Roughly 41 percent of U.S. homes have one or more connected devices, whether it’s a video doorbell or a smart thermostat. It’s clear that Americans like the convenience and even savings that can come from buying so-called smart devices, but without a way to determine if these products are designed securely, consumers have no way of knowing if their new connected lights or cameras leave them less secure.
But a planned U.S. cyber label recently approved by the Federal Communications Commission (FCC) might help reduce the uncertainty consumers have around the security of their connected devices.
Last month, Consumer Reports, where I am a cybersecurity fellow, shared how video doorbells from a Chinese manufacturer called Eken, which also manufactured products sold by third-party companies under other brand names, were insecure and even illegal to sell in the United States because they were not properly labeled with an FCC ID. (Eken has since stated that they are taking steps to resolve this issue.) Yet these products were purchased thousands of times in January from Amazon, Walmart.com, Temu and other online retailers.
Usually, when consumers purchase products online, they look to reviews to figure out the quality of a potential purchase. But when it comes to cybersecurity, a previous customer's review can't help. Most consumers don't have the expertise to individually assess each product they buy to ensure that it is safe and secure. It's rare that consumers even know what cybersecurity best practices are.
At Consumer Reports, we believe that the retailers have a job to do in this case. They can assess products sold on their platforms for egregious cybersecurity practices, or, thanks to a new program coming out from the FCC, they might be able to just look for a label.
As part of the FCC’s voluntary U.S. cyber labeling program, manufacturers will be able to place a U.S. Cyber Trust Mark on their connected products. To get this mark, manufacturers would have to undergo some type of third-party testing that assesses the security features their products have.
So far, the FCC has said that manufacturers will have to include security features such as how to change the default password, a link to share more information on how to set up the product securely for those with default passwords, information on where to find software updates and how those updates are handled, the minimum support timeframe that the device can expect to receive security updates, and whether or not the manufacturer has a software bill of materials and hardware bill of materials available. The FCC does expect that this list will get additions over time.
This is by no means an exhaustive list of all of the factors that make a connected device more secure, but it is a start. In the case of our video doorbell investigation, we would love to see features such as requiring device traffic to be encrypted and user data secured when it is stored in the cloud, both of which were not done by Eken.
The U.S. Cyber Trust Mark program might still include those requirements, and we certainly hope that it will. However, today U.S. consumers are buying connected devices without any sort of indication of whether or not the product has been designed with security in mind. It's up to retailers to assess the quality of device security today, and stock products that are safe for users, but even they have trouble figuring out whether or not something is and will remain secure over time.
The Cyber Trust Mark will not solve the problem of cheap, insecure video doorbells, but it could give both consumers and retailers a better way to assess the quality of connected goods that they buy online. Consumer Reports urges the FCC to begin implementing the cyber label program as quickly as possible.
We also call on retailers to use the label to decide which products to stock, avoiding those that don’t volunteer to meet the standards set by the program. A robust trust mark, and the commitment by online platforms to restrict the goods on their platforms to those that have garnered the label, would have prevented thousands of consumers from bringing home a video doorbell made by a company that didn’t even adhere to basic cybersecurity standards.
And finally, this label will make products whose manufacturers have invested in security visible to consumers, so when you’re out shopping for connected devices in the future, look for the label.
The label is a great step in raising the bar for cybersecurity. Let’s hope it ushers in an era where manufacturers implement the mark, and retailers and consumers use it to decide which products are worth their digital shelf space and their money.
Stacey Higginbotham is a policy fellow at Consumer Reports.
A smart device seal of trust brings consumer choice to the 21st century
7
8
21.03.2024
Roughly 41 percent of U.S. homes have one or more connected devices, whether it’s a video doorbell or a smart thermostat. It’s clear that Americans like the convenience and even savings that can come from buying so-called smart devices, but without a way to determine if these products are designed securely, consumers have no way of knowing if their new connected lights or cameras leave them less secure.
But a planned U.S. cyber label recently approved by the Federal Communications Commission (FCC) might help reduce the uncertainty consumers have around the security of their connected devices.
Last month, Consumer Reports, where I am a cybersecurity fellow, shared how video doorbells from a Chinese manufacturer called Eken, which also manufactured products sold by third-party companies under other brand names, were insecure and even illegal to sell in the United States because they were not properly labeled with an FCC ID. (Eken has since stated that they are taking steps to resolve this issue.) Yet these products were purchased thousands of times in January from Amazon, Walmart.com, Temu and other online retailers.
Usually, when consumers purchase........
© The Hill
visit website
login
who are we?
contact us
qosheapp
Toi Staff
Gideon Levy
Belen Fernandez
Rami G Khouri
Mort Laitner
Donald Low
Ali Fathollah-Nejad
Nikkei Editorial
