Cyber Trust Mark to Distinguish Secure Smart Home Devices

 
 
 


Setting a standard for the security of devices connected to the Internet of Things.

By David Geer

Parents increasingly are reporting strange voices coming over hacked baby monitors. For instance, a mother in Crescent City, FL, recently told First Coast News that after buying and installing a baby monitor, she heard a voice saying, “kill, kill, kill, kill,” that was not coming from any person in the house; it was coming from the monitor.

A quick online search for ‘hacked baby monitors’ shows news, social media, and video reports from parents about voices coming over their baby monitors. Until now, consumers had no way to tell a secure monitor or other smart home device from an insecure one.

In January, the White House officially launched the U.S. Cyber Trust Mark program, also referred to as the IoT Labeling Program, as a mechanism for companies providing wireless smart home devices to test and certify the security of their products. The Federal Communications Commission (FCC) will manage the voluntary program. Companies that receive certification earn the right to put the new FCC IoT Label with the trademarked Cyber Trust Mark shield image and a QR code on their product packaging. The QR code will enable consumers to access a link with current information about the security of the product and its adherence to the standard. Consumers can expect to see certified products on the shelves later this year.

According to Grace Burkard, director of operations for ioXt, an alliance for standardizing security and privacy for Internet of Things (IoT) devices, the FCC appointed Cybersecurity Label Administrators (CLAs) and a Lead Administrator to certify products that comply with the program’s rules so manufacturers can use the FCC IoT Label. UL Solutions, a global independent test and certification company for electrical equipment, is the Lead Administrator. ioXt is one of the CLAs, which manage the ongoing program under FCC oversight.

According to the FCC Cyber Trust Mark page, accredited and FCC-recognized CyberLABs will test consumer IoT products for initial acceptance in the U.S. Cyber Trust Mark program. The Lead Administrator, Cybersecurity Label Administrators, and CyberLABs must achieve accreditation to international standard ISO/IEC 17025, a standard for calibration and testing laboratories that ensures the accuracy and reliability of the labs and their results.

Compliance monitoring and enforcement

The CLAs will identify or develop and recommend the post-market surveillance activities and procedures for the FCC IoT Labeling Program, which is producing the U.S. Cyber Trust Mark standard, according to the FCC’s Report and Order dated March 2024.

Post-market surveillance activities monitor the safety of products after they reach the marketplace. According to the FCC Small Entity Compliance Guide dated August 2024, these surveillance activities include testing samples of the products the CLA has previously certified to use the FCC IoT Label.

In extreme product non-compliance cases, the FCC has levied fines against manufacturers. According to an FCC news release from November 2024, the FCC proposed a $734,872 fine against China-based video doorbell maker Eken for violating FCC rules by providing false information.

Cybersecurity standards for the Cyber Trust Mark

According to Burkard, the IoT Labeling Program is in a 90-day stakeholder period/process where the Lead Administrator, UL Solutions, is gathering stakeholders and meeting with them to define technical and non-technical standards for products to achieve certification. “They will coalesce these recommendations and provide them to the FCC for approval at the end of the stakeholder period. The cybersecurity standards will be based on the NIST IR 8425 guidelines,” said Burkard.

NIST IR 8425 describes six IoT product cybersecurity capabilities as follows:

  • It must be possible for consumers to distinguish the product from others, and there must be an inventory of all its parts. This enables software updates, data protection, and digital forensics for experts to analyze data when responding to a cyber incident.

  • The product must be configurable, with settings consumers can set and change for greater security. For example, they should be able to set strong passwords on the devices.

  • The product and its parts must enforce data protection. For example, it should be able to delete or cut access to data from or about the customer if it is stored on the product. It has to protect data traveling between product components or outside the product.

  • The product must control access to interfaces to keep it safe from unauthorized access or tampering. Interfaces include physical device ports, such as USB ports, and network connections, such as the Internet.

  • The smart device must use software updates from trusted sources. It should receive, verify, and install updates safely. The product must update itself automatically or inform the consumer when an update is available.

  • The product should be aware of the state of its cybersecurity, monitoring its data and components. It must maintain a record of its behaviors. If something unusual happens, like someone trying to break in or the device acting strangely, it can detect and alert the consumer.

2025 Manufacturer Product Submission Timeline

According to Burkard, the CLAs must achieve accreditation with the ISO 17065 standard before manufacturers can submit products for U.S. Cyber Trust Mark certification. They can’t do that until the scope and technical and non-technical requirements of the Trust Mark program are finalized and approved by the FCC, Burkard said.

“These critical components will be determined during the stakeholder process, which has already experienced delays, with an undetermined extension request likely forthcoming,” said Burkard.

According to Burkard, the deadline for the stakeholder period to conclude is now May 4. “Following this, CLAs can initiate their scheme extension process, which typically takes 4-6 months to complete. Based on this timeline—and provided no additional delays are introduced by any organization or agency—certification availability is projected for a window between August and October,” explained Burkard. The scheme extension process refers to the steps CLAs must take to obtain ISO/IEC 17065 accreditation for the U.S. Cyber Trust Mark program.

A Source of Truth for Cyber Trust Mark Certified Products

According to Burkard, the location of a comprehensive list of all Cyber Trust Mark certified products for viewing by consumers will be discussed further during the stakeholder process. “Currently, each CLA will be responsible for their registry of certified products on their websites,” said Burkard.

According to Yuvraj Agarwal, a computer science researcher at Carnegie Mellon University, ideally, consumers scanning the QR code on the label should be linked to a central location, whether UL Solutions or the FCC, not a manufacturer’s website. Agarwal said it would be wonderful to have a search interface where consumers can find certified products and compare them.

Cost sharing

According to Burkard, the stakeholder process will determine how the costs of the labeling program will be shared among manufacturers and retailers. When anything costs money, those costs are passed down the line to some extent, said Burkard.

According to Agarwal, companies expressing interest in the U.S. Cyber Trust Mark include Best Buy, Samsung, and Google. These are examples of potential stakeholders.

Consumer trust

According to Burkard, “The FCC spearheads the program in collaboration with other federal agencies, adding credibility as it reflects governmental oversight and alignment with national cybersecurity policies. Unlike many existing cybersecurity certifications, which often focus on enterprise or specific industry needs, this program is tailored to consumer IoT devices.”

According to Alison King, vice president of Government Affairs at Forescout, a cybersecurity company, the Cyber Trust Mark program wants to address the existing cybersecurity ecosystem, which incentivizes products that are first to market rather than empowering consumers to make informed purchases based on independently verified standards backed by the FCC.

“The effectiveness of this approach is unclear, particularly if the cost of certification increases prices for more secure products,” said King.

David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.


About ioXt Alliance

The ioXt Alliance is the global standard for securing IoT devices, offering certification and cybersecurity guidelines that ensure the safety and reliability of connected products. With the mission to make IoT safer for consumers and businesses alike, the ioXt Alliance works with manufacturers, policymakers, and industry stakeholders to promote best practices in cybersecurity.

Contacts
Grace Burkard
Director of Operations
marketing@ioxt.com
https://www.ioxtalliance.org/

 