UL won’t release its IoT certification standards unless companies pay $800. The certification process takes months.
UL, formerly the non-profit Underwriters Laboratories, recently released its new UL 2900 certification for IoT devices. It’s designed to be a new standard for IoT security, but as Ars Technica reported on April 13, there’s a catch. The company refuses to let security experts review the standards or the process it uses to certify devices unless they fork over $800. This has some security experts concerned.
Security researcher Rob Graham, CEO of Errata Security, told the site, “No review copy of their proposal seems weird, and counter to basic security principles of transparency.”
According to UL’s website, the company has taken an active role in creating specific standards for IoT interoperability and tools for testing compliance with standards and certification. Tech site Boing Boing reports that the certification process can take months and that certification is only good for one year.
UL does offer a list of the testing they do on their website:
- Scanning the product’s software executables and libraries for known vulnerabilities and exposures.
- Static analysis on all source code that is made available to the laboratory by the vendor of the product.
- Static analysis of all compiled executables and libraries of the product for known malware and vulnerabilities.
- Dynamic runtime analysis of all software in the product to look for software weaknesses that cannot be discovered using static code analysis.
- Robustness testing for all external interfaces and communication protocols of the product, using generational fuzz testing techniques, if available, and template-based fuzz testing techniques otherwise. Robustness testing aims to test the product’s resilience against unexpected or malformed input.
- Limited penetration testing.
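The robustness-testing item above distinguishes generational fuzzing (inputs built from a description of the format) from template-based fuzzing (inputs mutated from a known-good sample). The following Python is an added example to illustrate that distinction, not UL’s test harness or anything from the UL 2900 process: it defines a constructed toy message format with a deliberately fragile parser, runs both fuzzing styles against it, and reports the unexpected exception types each one provokes, together with a reproducer input for each.

```python
import random
import struct

# Constructed toy wire format used only for this example (not UL's or any real protocol):
#   byte 0      message type (0..3 are defined)
#   bytes 1-2   big-endian payload length
#   bytes 3..   payload; its last byte is an XOR checksum of the bytes before it
MSG_TYPES = ("hello", "ping", "data", "bye")


def parse_message(data: bytes) -> str:
    """Toy parser with two deliberate robustness defects.

    It raises ValueError for input it knowingly rejects; any other exception
    is an unhandled failure that a robustness test should flag.
    """
    if len(data) < 3:
        raise ValueError("short header")
    msg_type = data[0]
    (length,) = struct.unpack(">H", data[1:3])
    payload = data[3:3 + length]
    # Defect 1: undefined type values are not rejected -> IndexError
    name = MSG_TYPES[msg_type]
    # Defect 2: the declared length is trusted, so a truncated payload -> IndexError
    if length:
        body, check = payload[:-1], payload[length - 1]
        xor = 0
        for b in body:
            xor ^= b
        if xor != check:
            raise ValueError("bad checksum")
    return name


def build_message(msg_type: int, body: bytes) -> bytes:
    """Build a well-formed message (the template seed, also used by the generational fuzzer)."""
    xor = 0
    for b in body:
        xor ^= b
    payload = body + bytes([xor])
    return bytes([msg_type]) + struct.pack(">H", len(payload)) + payload


SEED = build_message(2, b"hello")  # known-good sample for template-based fuzzing


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Template-based fuzzing: start from a valid message and apply one random mutation."""
    data = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0:                      # flip one random bit
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and len(data) > 1:  # truncate the tail
        del data[rng.randrange(1, len(data)):]
    elif choice == 2:                    # overwrite the length field with a random value
        data[1:3] = struct.pack(">H", rng.randrange(0x10000))
    else:                                # append junk bytes
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)


def generate(rng: random.Random) -> bytes:
    """Generational fuzzing: build a message from the format's structure using boundary values."""
    msg_type = rng.choice([0, 1, 2, 3, 4, 0x7F, 0xFF])
    body = bytes(rng.randrange(256) for _ in range(rng.choice([0, 1, 8, 63, 64, 255])))
    msg = build_message(msg_type, body)
    if rng.random() < 0.3:               # sometimes lie about the length
        fake_len = rng.choice([0, 1, 0xFFFF, len(body) + 2])
        msg = msg[:1] + struct.pack(">H", fake_len) + msg[3:]
    return msg


def robustness_test(producer, iterations: int, seed: int = 1) -> dict:
    """Feed `iterations` inputs to the parser; return {exception type name: first reproducer}.

    ValueError is the parser's intended rejection path and is not counted.
    """
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        data = producer(rng)
        try:
            parse_message(data)
        except ValueError:
            continue
        except Exception as exc:
            findings.setdefault(type(exc).__name__, data)
    return findings


if __name__ == "__main__":
    print("template-based:", robustness_test(lambda rng: mutate(SEED, rng), 2000))
    print("generational:  ", robustness_test(generate, 2000))
```

The template-based run only explores inputs near the seed, so it depends heavily on how representative that seed is; the generational run reaches undefined type values and inconsistent length fields directly because the generator knows the format’s fields. Either way, the output a certification lab would care about is the set of unhandled failure modes and a reproducer for each, which is what `robustness_test` returns.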
UL has minimum standards for each step in the testing process but says they are proprietary and won’t disclose them. Ken Modeste, UL’s chief of cybersecurity technical services, defended the company by saying it worked closely with the U.S. Department of Homeland Security (DHS) and other U.S. government agencies to develop the specs, and he doesn’t think the lack of a freely available standard is a problem, but many security experts disagree.
“Too many unhealthy products will pass the bare-minimum certification process,” Peiter “Mudge” Zatko, the former head of cybersecurity research at DARPA, told Ars Technica. “The result is that users will [conclude] they are ‘healthy’ (when they are unhealthy).”