Let’s talk about UL’s device security rankings

This week, GE Appliances became the first appliance company to achieve UL’s gold-level certification under UL’s new IoT security framework. While this is a good thing—and I’m not knocking GE Appliances for its efforts and attention to security—I thought it would be a good time to talk about exactly what UL’s gold certification means for security.

UL launched its IoT device certification program last year, with five levels ranging from bronze to diamond depending on the strength of various security practices. I recently downloaded the full specifications to understand what made a device gold vs. diamond, and whether or not a gold-certified device was really secure.

Since GE Appliances is touting its gold-level certification for many of its connected appliances, and because that certification is in the middle of the overall certification pack, let’s take a look at what that level means. On an overview page, UL says when gold-certified products store and transmit data they will use industry-supported encryption. Gold-certified devices also are “secure and ready for use without unnecessary intervention by the user,” and if the device connects to an app, that app is monitored and maintained for security concerns. All of which sounds pretty good until you read about all of the certifications in detail.

Gold-certified devices, for example, don’t have a hardware root of trust. That means there’s no secure element on the device side to ensure it can’t be co-opted to run malicious code. Gold certification doesn’t require user data to be anonymized (only diamond-certified devices do that) nor does it ensure that when error messages or logs files are sent those files won’t expose sensitive information. And they don’t require notification if the company decides to change the privacy policies associated with data and the device.

Still, gold-certified devices are probably secure enough for most home appliances. Companies have to make trade-offs between security and convenience, and also between cost and convenience. Implementing the highest levels of security on a common device doesn’t always make sense if the data it has isn’t sensitive, or if it’s not a device that can be controlled remotely to create physical damage.

However, in general, I’m frustrated that gold is the middle of the certification pack, leaving silver and bronze certifications as viable options. To achieve a bronze-level certification, a device basically has to avoid using a default password, allow a factory reset with the push of a button, and have an update policy. What it doesn’t need to do is monitor the app or cloud for vulnerabilities. Nor does it need to anonymize or erase customer data on request, or to have a vulnerability management program.

I’m not sure I’d trust a bronze-certified device to count my eggs, much less do anything close to a real job in my smart home. And yet, I worry that a consumer might pick up a product, see that it has a bronze-level UL security certification, and think they were getting some kind of commitment to security that the device won’t deliver.

Beau Woods, a cybersecurity expert and advocate with I Am The Cavalry, says that it’s good to see companies like GE Appliance using the UL certification because it shows that they are thinking about security. But he does wish the lowest UL certification had more security elements to it.

“I think there are some good things in bronze, but I think there should be a lot more in bronze,” he says. For example, he thinks having a vulnerability disclosure program is essential for any connected product, and to really do that well a company should have a software bill of materials so they know what’s in their product that might be vulnerable.

But having a software bill of materials isn’t mandated until a product tries for the two levels above gold. And even at the bronze level, it doesn’t appear that a company has to have some way a security researcher could reach out to a vendor to let them know their software has a bug. Woods thinks that should be part of any security program.

I personally worry that someone might look at a gold certification and think it was the best option. Gold might be good for a washing machine or fridge, but it’s not good enough for a consumer device that has sensitive data or a device connected to critical infrastructure systems or banking accounts. So I suppose my hope is that as UL rolls out these labels people will get more sophisticated about what certifications matter based on the device role and the data it has.