
IoT Security Assessment: Compliance Testing for Cyber Trust Mark and Beyond

Application Note

Internet of Things, or Internet of Threats?

 

In today’s world, Internet of Things (IoT) devices are everywhere. From widespread personal use to automotive, medical, and industrial deployments, connected devices are now a ubiquitous fixture of modern life. These devices protect households, operate critical infrastructure, administer medication, provide home automation, and transport us safely across cities.

 

Unfortunately, technological advancement in IoT applications has outpaced the techniques manufacturers use to secure devices, users, and critical data. Unlike traditional computing tools, connected devices have several traits that make it difficult to secure them against cyberattacks.

 

• Multiple communication interfaces, including Bluetooth®, Bluetooth® Low Energy (BLE), cellular, and Wi-Fi, expand a device’s attack surface.

• Onboard components like Systems on Chip (SoC) can harbor vulnerabilities that are hidden from third-party manufacturers. This makes them impossible to patch, and leaves entire production runs susceptible to attack. 

• Anonymous operating systems with unknown libraries and revisions also make it difficult for users to understand the true risk devices present.

 

Time and time again, attackers have exploited the inherent weaknesses of insecure devices to compromise their security in several ways.  

• Crashing the device: a potentially dangerous line of attack for medical devices, household security cameras, connected doorbells, or smart locks.

• Accessing sensitive data: certain devices carry personal information and records of users.

• Deploying the device as part of a botnet: large fleets of hacked devices can be used in massive-scale DDoS attacks, most notably the Mirai botnet in 2016.

• Using the device for lateral movement: cybercriminals can use connected devices as footholds to gain increasing levels of access within the network the device is connected to. 

 

With so many well-known risks, governments, standards bodies, and regulators have reached a near-universal conclusion: connected devices must be managed and secured in the same way as traditional IT devices such as workstations or servers. 

 

What is the Cyber Trust Mark?

The US Cyber Trust Mark labeling program establishes crucial standards around data privacy and cybersecurity for IoT devices. Building on the pioneering work of the National Institute of Standards and Technology (NIST) and the Federal Communications Commission (FCC), the program aims to help consumers make more informed choices about the connected devices they purchase, including those that monitor their households and health.

 

The full specifics of the Cyber Trust Mark won’t be finalized until late 2024. However, the final standard will likely be based on existing IoT security standards, such as ETSI EN 303 645 and ANSI / CTA-2088-A. Keysight is working with industry leaders and the government to ensure that the standard is rigorous and testable for automated certification. Key areas for certification will include strong and unique default passwords, data security, secure update mechanisms, and incident detection pathways. In addition to passing a battery of security tests, the Cyber Trust Mark program may also require manufacturers to disclose the data their device collects and how it will be used.

 

Based on initial guidance from the FCC, external lab testing will be a requirement for Cyber Trust Mark certification. This helps maintain a high quality of independent testing while incentivizing manufacturers to pass certification on the first try. Otherwise, they’ll incur additional costs and time-to-market delays.
