It’s an old joke in the cybersecurity community: the internet of things is not secure–at all. But the U.S. government is making moves to improve consumer awareness around the vulnerabilities of internet-connected home technology. Despite years of warnings in news articles and CISA press releases, the general public remains woefully undereducated about the threat of having so many connected devices in their homes.
A new labeling system similar to the Energy Star program will soon make its debut on refrigerators, baby monitors, fitness trackers, and more. Its goal is twofold. First is to help consumers make more informed choices about the devices they bring into their homes. Second is to encourage device manufacturers to improve their practices and earn the mark of trust.
The Internet of Things is Particularly Vulnerable to Hacking
Security experts understand that attack surface expansion heightens the likelihood that a system will be successfully compromised by malicious actors. The basic role of most security professionals is to minimize attack surface by identifying and removing unnecessarily exposed systems, and to monitor for and patch vulnerabilities in the systems an organization needs in order to function.
The internet of things (IoT) refers to all the devices, large and small, that have the capacity to connect to the web and/or one another. In the past decade, internet-connected thermostats, washing machines, baby monitors, cars, lightbulbs, and so much more have appeared on the consumer market and been readily welcomed into many homes.
In 2023, the average American had 21 connected devices in their home. Yet most consumers have not given much thought at all to this vast increase in their attack surface. Unfortunately, all it takes is one insecure device to provide access to an entire home network.
The top IoT device vulnerabilities include:
- weak or limited password options
- insecure networks (see Owlet baby monitors)
- insecure update mechanisms (see the famous hack of a Jeep Cherokee’s firmware)
- insecure default settings (like open ports)
- improper device management by the end user, and much more.
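The "insecure update mechanisms" item above is the one a device maker can most clearly fix in code. The following Go program is an added example, not code from the original post or from any vendor named here: it contrasts an update routine that installs whatever blob arrives with one that checks a vendor Ed25519 signature over a manifest, the image hash in that manifest, and a version number to refuse rollback to an older (possibly vulnerable) release. The manifest layout, the Device type and the firmware strings are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The layout is constructed for this
// example; real vendors define their own formats.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
}

// encode serializes the manifest so the vendor signs and the device verifies
// exactly the same bytes.
func (m Manifest) encode() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// Update bundles an image with its manifest and the vendor's signature.
type Update struct {
	Manifest  Manifest
	Image     []byte
	Signature []byte
}

// Device models the state an IoT device keeps for updates: the vendor public
// key provisioned at manufacture and the currently installed version.
type Device struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("image hash does not match manifest")
	ErrRollback     = errors.New("update version not newer than installed")
)

// InsecureApply is the pattern behind "insecure update mechanisms": it trusts
// any blob that arrives and installs it without checking who produced it.
func InsecureApply(d *Device, u Update) error {
	d.InstalledVersion = u.Manifest.Version
	return nil
}

// SecureApply verifies the signature, the image hash and the version before
// touching device state, so a tampered, forged or replayed image is rejected.
func SecureApply(d *Device, u Update) error {
	if !ed25519.Verify(d.VendorPub, u.Manifest.encode(), u.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(u.Image) != u.Manifest.ImageHash {
		return ErrHashMismatch
	}
	if u.Manifest.Version <= d.InstalledVersion {
		return ErrRollback
	}
	d.InstalledVersion = u.Manifest.Version
	return nil
}

// BuildUpdate is the vendor side: hash the image, then sign the manifest.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return Update{Manifest: m, Image: image, Signature: ed25519.Sign(priv, m.encode())}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorPub: pub, InstalledVersion: 2}

	good := BuildUpdate(priv, 3, []byte("constructed firmware v3"))
	fmt.Println("genuine v3:", SecureApply(dev, good))

	tampered := good // same signed manifest, modified image bytes
	tampered.Image = []byte("constructed firmware v3 with modified code")
	fmt.Println("tampered image:", SecureApply(dev, tampered))

	old := BuildUpdate(priv, 1, []byte("constructed firmware v1"))
	fmt.Println("rollback to v1:", SecureApply(dev, old))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := BuildUpdate(otherPriv, 4, []byte("image signed with the wrong key"))
	fmt.Println("wrong key:", SecureApply(dev, forged))
}
```

The order of the checks matters: the signature is verified first so that nothing in an unauthenticated manifest (including the version field) influences a decision, and device state changes only after every check passes. A real device would additionally keep the vendor key in read-only or hardware-backed storage, since the whole scheme rests on that key not being replaceable by whoever can write to flash.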
A New Government Program
The U.S. Cyber Trust Mark Initiative is a voluntary program administered by the Federal Communications Commission. Manufacturers of wireless IoT products such as internet-connected home security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers, and baby monitors may seek the distinction. At this time, medical devices, cars (which are regulated by NHTSA), wired devices, and personal computers are not included. Of particular note is the fact that routers do not fall under the FCC’s purview. NIST is still working to define security requirements for consumer-grade routers.
Accredited third-party administrators will support the effort by recommending cybersecurity standards, testing procedures, and label design. They will also develop a consumer education campaign, screen applications for the label, and test the products that apply for the distinction.
Consumer Education
Once products are accepted into the program, they will carry both the Cyber Trust Mark label and a QR code. Scanning the code will link consumers to easy-to-understand security information about the product.
The information will include:
- How to change the default device password.
- How to configure the device securely.
- How updates/patches may be accessed (and whether or not they are automatic).
- The product’s minimum support period end date or a clear statement that the device is not supported by the manufacturer.
Bending the Curve on Manufacturer Practices
For many manufacturers, adding a “connectedness feature” to their devices is little more than a gimmick to increase sales. And while they might be a great toaster manufacturer, they don’t know much about more complicated electronics or cybersecurity. In order to wedge that internet connection into their device, they hire out the programming and often release the barest of minimum viable products.
Other concerns like interoperability and ease of customer support compel manufacturers to leave devices more vulnerable than many experts would prefer. Consumers want their IoT devices to play nice with their Amazon Alexa or Google Home, so systems are left more open than they should be to encourage the perception of ease among end users.
For customer support, an open system is an easy system, allowing support tickets to close more quickly and with more customer satisfaction. Consider the consumer who can’t remember the device password and calls in for help: easy! The password is the same for every unit, or it’s printed on the device itself.
One great hope of the Cyber Trust Mark Initiative is that device manufacturers will improve their own practices to earn the label. A mark of trust means increased sales and, likely, the chance to increase their price point, funding improved manufacturing standards and future patches.
An Industry Short on Trust
The 2025 Consumer Electronics Show recently wrapped up in Las Vegas. As always, the event showcased plenty of gadgets that are hoping to be the next big thing that consumers can’t live without. This year’s show saw a heavy emphasis on AI integration into household products and a low emphasis on both protecting consumer privacy and producing energy-efficient, repairable tech. Once the Cyber Trust Mark Initiative is up and running, it will be interesting to see if AI-powered baby cribs and washing machines with the ability to make phone calls can merit the label.
Want to work with us? Reach out to Asylas at 615-622-4591 or email info@asylas.com. Or complete our contact form.