
FCC approves cybersecurity trust mark for IoT products

In the future, consumers may check their baby monitors and smart toasters for a shield logo.

Brendan Smialowski/Getty Images


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Look out, “I voted.” There’s a new sticker that smart device makers may want to show off.

On March 15, the Federal Communications Commission unanimously approved a voluntary labeling program that adds Cyber Trust Marks to security cameras, garage door openers, baby monitors, and other internet-connected (aka internet of things, or IoT) products that meet required security standards.

The packaging check mark aims to help consumers make informed purchasing decisions and encourage cybersecurity practices in a field that has seen many design vulnerabilities—and hacks exploiting them.

“This would strengthen the chain of connected IoT products in consumers’ homes, which in turn could strengthen the larger national IoT ecosystem,” Debra Jordan, chief of the Public Safety and Homeland Security Bureau, said in a prepared statement during the March 15 meeting before the unanimous vote.

How it works

  • The shield logo will appear on the packaging of internet-connected products passing standards, including NIST’s “IoT Core baseline for consumer products,” or NIST IR 825, FCC Commissioner Geoffrey Starks said.
  • An FCC-selected lead administrator and cybersecurity labeling administrators will develop additional testing procedures.
  • The shield will be accompanied by a QR code that consumers can scan for additional security details, such as the product’s guaranteed minimum support period.

Why now? An April 2023 report from Bitdefender found that the average US household has 46 internet-connected devices and experiences an average of eight attacks daily. The Mirai botnet, which used vulnerabilities in IoT devices to create a giant denial-of-service machine, has spawned similar disruptive variants. Poor IoT security design has also raised alarming privacy concerns. In February, Consumer Reports highlighted vulnerabilities in many of today’s video doorbells.

“[C]heap IoT products can threaten security, our privacy, the sanctity of our homes. They can allow remote access into your home, allow bad actors to monitor comings and goings, lead to data theft,” Starks said in the open hearing this month.

Early reactions. Having a simple way for consumers to understand a product’s security properties is very useful, according to Johannes Ullrich, dean of research for the SANS Technology Institute, but standards-makers must be ready to adjust to consumer reactions.

“Most people don’t go in a store to buy these devices. So how will this be advertised on Amazon? Will I be able to filter by Cyber Trust Mark devices when I buy a device on Amazon? I think those are the little things that really need to come together for this to become useful,” Ullrich told IT Brew.

The FCC’s program description emphasizes the initiative’s adaptable nature: the URL embedded in its QR code, for example, offers up-to-date information if a manufacturer’s status changes.

“The lead administrator should ensure that the Cyber Trust Mark standards are dynamic and can be updated and so much work remains here before we'll see this actually on a package,” Starks said before the vote.
