UL, the 122-year-old safety standards organisation whose various marks (UL, ENEC, etc.) certify minimum safety standards in fields as diverse as electrical wiring, cleaning products, and even dietary supplements, is now tackling the cybersecurity of Internet of Things (IoT) devices with its new UL 2900 certification.
But there’s a problem: UL’s refusal to freely share the text of the new standard with security researchers leaves some experts wondering if UL knows what they’re doing.
When Ars requested a copy of the UL 2900 docs to take a closer look at the standard, UL (formerly known as Underwriters Laboratories) declined, indicating that if we wished to purchase a copy—retail price, around £600/$800 for the full set—we were welcome to do so.
Independent security researchers are also, we must assume, welcome to become UL retail customers.
“It’s very concerning,” Brian Knopf of I Am The Cavalry, a group of security researchers focused on public safety issues, told Ars. “Without transparency, the research community cannot help improve or audit the standards.” As Ars has previously reported, Knopf is leading an effort to develop a five-star cybersecurity rating system for IoT devices.
Security researcher Rob Graham, CEO of Errata Security and a prominent critic of the UL approach to cybersecurity, agreed with Knopf. “No review copy of their proposal seems weird, and…counter to basic security principles of transparency.”
Ken Modeste, UL’s chief of cybersecurity technical services, defended the company’s position. “Our whole mission is public safety,” he told Ars. “We’ve been here since 1894. We want to help industry and the public to choose safe products.”
Modeste pointed out that UL has been involved in the cybersecurity space for a decade, and employs around 600 staff focused on financial cybersecurity–certifying point-of-sale (POS) terminals, PCI compliance, and so forth.
That, he said, led to talks with the US Department of Homeland Security (DHS) and other US government agencies to develop the technical specifications for UL 2900. “UL is probably one of the best organisations engaged in cybersecurity,” he added.
Modeste did not acknowledge that the lack of a freely available standard was even a problem, pointing out that numerous government and industry stakeholders have seen the standard and contributed to its development, and that UL charges rates comparable to organisations like the IEEE or IEC.
Instead, he emphasised that UL’s goal is to provide “the ability for a vendor to have some repeatable and reproducible way to evaluate their product to ensure it meets some minimum requirements.”
Mudge weighs in
That goal may be of even greater concern than their lack of transparency, according to Peiter “Mudge” Zatko, the former head of cybersecurity research at DARPA who is now building the Cyber Independent Testing Laboratory (CITL), a US Air Force-funded “Consumer Security Reports” for IoT devices.
Mudge told Ars he has evaluated over 100,000 pieces of software, many of them IoT devices, and based on that work he prefers a “nutritional label” or “Monroney Sticker” model that isn’t pass/fail, but rather offers more fine-grained detail.
The Monroney Sticker is the window label, required for all new cars sold in the US, that provides consumers with information such as fuel efficiency, smog emissions, and most importantly safety ratings.
“Too many unhealthy products will pass the bare-minimum certification process,” Mudge said, “and the result is that users will [conclude] they are ‘healthy’ (when they are unhealthy).”
He was also critical of UL’s business model. “[UL] are a for-profit organisation,” he wrote. “I worry about that as it creates [a] perverse incentive structure.
Empowering the consumer is not where they derive their value/profit, and that goal can become masked or forgotten in the pursuit of profit.”
After more than a century as a not-for-profit, UL changed their status in 2012 and are now a for-profit corporation.
“Don’t get me wrong,” he added, “I’m a fan of some for-profit models, but not as much when it comes to safety.”
How do you certify a moving target, anyway?
IoT vendors wishing to certify their products as UL 2900-compliant submit their widget, including source code, to UL for evaluation.
Although headquartered in the Chicago area, UL has offices around the world, including a large office in the Netherlands, Modeste said, that will support IoT vendors in the EU who are under pressure from ENISA, the European Union Agency for Network and Information Security, to up their security game. “Most UL customers have global reach and global brands,” Modeste said.
The certification process can take several months, and results in product certification valid for twelve months.
But security is a process, not a product.
Even a perfectly-secured device could find itself punctured like a piece of emmental cheese due to previously-undiscovered vulnerabilities, during the certification window—or, even more likely, within the twelve-month post-certification period. How does UL 2900 handle this challenge?
“During [the certification process] the vendor is required to inform us of…any software changes,” Modeste said, “so we can work with them to validate, continue to evaluate the product up the end before issuing the certificate.” Vendors will also be required to securely patch vulnerable devices in a timely manner.
How precisely will this work? Without a copy of the UL 2900 tech specs to examine, we’ll just have to take Modeste’s word the process has been adequately reviewed.
For his part, Knopf thinks it’s a feel-good exercise unlikely to improve the abysmal state of IoT security. “I don’t think the UL path is the right one,” he said. “It will probably end up like PCI [the credit card industry data protection standard]. Makes people feel safe, but completely useless in reality.”
In the face of these criticisms, Modeste agreed that UL 2900 may not be perfect but defended the standard as a step in the right direction.
“There’s no silver bullet for security, or magic wand that will solve everyone’s security problems,” he said. “It’s a first step, a start…to help the industry to elevate their security mechanisms and their products.”
A goal we can all agree on.
The only question is, is UL 2900 the best way to get us from here to there?
J.M. Porup is a freelance cybersecurity reporter who lives in Toronto. When he dies his epitaph will simply read “assume breach.” You can find him on Twitter at @toholdaquill.
This post originated on Ars Technica UK