The idea of a “Cyber-Underwriters Laboratories mark” is really in the air; in the past six months, I’ve had it proposed to me by spooks, regulators, activists, consumer protection advocates, and security experts. But the devil is in the details.
The problem is that there’s no good way for someone contemplating a purchase to determine whether the thing they’re buying has secure or insecure software. Since everything from cars to washing machines to pacemakers are inert lumps of plastic and metal, animated by networked software, this is a big deal. Buy the wrong device and you might get randos perving on your toddler, driving your car off the road at high speed, or use your own CCTV system to figure out how to safely rob you.
The for-profit ratings agency UL (formerly the nonprofit ratings agency “Underwriters Laboratories”) has an answer. Using a staff of 600 security experts, they will inspect the source code of smart devices and give them a pass/fail grade you can use to guide your decisions. However, the process by which they will evaluate these devices is proprietary and only available if you pony up $800 to be a retail UL customer.
This runs contrary to the most elementary best practice, AKA “Schneier’s Law”: “Anyone can think up a security system that works so well that he himself can’t think of a way of breaking it.” In other words, if you don’t subject your technical hypotheses to adversarial peer review, you’re likely to make stupid mistakes. That goes for Chrysler and UL.
IoT vendors wishing to certify their products as UL 2900-compliant submit their widget, including source code, to UL for evaluation. Although head-quartered in the Chicago area, UL has offices around the world, including a large office in the Netherlands, Modeste said, that will support IoT vendors in the EU who are under pressure from ENISA, the European Union Agency for Network and Information Security, to up their security game. “Most UL customers have global reach and global brands,” Modeste said.
The certification process can take several months, and results in product certification valid for twelve months. But security is a process, not a product. Even a perfectly-secured device could find itself punctured like a piece of emmental cheese due to previously-undiscovered vulnerabilities, during the certification window—or, even more likely, within the twelve-month post-certification period. How does UL 2900 handle this challenge?
“During [the certification process] the vendor is required to inform us of…any software changes,” Modeste said, “so we can work with them to validate, continue to evaluate the product up the end before issuing the certificate.” Vendors will also be required to securely patch vulnerable devices in a timely manner.
How precisely will this work? Without a copy of the UL 2900 tech specs to examine, we’ll just have to take Modeste’s word the process has been adequately reviewed.
Underwriters Labs refuses to share new IoT cybersecurity standard
[JM Porup/Ars Technica]