The White House has launched the U.S. Cyber Trust Mark, a new voluntary cybersecurity labeling program for internet-connected devices that aims to help consumers easily identify products that meet established cybersecurity standards.
Administered by the Federal Communications Commission, the Cyber Trust Mark will appear as a distinct shield logo label on certified devices (pictured), including smart thermostats, baby monitors, home security cameras, fitness trackers and other app-controlled appliances. To earn the label, products must comply with cybersecurity criteria set by the U.S. National Institute of Standards and Technology and undergo testing by accredited laboratories.
The program seeks to address concerns over the risks posed by internet of things devices, whose security is often overlooked. The idea is that by providing a clear and recognizable label, consumers will be able to make informed choices about the cybersecurity of the products they purchase.
“This will help consumers make informed decisions about the products they bring into their homes, will differentiate trustworthy products in the marketplace and create incentives for manufacturers to meet higher cybersecurity standards,” the FCC states on the new U.S. Cyber Trust Mark page.
Major industry players, including Amazon.com Inc., Best Buy Co. Inc., Google LLC, LG Electronics USA Inc., Logitech Inc. and Samsung Electronics Co Ltd., have expressed support for the initiative. The first Cyber Trust Mark labeled products are expected to be available later this year.
Though the labeling scheme is voluntary, it may not be much of a choice for manufacturers going forward if they want U.S. government business. Reuters reports that the White House is planning an executive order in the final days of the administration of President Joe Biden that will restrict the U.S. government to only buying Cyber Trust Mark products beginning in 2027.
The labeling sounds good in theory, but cybersecurity experts are not all entirely positive. Tim Erlin, security strategist at security research firm Wallarm Inc., told News via email that “there’s no doubt that the Cyber Trust Mark program represents meaningful forward progress in protecting consumers, but there’s also no doubt that it represents a low bar for cybersecurity.”
“The Cyber Trust Mark program ultimately requires that manufacturers follow NIST.IR.8425, which was finalized in 2022,” Erlin explained. He added that “it’s incredibly difficult to create technology requirements that will remain completely relevant for years to come” and that “the contributors did a reasonable job of future-proofing the requirements, but they are necessarily less specific because of that need. The devil will be in the implementation details.”
Andrew Obadiaru, chief information security officer at offensive security services company Cobalt Labs Inc., was more upbeat, saying that “the FCC’s launch of the US Cyber Trust Mark is a crucial step toward improving IoT security.”
“In our work testing IoT devices and embedded systems, we frequently uncover hardcoded credentials, exposed debug ports, and misconfigurations – vulnerabilities that give attackers easy access to networks,” Obadiaru wrote. “Once inside, adversaries can move laterally, disrupt operations, steal sensitive data, or launch ransomware attacks.”
Cobalt recommends that manufacturers make regular penetration testing and firmware reviews a priority to catch and fix these issues early. “Addressing vulnerabilities before products reach the market reduces the risk of exploitation, safeguarding both consumers and enterprises while strengthening overall trust in connected devices,” he said.
Image: FCC