Technology

We’re one step closer to a global cybersecurity standard for smart home devices

Published

4 months ago

March 18, 2024

We’re one step closer to a global cybersecurity standard for smart home devices

As useful as connected devices like video doorbells and smart lights are, it’s wise to exercise caution when using connected tech in your home, especially after years of reading about security camera hacks, fridge botnet attacks, and smart stoves turning themselves on. But until now, there hasn’t been an easy way to assess a product’s security chops. A new program from the Connectivity Standards Alliance (CSA), the group behind the smart home standard Matter, wants to fix that.

Announced this week, the CSA’s IoT Device Security Specification is a baseline cybersecurity standard and certification program that aims to provide a single, globally recognized security certification for consumer IoT devices.

Device makers who adhere to the specification and go through the certification process can carry the CSA’s new Product Security Verified (PSV) Mark. If that security camera or smart lightbulb you’re buying carries the mark, you’ll know it has met requirements to help secure it from malicious hacking attempts and other intrusions that could impact your privacy.

“It’s a huge step forward to have a global consumer IoT security certification. It’s so much better than not having one,” Steve Hanna, Infineon

“Research continually shows that consumers rate security as an important device purchase driver, but they don’t know what to look for from a security perspective to make an informed purchase decision,” Eugene Liderman, director of mobile security strategy at Google, tells The Verge. “Programs like this will give consumers a simple, easily identifiable indicator to look for.”

Liderman is part of the CSA working group that defined the 1.0 spec for the program, which has been developed by over 200 member companies of the CSA. These include (along with Google) Amazon, Comcast, Signify (Philips Hue), and several chipmakers such as Arm, Infineon, and NXP.

According to Tobin Richardson, CEO of the CSA, products carrying the PSV Mark could start to appear as soon as this holiday shopping season.

The CSA’s new product security verification mark.

Image: CSA

One cybersecurity mark to rule them all

The CSA’s announcement on March 18th follows last week’s news that the FCC has approved implementing its new cybersecurity labeling program for consumer IoT devices in the US. Both programs are voluntary, and the CSA’s label doesn’t compete with the US Cyber Trust Mark. Instead, it goes a step further, taking all of the US requirements and adding cybersecurity baselines from similar programs in Singapore and Europe. The end result is a single specification and certification program that can work across multiple countries (see sidebar).

The CSA’s IoT cybersecurity standards requirements

The following IoT device cybersecurity standards and regulations are the core requirements of the standard the CSA’s specification and certification program for its Product Security Verified Mark:

US NIST requirements – NIST 8259, MIST IR 8425, NIST SP 800-213, and various laws
EU ETSI requirements – such as IEC 62443 & ETSI EN 303 645
Cyber Security Agency Singapore IoT labeling scheme

According to Tobin Richardson of the CSA, this is a comprehensive set of requirements that should cover most, if not all, of other government requirements. However, the spec can be updated with any additional requirements as more countries participate.

Richardson says the goal is for the CSA’s PSV Mark to be recognized by governments, so manufacturers can go through just one certification process to sell in all the major markets. This could reduce cost and complexity for manufacturers and potentially bring more choice to consumers.

The PSV Mark has been recognized by the Cyber Security Agency of Singapore, and the CSA says it is working on mutual recognition with similar programs in the US, EU, and the UK. “It’s very likely, and with some [countries], it’s a certainty,” says Richardson. “It’s mainly a matter of tying up some paperwork.”

To get the PSV Mark, devices must comply with the IoT Device Security Specification 1.0 and go through a certification program that involves answering a questionnaire and providing accompanying evidence to an authorized test laboratory. Highlights of the requirements include:

Unique identity for each IoT Device
No hardcoded default passwords
Secure storage of sensitive data on the device
Secure communications of security-relevant information
Secure software updates throughout the support period
Secure development process, including vulnerability management
Public documentation regarding security, including the support period

According to the CSA, the voluntary program applies to most connected smart home devices — including lightbulbs, switches, thermostats, and security cameras — and can be applied retroactively to products in the market. Along with the PSV Mark, “A printed URL, hyperlink, or QR code on the mark gives consumers access to more information about the device’s security features,” the CSA says in its press release.

The program is focused specifically on device security — making sure the physical device itself can’t be accessed — rather than privacy. “But there is a close linkage in that you can’t have privacy without security,” says Richardson. While security impacts privacy, this program doesn’t offer many requirements around how a manufacturer uses the data a device collects. The CSA has a separate Data Privacy Working Group dealing with that can of worms.

Better security, but still not perfect

The current iteration of the program isn’t a silver bullet to solve IoT device security concerns. Steve Hanna of Infineon Technologies, a 25-year cybersecurity researcher and chair of the CSA working group for the program, told The Verge there’s still more he’d like to see incorporated. “But we have to crawl, walk, and then run,” he says. “It’s a huge step forward to have a global consumer IoT security certification. It’s so much better than not having one.”

Google’s Liderman also points out that meeting the minimum security standard doesn’t guarantee a device is vulnerability-free. “We greatly believe that the industry needs to raise the bar over time, especially for sensitive product categories,” he says.

The CSA plans to keep the specification updated, requiring companies to recertify at least every three years. Additionally, Richardson says there will be a requirement for an incident response process, so if a company encounters a security issue — such as Wyze’s recent problems — it must fix those before it can be recertified.

An API could allow a smart home platform app to alert you to a device’s security status before it can join your network

To address concerns about misuse of the label, Hanna says the CSA will have a database of all certified products on its website so you can cross-check a company’s claims. He also says there are plans to make the information available in an API, which could allow your smart home platform app to alert you to a device’s security status before it can join your network.

Hanna cautions against setting expectations too high. “Some companies are excited about it to recognize the work they have already done, but we shouldn’t expect every product to have this,” he says. Some may find they have problems that mean they can’t get certified, he says. “If or when these become required by governments, that’s where the rubber hits the road.”

A voluntary program may seem like a finger in the dam, but it does solve two basic problems. For manufacturers, it makes it simpler to comply with regulations from multiple countries in one step, while for consumers, it opens an avenue to information about what type of security practices a company adheres to.

“Without a label or a mark, it can be difficult as a consumer to make a purchasing decision based on security,” says Hollie Hennessy, an IoT cybersecurity expert at tech analyst firm Omdia. While the program being voluntary could be a barrier to adoption, Hennessy says her firm’s research indicates people are more likely to purchase a device with privacy and security labeling.

Ultimately, Hennessy believes that a combination of standards and certifications like this, along with regulations and legislationis needed to solve consumer concerns about privacy and security in connected devices. But this move is a big step in the right direction.

Technology

Here’s your first look at Amazon’s Like a Dragon: Yakuza

Published

4 hours ago

July 26, 2024

Press Room

Here’s your first look at Amazon’s Like a Dragon: Yakuza

Amazon says that the show “showcases modern Japan and the dramatic stories of these intense characters, such as the legendary Kazuma Kiryu, that games in the past have not been able to explore.” Kiryu will be played by Ryoma Takeuchi, while Kento Kaku also starts as Akira Nishikiyama. The series is directed by Masaharu Take.

Like a Dragon: Yakuza starts streaming on Prime Video on October 24th with its first three episodes.

Technology

Exciting AI tools and games you can try for free

Published

4 hours ago

July 26, 2024

Press Room

Exciting AI tools and games you can try for free

I’m not an artist. My brain just does not work that way. I tried to learn Photoshop but gave up. Now, I create fun images using AI.

You need a vacation. We’re giving away a $1,000 getaway gift card for your favorite airline. Enter to win now!

Some AI tech is kind of freaky (like this brain-powered robot), but many of the new AI tools out there are just plain fun. Let’s jump into the wide world of freebies that will help you make something cool.

20 TECH TRICKS TO MAKE LIFE BETTER, SAFER OR EASIER

Create custom music tracks

Not everyone is musically inclined, but AI makes it pretty easy to pretend you are. At the very least, you can make a funny tune for a loved one who needs some cheering up.

AI to try: Udio

Perfect for: Experimenting with song styles

Starter prompt: “Heartbreak at the movie theater, ‘80s ballad”

Cheerful man sitting in front of his computer monitor eating and working. (iStock)

Just give Udio a topic for a song and a genre, and it’ll do the rest. I asked it to write a yacht rock song about a guy who loves sunsets, and it came up with two one-minute clips that were surprisingly good. You can customize the lyrics, too.

Produce quick video clips

The built-in software on our phones does a decent job at editing down the videos we shoot (like you and the family at the beach), but have you ever wished you could make something a little snazzier?

AI to try: Invideo

Perfect for: Quick content creation

TIME-SAVING TRICKS USING YOUR KEYBOARD

Starter prompt: “Cats on a train”

Head to Invideo to produce your very own videos, no experience needed. Your text prompts can be simple, but you’ll get better results if you include more detail.

You can add an AI narration over the top (David Attenborough’s AI voice is just too good). FYI, the free account puts a watermark on your videos, but if you’re just doing it for fun, no biggie.

Draft digital artwork

You don’t need to be an AI whiz skilled at a paid program like Midjourney to make digital art. Here’s an option anyone can try.

Closeup shot of an unrecognizable woman using a laptop while working from home. (iStock)

AI to try: OpenArt

Perfect for: Illustrations and animations

Starter prompt: “A lush meadow with blue skies”

OpenArt starts you off with a simple text prompt, but you can tweak it in all kinds of funky ways, from the image style to the output size. You can also upload images of your own for the AI to take its cues from and even include pictures of yourself (or friends and family) in the art.

If you’ve caught the AI creative bug and want more of the same, try the OpenArt Sketch to Image generator. It turns your original drawings into full pieces of digital art.

YOUR BANK WANTS YOUR VOICE. JUST SAY NO.

More free AI fun

Maybe creating videos and works of art isn’t your thing. There’s still lots of fun to be had with AI.

Good time for kids and adults: Google’s Quick, Draw! Try to get the AI to recognize your scribblings before time runs out in this next-gen Pictionary-style game.
Expose your kid to different languages: Another option from Google, Thing Translator, lets you snap a photo of something to hear the word for it in a different language. Neat!
Warm up your vocal chords: Freddimeter uses AI to rate how well you can sing like Freddie Mercury. Options include “Don’t Stop Me Now,” “We Are the Champions,” “Bohemian Rhapsody” and “Somebody To Love.”

Mother works from home while her child sits on the couch

A mother uses a laptop while a little boy uses a tablet. (iStock)

If you’re not tech-ahead, you’re tech-behind

Award-winning host Kim Komando is your secret weapon for navigating tech.

Technology

There is no fix for Intel’s crashing 13th and 14th Gen CPUs — any damage is permanent

Published

11 hours ago

July 26, 2024

Press Room

There is no fix for Intel’s crashing 13th and 14th Gen CPUs — any damage is permanent

On Monday, it initially seemed like the beginning of the end for Intel’s desktop CPU instability woes — the company confirmed a patch is coming in mid-August that should address the “root cause” of exposure to elevated voltage. But if your 13th or 14th Gen Intel Core processor is already crashing, that patch apparently won’t fix it.

Citing unnamed sources, Tom’s Hardware reports that any degradation of the processor is irreversible, and an Intel spokesperson did not deny that when we asked. Intel is “confident” the patch will keep it from happening in the first place. (As another preventative measure, you should update your BIOS ASAP.) But if your defective CPU has been damaged, your best option is to replace it instead of tweaking BIOS settings to try and alleviate the problems.

And, Intel confirms, too-high voltages aren’t the only reason some of these chips are failing. Intel spokesperson Thomas Hannaford confirms it’s a primary cause, but the company is still investigating. Intel community manager Lex Hoyos also revealed some instability reports can be traced back to an oxidization manufacturing issue that was fixed at an unspecified date last year.

This raises lots of questions. Will Intel recall these chips? Extend their warranty? Replace them no questions asked? Pause sales like AMD just did with its Ryzen 9000? Identify faulty batches with the manufacturing defect?

We asked Intel these questions, and I’m not sure you’re going to like the answers.

Why are these still on sale without so much as an extended warranty?

Intel has not halted sales or clawed back any inventory. It will not do a recall, period. The company is not currently commenting on whether or how it might extend its warranty. It would not share estimates with The Verge of how many chips are likely to be irreversibly impacted, and it did not explain why it’s continuing to sell these chips ahead of any fix.

Intel’s not yet telling us how warranty replacements will work beyond trying customer support again if you’ve previously been rejected. It did not explain how it will contact customers with these chips to warn them about the issue.

But Intel does tell us it’s “confident” that you don’t need to worry about invisible degradation. If you’re not currently experiencing issues, the patch “will be an effective preventative solution for processors already in service.” (If you don’t know if you’re experiencing issues, Intel currently suggests the Robeytech test.)

And, perhaps for the first time, Intel has confirmed just how broad this issue could possibly be. The elevated voltages could potentially affect any 13th or 14th Gen desktop processor that consumes 65W or more power, not just the highest i9-series chips that initially seemed to be experiencing the issue.

Here are the questions we asked Intel and the answers we’ve received by email from Intel’s Hannaford:

How many chips does Intel estimate are likely to be irreversibly impacted by these issues?

Intel Core 13th and 14th Generation desktop processors with 65W or higher base power – including K/KF/KS and 65W non-K variants – could be affected by the elevated voltages issue. However, this does not mean that all processors listed are (or will be) impacted by the elevated voltages issue.

Intel continues validation to ensure that scenarios of instability reported to Intel regarding its Core 13th and 14th Gen desktop processors are addressed.

For customers who are or have been experiencing instability symptoms on their 13th and/or 14th Gen desktop processors, Intel continues advising them to reach out to Intel Customer Support for further assistance. Additionally, if customers have experienced these instability symptoms on their 13th and/or 14th Gen desktop processors but had RMA [return merchandise authorization] requests rejected we ask that they reach out to Intel Customer Support for further assistance and remediation.

Will Intel issue a recall?

Will Intel proactively warn buyers of these chips about the warning signs or that this update is required? If so, how will it warn them?

Intel targets to release a production microcode update to OEM/ODM customers by mid-August or sooner and will share additional details on the microcode patch at that time.

Intel is investigating options to easily identify affected processors on end user systems. In the interim, as a general best practice Intel recommends that users adhere to Intel Default Settings on their desktop processors, along with ensuring their BIOS is up to date.

Has Intel halted sales and / or performed any channel inventory recalls while it validates the update?

Does Intel anticipate the fix will be effective for chips that have already been in service but are not yet experiencing symptoms (i.e., invisible degradation)? Are those CPUs just living on borrowed time?

Intel is confident that the microcode patch will be an effective preventative solution for processors already in service, though validation continues to ensure that scenarios of instability reported to Intel regarding its Core 13th/14th Gen desktop processors are addressed.

Intel is investigating options to easily identify affected or at-risk processors on end user systems.

It is possible the patch will provide some instability improvements to currently impacted processors; however customers experiencing instability on their 13th or 14th Generation desktop processor-based systems should contact Intel customer support for further assistance.

Will Intel extend its warranty on these 13th Gen and 14th Gen parts, and for how long?

Given how difficult this issue was for Intel to pin down, what proof will customers need to share to obtain an RMA? (How lenient will Intel be?)

What will Intel do for 13th Gen buyers after supply of 13th Gen parts runs out? Final shipments were set to end last month, I’m reading.

Intel is committed to making sure all customers who have or are currently experiencing instability symptoms on their 13th and/or 14th Gen desktop processors are supported in the exchange process. This includes working with Intel’s retail and channel customers to ensure end users are taken care of regarding instability symptoms with their Intel Core 13th and/or 14th Gen desktop processors.

What will Intel do for 14th Gen buyers after supply of 14th Gen parts run out?

Will replacement / RMA’d chips ship with the microcode update preapplied beginning in August? Is Intel still shipping replacement chips ahead of that update?

Intel will be applying to microcode to 13th/14th Gen desktop processors that are not yet shipped once the production patch is released to OEM/ODM partners (targeting mid-August or sooner). For 13th /14th Gen desktop processors already in service, users will need to apply the patch via BIOS update once available.

What, if anything, can customers do to slow or stop degradation ahead of the microcode update?

Intel recommends that users adhere to Intel Default Settings on their desktop processors, along with ensuring their BIOS is up to date. Once the microcode patch is released to Intel partners, we advise users check for the relevant BIOS updates.

Will Intel share specific manufacturing dates and serial number ranges for the oxidized processors so mission-critical businesses can selectively rip and replace?

Intel will continue working with its customers on Via Oxidation-related reports and ensure that they are fully supported in the exchange process.

Why does Intel believe the instability issues do not affect mobile laptop chips?

Intel is continuing its investigation to ensure that reported instability scenarios on Intel Core 13th/14th Gen processors are properly addressed.

This includes ongoing analysis to confirm the primary factors preventing 13th / 14th Gen mobile processor exposure to the same instability issue as the 13th/14th Gen desktop processors.

That’s all we’ve heard from Intel so far, though Hannaford assured us more answers are on the way and that the company is working on remedies.

Again, if your CPU is already damaged, you need to get Intel to replace it, and if Intel won’t do so, please let us know. In the meanwhile, you’ll want to update your BIOS as soon as possible because your processor could potentially be invisibly damaging itself — and if you know your way around a BIOS, you may want to adjust your motherboard to Intel’s default performance profiles, too.

Lastly, here is that Robeytech video that Intel is recommending to Redditors to potentially help them identify if their chip has an issue. Intel says it’s looking into other ways to identify that, too.