The Biden-Harris administration has introduced a new cybersecurity labelling initiative for smart devices, aiming to enhance consumer safety in the digital realm. Under the name "US Cyber Trust Mark", this program is designed to certify products that meet minimum security standards, including "smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more". The label will serve as a guide for consumers, enabling them to make informed purchasing decisions, and is anticipated to appear on tech packaging as early as next year. Manufacturer participation in this labelling program is voluntary.
Internet-connected devices are increasingly prevalent, and these devices, especially those not protected by a VPN service, are susceptible to hacking and unauthorised access. While computers and smartphones are the targets most commonly associated with cyberattacks, virtually any device connected to the internet, such as cars, medical robots, routers, Wi-Fi cameras, smart speakers, and refrigerators, can be vulnerable as well.
To mitigate such risks, the US Cyber Trust Mark aims to encourage manufacturers to prioritise security in their products. By implementing strong security measures like robust passwords and timely security updates, device manufacturers can significantly enhance their products' resilience against potential attacks.
A relevant example of the vulnerability of internet protocol (IP) cameras emerged last year, when Cybernews reported that over 3.5 million IP cameras, including CCTV cameras and baby monitors, were exposed to the internet without adequate authentication. Weak security, such as default passwords, internet activity not shielded by a VPN, or no authentication at all, made it easier for hackers to access these devices. Furthermore, the technique of "credential stuffing", wherein hackers try previously revealed passwords associated with specific email addresses, poses another threat.
In an attempt to reduce the prevalence of insecure devices, the US Cyber Trust Mark, similar to the Energy Star rating, will serve as a reliable indicator of basic computer security compliance. The Federal Communications Commission (FCC) will oversee the voluntary certification program, with public input being sought before its implementation next year. The National Institute of Standards and Technology (NIST) will be responsible for defining the specific cybersecurity criteria that devices must meet for certification. Some of the proposed criteria include the requirement for unique and robust default passwords, data protection measures, software updates, and incident detection capabilities.
Although the exact standards are yet to be finalised, details regarding the functionality of the mark have emerged. Besides featuring the mark on the packaging, a QR code will be included, linking consumers to a national registry of certified devices. This registry will provide specific and comparable security information about the smart products, including information about the latest security patches, if applicable.
While the program currently operates voluntarily, notable industry players such as Amazon, Best Buy, Cisco Systems, Connectivity Standards Alliance, Google, Infineon, LG, Logitech, OpenPolicy, Qualcomm, and Samsung have already shown support and participation. However, Apple's absence from the list has raised questions about the program's effectiveness and the level of industry-wide commitment to securing smart devices.
As the US Cyber Trust Mark prepares to be rolled out, the efficacy of this initiative in encouraging manufacturers to enhance the security of their products remains to be seen. With the standards and criteria subject to further refinement, only time will tell whether the program will succeed in bolstering the security landscape of internet-connected devices.