A consortium of technology vendors, backed by Google, is advocating for greater transparency in consumer Internet of Things (IoT) security. They emphasize the need to give consumers real-time, clear, and actionable information about IoT devices both before and after purchase.
With the number of IoT devices rising to an estimated 25 billion by 2030, these transparency measures aim to help consumers make informed decisions while also addressing post-purchase security actions. Attackers frequently target IoT devices because of weaknesses such as default passwords and inadequate protections.
The proposed “Principles for Consumer IoT Security Transparency” include five key measures: using “live” labels on IoT devices that point consumers and manufacturers to real-time information; referencing trusted security evaluation programs; adhering to specified security baselines while allowing flexibility for vendors; emphasizing broad-based transparency so that features can be compared; and creating incentives for the adoption of security labeling.
The focus on “live” labels accommodates the evolving threat landscape, where a device that’s secure at purchase may become insecure over time. The proposal also encourages the involvement of independent security researchers and the establishment of bug bounty programs.
Furthermore, the consortium’s proposals align with national initiatives in the United Kingdom and the United States. The UK’s Product Security and Telecommunications Infrastructure Act, effective in 2024, mandates that IoT device manufacturers meet minimum security requirements. The US Federal Communications Commission has proposed a Cyber Trust Mark program to highlight products adhering to higher security standards. These combined efforts aim to provide consumers with tools to select secure IoT devices and encourage manufacturers to meet elevated security standards in an ever-evolving threat landscape.