomed to failure.

Cybersecurity best practices are a point in time snapshot, the label will be dependent on at purchase time, how will that help people who have purchased second hand, or had products where items on shelves suddenly had a vulnerability discovered? You really think they are going to go through the cost of sending those back?

All software bugs can potentially be security bugs. This follows classic shock doctrine.

By @mattmaroon - 27 days
It's as if the federal government doesn't realize nobody trusts it. Whether due to ineptitude or dishonesty, the only thing we can be sure about this is that we can't be sure about it.

We need a blue ribbon commission on transparency, honesty, and good governance desperately. Let's reduce any federal agencies that make any sort of direct-to-citizen recommendations by 100% and instead spend that on rooting out bad incentives, misinformation, etc.

By @ngneer - 25 days
The true problem is that the world is addicted to additive security. "What can we add to make our systems more secure?" Since the InfoSec industry sprung from the IT industry, the financial incentives are backwards. At the moment, people pay for security solutions that add complexity. Walk the floor in any commercial security conference and you will find these to be the most prevalent. "Take my tech" is the mantra. If people only paid for security solutions that remove complexity, then it would be a very different story. "Let me do away with your complexity" would be the better mantra. Albeit a gross simplification, the industry must flip the script to subtractive security, asking what can we remove or revise to make our systems more secure.

Same thinking afflicts consumer devices. New IoT device? Which known-good security validated and battle tested software stack is the vendor reusing? Oh, your own homebrew stack that phones home? How novel! You mean you slapped on whatever it took to ship? Terrific! There is a bug in ROM with no way to securely remediate? Shocking! /s

By @surfpel - 28 days
Only Gov approved spyware included!
By @delfinom - 27 days
This is basically going to become a monopoly program. Stores and governments will start mandating it for sales like energy star. Then because UK is the administrator, the costs to certify will skyrocket. Basically this is going to ensure the only devices you can buy are those made by a select few megacorps.