News: 0175853499


White House Launches 'Cyber Trust' Safety Label For Smart Devices

(Wednesday January 08, 2025 @10:30PM (BeauHD) from the stamp-of-approval dept.)


BleepingComputer's Sergiu Gatlan reports:

> "Today, the White House announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for internet-connected consumer devices. The Cyber Trust Mark label, which will [1]appear on smart products sold in the United States later this year, will help American consumers determine whether the devices they want to buy are safe to install in their homes. It's designed for consumer smart devices, such as home security cameras, TVs, internet-connected appliances, fitness trackers, climate control systems, and baby monitors, and it signals that the internet-connected device comes with a set of security features approved by NIST.
>
> Vendors will label their products with the Cyber Trust Mark logo if they meet the National Institute of Standards and Technology (NIST) cybersecurity criteria. These criteria include using unique and strong default passwords, software updates, data protection, and incident detection capabilities. Consumers can scan the QR code included next to the Cyber Trust Mark labels for additional security information, such as instructions on changing the default password, steps for securely configuring the device, details on automatic updates (including how to access them if they are not automatic), the product's minimum support period, and a notification if the manufacturer does not offer updates for the device.
>
> "Americans are worried about the rise of criminals remotely hacking into home security systems to unlock doors, or malicious attackers tapping into insecure home cameras to illicitly record conversations," the Biden administration [2]said on Tuesday.
>
> "The White House launched this bipartisan effort to educate American consumers and give them an easy way to assess the cybersecurity of such products, as well as incentivize companies to produce more cybersecure devise [sic], much as EnergyStar labels did for energy efficiency."



[1] https://www.bleepingcomputer.com/news/security/us-govt-launches-cybersecurity-safety-label-for-smart-devices/

[2] https://www.whitehouse.gov/briefing-room/statements-releases/2025/01/07/white-house-launches-u-s-cyber-trust-mark-providing-american-consumers-an-easy-label-to-see-if-connected-devices-are-cybersecure/



I imagine .. (Score:4)

by PPH ( 736903 )

.. that Chinese manufacturers have already re-purposed some of the presses they used for making [1]CE labels [hqts.com] to making these.

[1] https://www.hqts.com/differences-between-ce-conformite-europeenne-and-ce-china-export/

Re: (Score:2)

by JustAnotherOldGuy ( 4145623 )

Bingo. They'll duplicate it with no problem.

Re: (Score:3)

by arglebargle_xiv ( 2212710 )

In any case it's kinda worthless because it's only valid between the time it's issued and when the next vuln pops up. So the text on it should say "NIST Certified At One Point Possibly Secure Device".

Re: (Score:2)

by AmiMoJo ( 196126 )

The CE thing was never true. It appears to be a Wiki Myth. Some MEP in the EU claimed it happened, Wikipedia cited them as a source, and it became accepted truth.

It would be pointless to do it. There is no CE certification, you apply it to your own product as an oath that it meets certain standards and design rules. There are consequences if you lie and get caught, but if you were willing to create a fake CE logo then you wouldn't be worrying about that anyway.

No such thing for cloud only devices (Score:5, Insightful)

by rtkluttz ( 244325 )

As long as they ONLY function with cloud there is no such thing as trust. The zero trust model is the most robust security model in cybersecurity. Everything else is a farce. If you are forced to trust the maker of the device and don't have the ability to lock them out and still use all your devices features, then there is no trust. Cloud devices outside of your control where you have to authenticate to someone else's servers and ask their permission to control a device behind your firewall is the type of trust that only idiots give.

Re: (Score:1)

by dfghjk ( 711126 )

And yet here you are posting on /. Did you make your own computer, or are you trusting the manufacturer? I'm sure you're using an air-gapped device to run your browser.

Re:No such thing for cloud only devices (Score:4, Informative)

by rtkluttz ( 244325 )

Oh yeah, I build my own machines, I run Linux, I run rooted Android that has been de-googled running Island. I am root of my domain and no company is or ever will be. Even my Chamberlain garage door opener, which is cloud ready with an app, is not being used like that. I will NEVER allow a company to control my devices for me. My garage door opener uses a set of dry contacts wired to the button in the house that I can control remotely via a tiny web server on a Raspberry Pi Zero. If I am outside my home I use a VPN to get access. I realize most people will not go to these extremes, but no one should be allowing that cloud controlled crap in their house if they even remotely value security and privacy.

Re: (Score:2)

by Uldis Segliņš ( 4468089 )

Amen to this! Right approach to security. But it requires a bit of electronics knowledge, as most smart devices are kind of black boxes that work only with a server in China or wherever, to which you start by giving them your wifi password. Hell no to that! So my not yet hacked smart energy meter sits so far in a grounded metal cable box without the required wifi and phone app access. Just because it has a screen and one day it will be reverse engineered to decouple it and add it to some Raspi or Arduino.

Re: (Score:2)

by SirSlud ( 67381 )

That's adorable.

Re: (Score:2)

by MacMann ( 7518492 )

When I got my new fiber-to-the-home internet service, the modem I got required me to set up some kind of account with the manufacturer to make any changes to the system. I can't trust this modem; I have no true ownership of the device if I can't set my own password and such to where it can lock out the manufacturer.

This is new to me since I've had different internet access devices in the past that let me set a local password and such without some registration with the manufacturer.

I don't trust the governme

SCOTUS (Score:3)

by dfghjk ( 711126 )

Can't wait for SCOTUS to usurp NIST's authority to establish standards. The Cyber Trust Mark can sit alongside Full Self Driving, just another line of bullshit.

But hey, at least there's a QR code so you can set a password, no doubt that's gonna help security. Wonder if there will be one to disable the back doors?

what about a min update lifetime? (Score:3)

by Joe_Dragon ( 2206452 )

what about a min update lifetime?

Re: (Score:2)

by AmiMoJo ( 196126 )

Products should have an end of life date on the box, like a food use by date. Consumers understand those. Once updates end, once the cloud server goes offline, it should be treated like expired milk.

Certified == safe?! (Score:1)

by Anonymous Coward

It is extremely hard to believe that complying with a certification causes something to be "safe." Please please please, just call it "safer." Or say "it complies with several best practices."

Calling it "safe" is asking for trouble and is 100% likely to end up undermining the reputation of the certification, since certified devices are still going to get caught doing things against the interests of their owners.

"approved by NIST" (Score:3)

by ffkom ( 3519199 )

"approved by NIST" meaning:

> We guarantee there is at least one back-door in this device, for US agencies to use them as surveillance devices. No guarantees are made on how many additional back-doors were installed by those cheapest overseas manufacturers who were involved in building this device or its components. Adversaries or data brokers who failed to inject their back-door into our supply chain will need to pay for your data, or employ their own hackers to steal our back-door credentials.

Re:"approved by NIST" (Score:4, Insightful)

by leonbev ( 111395 )

It's probably going to be more like we paid an auditor to send us a form to fill out with basic security practice questions, and we then gave them the answers that they wanted to hear. Then they sent us a certificate saying that we could put their logo on our product.

You know, it will be pretty much like every other SOC audit you've done before. Other than having to provide a few screenshots of some select cherry picked functions where the senior engineers actually did what they were supposed to do, there isn't any real third party verification. Nobody is going to let them dig into that crap back-end code that we outsourced to Bulgaria that's probably filled with security holes.

Re: (Score:2)

by arglebargle_xiv ( 2212710 )

> It's probably going to be more like we paid an auditor

It's "we paid an auditor a fuckton of money". Nothing NIST does is ever remotely cheap, which means only the most overpriced products will get the trust mark, and as with web trust marks most of them will be with dodgy vendors who use the trust mark to lure in suckers (this is an actual fact, it was studied quite a bit back when web trust marks were popular).

Why the FCC and not CISA? (Score:2)

by schwit1 ( 797399 )

Will Amazon allow non-certified devices to be sold on its site?

And the next logical step (Score:2)

by JustAnotherOldGuy ( 4145623 )

"Vendors will label their products with the Cyber Trust Mark logo if they meet the National Institute of Standards and Technology (NIST) cybersecurity criteria."

And the next logical step is that the counterfeiters and scammers will faithfully duplicate the 'Cyber Trust Mark logo', and update their labels, logos, and boxes.

IMHO this Cyber Trust Mark logo will just give people a false sense of security; it shouldn't reassure anyone for one second.

Only US backdoors! We promise! (Score:2)

by gweihir ( 88907 )

More likely US backdoors will be in there, but whether there are any others as well is unclear. Dark times.

I will regard this as a "mark of shame" and treat it as a strong "do not buy under any circumstances".
