A more secure Singapore
To better secure Singapore’s cyberspace, a new Cybersecurity Labelling Scheme (CLS) will be launched in 2020 with the goal of helping consumers make informed purchasing choices.
In an increasingly digital world, a lot of assets, interaction and information pass through cyberspace. With all these digital interactions come increased security risks, and in Singapore, the Cyber Security Agency (CSA) is taking a step to secure Singapore’s cyberspace and raise cyber hygiene levels with this announcement.
Singapore is seeing an increase in the purchase and usage of smart devices, and not everyone in the market is fully aware of the potential implications and security risks of these devices, especially those with minimal or weak security.
The CLS, a first in the Asia-Pacific region, will comprise different levels of cybersecurity ratings to help consumers make better and more informed choices about the security features of the smart devices they purchase.
In the beginning, the CLS will impact two product types: Wi-Fi routers and smart home hubs.
Cyber attacks on smart devices
Smart devices, including smart home hubs, are not immune from cyber attacks.
In 2017, Armis disclosed a new attack vector — BlueBorne. BlueBorne is an airborne attack vector that uses Bluetooth to allow an attacker to penetrate and take control over targeted devices. It is worth noting that the attack does not require the targeted device to be paired to the attacker’s device, nor does the targeted device need to be set to discoverable mode. This impacts smart devices such as Google Home and Amazon Echo. For these smart devices specifically, the security researchers at Armis worked with Google and Amazon on multiple occasions to push security patches to improve the security of the 15 million Amazon Echo and 5 million Google Home devices around the world.
In 2019, SRLabs discovered a new vulnerability affecting both Google and Amazon smart speakers that could allow hackers to eavesdrop on or phish unsuspecting owners of these smart devices. SRLabs researchers noted that by uploading malware disguised as an innocuous Google action or Alexa skill, attackers could get the smart devices to silently record users or even ask them for the password to their Google account.
There was no evidence that this vulnerability was exploited in the real world as SRLabs disclosed the vulnerability to both Google and Amazon before going public with the findings.
Both these incidents revealed vulnerabilities on smart devices produced by the largest enterprises with big security teams behind their products. One can imagine how much security is being considered in the product strategy of smart devices or IoT devices by companies smaller than Google and Amazon, which is why this labeling scheme can be a good first step to improve the security of all devices in the market in Singapore.
So, what’s on the cybersecurity labels?
According to the CSA factsheet, the cybersecurity labels will provide an indication of the security provisions based on a series of assessments and tests on:
- Meeting basic security requirements such as ensuring unique default passwords
- Adherence to the principles of Security-by-Design
- Absence of common software vulnerabilities
- Resistance to basic penetration testing
These labels will allow smart devices with better cybersecurity provisions to stand out in the market, while incentivizing manufacturers and product vendors to develop products with recognized and improved security features. CSA notes that “the scheme will be aligned to widely-accepted global security standards for consumer IoT products”.
The CLS is an initiative under the Safer Cyberspace Masterplan — a larger plan to empower a cyber-savvy population, safeguard activities in cyberspace, and secure Singapore's digital core. More details on the master plan will be announced later this year.
When eventually implemented for all products, the CLS is a step towards a safer cyberspace for all. However, consumers and businesses should not solely rely on these labels to protect against cyber attacks and potential cyber threats. On top of that, it is crucial to adopt a holistic cybersecurity strategy that focuses on your people, processes, and technology.
- Check the sender’s email domain, link URLs, and be wary of any downloads
- Make sure your computers are up to date on patches and updates
- When surfing the web, use HTTPS where possible (not HTTP)
- Take care of your passwords
- Use Multi-Factor Authentication (MFA) where possible
We will update this post when more information on the CLS is available.