Regulatory Reflections: The U.S. Cyber Trust Mark Program

Date Published: June 25, 2024

Internet of Things (IoT) devices continue to underpin business operations of enterprises across the globe. Over 29 billion connected devices are expected to be online by 2027, but their vulnerability to cyberattacks can quickly overshadow any positive benefits they bring. As critical industries like healthcare and finance grow incredibly reliant on these devices, companies need to be able to trust these systems will remain secure against attacks.

Enter the Federal Communications Commission (FCC), which signed off on a voluntary labelling program for wireless IoT products in March 2024. Designed to support consumers when making purchasing decisions and put pressure on manufacturers to meet the highest cybersecurity standards, the program will go a long way to forming an effective defense against hackers and other malicious entities.

What does the program involve?

A number of rules and regulations have been set out as part of the program. This includes a ‘U.S. Cyber Trust Mark’ logo, which will appear on any wireless consumer IoT products that have met the program’s rigorous standards. Alongside the mark will be a QR code, which users can scan to discover more details about the security of the product, for example whether software patches are applied automatically or need to be installed manually.

This voluntary program is dependent on collaborations between public and private entities. The FCC has full oversight, with approved third-party label administrators managing activities like evaluating product applications, authorizing the use of the label and educating consumers. Any compliance testing required as part of the program will be handled only by accredited laboratories.

Protecting consumer devices

So what consumer products are we talking about here? Well, the FCC has already provided a list of eligible products for the program. Home security cameras, voice-activated shopping devices, internet-connected appliances, fitness trackers, garage door openers, and baby monitors have all been identified as IoT devices applicable for the U.S. Cyber Trust Mark.

This scheme comes at a pivotal time for device security. Let’s take home security cameras as an example: as of 2023, over 10 million Americans had installed a Ring doorbell in their homes. Yet despite being created specifically to protect their users, these cameras are continually undermined by hacking, errors and misuse. A 2023 complaint filed by the Federal Trade Commission (FTC) accused Ring of failing to implement key security protections, enabling hackers to take control of customer accounts, including live and recorded footage. Around 117,000 customers were affected, leading to a $5.6 million USD lawsuit.

There are numerous incidents of concern relating to products listed by the FCC, from the 60 million records exposed by an unsecured fitness tracking database, to people accessing cameras and microphones linked to baby monitors. By ensuring that these device types meet key security standards, the hope is that the number of attacks thwarted can be significantly increased.

The importance of strong cybersecurity

The program is not the only thing the FCC is currently working on to improve general cybersecurity: it is also seeking public opinion on the addition of potential disclosure requirements, for example whether the software or firmware of an IoT product is developed or deployed by a company located in a country presenting national security concerns. This also extends to whether customer data collected by the same product would then be transmitted to servers located in the offending country.

To best protect IoT devices, however, manufacturers should also look to leverage Roots of Trust (RoT) and enable the concept of trusted computing. For example, the Trusted Platform Module (TPM) is a secure crypto-processor which can ensure secure operations within a device once attached. A TPM helps to protect a user’s identity and data by storing the necessary keys for encryption, decryption and authentication. Once a device is booted up, the TPM will review its health and only allow it to operate if it’s in a trustworthy state. It also offers enhanced security through the signing and verifying of data.

Manufacturers can also use the Device Identifier Composition Engine (DICE) for enhanced security. Through DICE, a unique secret is held by the hardware; if an attack is executed against the device, the secret associated with the compromised layer can’t be used to breach further layers, limiting the potential damage. In the DICE architecture, the hardware retains a foundational secret known as the Unique Device Secret (UDS). This secret underpins a layered security approach, where each layer independently generates its own unique secret, derived from the UDS.

If an attack compromises one layer, then that secret cannot be utilized to compromise the subsequent layers, confining the scope of potential damage, and enhancing overall device security. Should any malicious code be detected, DICE will also facilitate a rapid re-keying process to preserve integrity.
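To make the layered derivation concrete, here is an added Python sketch of the UDS-to-CDI chain; it is illustrative code written for this page, not TCG's reference implementation or any real DICE firmware, and the UDS value, layer images and nonce are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder for the Unique Device Secret (UDS). On a real DICE
# device this is a per-part secret held in hardware and locked away once the
# first layer's secret has been derived; it is never a value like this one.
UDS = hashlib.sha256(b"constructed-example-uds").digest()


def measure(code: bytes) -> bytes:
    """Measurement of a layer's code image: a hash of the bytes about to run."""
    return hashlib.sha256(code).digest()


def derive_cdi(parent_secret: bytes, next_layer_code: bytes) -> bytes:
    """Compound Device Identifier (CDI) for the next layer.

    One-way: the output does not reveal parent_secret, and any change to
    next_layer_code yields an unrelated CDI, which is the re-keying the
    article describes when a layer's code is altered.
    """
    return hmac.new(parent_secret, measure(next_layer_code), hashlib.sha256).digest()


def boot_chain(uds: bytes, layers: list[bytes]) -> list[bytes]:
    """Simulate a DICE boot: each layer derives its successor's secret and hands
    over only that value, so layer n never holds the secrets of layers below it."""
    secrets: list[bytes] = []
    parent = uds  # only the DICE engine itself ever touches the UDS
    for code in layers:
        parent = derive_cdi(parent, code)
        secrets.append(parent)
    return secrets


def attest(cdi: bytes, nonce: bytes) -> bytes:
    """Proof of identity a layer can produce using nothing but its own CDI."""
    return hmac.new(cdi, nonce, hashlib.sha256).digest()


def verify(enrolled_cdi: bytes, nonce: bytes, proof: bytes) -> bool:
    """Verifier side: compare against the identity enrolled when the device
    last booted known-good code (a real verifier checks a certificate chain)."""
    return hmac.compare_digest(attest(enrolled_cdi, nonce), proof)


# Constructed firmware images for three boot layers.
GOOD_LAYERS = [b"L0 boot loader v1", b"L1 runtime v1", b"L2 application v1"]
```

Booting with a modified layer-1 image leaves the layer-0 secret unchanged but changes every secret from layer 1 onward, so the tampered device can no longer pass verification against its enrolled identity.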

In 2023, only 14% of consumers surveyed by Utimaco viewed smart devices as secure, despite the growing rate of adoption. A combination of TPM/DICE and the U.S. Cyber Trust Mark will give users greater assurance that the IoT devices so pivotal to their personal and professional lives are well protected against malicious behaviour.
