UL MCV 1376:2019-06 Methodology for Marketing Claim Verification: Security Capabilities Verified to level Bronze/ Silver/Gold/Platinum/Diamond.
Software updates must be supported, using network or wireless interfaces where available
Description I guidance:
No matter how well software is designed or tested, there will always be bugs and vulnerabilities that are missed. This is just a fact of software development and the sheer complexity of any body of code. So, the update of the software must be allowed in any device to ensure that it can be patched when any such bugs are found. It is an additional requirement that the software update must be able to be performed across a wireless or network interface, should the device provide such an interface. This increases the ease of use for the customer, removing disincentives to install updates. Security of the wireless and/or network interfaces is of course also important, and this is covered in later requirements.
This requirement ensures that such updates are possible, minimizing the risk that devices become permanently vulnerable through new attack methods that are discovered after the initial evaluation I shipping of the device. Checking for malicious changes to the software update is not covered under this requirement, and is instead addressed in a later requirement.
Automatic software updates must be enabled by default
Description 1 guidance:
Although software must be maintained to ensure on-going patching of security vulnerabilities, it is reasonable to expect that customers may not always know about the latest vulnerability in a device. Therefore it is important that automatic updates are implemented to update the software in a device, so that customers do not become a blocking factor in patching a high risk vulnerability. It is expected that device vendors will need to consider business / operational logic of the device when implementing such updates, so that a system does not reset during operation, but such business logic is considered outside of the scope of this assessment. It is important to note that although this requirement outlines the need for automatic updates to be supported. it does not mandate when and how such updates are provided, and device vendors may choose to deploy only high risk patches through such mechanisms. In all cases, vulnerabilities rated to CVSS 7 or higher must be patched within 1 month, those rated between CVSS 4 to 7 must be patched within 3 months, and vulnerabilities rated to less than 4 may be left unpatched.
Software updates must be cryptographically authenticated, and provide anti-roll back features
Description I guidance:
Although it is important to support software updates to ensure that devices can be patched and maintained in the field, such features can lead to additional vulnerabilities — where a tad actor can install their own software into the device to prevent its normal operation.
To prevent this, its important that any software update is cryptographically authenticated. Often this will be implemented by using a digital signature across the firmware image, which can be checked by the original firmware (or bootloader of the device) prior to installation. Using a digital signature based on a public key algorithm (such as RSA, or DSA) ensures that the devices themselves don’t need the part of the key (the private or secret key) that is used to generate the authentication data.UL MCV 1376 pdf download.