
We’re one step closer to a global cybersecurity standard for smart home devices


As useful as connected devices like video doorbells and smart lights are, it’s wise to exercise caution when using connected tech in your home, especially after years of reading about security camera hacks, fridge botnet attacks, and smart stoves turning themselves on. But until now, there hasn’t been an easy way to assess a product’s security chops. A new program from the Connectivity Standards Alliance (CSA), the group behind the smart home standard Matter, wants to fix that.

Announced this week, the CSA’s IoT Device Security Specification is a baseline cybersecurity standard and certification program that aims to provide a single, globally recognized security certification for consumer IoT devices.

Device makers who adhere to the specification and go through the certification process can carry the CSA’s new Product Security Verified (PSV) Mark. If that security camera or smart lightbulb you’re buying carries the mark, you’ll know it has met requirements to help secure it from malicious hacking attempts and other intrusions that could impact your privacy. 

“Research continually shows that consumers rate security as an important device purchase driver, but they don’t know what to look for from a security perspective to make an informed purchase decision,” Eugene Liderman, director of mobile security strategy at Google, tells The Verge. “Programs like this will give consumers a simple, easily identifiable indicator to look for.”

Liderman is part of the CSA working group that defined the 1.0 spec for the program, which has been developed by over 200 member companies of the CSA. These include (along with Google) Amazon, Comcast, Signify (Philips Hue), and several chipmakers such as Arm, Infineon, and NXP.

According to Tobin Richardson, CEO of the CSA, products carrying the PSV Mark could start to appear as soon as this holiday shopping season.  

The CSA’s new product security verification mark.
Image: CSA

One cybersecurity mark to rule them all

The CSA’s announcement on March 18th follows last week’s news that the FCC has approved implementing its new cybersecurity labeling program for consumer IoT devices in the US. Both programs are voluntary, and the CSA’s label doesn’t compete with the US Cyber Trust Mark. Instead, it goes a step further, taking all of the US requirements and adding cybersecurity baselines from similar programs in Singapore and Europe. The end result is a single specification and certification program that can work across multiple countries (see sidebar). 

Richardson says the goal is for the CSA’s PSV Mark to be recognized by governments, so manufacturers can go through just one certification process to sell in all the major markets. This could reduce cost and complexity for manufacturers and potentially bring more choice to consumers. 

The PSV Mark has been recognized by the Cyber Security Agency of Singapore, and the CSA says it is working on mutual recognition with similar programs in the US, EU, and the UK. “It’s very likely, and with some [countries], it’s a certainty,” says Richardson. “It’s mainly a matter of tying up some paperwork.”

To get the PSV Mark, devices must comply with the IoT Device Security Specification 1.0 and go through a certification program that involves answering a questionnaire and providing accompanying evidence to an authorized test laboratory. Highlights of the requirements include:

  • Unique identity for each IoT Device
  • No hardcoded default passwords
  • Secure storage of sensitive data on the device
  • Secure communications of security-relevant information
  • Secure software updates throughout the support period
  • Secure development process, including vulnerability management
  • Public documentation regarding security, including the support period

According to the CSA, the voluntary program applies to most connected smart home devices — including lightbulbs, switches, thermostats, and security cameras — and can be applied retroactively to products in the market. Along with the PSV Mark, “A printed URL, hyperlink, or QR code on the mark gives consumers access to more information about the device’s security features,” the CSA says in its press release.

The program is focused specifically on device security — making sure the physical device itself can’t be accessed — rather than privacy. “But there is a close linkage in that you can’t have privacy without security,” says Richardson. While security impacts privacy, this program doesn’t offer many requirements around how a manufacturer uses the data a device collects. The CSA has a separate Data Privacy Working Group dealing with that can of worms.  

Better security, but still not perfect

The current iteration of the program isn’t a silver bullet to solve IoT device security concerns. Steve Hanna of Infineon Technologies, a 25-year cybersecurity researcher and chair of the CSA working group for the program, told The Verge there’s still more he’d like to see incorporated. “But we have to crawl, walk, and then run,” he says. “It’s a huge step forward to have a global consumer IoT security certification. It’s so much better than not having one.”

Google’s Liderman also points out that meeting the minimum security standard doesn’t guarantee a device is vulnerability-free. “We greatly believe that the industry needs to raise the bar over time, especially for sensitive product categories,” he says.

The CSA plans to keep the specification updated, requiring companies to recertify at least every three years. Additionally, Richardson says there will be a requirement for an incident response process, so if a company encounters a security issue — such as Wyze’s recent problems — it must fix those before it can be recertified. 


To address concerns about misuse of the label, Hanna says the CSA will have a database of all certified products on its website so you can cross-check a company’s claims. He also says there are plans to make the information available in an API, which could allow your smart home platform app to alert you to a device’s security status before it can join your network.

Hanna cautions against setting expectations too high. “Some companies are excited about it to recognize the work they have already done, but we shouldn’t expect every product to have this,” he says. Some may find they have problems that mean they can’t get certified, he says. “If or when these become required by governments, that’s where the rubber hits the road.”

A voluntary program may seem like a finger in the dam, but it does solve two basic problems. For manufacturers, it makes it simpler to comply with regulations from multiple countries in one step, while for consumers, it opens an avenue to information about what type of security practices a company adheres to.

“Without a label or a mark, it can be difficult as a consumer to make a purchasing decision based on security,” says Hollie Hennessy, an IoT cybersecurity expert at tech analyst firm Omdia. While the program being voluntary could be a barrier to adoption, Hennessy says her firm’s research indicates people are more likely to purchase a device with privacy and security labeling.

Ultimately, Hennessy believes that a combination of standards and certifications like this, along with regulations and legislation, is needed to solve consumer concerns about privacy and security in connected devices. But this move is a big step in the right direction.


Drake threatened with lawsuit over diss track featuring AI Tupac


While Drake’s fans have been having a ball with the Canadian rapper’s recently released track dissing fellow rapper Kendrick Lamar, the legal team representing Tupac Shakur is threatening to take legal action if the song isn’t pulled off the internet.

Billboard reports that late rapper Tupac’s legal team is ready to take Drake to court over the release of “Taylor Made,” Drake’s recently released song featuring the AI-generated voices of Shakur and Snoop Dogg. In a statement about Drake’s creation of “Taylor Made,” litigator Howard King called the song a “blatant abuse of the legacy of one of the greatest hip-hop artists of all time” and said the Shakur estate never cleared the use of Tupac’s voice.

“The Estate is deeply dismayed and disappointed by your unauthorized use of Tupac’s voice and personality,” King said. “The Estate would never have given its approval for this use.”

For the past few weeks, a number of rap artists, including Lamar, Drake, and J. Cole, have been pointedly attacking one another (and entertaining everybody else) through their music after years of simmering tensions over — among other things — who’s the biggest in the game. In response to “Like That,” Future’s recently released song featuring Lamar in which he calls Drake out for making previous jabs, Drake dropped “Push Ups,” a track poking fun at Lamar’s height, shoe size, and the details of his old deal at Top Dawg Entertainment. 

Rather than waiting for a response, Drake also debuted “Taylor Made” on April 19th, and the song immediately raised eyebrows — less so for its reference to Taylor Swift and more so for its prominent use of voices from West Coast rappers (one of whom is quite dead) who did not seem to be involved in any of the ongoing beef. Following the release of “Taylor Made,” Snoop uploaded a video to Instagram with an assortment of emoji seemingly indicating bemusement.

Tupac’s estate wants “Taylor Made” pulled within 24 hours, and if Drake made the song without their permission, we might just see it disappear. But as much as this beef has been about garnering attention, Drake could be very willing to go to court to make his case.


Fox News AI Newsletter: AI predicts your politics with single photo


Welcome to Fox News’ Artificial Intelligence newsletter with the latest AI technology advancements.

IN TODAY’S NEWSLETTER:

– AI can predict political orientations from blank faces – and researchers fear ‘serious’ privacy challenges
– Google to provide AI to military for disaster response
– AI could predict whether cancer treatments will work, experts say: ‘A natural progression’

BLANK SPACE: Researchers are warning that facial recognition technologies are “more threatening than previously thought” and pose “serious challenges to privacy” after a study found that artificial intelligence can be successful in predicting a person’s political orientation based on images of expressionless faces. 

Former President Donald Trump and President Biden are seen in a split image. (Getty Images)

DISASTER RESPONSE: An artificial intelligence venture backed by Google is partnering with the military to use AI in responding to natural disasters.

‘NATURAL PROGRESSION’: A chemotherapy alternative called immunotherapy is showing promise in treating cancer — and a new artificial intelligence tool could help ensure that patients have the best possible experience.

GOOGLE AI MOVES: Google announced on Thursday that it will consolidate a pair of its internal teams that are focused on building artificial intelligence models.

COUNTERING SCAMS: Unfortunately, scammers are using artificial intelligence to mimic the voices of people, potentially turning these fake voices into things like kidnapping scams. This particular scam seems to be rare, but it’s happening.

An illustration of a scammer. (Kurt “CyberGuy” Knutsson)

 


A morning with the Rabbit R1: a fun, funky, unfinished AI gadget


There were times I wasn’t sure the Rabbit R1 was even a real thing. The AI-powered, Teenage Engineering-designed device came out of nowhere to become one of the biggest stories at CES, promising a level of fun and whimsy that felt much better than some of the more self-serious AI companies out there. CEO Jesse Lyu practically promised the world in this $199 device.

Well, say this for Rabbit: it’s real. Last night, I went to the swanky TWA Hotel in New York City, along with a few hundred reporters, creators, and particularly enthusiastic R1 buyers. After a couple of hours of photo booths, specialty cocktails, and a rousing keynote and demo from Lyu — in which he made near-constant reference to and fun of the Humane AI Pin — we all got our R1s to take home. I’ve been using mine ever since, and I have some thoughts. And some questions.

It might be a little big for some hands, but the R1 fits nicely enough in mine.

From a hardware perspective, the R1 screams “kinda meh Android phone.” Here are the salient specs: it’s about three inches tall and wide and a half-inch thick. It weighs 115 grams, which is about two-thirds as much as the iPhone 15. It has a 2.88-inch screen, runs on a 2.3GHz MediaTek MT6765 processor, and has 128 gigs of storage and four gigs of RAM. It has a speaker on the back, two mics on the top, and a SIM card slot on the side right next to the USB-C charging port. It only comes in one color, a hue Rabbit calls “leuchtorange” but is often known as “brilliant orange” or “luminous orange.” It’s definitely orange, and it’s definitely luminous.

At this point, the best way I can describe the R1 is like a Picasso painting of a smartphone: it has most of the same parts, just laid out really differently. Instead of sitting on top or in the back, the R1’s camera sits in a cutout space on the right side of the device, where it can spin its lens to face both toward and away from you. 


After spending a few hours playing with the device, I have to say: it’s pretty nice. Not luxurious, or even particularly high-end, just silly and fun. Where Humane’s AI Pin feels like a carefully sculpted metal gem, the R1 feels like an old-school MP3 player crossed with a fidget spinner. The wheel spins a little stiffly for my taste but smoothly enough, the screen is a little fuzzy but fine, and the main action button feels satisfying to thump on. 

When I first got the device and connected it to Wi-Fi, it then immediately asked me to sign up for an account at Rabbithole, the R1’s web portal. I did that, scanned a QR code with the R1 to get it synced up, and immediately did a software update. I spent that time logging in to the only four external services the R1 currently connects to: Spotify, Uber, DoorDash, and Midjourney. 

The Rabbithole app is for managing your logins and seeing your notes. It needs some work.

Once I was eventually up and running, I started chatting with the R1. So far, it does a solid job with basic AI questions: it gave me lots of good information about this week’s NFL draft, found a few restaurants near me, and knew when Herbert Hoover was president. This is all fairly basic ChatGPT stuff, and there’s some definite lag as it fetches answers, but I much prefer the interface to the Humane AI Pin — because there’s a screen, and you can see the thing working so the AI delays don’t feel quite so interminable. 


Almost immediately, though, I started running into stuff the R1 just can’t do. It can’t send emails or make spreadsheets, though Lyu has been demoing both for months. Rabbithole is woefully unfinished, too, to the point I was trying to tap around on my phone and it was instead moving a cursor around a half-second after every tap. That’s a good reminder that the whole thing is running on a virtual machine storing all your apps and credentials, which still gives me security-related pause.

Oh, and here’s my favorite thing that has happened on the R1 so far: I got it connected to my Spotify account, which is a feature I’m particularly excited about. I asked for “Beyoncé’s new album,” and the device excitedly went and found me “Crazy in Love” — a lullaby version, from an artist called “Rockabye Baby!” So close and yet so far. It doesn’t seem to be able to find my playlists, either, or skip tracks. When I said, “Play The 1975,” though, that worked fine and quickly. (The speaker, by the way, is very much crappy Android phone quality. You’re going to want to use that Bluetooth connection.)

The R1’s Vision feature, which uses the camera to identify things in the scene around you, seems to work fine as long as all you want is a list of objects in the scene. The device can’t take a photo or video and doesn’t seem to be able to do much else with what it can see.

The R1 has a camera, but it’s not a particularly useful one yet.

When you’re not doing anything, the screen shows the time and that bouncing rabbit-head logo. When you press and hold the side button to issue a command, the time and battery fade away, and the rabbit’s ears perk up like it’s listening. It’s very charming! The overall interface is simple and text-based, but it’s odd in spots: it’s not always obvious how to go back, for instance, and you only get to see a line or two of text at a time at the very bottom of the screen, even when there’s a whole paragraph of answer to read.

Rabbit’s roadmap is ambitious: Lyu has spent the last few months talking about all the things the R1’s so-called “Large Action Model” can do, including learning apps and using them for you. During last night’s event, he talked about opening up the USB-C port on the device to allow accessories, keyboards, and more. That’s all coming… eventually. Supposedly. For now, the R1’s feature set is much more straightforward. You can use the device to play music, get answers to questions, translate speech, take notes, summon an Uber, and a few other things. 

The back of the R1 has its speaker, scroll wheel, and camera. And fingerprints.

That means there’s still an awful lot the R1 can’t do and a lot I have left to test. (Anything you want to know about, by the way, let me know!) I’m particularly curious about its battery life, its ability to work with a bad connection, whether it heats up over time, and how it handles more complex tasks than just looking up information and ordering chicken nuggets. But so far, this thing seems like it’s trying to be less like a smartphone killer and more like the beginnings of a useful companion. That’s probably as ambitious as it makes sense to be right now — though Lyu and the Rabbit folks have a lot of big promises to eventually live up to and not a lot of time to do so.

Photography by David Pierce / The Verge
