UL announced its IoT Security Rating program and the UL Verified Mark Wednesday at CES, a new effort to measure how hackable IoT and smart devices are. The company also said that appliance giant GE would be the first company to submit its products for testing.
IoT devices from smart light bulbs to voice-activated assistants are pushing deeper and deeper into our homes, despite continued reports that such devices can be hacked. UL (formerly Underwriters Laboratories), with its leadership position in testing product safety, no doubt saw an opportunity to create standards and perform testing to assure consumers that there are adequate levels of protection from individuals seeking to eavesdrop or steal data. The UL Verified Mark is also a public statement that GE and other participating companies considered cybersecurity when designing their products.
UL said that it is “testing and assessing all connected products on the GE Appliances IoT security platform, including dishwashers, washers, dryers, refrigerators, ovens, water heaters and water softeners, to help demonstrate baseline security capabilities and protection of their consumer’s data at the appliance, on the GE Appliances mobile app and in the cloud.”
The products are tested against their implementation of baseline security practices. UL said those practices are aligned with the National Institute of Standards and Technology’s draft NISTIR 8259; the European Telecommunications Standards Institute’s IoT security framework, ETSI TS 103 645; and the Council to Secure the Digital Economy’s CSDE C2 Consensus. UL’s testing will also demonstrate compliance with the cybersecurity laws governing IoT security and data collection that went into effect January 1 in Oregon and California (including the California Consumer Privacy Act).
UL will offer five rating tiers, from Bronze to Diamond, which the participating company can use on rated products. The company has published descriptions of what the various UL security levels mean. The Bronze tier, for example, includes such basics as no default passwords, a secure reset button that wipes the device of data, and secure connections and update capabilities.
If the device provides additional security features, it stands to receive a higher-tier rating. The Silver rating includes the disclosure of what data is collected by the device, with the opportunity to opt in. The Gold rating includes the assurance that the device is secured out of the box, and that data is stored and transmitted using encryption. The Platinum level adds basic protections against malware and hacking. The maximum Diamond rating includes more aggressive malware protection and the requirement that stored data not be personally identifiable—a capability many of us might prefer to see in lower tiers.
UL says the verified products are evaluated on “an ongoing basis” to capture changes and improvements as products evolve.
The UL Verified Mark is no guarantee that a device won’t be hacked, especially if a consumer picks a dumb, easily guessed password. What the UL Verified Mark provides, however, is some assurance that the manufacturer itself is paying as close attention to device security as you, ideally, are.