The application of a small label to consumer products can lead to big changes in consumer behavior. We see this in people’s dietary habits: health-conscious consumers now choose the less saturated fat or carb heavy option from the supermarket shelf because the label allows them to compare products’ ingredients. It’s the same with environmental consciousness: the ENERGY STAR® mark in the US or the energy labeling scheme in the EU, means consumers can now make a more educated choice when purchasing a fridge, TV, or washing machine. These labeling systems are not perfect, leaving a lot to the consumer to interpret and is dependent on their choice to be effective. The concept for security labeling for IoT devices is equally imperfect.
Like energy labels, we are at the beginning of the ever changing real-time label that is sorely needed for secure, always connected embedded devices.
The same principle behind the energy labels is set to be applied to the security features of connected consumer devices. Having labels that provide an independent validation of each device's specific security status will put pressure on manufacturers to take security seriously. Already, powerful voices in the industry are pushing for the adoption of common standards for basic security product labeling. This is the right thing to do. Frankly, it’s also economically advantageous for the consumer electronics industry to raise its game on security. No one wants consumers’ love affair with all things tech to chill over fears that their privacy will be compromised, or that they will be exposed to a ransomware attack.
In any case, if the industry does not move forward with security labeling voluntarily, it is likely to be forced to do so in many regions and countries, as a recent announcement from the US government indicates.
Making Security Labeling Effective and Transparent
Google and others have made some wise suggestions on ways to make a security labeling scheme properly independent, verifiable, and accountable. Yet one important dimension to this question has not been fully aired: the time-dependent nature of a security validation.
Security labeling is not like food labeling. A bar of chocolate or a can of soup remains unaltered from the point when they leave the factory to the moment they are consumed. The analysis of food ingredients is a one-time-only event. If the soup has 400 Calories when it’s made, it will have 400 Calories when the consumer sits down to eat it.
The static nature of food labels is in stark contrast to a security label. On shipment from the factory, all model units of a consumer electronics product will have an identical security status. But more-or-less as soon as it is with the consumer and connected to a network, the security status will begin to diverge from another’s, even if the units are physically identical. Consumers will apply updates and security patches at different times. Only some updates may be accepted–if at all. This means that a one-time-only security label for every model unit will be misleading. A product labeled as highly secure when it leaves the factory will not remain highly secure if the consumer fails to install essential updates—all the while taking false comfort in the protection apparently afforded by the label.
The answer is for the security label to provide a link to an online portal with the real-time security status of the device–and only that device. The portal would draw on the update history to determine current vulnerability and exposure to the risk of attack.
This is understandably a more complicated endeavor for the device manufacturer than the application of a one-time-only label. But it need not be difficult–and for customers of FoundriesFactory®, it is not. That’s because an integral feature of FoundriesFactory is that it logs and time-stamps every code change, and adds it automatically to a device’s Software Bill-of-Materials (SBOM). The platform also automates the deployment of all code changes and manages the way they are delivered to devices in the field via The Update Framework (TUF)-based tools. It provides full traceability in real time of the software content of every unit in an entire fleet of installed devices. Creating a portal for publishing a per-device security status is a simple matter of reading data out of FoundriesFactory and publishing it online, tied to a unique and secure device identifier.
It’s the sensible solution to the question of how to inform consumers about the security status of the devices they own. We call on industry influencers to add this extra dimension to the debate about how best to implement device security labeling.
To learn more about the many integrated features within FoundriesFactory, go ahead and book a personalized demo experience with one of our experts.
You can also trial FoundriesFactory free for 30 days to find out for yourself how easy labeling management can be. Experience the benefit of ensuring your full range of products are secure for their entire lifecycle.