New IoT Security Rating to demonstrate cybersecurity status

By Tim Sandle     Feb 11, 2020 in Business
UL, a global safety science company, has devised an IoT Security Rating to help manufacturers demonstrate their cybersecurity posture in preparation for upcoming regulations.
Until recently, brands, manufacturers and retailers did not have clear baseline security frameworks to work from and no clear way to communicate to consumers the value of their cybersecurity efforts. By collaborating with key industry and governmental stakeholders, UL has devised conformity assessment for all key security frameworks and a consumer labeling system to convey the level of security protection provided to connected products.
UL’s new IoT Security Rating solution evaluates the critical security features of connected products against common attack practices and known IoT vulnerabilities, as Andrew Jamieson, UL Director, Security and Technology, explains.
Digital Journal: To what extent is the demand for IoT products growing?
Andrew Jamieson: In the consumer segment particularly, devices are often competing on price and features, and those features increasingly include connections to other things – mobile apps, smart speakers, cloud systems, etc. These things inherently require some form of connectivity, and so the consumer demand for IoT systems increases apace.
At the same time, it’s often easier and quicker for manufacturers to design systems around micro-controllers and micro-processors than it is to build what may have been previously a purely analog system. The prices for these components continue to come down, and the ease with which they can be integrated into a product – given the volume of open source software, guidance and reference platforms that are available – is dramatic.
DJ: What are the main security concerns with IoT products?
Jamieson: The security concerns with IoT products can be complex to map out. Obviously, there are potential privacy issues with the functions these systems can have that collect personal details, recordings or other data from us and our homes. We’ve recently seen issues where cameras were taken over to allow for external parties to see and talk to people inside a house, or where children’s smartwatches could be used by others to track the location of the people wearing them, as well as see individual personal details of those children.
There may be safety issues as well; for example, changing or impacting the operation of software on an oven, heater or even a printer can potentially create a fire hazard. An IoT door lock may not just have issues with software security that allows for a hacker to open the lock remotely; sometimes these systems can focus too much on the IoT aspect and not enough on the lock aspect – and as such, have issues with the foundational physical security they are supposed to provide!
So, it’s not just software vulnerabilities that are a concern with these systems, but physical and implementation concerns that may exist as well. Common design issues such as default passwords, poor use of cryptography, insecure cloud services or lack (or insecure deployment) of patches; these are all very well-known issues. However, it’s also important to recognize that the connectivity of these systems, the way they are installed and used, and how well they are going to actually achieve the purpose for which they are intended, all of these things can lead to insecure products as well.
Finally, it’s important to recognize that not all the impacts of insecure IoT systems are borne by the purchaser/user of the system. We’ve seen attacks such as Mirai where a botnet – a collection of many compromised systems – was formed from IoT cameras to deploy attacks that impacted the operation of large sections of the internet.
DJ: How significant are privacy concerns?
Jamieson: Privacy concerns can be very real. We outlined some potential areas above, where cameras or microphones could be used to capture information that may be later exposed. However, there can be a network effect to this as well, where the more data you have being collected and potentially exposed by IoT systems, the more this data may reveal about you when viewed in its totality.
DJ: Who should be responsible for ensuring purchased products have up-to-date security in place: the manufacturer or the consumer?
Jamieson: Certainly, the company that is responsible for producing and providing the product for sale through retailers should be the entity that is responsible for ensuring that system is able to be used and operated in a secure way. We do not expect users to be responsible for the electrical safety of the products they use at home, and we should not expect that end users should be responsible for ensuring systems are protected from software attacks.
This is not to say that users can divorce themselves of all responsibility if they actively use or implement systems against manufacturer specifications or guidance, in such a way that it renders the product unsafe. This has parallels with electrical and fire safety too – we require heaters to have cut-off switches in case they get too hot, but if someone were to disable this in some way and the product catches fire, that can’t be the manufacturer’s fault. For IoT, if the customer actively prevents patches from being installed, or connects a system directly to the internet that is specifically designed to be only locally accessible, there’s only so much a manufacturer can do to maintain the security at that point.
However, this is of course a complex issue. Although most people tend to quite intrinsically understand the requirements around electrical and fire safety these days, that’s because we’ve grown up in a world that has educated us on these systems that have been all around us since we were born. IoT is very new, security is a very new science, and so we need to be careful in assuming any level of blame or responsibility on the consumers who are not so well versed in the do’s and don’ts of these systems.
DJ: What is UL’s IoT Security Rating?
Jamieson: UL’s IoT Security Rating is a security assessment and labeling solution, created and operated by UL, that tests and ranks the security features of IoT products. You can view the requirements themselves on our Standards website here (https://www.shopULstandards.com/ProductDetail.aspx?UniqueKey=35953). This program was established based on common security issues that often plague IoT systems, which we have also covered in our IoT Top 20 document (https://ims.UL.com/IoTSecurityTop20).
With this solution, we look for mitigations against the common vulnerabilities that affect IoT systems – default passwords, poor cryptography, insecure updates, etc. – as we have discussed above. With this assessment, if the device meets certain defined criteria regarding security mitigations, the product can be assigned one of five levels of security: Bronze, Silver, Gold, Platinum or Diamond. As the levels increase, this indicates not only that a product has more security protections built in, but the depth of analysis performed during testing to validate these protections has increased as well.
The goal of this solution is to help expose to customers which products have been designed to be more secure, so that the customer can consider this as part of their purchase decision. At this point, there are many surveys that indicate that customers do care about security and that they are willing to pay more for security, but it’s hard for them to understand which products are valuing their security more. This solution helps customers with that challenge.
DJ: How do you ensure the security rating is current?
Jamieson: The security requirements for the IoT Security Rating will be updated from time to time as required – in the same way that, for example, the things required in an Australasian New Car Assessment Program (ANCAP) safety rating for cars changes over time too. As new vulnerabilities are discovered and as the general level of security of IoT systems improves, we expect that this program will continue to raise the bar of what acceptable levels of security are for consumer systems.
It is a requirement for systems assessed under this solution, for example, that the manufacturer or distributor has a vulnerability management program that is designed to actively monitor new threats and issues with the security of their systems, rank and patch these issues, and distribute patches as required. Verified products then receive a differentiated UL Verified Mark security label – specifying the achieved security level – and are evaluated on an ongoing basis by UL. The achieved UL Verified Mark can serve as a competitive differentiator for manufacturers’ products and can be used on their products, packaging, marketing and retail environments. If a company fails to meet these vulnerability management and ongoing evaluation obligations, UL reserves the right to revoke their ability to use the UL Verified Mark on their products and marketing materials.