Cybersecurity Labeling for IoT

Smart devices are to be more secure for consumers

Blog Cybersecurity Labeling for IoT

| 6 min read

Contact us

IoT devices cybersecurity needs to be better

The number of Internet of things (IoT) devices in the world is big and on the rise. By July 2023, it was 15.14 billion. And it is estimated that, by the start of the new decade, they will be about 29.42 billion. Basically, their amount seems to almost double every five years. Right now, large corporate networks may have millions of such smart devices connected to them. That could be up to 30% of all the connected devices.

Organizations use IoT devices for several reasons. Some, such as those in the healthcare sector, find them useful for tracking equipment and tools remotely via sensors or offering remote support to practitioners in augmented reality. Others, like those in the retail sector, may use IoT devices to boost the efficiency of their logistics (e.g., monitoring that inventory is where the inventory system claims it should be).

IoT devices are, however, known to be insecure, as they generally come with default, guessable usernames and/or passwords, use outdated software components, do not encrypt data, and do not get regular software updates, or these are not always successful. Possibly a part of the fault lies in manufacturers' eagerness to deploy their devices massively and quickly, which outweighs any importance given to security tests during development. Another contributing factor may be the lack of strict government regulations on the cybersecurity of such devices.

The fact is that the lack of compliance with security requirements in IoT devices represents an important risk. By the start of 2023, organizations globally received a mean of 59.7 attack attempts weekly targeting those devices. Insecure gadgets, making up a big chunk of the organizations' attack surfaces, are then the focus of a lot of activity by malicious hackers. Indeed, e.g., highly skilled groups of cybercriminals who have enough resources to attack their targets repeatedly, aka advanced persistent threats (APTs), are leveraging zero-day security vulnerabilities in smart home cameras, connected car systems, wearable devices, etc., to do surveillance and carry out espionage campaigns.

Cybersecurity labeling program in the United States

The above has motivated nations to include in their cybersecurity strategies an item regarding actions to increase cybersecurity on smart devices to protect consumers. Accordingly, in the U.S., the White House and the Federal Communications Commission (FCC) created a program, named U.S. Cyber Trust Mark, that aims to certify and label Internet-enabled devices as secure and will possibly be ready to start in late 2024.

The program is part of the United States National Cybersecurity Strategy Implementation. It is in the process of establishing guidelines for manufacturers to follow voluntarily in the products they develop and deploy. These products include smart televisions, microwaves, refrigerators, fitness trackers, climate control systems, and more. The guidelines shall be based on recommended cybersecurity criteria published by National Institute of Standards and Technology (NIST). Further, the program proposes that complying products get a cybersecurity label "in the form of a distinct shield logo" (see here the proposed logo). This label would help consumers easily choose smart devices that may be less vulnerable to cyberattacks than those without the label. And to help choice even more, and also promote transparency and competition, the FCC plans to use a QR code that consumers can scan to access a national registry listing the products with their security information, which can then be used by the consumer to establish comparisons.

Although NIST is still working to define the requirements for consumer-grade routers, and other agencies are undertaking research to develop requirements for other smart devices, we can still summarize, in our own words, the recommended criteria that NIST has already made public.

The source we refer to is the white paper from February 4, 2022, titled "Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products." It is a response to the Executive Order 14028, "Improving the Nation's Cybersecurity," which tasks NIST with, among other things, formulating cybersecurity criteria and labeling approaches for IoT. Most of this agency's criteria can be satisfied by the IoT product's software and/or hardware, and some apply to the developer. We present them briefly as follows:

  • Asset identification: The product has a unique identifier and inventories all of its connected components.

  • Product configuration: The product's default setting is secure, and authorized users, services or components can change settings and also revert them to default.

  • Data protection: The product and its components protect the data they store and transmit from unauthorized access, disclosure and modification.

  • Interface access control: The product and its components restrict logical access to local and network interfaces to only the authorized users, services or components.

  • Software update: There is a secure and configurable mechanism to update the software of the product's components (even non-executable software data).

  • Cybersecurity state awareness: The product detects cybersecurity incidents affecting or effected by its components and the data they store and transmit.

  • Documentation: The developer creates exhaustive documentation on the product that consumers can read before purchase and mentions information such as the product's intended use, compliance and noncompliance with requirements, components, security tests passed, as well as the vendor's methods of receiving reports of vulnerabilities, processes for recording reported vulnerabilities, policy for responding to such reports, policy for disclosing verified vulnerabilities, and processes for receiving news from component suppliers about changes in the latter's products.

  • Information and query reception: The developer receives information relevant to the cybersecurity of the product and responds to queries about it.

  • Information dissemination: The developer discloses through a channel information and events throughout the product's support lifecycle, including updates to terms of support, needed maintenance, new vulnerabilities, data breaches, as well as other cybersecurity relevant information, like steps for vulnerability remediation and the developer's security practices and certifications related to such practices.

  • Product education and awareness: The developer educates users and creates awareness on the product's cybersecurity related information, such as that regarding configuration and patch management to mitigate risks.

Get started with Fluid Attacks' Security Testing solution right now

This sounds like it's going to be a gigantic step for IoT devices cybersecurity. Remarkably, the White House's statement about the program mentions the manufacturers and retailers that have announced their support and commitment to the program, and these include big names. These are the participants mentioned: Amazon, Best Buy, Carnegie Mellon University, Cisco Systems, Connectivity Standards Alliance, Consumer Reports, Consumer Technology Association, CyLab, Google, Infineon, the Information Technology Industry Council, IoXT, KeySight, LG Electronics U.S.A., Logitech, OpenPolicy, Qorvo, Qualcomm, Samsung Electronics, UL Solutions, Yale and August U.S.

Cybersecurity labeling programs already running in Europe

By the way, other nations have already introduced their own labeling programs. Finland was the pioneer and then Germany followed. And this is crucial, since Europe has been reported as the region whose IoT devices have been targeted the most in early 2023 (about 70 attacks per organization every week). Let's take Germany's case of cybersecurity labeling as an example. The country's Federal Office for Information Security (BSI in German) started the program by the end of 2021 with routers and email services and now also validates and labels IoT devices (e.g., Xiaomi's smart cameras and vacuums). The developers who want to participate voluntarily need to comply with the BSI's criteria. These are based on the European standard "Cyber Security for Consumer Internet of Things: Baseline Requirements" (the same source for Finland's program), which is a 2020 document whose provisions have lots in common with those we described above, published by NIST years later. If the product earns the label with the BSI, valid for at least two years, it will be visible for consumers, who will access the security information by entering the URL in the label or scanning the added QR code. Just in November this year the BSI launched a nationwide advertising campaign for consumers to be aware of the label.

This effort in Europe is significant and can prepare developers for what's looming over them: The European Union's Cyber Resilience Act (CRA) is expected to take effect next year. All digital products destined for the European market will need to comply with cybersecurity requirements throughout their lifecycles. Fines for infringement, which includes acts like deception and noncompliance, will go from about €5M to €15M (we expand on this regulation in our dedicated blog post).

IoT is just the beginning

While in the U.S. the labeling program will start with IoT, we see that in Germany their own has been addressing other software products as well. The U.S. may follow these steps soon, though, since NIST has also the task to identify "secure software development practices or criteria for a consumer software labeling program." Their public 2022 white paper already mentions technical criteria as claims that developers can make about their product. In a nutshell, a group of the criteria reads that the vendor adheres to accepted secure software development practices throughout the software development lifecycle (SDLC).

How about being ahead of the curve by securing your software now? In our Continuous Hacking solution, we use several security testing techniques by default to verify your application's compliance with several secure development guidelines and cybersecurity standards. You can see all results when you log in on our platform and swiftly manage all vulnerabilities throughout the SDLC. As we provide you with fix recommendations through several options (including AI-generated, step-by-step guidance, and, in our flagship plan, advice from our hacking team), you can take action fast to fulfill the security requirements needed. Start your free trial now.

Subscribe to our blog

Sign up for Fluid Attacks' weekly newsletter.

Recommended blog posts

You might be interested in the following related posts.

Photo by Robs on Unsplash

Consequential data breaches in the finance sector

Photo by Towfiqu barbhuiya on Unsplash

Data protection in the financial sector, tips and more

Photo by Jasmin Egger on Unsplash

If the essential security layer is flawed, you're toast

Photo by Christian Wiediger on Unsplash

The need to enhance security within the fintech sector

Photo by Claudio Schwarz on Unsplash

Is your financial service as secure as you think?

Photo by mitchell kavan on Unsplash

Bringing the zero trust model to life

Photo by Brian Kelly on Unsplash

We need you, but we can't give you any money

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which hundreds of organizations are already enjoying.

Start your 21-day free trial
Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.