New IoT Security Initiative Raises Questions

image provided by pixabay

This post is also available in: עברית (Hebrew)

The Federal Communications Commission (FCC) has proposed a cybersecurity labeling program to better protect users of smart devices, with the new initiative covering any internet-connected appliances, also known as the Internet of Things (IoT).

“Smart devices or products bearing the commission’s proposed IoT cybersecurity label would be recognized as adhering to certain cybersecurity practices for their devices,” the FCC promised in a press release, adding that it hopes the program will be similar to the Energy Star program (which helps consumers to identify energy-efficient appliances) and promote more cybersecure smart devices.

The enormously growing numbers of smart products already connected to networks bring enormous security challenges. According to Cybernews, IoT devices are susceptible to a wide range of vulnerabilities, such as default passwords, a lack of regular security updates, weak encryption, and insecure authentication. Furthermore, since IoT devices are often installed in public spaces or remote locations, their physical security may also be compromised, vulnerable to theft, tampering, vandalism, or unauthorized access.

FCC Chairwoman Jessica Rosenworcel argues that while beneficial, increased interconnection also brings increased security risk, saying: “After all, every device connected to the internet is a point of entry for the kind of cyberattacks that can take our personal data and compromise our safety.”

The new proposed label will supposedly assure users that the manufacturers adhere to widely accepted cybersecurity standards.

However, there was a proposed requirement that manufacturers disclose the length of time they’ll provide security updates for their devices and whether they’ll fix known security vulnerabilities, which raises issues. FCC Commissioner Nathan Simington states “It’s too early to declare victory. Many manufacturers oppose making any commitments about security updates, even voluntary ones.”

According to Cybernews, the main issues with the initiative are lack of enforcement, consumer confusion due to a lack of understanding, security labels being overly complex and technical, and users falling victim to a false sense of security. Another possible risk is increased manufacturing costs are also a risk, which might make devices more expensive.

Many agree that the FCC’s proposal is a step in the right direction, but some are still hoping for further and mandatory security requirements.