IoT devices need built-in security standards, UL says

Right now, you have no idea if the connected gadget you buy is a security problem waiting to get plugged in.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read

There's currently no security standards for the millions of Internet-of-Things devices out on the market. 

James Martin/CNET

When you buy a new lightbulb, you know that it's energy efficient and will last for a while because of an Energy Star label on the package. But when you buy an internet-connected lightbulb, there's almost no way of telling if it's secure from hackers. 

Underwriters Laboratories, the electronics safety organization, is looking to fix that by introducing security ratings for internet-of-things devices. UL is known for its safety standards certifications for products, ensuring, for instance, that the charger you bought online isn't a counterfeit that'll set your house on fire

Now UL wants to set the security standard for cybersecurity threats -- a notorious issue for IoT devices. 

"These days, when you look at products, they have been moving from an analog function to a digital function," said Andrew Jamieson, UL's director of security and technology. "From that context, the security of the software directly affects the safety of the product, so we have to really start thinking about that." 

There is no unified standard for connected gadgets, which means that the smart TV you buy could be a hacking concern waiting to get plugged in. Unless you researched all your connected gadgets yourself, there'd be no way of knowing without a standard.

Connected devices are expected to sell up to 20.4 billion units by 2020, and without security standards, it leaves massive potential for hackers to take over devices and use them for cyberattacks. In 2016, hackers took advantage of exposed cameras and DVRs to launch one of the largest cyberattacks ever, causing widespread internet outages.  

A 2018 Worldwide Threat Assessment from Robert Ashley, director of the US Defense Intelligence Agency, warned that weak security on IoT devices posed one of the "most important emerging cyberthreats" to national security.

Lawmakers have proposed legislation to improve IoT security, and experts have suggested security labels like what UL plans to roll out.  

The security standards come in five tiers: diamond, platinum, gold, silver and bronze. 


UL's security ratings for IoT devices will have five tiers.


They are given based on seven requirements: software updates, data and cryptography, logical security, system management, customer identifiable data, protocol security, and process and documentation. 

Each requirement has its own checklist of security practices. For example, to get the bare minimum verification under data and cryptography, your device can't have default passwords. To get the diamond verification, your device would need to be protected from brute-force attacks -- when hackers spam password attempts until the correct one is chosen. 

UL laid out its standards and requirements in a whitepaper it published in June

Jamieson noted that only a small percentage of available IoT products would meet that diamond standard and that many connected devices currently on the market might not even meet UL's minimum standards. It's not a reflection of UL's strict requirements, but rather how poor the security is on the majority of IoT devices. 

"The commercial pressures have not allowed for people to differentiate in security," Jamieson said. "That's resulted in security not being built in, even at the lowest level." 

Don't expect to see this on products immediately. UL said that it's working with IoT makers and that the standards are still in the early stages. It expects to be able to make more announcements in the first quarter of 2020. 

UL doesn't expect to see changes overnight for IoT security, either. The hope is that as the UL security ratings gain traction, people will be more likely to buy the secured products and push IoT makers to focus more on improving security.

"If people come up and see two TVs, and one is $100 more expensive, but it has the security rating, we're hoping people will decide on the more secure systems," Jamieson said. "It's about finding a way to incentivize companies to build security in."