The Federal Communications Commission (FCC) is at the beginning of an important effort to secure connected consumer devices through the implementation of a voluntary labeling program. The agency plans to ask manufacturers of connected devices to attest that they follow a set of criteria in exchange for a voluntary U.S. Cyber Trust Mark. The Trust Mark will consist of a label and QR code located on the IoT product’s packaging as well as a secondary label accessed via the QR code with additional information about the device’s security.
Consumer Reports believes that the creation of some kind of security label for consumer IoT devices has only become more pressing since it was first proposed as part of a May 2021 Executive Order issued in the wake of the Colonial Pipeline and SolarWinds cyber attacks.
Our homes are getting smarter and less secure
As of the end of 2022, 41% of American homes have one or more connected devices, and almost a third of homes have more than three devices, according to data from Parks Associates. Aside from consumers actively picking up smart lighting or video doorbells, they are also unwittingly purchasing connected televisions and appliances. Smart appliances made up 38 percent of models offered at retail as of August 2022, up from 21 percent in August 2019, according to data from Gap Intelligence. In September 2022, Samsung said it would no longer ship home appliances without Wi-Fi by the end of this year.
Cyberattacks against smart home gear are not rare. Attacks have relied on improperly stored passwords, insecure network connections as well as the use of default passwords. These attacks distress consumers, and can also act as a vector for larger attacks against U.S. infrastructure as was the case with the Mirai botnet back in 2016.
As we add more computing and internet connections to devices in our homes, we’re increasing the attack surface, opening up hundreds of new potential targets. But demand from consumers for the added features connected devices offer means that despite security risks, IoT devices will continue to gain ground in homes and businesses.
The best way to protect against cyberattacks is to radically improve the security associated with these products, and the most tenable way to do this is through a well-thought-out U.S. Cyber Trust Mark.
The U.S. Cyber Trust Mark explained
The FCC’s voluntary labeling program will award manufacturers who invest in security with a mark they can place on their products to indicate that they are secure. Within the industry, companies are already investing in better cyber hygiene, and such a program would reward their efforts by allowing them to show consumers why their product is better than a device that doesn’t have that mark.
However, the mark must represent actual security best practices to address consumer concerns and the legitimate federal worries about a widening attack surface thanks to insecure devices. To this end, Consumer Reports proposes that the voluntary labeling program set forth criteria that create a reasonably secure product.
We believe the program should have three elements: the aforementioned U.S. Cyber Trust Mark located on the box or at the point of purchase, a QR code that sends users to a second layer of information that includes specifics about the security and sensors on the device, and an in-depth IoT product registry that includes data about the product's security in a machine-readable format. To be effective, Consumer Reports would like to see the program follow these basic criteria:
- The label should evaluate the IoT product in its entirety, not only as a hardware device. This is because an IoT product is the sum of all its parts, including the cloud, the app, and the networking between the device and the app, as per the NIST 8425 definition.
- Any device maker should follow basic cybersecurity principles, such as not using default or easily anticipated passwords, running a vulnerability disclosure program, and maintaining a patching program that includes regular security updates.
- Device makers should commit to updating their device using over-the-air updates for a set number of years and disclose this support lifetime on the product’s box and at point of purchase.
- Device makers should protect device data at rest on the device and in the cloud, and in motion when traversing local and public networks, using accepted encryption methods.
- Because privacy and security are deeply intertwined, manufacturers should disclose the types of sensors inside a device, the data those sensors collect, and who has access to that data as part of the second layer of data shared by the manufacturer.
- Manufacturers should submit a Software Bill of Materials (SBOM) associated with the connected device and the cloud applications supporting it.
The device dilemma
For any IoT system, there are dozens of additional elements associated with good cyber hygiene beyond just the device itself, and a conformity assessment for the label should ensure that the label certifies that the IoT product as a whole, not just the physical device, is secure. This would require manufacturers to follow best practices to protect data in their clouds and in their apps as well as on the device. Many attacks attempt to wrangle data from the cloud back ends of connected devices because that is where the data is.
Let’s see some disclosures here!
Consumer Reports also believes that improved logging and communication around data handling will benefit security for individual consumers and national security. For example, understanding when an employee at a device manufacturer accesses consumer data can ensure that consumer data stays secure and also act as an important clue in the aftermath of a cyberattack. Additionally, providing logging associated with access to a connected device or its behavior can also prevent bad behavior such as using a device for stalking a member of a household.
Since security is always changing, having a vulnerability disclosure program that both invites responsible vulnerability reporting and implements patches once those vulnerabilities are discovered is essential. Any connected device is likely to face some form of potential attack during its lifetime, and a responsible manufacturer should have a process for soliciting vulnerability reports, responding to them, and then patching those problems with an over-the-air update. Without such a process, any connected device will devolve into a security problem over time.
Wait, how long will this thing be secure?
Promoting a guaranteed support time frame on the devices at sale will ensure that consumers will know up front how long their device will remain secure. Today, no one purchasing a video doorbell knows how long the device will be supported with security and regular software updates. As the connected products consumers buy become more expensive and have greater longevity, knowing how long the product receives security updates becomes even more important. Imagine buying a washing machine thinking it will last 15 years, only to discover a few years into the life of the product that it will only get security updates for the next five years.
Security plus privacy is a win
The data gathered by connected devices can be intensely personal and can range from health information to a consumer's Wi-Fi password. Security cameras can provide an eye inside homes, while connected appliances can share information about a family's daily habits and makeup. Protecting consumers means encrypting this data while it's inside the local network and when it travels to the cloud. It should also be stored securely in the cloud to prevent attackers from grabbing data for thousands of devices in one hack. Using encryption also makes the labeled devices less of an easy target for hackers.
Additionally, device data can be sensitive, so it’s imperative that consumers understand what data their devices are gathering. This is why Consumer Reports would like to see manufacturers disclose the types of sensors on their devices, and the data those sensors gather in the Layer 2 label associated with the device. We also want manufacturers to disclose who they share that sensor data with.
The star of this program is actually a database
Because security is such a complicated and changing area, we think the best way to communicate conformity with the label will include a machine-readable database that can be accessed by third parties. This IoT product registry will allow companies to build automated services that pull security data, such as the guaranteed support life of a product, to help consumers, retailers and even building owners manage their devices securely.
These automated services might include pulling unsupported inventory from retailers’ shelves or automatically quarantining unsupported devices from a consumer’s network. The database will also provide a powerful tool for compliance in case the FCC needs to revoke a label. The database should also include access to a software bill of materials (SBOM) that discloses the relevant software used in the device itself and the software associated with the application and cloud components.
SBOMs have become a mandatory requirement for connected medical devices and are recommended by the U.S. Cybersecurity and Infrastructure Security Agency for all types of software. Adding a requirement that connected consumer devices provide an SBOM in exchange for a voluntary label provides more tools to ensure that these devices stay secure over time. When manufacturers know what’s inside their products, they can match their existing software against known vulnerabilities and then implement patching in a faster and more thorough manner.
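To make the registry idea concrete, here is an added example (not Consumer Reports' or the FCC's code) of how an automated service might consume one registry record: it reads the guaranteed support end date and the SBOM, decides whether a device should be allowed, flagged or quarantined, and matches SBOM components against an advisory list. The JSON shape, the product, the component names and the advisory identifier are all constructed for illustration; the real program has not published a schema.

```python
import json
from datetime import date

# Constructed registry record in an assumed JSON shape (no official schema exists).
REGISTRY_ENTRY = json.dumps({
    "product": "Example Smart Doorbell",
    "support_end": "2026-12-31",          # guaranteed update window, disclosed at sale
    "sbom": {"components": [
        {"name": "openssl", "version": "1.1.1w"},
        {"name": "busybox", "version": "1.36.1"},
        {"name": "example-mqtt-client", "version": "2.0.3"},
    ]},
})

# Constructed advisory feed keyed by (component, affected version); placeholder id.
KNOWN_VULNERABLE = {
    ("example-mqtt-client", "2.0.3"): "EXAMPLE-ADVISORY-0001",
}


def parse_entry(raw):
    """Parse a registry record, keeping only the fields the checks below need."""
    data = json.loads(raw)
    return {
        "product": data["product"],
        "support_end": date.fromisoformat(data["support_end"]),
        "components": [(c["name"], c["version"]) for c in data["sbom"]["components"]],
    }


def is_supported(entry, today_iso):
    """True while the manufacturer's guaranteed update window is still open."""
    return date.fromisoformat(today_iso) <= entry["support_end"]


def vulnerable_components(entry):
    """Match each SBOM component against the advisory feed."""
    return [(name, ver, KNOWN_VULNERABLE[(name, ver)])
            for name, ver in entry["components"] if (name, ver) in KNOWN_VULNERABLE]


def network_action(entry, today_iso):
    """Policy a home gateway or retailer could apply from registry data alone."""
    if not is_supported(entry, today_iso):
        return "quarantine"  # past support lifetime: no further patches are coming
    if vulnerable_components(entry):
        return "flag"        # still supported: a patch is expected, but alert the owner
    return "allow"
```

The same lookup lets a retailer pull unsupported inventory by running `network_action` over its stock list with today's date.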
Our comments in the FCC's Notice of Proposed Rulemaking cover all of these points and explain why these policies will offer consumers and the nation a trusted label that can improve our overall cyber security. You can review Consumer Reports' full comments here.