Since the founding of our company, SAM has welcomed efforts by government agencies and regulators worldwide to raise consumer awareness about cybersecurity in the IoT space. These efforts benefit both consumers and the network operators connecting them to the digital world. Consumers benefit by being better informed about an IoT product’s security attributes at the “point of sale” and operators benefit as this increased awareness amongst consumers will make it easier to develop and sell new network-based security services.
The latest development comes from the United States, where the White House has introduced the “Cyber Trust Mark” program. This program aims to certify IoT devices bearing the label, ensuring they meet essential security attributes safeguarding consumers’ networks and device data. While voluntary, this initiative, led by the Federal Communications Commission, is set to begin implementation in 2024. This is part of an initiative that includes a collaboration between the White House and the National Institute of Standards and Technology (NIST) to establish cybersecurity standards tailored to routers.
These moves will have a positive impact on the IoT ecosystem on a variety of levels. Yet, while product labels will increase consumer awareness and education, they cannot address the ongoing evolution and fragmentation of IoT devices. Thousands seemingly hit the market each year, making “constant” security unattainable. Even a seemingly secure device could falter over time without proper software updates, which in reality, the average consumer does not do.
This fact is part of a trend that has led to a situation where most home and small business devices and networks lack adequate protection. This vulnerability arises due to various reasons, including the widespread use of consumer electronics devices that have become connected IoT devices through home routers. While some vulnerabilities may only be an inconvenience for some users, other can open the door to malicious activities. One of the most pressing challenges in the realm of IoT is the sluggish discovery-to-patching process by firmware vendors, leaving users exposed indefinitely. This issue highlights a critical gap in home security, where the timely resolution of IoT vulnerabilities should be a requirement, not a “luxury.”
However, for consumer electronics in general, it takes time to create a fix, to test it in the field and then to distribute it. And for IoT devices, it’s a different matter altogether, as numerous devices have minimal security and no ongoing security patch program. Or the devices are no longer on the market at all. This condition creates a significant window of opportunity for hackers who are well aware of these vulnerabilities and often have ample time to exploit them before the vendors issue a remedy, leaving end users vulnerable to attacks. Even when the patch is ready for deployment, there is still the question of how it will be deployed onto the users’ devices. Some devices can be updated via the corresponding app on the smartphone. Others, however, need to be updated manually – a lengthy and quite complicated process for even those who are tech savvy.
Katherine Gronberg, Head of Government Services at NightDragon, who works frequently with NIST and the White House on matters relating to IoT security, has commented: “With the explosion of IoT devices available from a wide variety source, consumers have until now not had any help in deciding what to buy or even to be mindful of security. The Cyber Trust Mark will allow consumers to identify products that have been designed and manufactured according to secure development guidelines and that offer some basic security features, most of which will likely not require any actions by the device user. While this program doesn’t apply to IoT devices that are already in use today, it will create a more informed customer and may make other parties in the ecosystem such as retailers or ISPs more conscious of the problem and might motivate them to take action.”
One action that the industry has seen recently is a renewed focus on routers, as seen in a recent security advisory issued by the US NSA, in which one of its recommendations was for consumers to exchange ISP-issued routers for ones they would purchase themselves. And there is another router-focused technique that more and more ISPs are using to help their customers with IoT network security, namely the “hot patching” measure, which uses a router-based software agent to provide protection for the router itself and every device connected to it.
Hot patching is designed as a “one stop” protection program in which an ISP would download an agent to a router to provide constant real-time monitoring and alerts. Hot patching is based on what is known as “deep packet inspection,” or DPI, which is a well-known and long-standing technique wherein the payload of packets traversing a data network is inspected and analyzed. The result empowers consumers with comprehensive router and device security, eliminating vulnerability monitoring and patching complexities.
While security labeling undoubtedly enhances consumer awareness and overall IoT security, the quest for constant security calls for a gateway-based solution. Such a solution can act as the ultimate backstop to industry and government initiatives, securing IoT devices and the connecting network.
Therefore, we believe the “Cyber Trust Mark” program will certainly be a great benefit for the consumer or “end user” and the increased awareness about IoT security it will raise gives ISPs an excellent opportunity to play a more proactive role that will be welcomed by their customers and which will increase IoT network security in meaningful ways.