This week, the Biden-Harris administration announced a new cybersecurity labeling program for smart devices—machines and gadgets such as “smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more.” The new US Cyber Trust Mark will certify that a particular product meets a set of minimum security standards so that consumers can make informed buying decisions and stay safe online—although it will be voluntary for manufacturers to participate. If all goes well, you should see the new label on tech packaging as soon as next year.
Any device that’s connected to the internet is, to some degree, vulnerable to hackers and other bad actors. While most of us can easily imagine computers and smartphones being hacked, the reality is that anything with an internet connection (cars, surgery-performing robots, routers, Wi-Fi cameras, smart speakers, fridges, and everything else that you can connect to over the web) can be a target.
The good news is that this isn’t wildly common. Chances are your smart fridge or fitness tracker hasn’t been hacked, but the point is that it could be. And it’s much easier for hackers when smart and internet of things (IOT) device manufacturers don’t make much effort to secure their products, like requiring strong passwords or pushing security updates for known vulnerabilities.
One of the easiest examples to understand are web-connected or internet protocol (IP) cameras. Last year, a Cybernews report found that there were 3.5 million IP cameras, like CCTV cameras and baby monitors, facing the open internet and that “some popular brands either offer default passwords or no authentication” which means that anyone who can find the link can log in. Hackers can also try common weak passwords or, if they know an email address associated with a particular account, try passwords that have previously been revealed—a kind of attack called credential stuffing.
And some bad actors do just that. A new report this week found that access to cameras in children’s bedrooms and child sexual abuse material from those cameras was being sold through Telegram.
The US Cyber Trust Mark can’t single-handedly fix these kinds of hacks, but it could help consumers avoid the most insecure devices. It’s meant to be like the Energy Star rating, which is awarded to electronic devices that meet the required energy efficiency standards, but for basic computer security.
In the press briefing, the Biden-Harris administration says that the Federal Communications Commission (FCC) will administer the voluntary certification program. Before it goes into effect next year, the agency will seek public comment, and the National Institute of Standards and Technology (NIST) will publish the “specific cybersecurity criteria” that devices have to meet. Some of the proposed criteria would be requiring “unique and strong default passwords, data protection, software updates, and incident detection capabilities.”
While the standards are all still a bit up in the air, we have a better idea of how the mark itself will work. As well as the mark on the front of the box, there will be a QR code linked “to a national registry of certified devices to provide consumers with specific and comparable security information about these smart products.” In other words, if the program works as intended, the QR code should let you check if a device has received the latest security patches.
For now, the program is voluntary—though some big players have signed up. Amazon, Best Buy, Cisco Systems, Connectivity Standards Alliance (the group behind the Matter smart home standard), Google, Infineon, LG, Logitech, OpenPolicy, Qualcomm, and Samsung were all part of the announcement. Apple, however, was conspicuously absent and has not responded to a request for comment by The Washington Post.
So, will the US Cyber Trust Mark work to encourage smart device manufacturers to better secure their products? Or will the standards end up too watered down by the time they go into effect next year? We’ll just have to wait and find out.