The goal of the new US Cyber Trust Mark, coming voluntarily to Internet of Things (IoT) devices by the end of 2024, is to keep people from having to do deep research before buying a thermostat, sprinkler controller, or baby monitor.
If you see a shield with a microchip in it that’s a certain color, you’ll know something by comparing it to other shields. What exactly that shield will mean is not yet decided. The related National Institute of Standards and Technology report suggests it will involve encrypted transmission and storage, software updates, and how much control a buyer has over passwords and data retention. But the only thing really new since the initiative’s October 2022 announcement is the look of the label, a slightly more firm timeline, and more input and discussion meetings to follow.
At the moment, the Mark exists as a Notice of Proposed Rulemaking (NPRM) at the Federal Communications Commission. The FCC wants to hear from stakeholders about the scope of devices that can be labeled and which entity should oversee the program, verify the standards, and handle consumer education.
Consumer-grade routers, according to the White House, are the priority target, with work slated to be finished on their assessment by the end of 2023. The Department of Energy intends to develop labeling for smart meters and power inverters.
Vending machine vectors
The movement to implement a standard is slow and vague, but the problem for IoT devices is real. The FCC’s release cites “one third party estimate” (seemingly Kaspersky) of more than 1.5 billion attacks against IoT devices in the first six months of 2021. And IoT devices are everywhere: The FCC points to research group Transforma’s estimate of more than 25 billion connected IoT devices operating worldwide by 2030.
When connected devices are so common and ubiquitous, they become easy to overlook. FCC Chair Jessica Rosenworcel cited a case in point first told by cybercrime author Misha Glenny in her comments Tuesday. A bank, heavily fortified in its account, transfer, and other cybersecurity, was eventually penetrated. The vector wasn’t a server, computer, or even a fallible human. It was a vending machine, which had been given its own IP address and not updated against common threats.
Implementing the standard is “not a small task,” Rosenworcel said at the program’s announcement. “Because the future of smart devices is big. And even bigger is the opportunity for us to ensure that every consumer, business, and every bank with a vending machine can make smart choices about the connected devices they use. So let’s get to it.”
What counts as “secure”?
What an “Aqua” shield on a home security camera versus a black, green, red, or white-on-black shield means is not clear yet. Each shield will come with an accompanying QR code, where a customer can see the details of how that device earned its particular shield shade.
Many labels have come to define the comparison-shopping experience: UL, EnergyStar, J.D. Power, and the like. But IoT devices present a more complicated scenario for a distinctively shaded shield label on a box (or ecommerce product page). Just a few of those complications—some raised by proponents themselves—are:
- Devices that contain multiple interconnected IoT devices inside themselves, like routers
- How to rate the other parts of an IoT device: its cloud server, smartphone apps, open source software used to build it
- Products that are updated with entirely new features and security changes, which the “box” may no longer reflect
- New vulnerabilities exposing devices once considered safe to serious exposure
- Differing standards for what counts as secure for devices with cameras or sensors versus a refrigerator with a smart screen or a climate sensor.
- How data privacy does or does not count toward “security”
- Whether a company’s stated commitment to updates plays into a rating
Carnegie Mellon University’s CyLab, one of the key groups consulted by the FCC and White House, is pushing for more information on product boxes and pages about data collection, rather than offloading it all to a phone scanner. “Our latest research shows that while accessing this information through a QR code can be helpful, consumers prefer to have important security and privacy information readily available on product packaging.”
Amazon, Best Buy, LG, Samsung, Google, and other firms have expressed support for the initiative, as has the Consumer Technology Association industry group. As noted by The Washington Post’s Geoffrey Fowler, Apple is a conspicuous absence. It raises yet another question about the effectiveness of a label if a notable vendor refuses to take part.
Listing image by Federal Communications Commission