Singapore to propose Infosec tech rating – a review

At Black Hat Asia, Brigadier General Gaurav Keerthi, Deputy Chief Executive of Singapore's Cyber Security Agency (CSA), presented Singapore's initiative for a voluntary "Cybersecurity Labelling Scheme" aimed at rating consumer broadband gateways.

In his speech, Gaurav Keerthi drew a parallel with public utilities such as water supply and sewerage, where access to clean water and good governance are crucial for public health and safety. On that basis he equated cyber security with having access to clean water and proper sewerage. He also opined that citizens can be "scolded" into better behaviour.

Singapore already offers Singpass to its citizens, an authentication and authorisation service that lets them access services securely. The same service is also offered to corporations such as banks and the wider financial sector, to avoid islands of separate authentication services.

To make the Cybersecurity Labelling Scheme comprehensive, Gaurav Keerthi explained that it will be expanded to connected devices in general. The first phase focuses on ISP-provided gateways and smart hubs, using a four-star rating. Details of how devices will be rated are to be released during Singapore International Cyber Week, which starts on 5 October 2020. As a regional leader, Singapore plans to share the labelling scheme with other countries as a public good.

My take on the matter

It is a laudable effort from Singapore, taking the lead on consumer device security. It is no secret that consumer devices have wreaked havoc because of poor security: cheap embedded devices such as IP CCTV cameras have long been known to cause problems, and were the primary recruits of the Mirai botnet.

First, let us understand why smart hubs and ISP gateways were chosen as the first target of the scheme. The ISP gateway is the most common device, and a necessity, for a household to get internet access. It is either provided by the service provider as part of a bundle or purchased by the end user. Today these devices already go through mandatory type approval from a physical and radio perspective. An example is CE marking in the EU, which ensures interoperability and that the device does not interfere with other equipment while conforming to requirements such as operating frequency and spectrum. Some might say this scheme is a similar attempt, from the cyber security perspective.

Analysis and Questions

To dissect this further and raise pertinent questions about how the Cybersecurity Labelling Scheme will be implemented, I have grouped the questions into eight categories.

Devices

Physical devices are usually manufactured by an OEM and sold by the ISP; often the OEM also sells the same device on the open market. Bundled packages may throw the device in as a freebie. These devices have a finite lifetime, and some ISPs do not refresh them after end-of-life, instead positioning a new package so that the consumer gets a new device. The consumer may take the new package, or stay on the current plan and replace the device by buying one from a retailer. This creates a responsibility conundrum between the ISP and the OEM, since some models may be specific to an ISP under an exclusivity contract.

Question:

  1. Who is responsible for ensuring that a device is certified under the scheme? The ISP? The OEM? The reseller? The consumer? What governs the relationship: contract, or explicit regulatory requirements?

Responsibility

Each device has four parties associated with it: the end user (usually the consumer); the retailer, if the device is purchased from one; the reseller, in this case the ISP, which pre-selects and provides the device; and the manufacturer, which produced it. Each party in the value chain has some role to play. On top of these sits the assessor, who conducts the scheme's audit and certification.

Question

  1. Are these lines of responsibility clear?
  2. Are the roles and responsibilities of each party defined, and are their relationships in the ecosystem explicit?

Process

The process defines how the whole scheme works. It starts by establishing the requirements, roles and responsibilities, liabilities and limitations. The scheme is voluntary today, but in a later section you will see how it can become a precursor to other things.

Questions

  1. Probably the easiest question to answer: what is the certification process?
  2. Is certification a one-time event?
    1. Does it recur?
    2. How often is a device retested to ascertain continued compliance?
  3. Once a device is certified, does the rating last for the device's lifetime?
  4. How does device obsolescence affect the rating?
  5. Does the scheme require a minimum support lifetime for the device?
  6. How much does the process cost?
  7. Are the responsible parties required to ensure that the device continues to perform at the rating given?
    1. If so, what do they need to do? (For example, a timeframe to issue patches, automated patching, etc.)
    2. If not, is there a downgrade process, and how is a downgrade communicated?

Scope of Scheme

There are many variables in a scheme like this. The device is one, but the number of moving parts varies with the complexity of the device, so it is necessary to define exactly what is being certified.

Questions

  1. Is the hardware itself certified?
  2. Are the supporting cables and peripherals certified?
  3. What determines whether a peripheral or supporting item such as a cable requires certification?
  4. Is the software/firmware certified?
    1. Is the certification tied to a version?
    2. Is the certification tied to a family of supported hardware?
    3. A user compiles their own firmware (for example Tomato) for their router. Is that certified? If so, how: by codebase, or by version? This loops back to roles and responsibilities.
  5. Some devices have embedded microcode. Does the scheme cover microcode, the SoC, or chip-level instructions?
  6. How does the star scoring work? Equal weighting for all components, or per part? Weighted? Percentage-based? Traffic-light style?

Let us look at the more complex aspects of this venture. Some of it may sound hypothetical, but history has shown that anything that can happen eventually will.

Vulnerabilities

Anything that contains code may also contain an error or bug, whether at the compiler level, the source level or the binary level. The security of the device ultimately depends on how well that code executes and how resistant it is to attack. A device typically carries three kinds of code: (i) device-specific code (usually tied to the hardware), (ii) common code (free or open source) and (iii) proprietary code. The term bug is used loosely in this article to mean a vulnerability or software defect.

  1. Hardware bugs have become quite common, as the recent Intel CPU vulnerabilities (Spectre and Meltdown) showed. Does the scheme include hardware-based vulnerability checks? This would affect even laptops, as most Intel CPUs in use still remain exposed to some variant of these attacks.
  2. Hardware bugs are often mitigated with updated drivers or firmware (though drivers themselves pose security risks). Are these components part of the scheme? Drivers, hardware documentation and firmware are often guarded by strict agreements.
  3. Suppose I am a gateway developer who buys a hardware platform and builds an application on top of it. I have no access to hardware-layer information, but I do have the application code. Can I obtain a star rating under the scheme?
  4. Open source code is a common sight in any commercial product. Is this code tested as part of the product, or evaluated separately?
  5. What is the impact when a common open source component (for example OpenSSL) has a vulnerability? Does that warrant a review of the component on its own? If so, will the scheme cover all open source components?

Pricing

The time and effort that goes into a product shapes its pricing strategy.

  1. Will a higher-rated device be priced higher?
  2. Will pricing also cause product segmentation (cheaper devices that will not run secure firmware)?

Consumer View – Simple vs Complex

At the end of the day, it is the consumer who takes the simplified view: "I will only go for a 4-star rating because I want to be secure." Herein lies the problem.

Ah Chong (a local food court hawker) walks into the shop wanting to buy a gateway. He looks at this set of components, which his friend advises meets the scheme's 4-star requirements:

  • CPU – MCX1234 – 4 star
  • Hardware – Cap Ayam revision 2.2.5 – 4 star
  • Cables – Xiao Kia power cord with Xiao Kia Ethernet cable – 4 star
  • Firmware – Potato Router version 1.2.99 – 4 star

Ah Chong checks every single component to make sure it is 4-star before buying, by going to the scheme's website and looking up each item one by one.

Is this simple? Or complicated?

Two days later, the Potato Router firmware, which uses OpenSSL 0.9.8h, turns out to have a remote code execution vulnerability that is being actively exploited (a hypothetical for this scenario). The router has a firmware update page, but it requires Ah Chong to log in and download the latest firmware himself.

Is this simple? Or Complicated?

Ah Chong buys the router four days after the vulnerability was announced. Being non-technical, he has no clue about the matter and does not follow the latest cyber security developments. The packaging shows a 4-star rating, which was accurate at the time of manufacture.

Is Ah Chong deceived? Is he still confident in his purchase decision?
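To make concrete the point raised under Vulnerabilities (questions 4 and 5) and in the Ah Chong scenario, here is an added example, not code from this article or from CSA's scheme, of why a star rating is only a snapshot. It models the firmware's component inventory (an SBOM) and a list of advisories, and recomputes the rating as of a given date, so the same firmware rates 4 stars on the day it is boxed and lower on the day it is bought. Every name, version, date, severity weight and advisory in it is constructed for illustration; in particular the OpenSSL advisory is the hypothetical one the scenario posits, not a real CVE.

```python
import re
from dataclasses import dataclass
from datetime import date

# Added example: a label is a snapshot of the SBOM against the advisories
# known on the evaluation date, so it must be recomputed as advisories arrive.
# All names, versions, dates and severity weights below are constructed.

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(v: str) -> tuple:
    """Parse 'major.minor.patch[letter]' (OpenSSL 0.9.x style) into a
    comparable tuple; a missing letter sorts before 'a' ('0.9.8' < '0.9.8a')."""
    m = _VER_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch),
            ord(letter) - ord("a") + 1 if letter else 0)


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str      # first version that is NOT affected
    published: date
    severity: str      # "critical" | "high" | "medium" | "low"

    def affects(self, version: str) -> bool:
        return parse_version(version) < parse_version(self.fixed_in)


@dataclass(frozen=True)
class Firmware:
    name: str
    version: str
    sbom: dict         # component name -> version shipped in this build


# Constructed severity weights (not the scheme's): stars lost per open advisory.
_PENALTY = {"critical": 3, "high": 2, "medium": 1, "low": 0}
MAX_STARS = 4


def open_advisories(fw: Firmware, advisories, as_of: date) -> list:
    """Advisories published on or before `as_of` that hit a shipped component."""
    return [a for a in advisories
            if a.published <= as_of
            and a.component in fw.sbom
            and a.affects(fw.sbom[a.component])]


def star_rating(fw: Firmware, advisories, as_of: date) -> int:
    """Rating as of a date: MAX_STARS minus the worst open advisory's penalty."""
    worst = max((_PENALTY[a.severity] for a in open_advisories(fw, advisories, as_of)),
                default=0)
    return MAX_STARS - worst


def label_is_stale(fw: Firmware, advisories, printed_on: date, today: date) -> bool:
    """True when the rating printed on the box no longer holds today."""
    return star_rating(fw, advisories, today) < star_rating(fw, advisories, printed_on)


def required_upgrades(fw: Firmware, advisories, as_of: date) -> dict:
    """Component -> minimum version needed to close every open advisory."""
    needed = {}
    for a in open_advisories(fw, advisories, as_of):
        cur = needed.get(a.component)
        if cur is None or parse_version(a.fixed_in) > parse_version(cur):
            needed[a.component] = a.fixed_in
    return needed


# --- constructed scenario data (hypothetical names from the article) ------
POTATO_ROUTER = Firmware("Potato Router", "1.2.99",
                         {"openssl": "0.9.8h", "busybox": "1.31.1"})

ADVISORIES = [
    # the hypothetical OpenSSL RCE from the scenario; date and fix version invented
    Advisory("openssl", fixed_in="0.9.8i", published=date(2020, 10, 3), severity="critical"),
    # an old, already-fixed issue that does not apply to the shipped version
    Advisory("busybox", fixed_in="1.30.0", published=date(2019, 6, 1), severity="high"),
]

MANUFACTURED = date(2020, 10, 1)   # date the rating on the box was evaluated
PURCHASED = date(2020, 10, 7)      # four days after the advisory

if __name__ == "__main__":
    print("on the box:", star_rating(POTATO_ROUTER, ADVISORIES, MANUFACTURED))
    print("at purchase:", star_rating(POTATO_ROUTER, ADVISORIES, PURCHASED))
    print("label stale:", label_is_stale(POTATO_ROUTER, ADVISORIES, MANUFACTURED, PURCHASED))
    print("needs:", required_upgrades(POTATO_ROUTER, ADVISORIES, PURCHASED))
```

The `as_of` parameter is the whole point: the Process questions about recurrence, rating lifetime and downgrades all reduce to whether the scheme re-runs this evaluation and tells the consumer when the answer changes. A star printed on a box without a date, an SBOM behind it, and a re-evaluation cadence is a snapshot presented as a guarantee.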

Future of the Scheme

For all intents and purposes, schemes like this are beneficial and bring good to society. They help raise the bar for social and economic improvement through better cyber security overall. However, some future considerations need to be taken into account:

  1. Today the scheme is voluntary. Once it proves itself, it is only natural for governments to make it mandatory. Will it stay voluntary?
  2. Once it becomes mandatory, it is easy to add requirements such as TLS interception (MITM), traffic snooping and the like for these devices, especially gateways. Will this be the eventuality, in the name of cyber security?

Moving Forward

There is no doubt that this initiative is necessary. Consumer devices have long suffered from insufficient security controls. However, the issue is not that simple, and I fear that CSA Singapore may have oversimplified the matter. Oversimplification is a recurring problem in cyber security and becomes a problem in its own right. I understand the parallel drawn between the water and sewerage problems of the 1800s and cyber security, but the complexity here is far greater. This is an interesting development, and I am curious to see how CSA intends to address the concerns raised above.

P/S: Fellow journalists who happen to use this material, do give me some credit, thanks!

Reference

  1. The Register – https://www.theregister.com/2020/10/01/singapore_infosec_strategy/
  2. Mirai Botnet – https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html
  3. Spectre and Meltdown – https://meltdownattack.com/