12 votes

Finland launches data security guarantee label – certification symbol serves as a guarantee to consumers that a device's basic information security features are in order

1 comment

  1. anahata

    This certification is "based on" the ETSI EN 303 645 standard (of which I can only find drafts). I'm reading through this specification and some of it seems to be pretty basic, some of it is very vague and hard to enforce / interpret. The points are as follows:

    • No universal default passwords
    • Implement a means to manage reports of vulnerabilities
    • Keep software updated
    • Securely store sensitive security parameters
    • Communicate securely
    • Minimize exposed attack surfaces
    • Ensure software integrity
    • Ensure that personal data is protected
    • Make systems resilient to outages
    • Examine system telemetry data
    • Make it easy for consumers to delete personal data
    • Make installation and maintenance of devices easy
    • Validate input data

    These are defined in section 4 starting on page 12.

    They do mandate response windows for reports by researchers (90 days, which is on the upper end of what I'd call reasonable), but they don't mandate response windows for updates. They do mandate that the OEM disclose what the support period is for a device (this is very valuable and rare for consumer devices!), but not what that support period is.

    They have reasonable policies around passwords and keys, mandating that they're either device-unique or otherwise non-default (no backdoors based on default passwords or keys). The policies for minimizing attack surfaces are valid (default deny and what you'd otherwise expect). Some of the wording here is a little vague, though.

    "Ensure software integrity" mandates secure booting, which may get in the way of flashing alternate ROMs if an exploit isn't found. Personal data protection is required for GDPR compliance. The outage resilience will be nice; sometimes you don't see this in consumer kit so it's great that it's required. The point about deleting personal data is also relevant for GDPR compliance. Examining telemetry data is very vaguely worded and will be hard to enforce. There's a requirement that the user should be informed about the telemetry data, if any, and IIRC this is for GDPR compliance as well.

    Validating input data is, as you probably know, one of the hardest parts of software development. The requirement is nice, but actually doing it is another matter.

    In sum, about as good of an effort as you can expect. Do read the specification yourself and make your own decision about it, though; don't just take my opinionated word for it. It's not a very long read.

    4 votes