Everything we know about the White House’s IoT security labeling effort

Home security cameras are some of the first devices to be considered for a security “nutrition label” that could launch in spring 2023.
Enlarge / Home security cameras are some of the first devices to be considered for a security “nutrition label” that could launch in spring 2023.
Getty Images

The White House issued a statement today that said, essentially, it hosted a big meeting on Wednesday, with big names, and that some kind of security label for smart devices will come of it in spring 2023. Here’s a good deal more on what happened, and what’s likely to come out of it.

One of the top-level recommendations of the US Cyberspace Solarium Commission, named for the Eisenhower administration’s drive to rethink Cold War strategy, in its March 2020 report was to “establish a national cybersecurity certification and labeling authority.” A “non-profit, non-governmental organization” will become a labeling authority for at least five years, tagging products based on the consensus of the departments of Commerce and Homeland Security and “experts from the federal government, academia, non-governmental organizations, and the private sector.”

And that’s about who showed up, according to the White House. Amazon, Comcast, Google, Intel, LG, Samsung, Sony, and other private entities showed up. So did the Connectivity Standards Alliance, the consortium behind Matter, along with the American National Standards Institute (ANSI), Consumer Reports, and the Consumer Technology Association, CTIA, and National Retail Federation lobbying groups. Add in just about every security-touching government agency, and you’ve got the panel the Solarium Commission recommended.

Details on the label itself as it exists so far, and what it would rate or measure, were not available, but there have been hints. CyberScoop quoted a White House official stating that device ratings could be based on “vulnerability remediation, amount of information collected on consumers, whether data is encrypted, and interoperability with other products.”

As for what the label could look like, there’s at least one template. Researchers from Carnegie Mellon University, one of the parties invited to the summit, had already created a security “nutrition label.” The label, based on input from more than 22 groups, performed well with users, the university claims. It provides multiple levels of disclosure, based on common Internet of Things pain points: default passwords, security updates, functionality when offline, and the like.

You can even create your own voluntary security label or just kick the tires on it, as I did.

I don’t know why we created this smart doorbell, but we are committed to updating it for at least three years.
I don’t know why we created this smart doorbell, but we are committed to updating it for at least three years.
Kevin Purdy / Carnegie Mellon

The White House told reporters Thursday that it aimed to “keep things simple,” with a code that can be scanned by phones to show security and privacy information.

What products will get the labels? The White House told reporters Wednesday that it would start with voluntary labeling in spring 2023, focusing on “particularly vulnerable Internet-connected devices such as routers” and home cameras.

The White House’s press release notes that it wants this effort to “generate a globally recognized label.” CyberScoop reported earlier this month that the task force was working with the European Union to “align on standards.” It’s notable, then, that Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger attended Singapore International Cyber Week, where she described the US as looking to Singapore as a “world leader in IoT,” as reported by The Register.

Singapore’s Cyber Security Labelling Scheme assigns almost every Internet-connected consumer device in that country a rating on a four-star scale. The system is recognized by Finland and, as of today, Germany. Announced at the conference this week is that the system may make its way soon to medical devices. It’s a decent bet that whatever system the US devises will want to reach some reciprocity with Singapore’s system, even if at just a single level.

The Cybersecurity Labelling Scheme in Singapore, where consumer devices receive one of four scores based on security practices.
The Cybersecurity Labelling Scheme in Singapore, where consumer devices receive one of four scores based on security practices.

Is there a Matter aspect to this labeling? Almost certainly, given the presence of the CSA at the White House summit. Matter certification already requires that devices use AES encryption when communicating across networks, be able to receive updates over the air, be code-signed, and have a secure enclave for storing keys and certificates to be checked against a blockchain ledger. Some or all of those aspects (minus the blockchain bit) are likely to be considered on security labels.

While the first version of this security label will almost certainly be a compromised, politically palatable effort, anything is likely to be better than the system we have now: individually searching smart home brand names and manufacturers online with the trailing phrases “breach” and “vulnerability.”

https://arstechnica.com/?p=1891741