'Cyber kangaroo' ratings for IoT security? Jump to it, says Australia's cyber security minister

Proposed labelling scheme will try to match similar efforts in UK, USA

Australia's government hopes that somewhere in the world, a vendor of consumer-grade connected electronics is willing to admit it's rubbish at security by giving itself a low score in a proposed safety rating system.

The idea of security ratings for internet things emerged during last year's 360° Cyber Security Game, co-hosted by the Australian National University's National Security College and Rand Corporation. Vulture South's Simon Sharwood was a participant in the games, and was even a member of the team that suggested a star-rating scheme.

The report [PDF] that summarised the Game detailed the idea as follows:

One proposed solution was to create a check-mark system for quality assurance of cyber devices that is both visible on device packaging and understandable to consumers. Exercise participants colloquially described this as a ‘cyber kangaroo’ logo. Local governments, together with industry, have an opportunity to develop a framework for the cyber kangaroo, including the design of the measurement criteria and enforcement and monitoring mechanisms. This group could also consider how to respond the first time a product with the cyber kangaroo logo is hacked and who would be responsible for responding to such an attack.

(The Register emphasises the “cyber kangaroo” was, we assure you, someone else's idea.)

Fairfax Media now reports that Australian bureaucrats have been in touch with companies like Amazon, Google, Microsoft, Telstra, Optus and others over the scheme.

Dan Tehan, Australia's minister assisting the prime minister for cyber security, has pointed to draft legislation in America and said “this is something we might need to look at”.

He also said talks had begun to try and make sure Australia, the USA and Britain could take a harmonised approach to any legislation. ®

Bootnote: Vulture South saw plenty of comic potential in the idea of product labelling, but moved too slowly. Infosec researcher Troy Hunt summed up the issue nicely here.
