Consumers are accustomed to seeing a variety of labels and seals of approval on products during the shopping process, ranging from the Energy Star to sustainability standards. Next, shoppers should be aware that the federal government is developing a hacking-safe seal of approval for home gadgets and appliances.
Last July, the Biden administration and the Federal Communications Commission proposed the creation of the U.S. Cyber Trust Mark program, a voluntary cybersecurity product labeling initiative to assist consumers in selecting internet-connected devices that have been certified by manufacturers as safe from hackers, scammers, and other cyber criminals.
The final details have yet to be determined, but as proposed, the program will require participating manufacturers of smart, internet of things (IoT) devices, such as doorbell cameras, voice-activated speakers, baby monitors, TVs, kitchen appliances, thermostats, and fitness trackers, to adhere to a set of cybersecurity standards developed by the National Institute of Standards and Technology (NIST). This includes unique passwords, data security, software patches and updates, and incident detection capabilities.
Smartphones, personal computers, routers, and certain internet-connected medical devices, such as smart thermometers and CPAP machines, are currently excluded from the program because they are regulated by the Federal Drug Administration. Motor vehicles and the data stored in them are also excluded, as they are regulated by the National Highway Traffic Safety Administration and have raised data privacy concerns.
The program will be based on public-private collaboration, with the FTC providing oversight and enforcement and approved third-party label administrators managing activities such as product evaluation, label authorization, and consumer education. Compliance testing will be performed by accredited laboratories.
Products that meet the criteria will be packaged with a U.S. Cyber Trust Mark shield logo and a QR code that consumers can scan with a smartphone to obtain detailed, up-to-date security information about that specific device. “Just like the Energy Star logo helps consumers know what devices are energy efficient, the Cyber Trust Mark will help consumers make more informed purchasing decisions about device privacy and security,” Jessica Rosenworcel, chair of the Federal Communications Commission, said.
To date, Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech, and Samsung Electronics have all committed to the program, though none of them have used the symbol.
Labeling for the holiday season is a goal, but it seems unlikely.
The FCC voted in March to approve the program, which is set to launch later this year. During a cybersecurity panel discussion in May at Auburn University’s McCrary Institute in Washington, Nicholas Leiserson, the White House’s assistant national cyber director for cyber policy and programs, said, “You should hopefully, by the holiday season, start to see devices that have this [Cyber Trust Mark] on it.”
Despite the administration’s best intentions, consumers should not expect to see products with the symbol until early next year, at the latest. In response to an email inquiry about the launch timeline, an FCC spokesperson provided no specific dates.
“We are now in the process of standing up this comprehensive program as quickly as possible,” said a spokesperson. “It is currently going through the standard intergovernmental review process that is required for new rules of this nature. Once that process is completed, we will inform the public about the next steps.”
Meanwhile, manufacturers are waiting for definitive rules, according to David Grossman, vice president of policy and regulatory affairs at the Consumer Technology Association, which represents over 1,000 technology companies. “Once a manufacturer receives certification for the Trust Mark, they will need additional time to retool their packaging, as well as shipping updated products from the manufacturer to retailers,” he stated.
70 million US homes actively use smart devices.
While the program’s specifics are being worked out, it’s worth considering why consumers require the protection it will offer. According to Statista, nearly 70 million homes in the United States will be actively using smart devices by 2024, an increase of more than 10% from the previous year. By 2028, the number of homes is expected to reach 100 million. Furthermore, the average US household contains approximately 25 connected devices.
Many of these devices, as well as the Wi-Fi networks and routers that connect them, do not have adequate security features. A 2023 study by research firm Parks Associates discovered that nearly 75% of U.S. households with internet service were concerned about the security of their personal data, while 54% reported experiencing a data privacy or security issue in the previous 12 months, a 50% increase over five years.
Consumer Reports staffers attended a White House meeting where the Cyber Trust Mark program was announced. The organization then conducted an American Experiences Survey, which included questions about the program and the types of data-protection information consumers want before purchasing a smart device.
Approximately two-thirds of those polled (69%) said it is very important to know who the collected data is shared with or sold to, with 92% saying it is either very or somewhat important. Three out of four respondents said it is the responsibility of the device’s manufacturers to provide consumers with privacy and security information, while only 8% said the government is responsible.
“It is incredibly important to create a consumer-friendly standard for IoT devices because it is currently completely unregulated,” said Stacey Higginbotham, a cybersecurity expert and Consumer Reports writer. “Consumers really care about having this kind of information, so that’s why we need the program.”
Higginbotham cited the proposed program’s breadth as a reason for requiring more stringent cybersecurity standards, not only for devices themselves, but also for the internet services that connect them and cloud networks where personal data is stored. She was also pleased that it includes a guaranteed support timeframe, which specifies how many years a product manufacturer will continue to provide software security updates and patches.
Voluntary programs are business realities.
One criticism is that the program is optional for manufacturers. “I would love to see this as a mandatory program,” Higginbotham said, “but the reality in the U.S. is that it will have to be a voluntary program,” she added, referring to the business community’s frequent opposition to government-mandated regulations.
“If you want to participate, you’ll need to meet the FCC’s requirements.” Grossman stated that device manufacturers do not want the agency to dictate the size or location of the Cyber Trust Mark on packaging. “You want something that’s easily recognizable to consumers, but you also want to ensure manufacturers have flexibility.”
According to Grossman, if the final proposal is overly prescriptive, companies may be hesitant to make the commitment. “If the requirements are too burdensome, I don’t think that companies are going to be as eager to step up to the plate and participate,” he stated.
Barry Mainz, CEO of Forescout Technologies, a cybersecurity provider, praises the Cyber Trust Mark. “It’s a good step in the right direction to making it a little bit more complicated to get into these devices,” he stated. Nonetheless, he is concerned about the millions of IoT devices in people’s homes today that are vulnerable to cyberattacks and cannot be retroactively labeled. “What responsibility do the companies creating these devices have?” he asked. Some of the most popular products, such as smart TVs and door locks, could be voluntarily upgraded by their manufacturers to prevent hacking as a goodwill gesture, according to Mainz, “so that people who couldn’t afford to go out and buy new things could ensure that they were safe.”
Steps to take now to protect your home’s internet
Consumers can strengthen their cybersecurity right now, before the Cyber Trust Mark program goes into effect. Perhaps the most important components to consider are routers, which wirelessly connect devices. They come with a default password that a hacker could change to spy on you or gain access to files on a network-attached hard drive. Create a strong and unique password for the router and all connected devices, and use two-factor authentication if available. Set up a separate password for any guest networks on your router.
Also, make sure the router’s software is up to date, usually by using the automatic update feature, though you can check the manufacturer’s website for patches that can be downloaded and installed.
Of course, you could go the Luddite route and avoid all of the IoT technology and devices. However, for the millions of consumers who embrace the smart home, the Cyber Trust Mark — once implemented — should provide an increased measure of cybersecurity and keep them one step ahead of, or at least in the race with, the bad guys.