New proposal aims to boost IoT security with a sticker


Many consumers are unhappy that new devices are vulnerable to hacking and sellers are quick to discontinue support. Now, the FCC is here to save the day with a new proposal – the “I promise” sticker.

To better protect users of smart devices, the Federal Communications Commission (FCC) has proposed a cybersecurity labeling program.

The new initiative is supposed to cover devices such as Wi-Fi routers, digital personal assistants, home security cameras and systems, voice-activated shopping, GPS trackers, medical devices, garage door openers, baby monitors, fitness trackers or any other internet-connected appliances, known as Internet of Things (IoT) devices.

However, while the underlying problem is real and devices often lack adequate cybersecurity for their users, the proposed solution seems lightweight to many – including one of the FCC’s commissioners.

For one, adoption of the labeling program would be voluntary and no strict requirements have been proposed. Labels “would provide information to consumers about the relative security of a smart device or product.”

[Image: the proposed U.S. Cyber Trust Mark logos]

“Smart devices or products bearing the commission’s proposed IoT cybersecurity label would be recognized as adhering to certain cybersecurity practices for their devices,” the FCC promised in a press release.

The FCC hopes that the program will be akin to the Energy Star program – which helps consumers to identify energy-efficient appliances – and promote more cybersecure smart devices.

To add to the confusion, Europeans already have their own separate sticker, “Cybersecurity Made in Europe.” This promises even less, only assuring users that the company is geographically located in Europe.

The problem is real

Many smart products already connect to and communicate over networks, with their number skyrocketing and bringing enormous security challenges. IoT devices are susceptible to a wide range of vulnerabilities, such as default passwords, a lack of regular security updates, weak encryption, and insecure authentication.

Even physical security may be compromised, as IoT devices are often installed in public spaces or remote locations, leaving them susceptible to theft, tampering, vandalism, or unauthorized access.

More than 1.5 billion attacks against smart devices were recorded in the first six months of 2021 alone, the FCC writes. And 25 billion connected devices will be in operation by 2030.

“There are now so many new devices – from smart televisions and thermostats to home security cameras, baby monitors, and fitness trackers – that are connected to the internet,” FCC Chairwoman Jessica Rosenworcel said.

While beneficial, increased interconnection also brings increased security risk.

“After all, every device connected to the internet is a point of entry for the kind of cyberattacks that can take our personal data and compromise our safety. That is true for the biggest connections to the largest businesses and the smallest connections to the devices in our homes,” she argues.

She believes the new program will help consumers make good choices about what they bring into their homes and businesses.

“So when you need a baby monitor or new home appliance, you will be able to look for the Cyber Trust Mark and shop with greater confidence. What’s more, because we know devices and services are not static, we are proposing that along with the mark, we will have a QR code that provides up-to-date information on that device,” she added.

The FCC seeks input on how to best establish the labeling program, including its scope, mechanisms, standards, and education, to provide consumers “with peace of mind.”

Many doubt its effectiveness

The new label is supposed to assure users that the manufacturers adhere to widely accepted cybersecurity standards. However, the strictest requirement proposed so far only obliges manufacturers to disclose how long they’ll provide security updates for their devices and whether they’ll fix known security vulnerabilities.

FCC Commissioner Nathan Simington raised some doubts himself. He started an online discussion on the social news website Hacker News on the proposed regulation, stating that he “fought hard for one of these criteria to be the disclosure of how long the product will receive security updates.” And he only hopes that the commitments on this label will be legally enforceable.

“It’s too early to declare victory. Many manufacturers oppose making any commitments about security updates, even voluntary ones. These manufacturers are heavily engaged at the FCC and are represented by sophisticated regulatory lawyers,” Simington said as he urged readers to express their comments to the FCC.

In an official statement, Simington noted that he only supports the initiative because it includes disclosing the period during which a device’s manufacturer commits to issue security updates – the “bare minimum” of transparency.

“I suspect that some manufacturers will choose to not pursue a label rather than commit themselves to doing the right thing,” Simington said.

Users on Hacker News shared similar opinions. The main issues raised included: lack of enforcement, consumer confusion due to a lack of understanding, security labels being overly complex and technical, and users falling victim to a false sense of security.

“I think a ‘security label’ would give a false sense of safety. Requiring manufacturers to respond to critical security vulnerabilities for a given period of time sounds like a good idea, but such rules often have unintended side effects (like impacting startups, who maybe couldn't afford the certification or can't guarantee long-term support). What we really need is local-only device access so that I can firewall a device off completely from the internet and still make full use of it with a local controller like a home assistant,” one user opined.

Increased manufacturing costs are also a risk, with fears that they may be passed on to consumers, making devices more expensive.

Many agree that the FCC’s proposal is a step in the right direction, but some hoped for more extensive, mandatory security requirements. Others, in contrast, claim that there is no silver bullet for IoT security.

“We recognize that while the IoT cybersecurity label would not constitute a guarantee that the participating IoT product can withstand every single cyberattack, it should provide meaningful assurance to consumers that the IoT devices and products that display the label satisfy certain minimum cybersecurity standards and have specific cyber capabilities that demonstrably reduce relevant vulnerabilities appropriate to the class of device,” the FCC stated in a proposed rulemaking.

A lot of work ahead

Manufacturers seeking a label will have to adhere to standards. Those will be based on NIST’s criteria and developed jointly with the industry.

The FCC proposes implementing a single binary label with layering and a QR code, directing users to more detailed information on the particular product.

That information includes consumer-friendly “specific security information, such as the device manufacturers’ level of support, software update history, privacy policy, and similar information.”

While the FCC proposes “to require that the manufacturer disclose the guaranteed minimum support period for an IoT device or product,” it also recognizes that “the length of such a support period is at the discretion of the manufacturer, and may even be zero.”

Participation would be voluntary. However, the participants would be required to ensure their IoT products comply with the requirements.

Discussions are ongoing on whether “all or only critical patches will be supported, the regularity with which such patches are made available, and whether they are automatically deployed.”

An IoT Registry has also been proposed, which would publicly list the devices carrying the FCC’s label along with other important, regularly updated information.

The program's success will also depend on a “robust” consumer education program.

The FCC describes IoT devices as devices that are internet-connected, can intentionally emit RF energy, have at least one transducer (sensor or actuator) for interacting directly with the physical world, and are coupled with at least one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital world.

Separate third-party CyberLABs would be authorized to properly test and assess the compliance of each IoT product with overall IoT security standards.

IoT forms a significant pillar in the recently released National Cybersecurity Strategy, which promised to continue advancing the development of IoT security labeling programs so that “consumers will be able to compare the cybersecurity protections offered by different IoT products, thus creating a market incentive for greater security across the entire IoT ecosystem.”

Europeans have a different sticker

The €25 billion EU cybersecurity market has the "Cybersecurity Made in Europe" label with a totally different goal. It is designed to promote European cybersecurity companies and increase their visibility on the European and global markets. For 600 euros, the label is valid for 12 months and confirms the company’s geographical location.

[Image: the “Cybersecurity Made in Europe” label]

However, the common baseline for IoT security across the European Union is provided by the European Telecommunications Standards Institute (ETSI), which published the European standard EN 303 645 specifying cybersecurity requirements for consumer IoT devices and products.

The standard defines a set of 13 high-level provisions for IoT device manufacturers to ensure the security and privacy of their products. These provisions cover several areas, including secure communication, access control, and software updates.