White House Launches “U.S. Cyber Trust Mark” for Internet Connected Devices 

Yesterday, the White House announced the launch of a cybersecurity label for internet-connected devices, known as the U.S. Cyber Trust Mark, following 18 months of public notice and input.

You can get more details here:  https://www.whitehouse.gov/briefing-room/statements-releases/2025/01/07/white-house-launches-u-s-cyber-trust-mark-providing-american-consumers-an-easy-label-to-see-if-connected-devices-are-cybersecure/

Roger Grimes, data-driven defense evangelist at KnowBe4, commented:

“There are a lot of things to like about this program, especially the focus on IoT cybersecurity basics, such as changing default passwords, patching, data protection, and a software/hardware bill of materials. Allowing consumers to scan a QR code and get information from a decentralized IoT registry is a terrific idea. Those reasons alone are reasons enough for the program. But the devil is in the details, and many of the security requirements, like the program itself (i.e., vendors do not need to participate), are really just voluntary recommendations and suggestions. I wish many basic cybersecurity defenses, such as the customer being forced to change the default password and automatic patching, were required to be in the program. It would make the program much more valuable.

“As another example, vendors participating in the program must tell consumers if they have a hard-coded default password instead of just preventing any vendor from having a hard-coded default password. The way I read the current requirements, a vendor could apply the mark if they simply told the consumer they only patched once a year, never automatically, and that the consumer had to manually remember and go out of their way to look for and apply a patch, if any are ever available. What percentage of consumers are going to do that? It would be far better to automatically patch your product without consumer involvement.

“But now, the way the program is written, a vendor simply disclosing that they purposefully have included very dangerous substandard cybersecurity practices seems still sufficient for using the mark. So, you could have some IoT vendors really going out of their way to make very secure products that require very little attention from the consumer and other IoT vendors not applying the same high cybersecurity practices and getting to use the same mark simply for telling the consumer they use substandard cybersecurity practices, assuming the consumer actually scans the QR code and reads the information. Wouldn’t it be better if the mark actually meant the vendor was using generally accepted safe cybersecurity practices?

“When I see an FCC safety mark on an electrical cord or lamp, I know it’s safe. I don’t have to scan a code and read information to find out if it is actually safe. I wish the Cyber Trust Mark label meant the same thing…that the device was actually safe as designed. I think the problem is that consumers will see the mark and automatically assume the device meets expected cybersecurity standards and maybe it does and maybe it doesn’t.”

This is a good move, because consumers need to know that the gear they buy is safe and secure. Right now it is kind of the Wild West out there, with gear that might ship with vulnerabilities just waiting to be exploited, which is not a good situation for anyone.

UPDATE: Andrew Obadiaru, CISO, Cobalt:

“The FCC’s launch of the US Cyber Trust Mark is a crucial step toward improving IoT security. In our work testing IoT devices and embedded systems, we frequently uncover hardcoded credentials, exposed debug ports, and misconfigurations – vulnerabilities that give attackers easy access to networks. Once inside, adversaries can move laterally, disrupt operations, steal sensitive data, or launch ransomware attacks.

We recommend manufacturers prioritize regular penetration testing and firmware reviews to catch and fix these issues early. Addressing vulnerabilities before products reach the market reduces the risk of exploitation, safeguarding both consumers and enterprises while strengthening overall trust in connected devices.”

2 Responses to “White House Launches “U.S. Cyber Trust Mark” for Internet Connected Devices ”

  1. The introduction of the Cyber Trust Mark is a great step forward, but do you think the voluntary nature of the program could limit its impact? How can policymakers ensure that the label becomes a meaningful standard rather than just a marketing tool?

  2. I like the QR code idea and plan to scan these labels before buying new smart home gear. I’m worried the voluntary rules won’t push vendors enough, so I’ll prioritize products that force password changes and auto updates, and I’ll check how often they patch.
