The US government recently announced its Cyber Trust Mark program, a certification and labelling initiative to help citizens identify IoT devices with strong cybersecurity protections. The program is scheduled to launch in 2024 and will be a welcome addition to the IoT ecosystem.
The seamless, connected experience offered by IoT devices is increasingly attractive to consumers – the IoT market is expected to grow to $3353 billion by 2030. Yet it is no secret that IoT devices are also increasingly attractive to bad actors. In 2022, the number of cyberattacks on IoT devices was estimated to be over 122 million, more than double the year before.
So, while the US Cyber Trust Mark signifies a positive step in ensuring the security of the IoT, what challenges does it currently face and what challenges will emerge once the program has been introduced?
All carrot, no stick
The first challenge facing the U.S Cyber Trust Mark is that the program will be entirely voluntary. While it will be in the interest of manufacturers to sign up and demonstrate their device’s security to consumers, there are no repercussions for those that don’t. Some believe that without repercussions, there isn’t sufficient motivation for manufacturers to abide by the security guidelines.
Securing resource-constrained devices
There are an inconceivable number of different IoT devices and services performing a huge variety of tasks. It would be an almost impossible challenge to hold all devices to the same security standards. Does a light bulb need the same protection as a smart speaker? Probably not. Many such IoT devices are resource-constrained and do not have the capacity to execute complex cryptographic operations. As a result, the level of risk exposed by a cyberattack will be different.
Many resource-constrained device manufacturers are considering supporting data protection with secure enclave technology. Manufacturers can link devices to the cloud and securely execute cryptographic operations in a protected environment. This brings higher levels of security assurance into reach for most IoT device manufacturers.
Building trust in IoT
IoT devices integrate technologies that connect and exchange data over communications networks, such as the Internet or other IP-based networks. While this means they can offer new and exciting functionalities, it also means that bad actors have a significantly larger attack area to target in comparison to an offline/non-connected device.
This, combined with high profile IoT cyberattack cases, has contributed to low consumer trust in IoT security. A study by the University of Warwick echoed this and demonstrated that UK consumers are not convinced that they can trust the privacy and security of IoT devices.
For industry players already adhering to good security practices, this can be frustrating. There has been no clear, consistent way to communicate the level of security within products/services to consumers. I hope the US Cyber Trust Mark program will change this.
As IoT devices continue to become smarter, more data will need storing on the devices. In addition, this data will become more personal to enable a more tailored and connected IoT experience. This means data protection will be become even more important.
To combat this, secure procedures and processes must be established as early as the manufacturing stage. Enabling the secure storage and handling of cryptographic keys and certificates within the devices is critical. But there is not a ‘one size fits all’ solution.
Smaller, less complex IoT devices may be able to leverage Elliptic Curve Cryptography (ECC), which provides high levels of security but with smaller cryptographic key sizes. Resource constrained device manufacturers can also seek enclave solutions or use alternative cryptographic algorithms. Just a few months ago, NIST concluded its “lightweight cryptography” selection process and chose the Ascon family of algorithms as a future standard data encryption method within the Internet of Things. Though it is worth noting that Ascon’s lightweight algorithms are symmetric and do not address the issue of IoT device certificates.
Securing software updates
The US Cyber Trust Mark program highlights the need for enhanced security to enable secure software updates. Due to the always-connected nature of IoT devices, the security of a product is not ‘complete’ at purchase but rather must be maintained throughout the product’s lifecycle. This fact becomes more disconcerting when you consider the lifespan of some IoT devices. Those who buy a smart car today may still be using it in 10-15 years’ time. Software updates will be essential to enable the security of devices to evolve after purchase.
For manufacturers looking to be proactive in addressing this issue, there are ways they can prepare ahead of the program’s projected launch. By leveraging the latest data protection technology for the cloud, software updates can be remotely installed in a secure manner. And as the IoT continues its upwards trajectory, user experience must not come at the expense of security. Manufacturers must stay ahead of their criminal counterparts to ensure that all IoT devices protect data and can be updated securely as required.
Currently, the US Cyber Trust Mark program does not attempt to address post-quantum security. The longevity of many IoT devices means that a large number will still be in use when quantum computers likely become a reality. The program should make device manufacturers aware of the risks and encourage proactive action. There are several ways organisations can begin preparing for post-quantum now. The road to cryptographic agility beings with a thorough analysis of your organisation’s environment.
As post-quantum cryptography certificates will be even more complex than current certificates, the IoT industry will face additional challenges. For instance, if IoT device data that is currently encrypted by methods based on classical cryptography is accessed and stored by bad actors until they obtain quantum technology, they could use it much later down the line in what’s known as a “Store now, decrypt later” (SNDL) attack. This means that IoT manufacturers whose devices/services store data with a long shelf life, such as smart home systems, must be particularly aware of this threat, and make plans that prioritise valuable data with a long shelf life.
As the US Cyber Trust Mark program is being created in cooperation with NIST, I expect that the finalised program will help the IoT world prepare for post-quantum cryptography. Nevertheless, to prepare now, determine exactly what you’re working with, where the gaps are, and what needs to be done next.
While convenience remains priority-number-one in the IoT industry, stakeholders should remain aware that there is nothing more distressing for users, nor damaging for brands, than avoidable cyberattacks.
Johannes Lintzen is Managing Director at Cryptomathic. He is fascinated by the impact of “Software is eating the world” and “IP on everything”. Working together with some of the smartest minds providing solutions to some of the underlying technological and organisational challenges (data security, privacy, key management) is a daily motivator and has influenced my professional and personal growth for the past 20+ years.