As governments worldwide strive to bolster IoT security, the landscape is evolving rapidly. From the US Cyber Trust Mark program to the recent groundbreaking legislation in the UK, the global efforts to enhance IoT security are gaining momentum. Can these labels truly protect consumers amidst the evolving world of IoT devices? Read further as we uncover the hidden threats in this ever-expanding ecosystem.
Since the founding of our company, SAM has welcomed efforts by governments worldwide to raise consumer awareness about cybersecurity in the IoT space. These efforts benefit both consumers and the network operators connecting them to the digital world. Consumers benefit by being better informed about an IoT product’s security attributes at the “point of sale” and operators benefit as this increased awareness amongst consumers will make it easier to develop and sell new network-based security services.
The foundation for the recent advances in IoT security was laid by the United States in 2023 with the announcement of the “Cyber Trust Mark” program. Devices that meet a baseline of security criteria, drawn from NIST’s consumer IoT cybersecurity baseline, may carry the label, so shoppers can tell at a glance that a product protects their network and device data to at least that minimum. The program is voluntary and led by the Federal Communications Commission, and the label was expected to start appearing on devices in 2024. Notably, the White House also asked NIST to draft cybersecurity requirements specific to home routers, with a target of late 2023.
Turning to more recent developments, the UK has gone further than a voluntary label: the Product Security and Telecommunications Infrastructure (PSTI) regime, in force since 29 April 2024, makes minimum security requirements for consumer internet-connected devices a legal obligation. Manufacturers, importers and distributors must not ship products with universal default passwords, must publish a vulnerability disclosure policy, and must state for how long the product will receive security updates. This is a significant step for IoT security worldwide, because it shifts the burden of protecting consumers from hackers and cybercriminals onto the companies that put the devices on the market.
The outlook for the IoT ecosystem is therefore positive. Yet, while product labels inform consumers, they cannot keep up with the constant churn and fragmentation of the IoT market. Thousands of new devices appear every year, so “constant” security is unattainable: a label certifies a device against the criteria known at the time of sale, and a device that is secure on day one can become vulnerable later when a new flaw is discovered and the fix is never installed, which in practice is what happens on most home networks, because the average consumer does not apply firmware updates. Consider the popular IoT gadgets bought from global marketplaces such as AliExpress. Despite the strides made in the US and the UK, many of these devices, often shipped directly from China, fall outside the reach of either regime, leaving consumers exposed to unpatched vulnerabilities.
Katherine Gronberg, Head of Government Services at NightDragon, who works frequently with NIST and the White House on matters relating to IoT security, said: “With the explosion of IoT devices available from a wide variety of sources, consumers have until now not had any help in deciding what to buy or even to be mindful of security. The Cyber Trust Mark will allow consumers to identify products that have been designed and manufactured according to secure development guidelines and that offer some basic security features, most of which will likely not require any actions by the device user. While this program doesn’t apply to IoT devices that are already in use today, it will create a more informed customer and may make other parties in the ecosystem such as retailers or Internet Service Providers more conscious of the problem and might motivate them to take action.”
Vulnerabilities of this kind have several causes, one of the most common being that ordinary consumer electronics have become network-connected IoT devices, reachable through the home router, without the security engineering that networked products need. Some of these flaws are merely an inconvenience for the user; others open the door to malicious activity such as device takeover or a foothold on the home network. One of the most pressing problems in IoT is the slow path from discovery of a vulnerability to a firmware fix from the vendor, and then from the fix being published to it actually being installed on the device. For many products that second step never happens, so users stay exposed indefinitely. This is the critical gap in home security: an IoT vulnerability has to be neutralised quickly, whether or not the vendor and the user act.
This is why routers are back in focus. In February 2023 the US NSA published its “Best Practices for Securing Your Home Network”, and one of its recommendations was that consumers use a router they purchase themselves rather than relying solely on the ISP-issued device. The recommendation underscores how much home security depends on the router, but it also presents an opportunity for ISPs: they can differentiate themselves and build customer loyalty by offering enhanced security services on the router they already manage. This brings us to the “hot patching” approach, which uses a router-based agent to protect both the router itself and every device connected behind it.
Hot patching is designed as a “one stop” protection service: the ISP deploys an agent to the router, and the agent provides continuous real-time monitoring and alerting. It relies on deep packet inspection (DPI), a well-known and long-standing technique in which the payload of packets traversing the network, not only the headers, is inspected and analysed. Applied to IoT, this is what is often called virtual patching: when a vulnerability in a device is known, the gateway blocks the traffic that would exploit it, so the device is shielded even though its own firmware is unchanged and the user has done nothing. That shifts protection away from the vendor’s patch schedule and the consumer’s update habits. A few limits are worth stating plainly. The agent only sees traffic that crosses the router, so an attack launched from one device to another on the same LAN segment, or an exploit carried inside an encrypted session the gateway cannot decrypt, is out of its view; and because DPI does read payloads, the privacy claim rests on inspection being done locally on the router and on what, if anything, is reported back to the ISP. Within those limits, it closes the discovery-to-patch gap for the devices that would otherwise never be updated.
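To make the mechanism concrete, here is a small gateway-side “virtual patch” filter in the DPI style described above. It is an added illustration written for this article, not SAM’s agent or any vendor’s code; the rule names, the sample requests and the choice of HTTP as the inspected protocol are all constructed for the example. Each rule is a generic exploit pattern (path traversal, shell metacharacters in CGI requests) bound to a destination port, applied to the URL-decoded request; encrypted TLS records are reported as opaque rather than silently allowed, which is the limit noted above.

```python
"""Toy DPI-style virtual-patch filter for a home gateway.

Added example, not production code. Rules, hostnames and packets are
constructed for illustration; the rules are generic exploit patterns,
not signatures for any specific product or CVE.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Rule:
    name: str
    dst_port: int                      # 0 means "any destination port"
    path: re.Pattern                   # matched against the URL-decoded target
    body: Optional[re.Pattern] = None  # optional additional match on the body


# Constructed rule set: generic patterns a gateway could apply to traffic
# headed for a device's embedded web server until the vendor ships a fix.
RULES = [
    Rule("path-traversal", 0, re.compile(r"(^|/)\.\.(/|$)")),
    Rule("cgi-shell-metachar", 0, re.compile(r"^/cgi-bin/.*[;|`$]")),
    Rule("cgi-body-metachar", 0, re.compile(r"^/cgi-bin/"), re.compile(r"[;|`]")),
]


def parse_http(payload: bytes):
    """Return (method, target, headers, body) for an HTTP/1.x request, else None."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")   # latin-1 never raises
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key:
            headers[key.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def inspect(dst_port: int, payload: bytes, rules=RULES):
    """Classify one client-to-device payload.

    Returns ("block", rule_name), ("allow", None) or ("opaque", None).
    """
    # TLS record header: content type 0x16 (handshake) and major version 0x03.
    # Without the session keys the gateway cannot see the payload, so the
    # rules cannot be applied; report that instead of pretending it passed.
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return ("opaque", None)

    req = parse_http(payload)
    if req is None:                    # not HTTP/1.x; no rules for it here
        return ("allow", None)
    _method, raw_target, _headers, body = req

    # Decode once so "..%2f" and "../" hit the same rule. Double encoding
    # ("%252e") would still evade this single pass; a real filter normalises
    # more aggressively and in the same way the target device does.
    target = unquote(raw_target)
    body_text = body.decode("latin-1")

    for rule in rules:
        if rule.dst_port not in (0, dst_port):
            continue
        if not rule.path.search(target):
            continue
        if rule.body is not None and not rule.body.search(body_text):
            continue
        return ("block", rule.name)
    return ("allow", None)


if __name__ == "__main__":
    # Constructed sample traffic towards a fictional camera on the LAN.
    samples = [
        (80, b"GET /index.html HTTP/1.1\r\nHost: cam.lan\r\n\r\n"),
        (80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: cam.lan\r\n\r\n"),
        (80, b"GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.1\r\n\r\n"),
        (8080, b"GET /cgi-bin/ping.cgi?host=1.1.1.1;id HTTP/1.1\r\n\r\n"),
        (80, b"POST /cgi-bin/x.cgi HTTP/1.1\r\nContent-Length: 7\r\n\r\ncmd=a;b"),
        (443, b"\x16\x03\x01\x00\x05hello"),
    ]
    for port, pkt in samples:
        print(port, inspect(port, pkt), pkt[:40])
```

The point to take from the example is the division of labour: the rule set is the “patch”, the device is untouched, and the gateway decides per packet. In a deployment the rules would be pushed to the router agent as vulnerabilities become known, and the “opaque” verdict is where policy has to decide whether encrypted traffic to an unpatched device is allowed at all.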
Security labelling clearly raises consumer awareness and lifts the baseline of IoT security, but keeping devices secure for their whole lifetime calls for a gateway-based layer as well. Such a layer acts as a backstop to the industry and government initiatives, protecting both the IoT devices and the network that connects them.
In this ever-shifting IoT landscape the “Cyber Trust Mark” deserves the praise it has received, but it also leaves an open question: can a point-of-sale label hold up against a fragmented market of devices that are rarely updated after purchase? These regulatory measures are crucial steps forward, yet on their own they are not enough to address the many-sided challenge that the proliferation of IoT devices poses.