Cyber Trust Mark: A step in the right direction

With so many devices having Internet connectivity these days, it is hard to know what you can trust and what you cannot. Internet of Things (IoT) devices, like your thermostat or smart plugs, can come with security concerns that open your home network to attackers. Devices may ship with exploitable software vulnerabilities because security was not a core consideration in their design. Few companies want to spend the additional time, money and effort to patch systems that sell cheaply, like the smart plug example. Even if a company does issue a fix, it can be difficult to let consumers know that the software on their front door lock needs updating, and even more difficult for consumers to know how to actually perform that update.

Informing the public

The Federal Communications Commission (FCC) is stepping in to provide at least an easily recognizable stamp for devices that meet certain criteria. Much like the Energy Star ratings you have seen on electronics that help you pick out what is good for your electric bill, this mark aims to give a little peace of mind about the security of what you’re buying.

The FCC sought public comment on the matter starting in August 2023 and adopted the program’s rules in March 2024. The program itself is still being stood up by the FCC, but the prospects look promising.

The new mark

The Cyber Trust Mark, a specific logo placed on consumer IoT devices, “will appear on wireless consumer IoT products that meet the program’s cybersecurity standards”, according to the FCC. What does that mean exactly? It means a company producing a consumer IoT device, like a home security camera or smart appliance, has had its product tested by a CyberLAB accredited under the FCC’s rules. The mark will also come with a QR code you can scan with your phone to see information such as how to configure the device securely and how to change the default password.

What is a CyberLAB?

According to Federal Regulations, a CyberLAB must be accredited to the following:

  • (1) Technical expertise in cybersecurity testing and conformity assessment of IoT devices and products.
  • (2) Compliance with accreditation requirements based on ISO/IEC 17025 (incorporated by reference, see § 8.201).
  • (3) Knowledge of FCC rules and procedures associated with products compliance testing and cybersecurity certification.
  • (4) Necessary equipment, facilities, and personnel to conduct cybersecurity testing and conformity assessment of IoT devices and products.
  • (5) Documented procedures for conformity assessment.
  • (6) Implementation of controls to eliminate potential conflicts of interests, particularly with regard to commercially sensitive information.
  • (7) That the CyberLAB is not an organization, its affiliates, or subsidiaries identified by the listed sources of prohibition under § 8.204.
  • (8) That it has certified the truth and accuracy of all information it has submitted to support its accreditation.

Overall, the above requirements boil down to three primary things. First, a CyberLAB must have expertise in the security of IoT devices, which seems a given for its role in this process. Second, there must be a meaningful control mechanism for conflicts of interest, which is what you would want. Finally, truth and accuracy are called out specifically as part of the accreditation process. I find the second of these the most interesting, because a major concern with testing these devices will be protecting the commercially sensitive information that is discovered in the process. This should help companies feel more comfortable having their products tested for the FCC mark.

Final thoughts

I do not think this mark and effort will solve all the security problems related to IoT devices. After all, it will still be up to the individual consumer to put security into practice, and the program is entirely voluntary. Even so, I think this is a correct move to take some of the burden off consumers when it comes to securing their homes. It at least gives a little peace of mind when buying an IoT device, and it works to better inform the public, which at the end of the day is always a good thing.