Cyber Security Awareness of White Label Products
01 Sep 2020
IoT Product Safety Trends and Services
The concept of white label products (a product with a major retailer's brand label that is manufactured by another company) is not new. Major retailers have done this for decades and have often made sure such products have gone through appropriate electrical and safety certifications to confirm that they pose no risks and that the device will not be a fire or electrical hazard in a consumer's home.
The new trend is for retailers to "white label" connected smart home products that fall into the Internet of Things (IoT) category. These products come with an unusual set of potential risks that few retailers fully appreciate prior to adding products to their corporate white label product lines.
If a retailer sells a traditional smart light bulb that has been manufactured by a smart bulb company with the smart bulb manufacturer's branding on it, and a security flaw in the smart bulb is used to compromise the home network and personal information of the consumer who purchased the bulb, the consumer will complain to or seek damages from the company whose branding was on the smart bulb. However, if that same smart bulb is placed under a white label, the retailer is now accepting the cyber risks, as the consumer now views that smart bulb as a product of the retailer.
To ensure any consumer IoT product is safe prior to adding it to a white label program, retailers should ensure the product has had rigorous independent cybersecurity testing and, when possible, cybersecurity certifications. Cybersecurity testing on systems, devices, and consumer products can range from security design reviews and vulnerability assessments to penetration testing and threat risk assessments.
Some cybersecurity standards focus only on the device and do not consider the risks of consumer smart products that have mobile applications and cloud services. For example, a smart doorbell stores video in a cloud server and requires the use of a mobile application. This means that if the cloud service and mobile application themselves are not secure, an attacker could potentially view video recordings or talk with people through the smart doorbell.
To help circumvent this problem, Intertek developed a consumer cybersecurity program, Cyber Assured, designed to ensure that all cybersecurity aspects of a connected product have been tested. This program reviews the security of the smart product, such as a doorbell or light bulb, as well as the security of the cloud service and mobile applications used to interact with the smart device. In addition, the mark includes a QR code consumers can scan to view details on the certification of the product. The Cyber Assured mark gives consumers the confidence that it is safe to install the product's app onto their mobile phone and connect the device to their home WiFi network.
While Cyber Assured was developed to help any developer of a consumer IoT product ensure the cybersecurity of any connected device, the program also provides an easy solution to any retailer who is looking at adding IoT products to their white label product line.
Joe Dawson,
Principal Software Security Analyst
Joe Dawson is a Principal Software Security Analyst for Intertek EWA-Canada based in St. John's, Newfoundland. Joe has over 30 years' experience in Software Development, Data Communications, and Information Security, in both the public and private sectors. He currently sits on the Standards Technical Panels for all the UL 2900 family of standards and sits on one of the IEC 62443 standards committees.