A member of the Federal Communications Commission explains the security label that leads to the solution of the ``problem of not knowing how long security updates will be applied'' of IoT devices

On July 19, 2023, the Biden administration announced a new cybersecurity labeling program for IoT devices. Mr. Nathan Symington, a member of the Federal Communications Commission (FCC), said about this program, which will make it possible to periodically correct security vulnerabilities that exist in smart home appliances such as smart TVs. I solicited opinions from the public.

Ask HN: I'm an FCC Commissioner proposing regulation of IoT security updates | Hacker News


IoT devices, which connect things around us to the Internet and allow them to be managed by smartphones and PCs, are always accompanied by security threats. Manufacturers are required to respond quickly as soon as vulnerabilities are discovered, but Symington says, ``Many manufacturers are neglecting their efforts.''

Even if a manufacturer designs a patch to fix a vulnerability, it can take a long time to apply it to a user's device, and it's not uncommon for manufacturers to discontinue security updates prematurely. is. These 'security update support periods' are often not made known to consumers, and even well-informed users may not know how long their devices will be secure.

In order to improve such problems, the security labeling program for smart devices was announced under the Biden administration. This program allows consumers to choose safer products by labeling devices that meet certain security standards with the 'US Cybertrust Mark' to differentiate them from other products.

In addition to simply attaching a label, it is also mandatory to display a QR code along with the label. When consumers scan this QR code, they will be shown the latest information about their device and will be able to see details such as how long the security update is on the device and what user data the device collects. The FCC requires devices to be recertified annually for program eligibility, which would require manufacturers to take more aggressive security measures than ever before.

Biden administration announces new security standards compliant label 'US Cybertrustmark' for IoT devices-GIGAZINE

The above program is currently soliciting public comments for implementation from 2024. Under these circumstances, Symington, who has promoted the program, appeared on the social news site Hacker News and called for discussion on the program.

“I have struggled to have one of the criteria for the Security Labeling Program include disclosing how long consumers can receive security updates,” Symington said. We want the commitments on this label, including the support period, to be enforceable under contract, tort lawsuits, and other laws.'

“Many manufacturers object to committing to security update periods, even voluntarily. That's why your opinion matters, because you know a lot about security issues, and you're always thinking, 'Why aren't there rules for this sort of thing?' Please take this opportunity to leave a comment on the rules you think,' and asks you to submit your opinion to the public comment.

Symington's post has received various comments on Hacker News. One user said, 'I'm a firmware engineer, how does the FCC define security flaws? The remote update mechanism itself can pose security issues, so some devices should only be able to update if the owner has physical access to the device. Is the manufacturer

responsible for the damage caused by attacks on vulnerable devices that have not been updated?'

Another user prefaced, “writing from Ukraine,” and added, “As part of modern warfare, it must be said that cybercrime has increased tremendously. If a hostile intelligence agency hacks a device that emits radio waves, the coordinates of the device may be set as an attack target.' I vented.

In addition, 'If there is a vulnerability in the software in the first place, there is almost no point in continuing to update it for many years, and there is no guarantee that the manufacturer will completely comply with the period. Rather than the rule of information disclosure, all IoT devices sold I think there needs to be a minimum security standard that must be met beforehand, something that puts the burden on manufacturers to build more secure devices upfront, rather than just committing to patching later. This will allow consumers to use secure devices without requiring any security knowledge. We sympathize with manufacturers' concerns about the cost of implementing this, but we urge them to act quickly. 'If we do so, we can prevent IoT disasters before the market expands further. We would like you to consider proposing the minimum necessary security.'

in Web Service,   Security, Posted by log1p_kr