How many “smart” devices are in your home? And how many are vulnerable to hackers?
Those are not questions many consumers ask themselves but should. Thermostats, garage door openers – anything that can be controlled using your smartphone – are connected to the internet.
The Federal Communications Commission (FCC) is creating a voluntary cybersecurity labeling program for Internet of Things (IoT) devices and other consumer-facing products that rely on an internet connection. The idea is to make consumers more aware that these devices are connected to the internet and, just like PCs and tablets, need protection.
Dominic Chorafaklis, a principal at cybersecurity firm Akouto, says the FCC’s move is a step in the right direction but that a lot more needs to be done.
How concerned are manufacturers about security?
“The companies that make consumer IoT devices tend to be more concerned about keeping their products cheap and simple than about making them secure, which does come at a cost,” he told ConsumerAffairs. “Even when security features are built in, they often rely on consumers taking steps to enable them and configure them correctly.”
And many times, consumers don’t. They often keep the default login, which tends to be very simple and very hackable.
Tim Mackey, head of Software Supply Chain Risk Strategy at Synopsys Software Integrity Group, says the U.S. is just catching up with the rest of the developed world by taking this step.
“From a consumer perspective, this new program is completely voluntary,” Mackey said. “That means that we won’t suddenly see an influx of certified devices on store shelves or from online retailers. Instead, consumers should expect to see manufacturers who take cybersecurity seriously aggressively pursuing certification.”
Some will and some won’t. Mackey says consumers should look for the certification label and QR code when shopping for smart devices because their security will be the most robust.
The weakest link
Maria-Kristina Hayden is CEO and founder of OUTFOXM, a cyber hygiene and resiliency company. She comes from a background in U.S. intelligence, where cybersecurity is a top priority. She points out that one weak IoT device in a home can grant an attacker access to all other devices on that home network.
“Consumers must be provided with easy-to-understand instructions about choosing secure IoT devices and how to configure settings,” she told us. “This is where the FCC's proposal should really help.”
The FCC says the smart products covered by its new rule and that meet certain requirements will be able to use the label on packaging and advertising, similar to the ENERGY STAR label that shows that a product is energy efficient. Outside, accredited research labs will perform the testing.