
IoT security: How much will the US Cyber Trust Mark help?

Paul Ducklin
01/15/2025

Things that scare us

Computing equipment is not only many thousands of times faster than it was 50 years ago, but also has millions of times more storage crammed into less than one millionth of the space, at a tiny fraction of the cost.

As a result, consumer devices including video cameras, baby monitors, home thermostats, doorbells, voice assistants and even wirelessly programmable color-changing light bulbs have become cheap, internet-connectable computers in their own right.

These devices are collectively known by the innocent-sounding buzzphrase Internet of Things, or IoT for short, even though they may be capable of gathering and uploading intimate personal data automatically and autonomously.

Indeed, some of them could just as reasonably be referred to as IoS products, short for Internet of Surveillance.

Ironically, perhaps, IoT devices surged in popularity in the cost-conscious consumer marketplace at about the same time that computer security became a globally serious issue for the makers of mainstream operating systems and browsers.

Cybersecurity becomes important

Cybercrime in the form of malware that deliberately damaged data and disrupted online business was already a huge problem in the 1990s and the early 2000s, thanks to computer viruses such as Melissa and the notorious Love Bug spreading globally by email, and to computer worms such as Code Red and SQL Slammer replicating invisibly across the internet from computer to computer.

Back then, many operating systems, notably including Microsoft Windows, had few of the programmatic defences against remote exploitation that are considered essential today, such as:

  • Data Execution Prevention (DEP). Windows made no effort to differentiate between executable code (software) and program data, even where the hardware could have enforced the distinction. As a result, many memory mismanagement bugs, such as a tiny buffer overflow in a block of data, could be exploited for remote code execution: by sending more bytes than a program had allocated space for, attackers could overwrite the program’s own control data and smuggle in machine code disguised as innocent input, which the processor would then happily run.
  • Buffer overflow detection. Early compiler tools for building Windows software in languages such as C and C++ tended not to add automatic checks for memory mismanagement, such as stack canaries that catch an overflow before the corrupted data is used, because those checks insert additional program instructions that make software slightly bigger and slower. Size and speed were favored over safety and security.
  • Memory-safe programming. The popularity of languages such as C and C++, where programmers are largely responsible for acquiring and using system memory themselves, increased the chance of programs misusing memory and introducing exploitable bugs. Memory mismanagement still causes a huge number of bugs, but modern programmers are more likely to use tools and languages that enforce better control over memory usage, albeit at the cost of slower execution and larger size.
  • Address space layout randomization (ASLR). Until comparatively recently, Windows programs always loaded up and allocated memory at the same location every time, following a predictable pattern. In theory, this makes program testing more reliable, because the run-time behavior of the code is similar every time; in practice, it makes memory bugs much easier to predict and exploit. Cybercriminals could figure out an attack on their own computer, and be almost certain that it would work on everyone else’s computer, too.
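As an added illustration of the first two bullets above (example code written for this page, not taken from the original article or from any real product), here is the kind of unbounded copy that made 1990s-era C programs exploitable, beside a bounded version that refuses oversized input instead of spilling it over the end of the buffer. The function and buffer names are made up for the example, and the inputs in main() are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* room for 15 characters plus the terminating NUL */

/* Length of s, but never looking further than max bytes.
 * (A portable stand-in for POSIX strnlen().) */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') {
        n++;
    }
    return n;
}

/* VULNERABLE, 1990s style. strcpy() keeps copying until it meets a NUL
 * byte, however long the input is. Bytes 16 onwards spill past the end
 * of `name` into whatever the compiler placed next to it on the stack,
 * typically saved registers and the function's return address. Overwrite
 * the return address with the address of the input itself and, without
 * DEP, the processor returns into attacker-supplied bytes and runs them
 * as code; without ASLR, that address is the same on every victim's
 * machine. Never call this with untrusted input. */
void greet_unsafe(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);          /* no length check at all */
    printf("Hello, %s\n", name);
}

/* Hardened copy: refuses input that will not fit, rather than silently
 * truncating it, and always leaves dst NUL-terminated on success.
 * Returns true if the copy happened, false if the input was rejected. */
bool copy_name_safe(char *dst, size_t dstlen, const char *input)
{
    size_t n = bounded_len(input, dstlen);   /* reads at most dstlen bytes */
    if (n >= dstlen) {
        return false;             /* n characters + NUL would need n+1 bytes */
    }
    memcpy(dst, input, n + 1);    /* copies the terminating NUL too */
    return true;
}

/* Same greeting, but the overflow is now impossible by construction. */
bool greet_safe(const char *input)
{
    char name[NAME_MAX];
    if (!copy_name_safe(name, sizeof name, input)) {
        return false;
    }
    printf("Hello, %s\n", name);
    return true;
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one that does not. */
    const char *short_name = "Alice";
    const char *long_name  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    greet_unsafe(short_name);     /* fine only because the input is short */
    printf("safe(short) -> %s\n", greet_safe(short_name) ? "accepted" : "rejected");
    printf("safe(long)  -> %s\n", greet_safe(long_name)  ? "accepted" : "rejected");
    /* Modern toolchains add the "buffer overflow detection" the article
     * mentions on top of code like this: gcc -fstack-protector-strong
     * inserts a stack canary, and -O2 -D_FORTIFY_SOURCE=2 turns the strcpy()
     * above into a checked variant that aborts instead of overflowing. */
    return 0;
}
```

The hardened version deliberately rejects rather than truncates, because silently cutting an identifier short is itself a well-known source of bugs (two different inputs collapsing to the same stored value); the caller gets a clear yes/no and decides what to do.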

From about 2001 onwards, cybercriminals and their malicious code moved away from cyber-vandalism and digital boasting, and deliberately began to find ways to make money illegally.

Malware writers started to focus on software-based cybercrime tools such as banking Trojans that aimed to steal money from online bank accounts, and keyloggers that recorded passwords as they were typed in.

Email spammers learned to craft phishing emails that actively suckered people into money-making scams, and lured them onto bogus websites complete with fake login forms.

Cybercriminals went out of their way to turn software vulnerabilities into exploitable security holes that would make their malware and phishing attacks easier to launch, and harder to stop.

Security by design

From the mid-2000s onwards, DEP, ASLR and other proactive cybersecurity measures made their way into all mainstream operating systems, and were steadily, if slowly, adopted and enabled by default, rather than offered as optional security add-ons.

Programming teams committed themselves to “secure by design” and to a “security development lifecycle,” with the aim of hardening everything from the operating systems themselves, through the browsers we used, to the websites we visited.

Mobile phones from Apple and Google followed suit during the 2010s, building in additional layers of security even more restrictive than we’d typically tolerate on our laptops, such as sandboxing every app (on Android, by running each one under its own user ID) in order to limit the amount of damage or snooping that a malicious app could do.

Despite all these changes, however, exploitable vulnerabilities and malware infections remain a clear and present danger.

We’re reminded of this every time major vendors push out security patches, which happens at least once a month for Microsoft (on the second Tuesday of every calendar month, dubbed Patch Tuesday); every four weeks, also on a Tuesday, for Mozilla’s Firefox; and at the start of each month for Google Android.

Apple doesn’t follow a pre-determined schedule like the others, but typically delivers major security fixes for its phones and laptops every four to eight weeks.

But even with all the proactive protections mentioned above, bugs known as zero-days, which are security holes that cybercriminals figure out and actively exploit before any patches are available, still make the news numerous times a year, showing up in popular operating systems, browsers, apps and online services.

What could go wrong?

Simply put, we’re still troubled by critical cybersecurity bugs even though the world’s biggest, richest, and most experienced software vendors now invest huge amounts of time and effort to avoid the sort of easily-exploited security mistakes that were common in the 1990s.

So, stop for a moment and ask yourself, “In the budget-conscious world of IoT devices, where vendors compete to sell complete, miniature computers such as webcams, weather stations, or digital doorbells for a few tens of dollars at full retail price, just how much of their design and development budget gets spent on security?”

Equally importantly, how much of the revenue taken in by the vendors of super-cheap IoT devices is spent on fixing and patching any bugs that are discovered in their products after they’re released?

Even worse, if unpatched and potentially dangerous IoT bugs do get reported, how can you be sure whether those bugs affect any devices you own?

Hundreds of apparently independent “vendors” often end up selling identical devices, based on identical hardware and supplied with identical built-in software, complete with identical bugs.

Yet the product names, branding, packaging, and appearance may seem completely different at first glance.

As a result of this cut-throat, low-margin marketplace, the theory and practice of cybersecurity at the bottom end of the IoT market has lagged many years behind the still-not-yet-perfect world of higher-value products such as high-end mobile phones, laptops, and so on.

Indeed, there’s a widely-repeated and cynical joke in cybersecurity circles that says, “The S in IoT stands for security.”

In the automotive industry, identical core vehicles sold under different brands are usually known as badge engineered, given that it’s mostly the badges glued onto the bodywork that vary between the models. In the pile-them-high-and-sell-them-cheap world of IoT products, this is often referred to as whiteboxing. Each “brand” gets to choose not only its own product name, logo, color and packaging, but also to vary the entire look-and-feel of the product by using visually different external plastic mouldings to make the device look different from the sea of otherwise identical products in the market.

A sometimes bitter pill

Cheap IoT devices often end up:

  • Running undisclosed operating system and software versions that were deliberately shipped with any number of long-known security holes, just to get to market more quickly and cheaply.
  • Supplied by a vendor who rarely or never provides firmware updates, or who simply closes down and opens up under a new company name with a different-looking “whiteboxed” product in order to sidestep any bug reports.
  • Unpatchable even by well-informed users who have the knowledge to repair them or to remediate their bugs, because the manufacturer shaved a few cents off the production cost by making the device un-upgradable.
  • Dependent on being given access to the internet in order to interact with a cloud-based service of unknown quality under poorly-disclosed terms and conditions.
  • Configured with your home wireless password to ensure they can get online and “call home” to upload unknown chunks of data on an unspecified schedule.
  • Requiring you to install and use a companion app of unknown quality on your laptop or your phone in order to control and configure the device.

The irony and the dangers are glaringly obvious when a low-cost, low-security device, shipped full of bugs that can never be patched or updated, nevertheless requires direct access to your home network and the internet before it will function at all.

Will the Trust Mark help?

Finally, after many years of dancing around the problems of allowing cheap IoT devices to flood the market, often with little or no regard for security, the US government has announced the official launch of a voluntary labeling program dubbed the US Cyber Trust Mark for what it refers to as consumer connected devices.

Vendors whose devices pass a series of basic tests, overseen by a third-party cybersecurity label administrator (CLA), with UL Solutions (formerly Underwriters Laboratories) named to lead the scheme, will be entitled to tag their products with the Cyber Trust Mark logo.

Products carrying the logo will also be required to display a QR code on the packaging that links to online documentation describing the steps users must follow to set the device up as securely as possible.

The goal, according to the US Federal Communications Commission (FCC), is to balance the popularity and convenience of connected devices with the online safety and cybersecurity that users should reasonably expect:

Consumers rely increasingly on the convenience of wireless interconnected smart products, also known as the Internet of Things or IoT. You can link your garage door opener, your front door lock, your house alarm, and your lights so everything opens, unlocks, and turns on when you get home. Once inside, you can keep an eye on your baby from the living room, where you can shop using a voice-activated device — to name just a few examples. But with this convenience comes risk. IoT products can be susceptible to a range of security vulnerabilities.

To help address this, the FCC is creating a voluntary cybersecurity labeling program for wireless consumer IoT products. The program builds on significant public and private sector work on IoT cybersecurity. And it will rely on public-private collaboration going forward.

What to do?

Although announced with some fanfare in January 2025, the Cyber Trust Mark system is still a long way short of where we really need to be, not least because:

  • The minimum set of tests that vendors will need to pass still hasn’t been decided, let alone described.
  • The suggested minimum standards don’t yet get into what we referred to above as “security by design,” where compliant IoT devices are delivered so that they are difficult to deploy insecurely. Instead, vendors will be required to provide online advice that explains how to secure their devices as soon as possible after they’re installed.

Unfortunately, it seems that vendors will still be able to ship products that don’t take security into account at all, although they will at least be compelled to own up to their casual attitude to cybersecurity before you buy their devices.

Notably, Cyber Trust Mark products will apparently need to admit up front:

  • If the device is insecure by default and will therefore need reconfiguring immediately after it’s installed.
  • If security updates will be provided at all, and if so for how long they will be available and how they can be obtained.

In conclusion, the Trust Mark is a welcome start (or it will be when it finally reaches products in the US market), but it’s unlikely to be enough on its own to force the consumer end of the IoT market into taking cybersecurity as seriously as it should.

As consumers, the real power lies with us: If in doubt, don’t roll it out!

Don’t rely on online reviews or social media writeups to judge the security of an IoT product.

Find a technical friend whom you know, and like, and trust, and invite their opinion instead.

And don’t be afraid to listen to them if they advise you against using a product that you already paid for – permanently removing an insecure device from your network is a valid and effective cybersecurity precaution, even if it condemns that $19.99 baby monitor to a disconnected life on the shelf!




More About Duck


Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!

Featured image of circuitry by Gavin Allanwood via Unsplash.
