In March 2024, CISA published an advisory on vulnerable smart locks from Chirp Systems. The locks use a default hardcoded password. There is even a CVE (CVE-2024-2197). This is a classic use case of everything going wrong with #IoT products:

- Hardcoded default passwords in smart locks leading to safety risks. This is unacceptable. An ultra-basic risk assessment would catch this, because that's the sole reason for having a lock: prevent unauthorized access.
- A researcher tried to report the vulnerability in... MARCH 2021. That's 3 years ago. The vendor has no VDP and obviously did not respond, even to the governmental agency. Unfortunately, there is no penalty in the US for such behavior. If you design IoT products, please implement a VDP using our guidance: cetome.com/vdp.
- There is no secure update? Whoops, now everybody using Chirp is vulnerable because they aren't going to check the CISA website or any other security-focused website. This is always a big debate: to disclose or not.
- CISA is recommending network segmentation / a firewall / a VPN... It is absolutely not clear whether this would mitigate this risk, because we don't know if the password is exploitable over Bluetooth or only over the Internet. If you can exploit this over Bluetooth, this is pointless and the only remediation is to disable "keyless" entry until a fix is available.

My solution would be to buy something better, I guess? But then we're back to square one: how do we identify "better"? We can develop cyber security labels, but would you buy the "Cyber Trust Mark" labelled product for $100 when you can find a vulnerable lock for only $70? So we're back to square two (can we say that?): regulations and enforcement. That's why we have #PSTI in 2 weeks, and #RED and #CRA in Europe. Indeed, from the 29th of April 2024, it will be illegal to sell such products in the UK!

Note to myself: don't buy a smart lock yet.
It is doable. Well, at least, it is in the making right now! In the US, NIST has been working on a labeling program for consumer IoT since EO 14028 of 2021 (going back to previous work inspired by existing systems in Singapore and I-don't-remember-where in Northern Europe). The latest news is from February. It is now in the hands of the FCC for deployment. This has always been one of my favorite projects! https://www.nist.gov/itl/applied-cybersecurity/nist-cybersecurity-iot-program/consumer-iot-cybersecurity

Of course, from the start, it was clear to everyone that beyond some basic characteristics (e.g. no default password) the label shall not be only static, but rather a QR code leading to a dynamic page with information: latest firmware update, EOL date, human-readable vulnerability disclosure, etc. https://www.theverge.com/2024/3/18/24104906/csa-iot-device-security-specification-product-security-verification-mark

For now, it's planned to be voluntary, like our French "nutri-score" for food, hoping for the same kind of incentive. It would be great if we had such a program in Europe.
Agreed, Cédric. Binary labels do not work. Cybersecurity “certifications” cannot be static. Cybersecurity cannot be awarded “stars” and ratings. Theatre of security for the sake of it. Product security is only as good as the day you're in it. False security assurance benefits no consumer. Constant surveillance (and suspension or revocation of conformity) for evaluated products that conform to baseline requirements as vulnerabilities are disclosed (and hopefully remediated) is required, and that's just one of the unique pieces of IP developed by and protected in the IoT Security Trust Mark™ scheme.
Product cyber security, resilience, awareness, regulations. I work with IoT product manufacturers, solution providers, accreditation bodies and end-users to make cyber work. Keywords: EN 303 645, EN 18031, CRA, RED, PSTI
Looks like the VPN would not do anything because it's an API issue. CISA, do better or ask people with #IoTsecurity expertise? IoT is not OT. More info here: https://krebsonsecurity.com/2024/04/crickets-from-chirp-systems-in-smart-lock-key-leak/