The White House has announced the U.S. Cyber Trust Mark, an Internet of Things (IoT) cybersecurity labeling program intended to give consumers a measure of confidence when buying IoT devices. The FCC expects to roll out the program sometime in 2024.
The release said the initiative would “raise the bar for cybersecurity across common devices, including smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more.” The U.S. Cyber Trust Mark will appear as a distinct shield logo on devices that meet specific cybersecurity criteria established by the National Institute of Standards and Technology (NIST). The NIST criteria will provide an extensive list of requirements, covering categories of protection and functionality, that devices must meet to carry the Cyber Trust Mark, including requiring strong passwords, protecting stored data, allowing user configuration and offering regular security updates, to mention just a few. The full list of standards is still being determined.
NIST will prioritize high-risk devices such as home routers, which are often abused by attackers to steal PII and to build botnets for launching DDoS attacks. These standards are expected to be completed in 2023. The FCC will also provide a QR code linking to a national registry of certified devices, so that security information for registered products is available to buyers.
I have two comments on this. The first is from George McGregor, VP, Approov:
“This is a good initiative. Although the NIST guidelines make it clear that the IoT “product” must include all elements of the solution, it would be good to see more specific security guidelines on the mobile apps which will almost always be part of an IoT solution. This is because mobile apps present specific security challenges which must be addressed in order to protect data and protect the device.”
The second comment is from David Mitchell, Chief Technical Officer, HYAS:
“The U.S. Cyber Trust Mark is a big step forward to deal with the ever-expanding market of sub-par IoT devices proliferating into our homes & businesses. It will be interesting to see how the vendors react and when and to what extent the EU and other allies participate. While there is no current language around retroactively certifying the millions of later model devices already in service, it is a key piece that needs to be understood.
“Due to the additional workload required by the vendors to meet these criteria, it would not be surprising if there were cost increases for these devices — and hopefully not such a significant cost that consumers will decide to choose the non-certified devices.”
As always, the devil is in the detail. So I personally will wait until I see further detail on this before passing a final judgement. But this is a good move in my opinion. And I hope it forces companies to focus on making secure IoT products for consumers.
UPDATE: Allen Drennan, Co-Founder & Principal, Cordoniq adds this comment:
Many IoT devices were built using insecure protocols, and if they did implement transport layer security, these utilize outdated ciphers and hashes, or open source TLS modules that are also outdated and subject to hacking. Ideally, as part of the cybersecurity initiatives it will be important to not only make sure all devices implement up-to-date TLS standards for communications, but are also required to frequently update their internal security stacks as new threats are discovered and need to be addressed.
Another important aspect is the reliance on the UDP protocol for many IoT devices like thermostats, baby monitors, wireless cameras and more, with most vendors not implementing currently accepted security protocols such as DTLS for connectionless communications. This area is seldom addressed with most consumer products used today.
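The TLS and DTLS points in the comment above, as an added example that is not from the post or from any of the commenters: a small inventory check that flags legacy protocol versions, weak cipher suite names and UDP services running without DTLS, next to an `ssl.SSLContext` configured to refuse such stacks. The weak-primitive tokens, the record fields and the sample device records are constructed assumptions for illustration.

```python
"""Audit IoT device transport-security settings against a simple baseline."""
import ssl

# Assumption: the baseline is TLS 1.2 / DTLS 1.2 or newer and no legacy
# primitives. Token matching on OpenSSL-style suite names is deliberately
# coarse: it is a triage aid, not a full cipher-suite policy.
WEAK_TOKENS = ("RC4", "3DES", "DES-", "NULL", "EXPORT", "MD5", "ANON", "ADH-")
MIN_VERSION = {"TLS": (1, 2), "DTLS": (1, 2)}


def parse_version(label):
    """'TLSv1.0' -> ('TLS', (1, 0)); 'DTLSv1.2' -> ('DTLS', (1, 2))."""
    proto, _, ver = label.partition("v")
    major, minor = ver.split(".")
    return proto, (int(major), int(minor))


def is_weak_suite(name):
    """True when a suite name carries one of the legacy-primitive tokens."""
    return any(tok in name.upper() for tok in WEAK_TOKENS)


def audit_device(record):
    """Return findings for one device record; an empty list means it passes."""
    findings = []
    label = record.get("protocol")
    if label is None:  # no transport security at all
        if record["transport"] == "udp":
            findings.append("plaintext UDP without DTLS")
        else:
            findings.append("plaintext TCP without TLS")
        return findings
    proto, ver = parse_version(label)
    if ver < MIN_VERSION[proto]:
        findings.append(f"{label} is below {proto} 1.2")
    findings.extend(f"weak cipher suite {s}" for s in record["ciphers"] if is_weak_suite(s))
    return findings


def hardened_client_context():
    """Build an ssl.SSLContext that refuses the outdated stacks flagged above."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def context_is_hardened(ctx):
    """Check a context against the same baseline the device audit uses."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2 and not any(is_weak_suite(n) for n in names)


# Constructed sample records, shaped like a device inventory scan might produce.
SAMPLE_DEVICES = [
    {"name": "camera-1", "transport": "tcp", "protocol": "TLSv1.0", "ciphers": ["RC4-SHA", "AES128-SHA"]},
    {"name": "baby-monitor", "transport": "udp", "protocol": None, "ciphers": []},
    {"name": "thermostat", "transport": "udp", "protocol": "DTLSv1.2", "ciphers": ["ECDHE-ECDSA-AES128-GCM-SHA256"]},
]
```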