The Federal Communications Commission (FCC) this month launched a new voluntary cybersecurity labeling program for “smart” Internet of Things (IoT) products.

According to the FCC, the program will incentivize companies to sell products that meet high cybersecurity standards while helping consumers make informed purchasing decisions.

But according to Odette Wilkens, a technology attorney, the program may give consumers a false sense of cybersecurity. That’s because, according to Wilkens, “the cybersecurity danger may not lurk within the products but within the signal being used by the wireless services that may be hacked.”

Under the FCC program, wireless IoT products — such as home security cameras, voice-activated shopping devices, fitness trackers and baby monitors — will bear a U.S. Cyber Trust Mark logo on their packaging if they meet the FCC’s “robust cybersecurity standards.”

The logo will be accompanied by a QR code that consumers can scan for the product’s security details, such as the support period for the product and whether the product carries automatic security updates.

Wilkens, who also is president and general counsel for the nonprofit Wired Broadband Inc., which advocates for hard-wired, high-speed internet, said the FCC shouldn’t just put a cybersecurity label on products — it should also label the wireless services.

“Otherwise,” Wilkens added, “the consumer will be deceived into thinking that a cybersecurity label on the product means that the wireless services activated through those products carrying their personal data are also safe, when they may not be.”

This is especially true as the rollout of 5G is underway, Wilkens said. She pointed to a 2022 report co-authored by former FCC Chairman Tom Wheeler, who coined the term “the 5G Cyber Paradox” — meaning the more efficient 5G is, the less secure it is.

“5G is more hackable given the thousands of 5G nodes being installed, thereby increasing the surface area for hackers,” Wilkens said. “It’s software-based — a hacker gaining access to one node potentially gains access to the whole system. 4G and 3G are hardware-based systems, making it easier to quarantine a security breach.”

Security and privacy ‘not the same thing’

Miriam Eckenfels-Garcia, director of CHD’s Electromagnetic Radiation (EMR) and Wireless program, shared Wilkens’ concern that the program may give people a false sense of security.

“That sense of security will likely lead to people using more wireless products — which means more harmful wireless radiation in our environment and more loss of privacy,” she told The Defender.

“The FCC’s program does very little to protect people’s privacy,” Eckenfels-Garcia said. “It does not prohibit wireless product companies from collecting and sharing consumers’ data widely.”

A data privacy and cybersecurity subject matter expert who asked to remain anonymous told The Defender something similar.

The expert — who has worked as a consultant to Fortune 500 companies over the last two decades and served on the data privacy work group for the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) — said it’s a “no-brainer” that the FCC needed to establish basic cybersecurity standards for products.

“But the program doesn’t address the crucial matters of data privacy and individuals being exploited through risky IoT devices that have promiscuous data-sharing practices,” the expert said.

While the FCC was clearly aware that consumers are concerned about both, its new program fails to include privacy safeguards, he said. “So your smart speaker is still listening to you, your smart lights know you are coming and going.”

Security and privacy are not the same thing, he said. In a jail, for example, you’ve got security but not privacy. “The bars allow everyone to surveil you.”

‘Consumers will still be subject to surveillance when they use IoT devices’

For the basis of its labeling program, the FCC adopted 10 of NIST’s cybersecurity criteria.

In its 126-page report on the labeling program, the FCC detailed the 10 criteria it will use to assess whether or not a product gets to bear its cybersecurity logo:

(1) Asset Identification: The product can be uniquely identified by the customer and other authorized entities and the product uniquely identifies each IoT product component and maintains an up-to-date inventory of connected product components …

(2) Product Configuration: The configuration of the IoT product is changeable, with an ability to restore a secure default setting, and changes can only be performed by authorized individuals, services, and other IoT product components. …

(3) Data Protection: The IoT product protects data stored across all IoT product components and transmitted both between IoT product components and outside the IoT product from unauthorized access, disclosure, and modification. …

(4) Interface Access Control: The IoT product restricts logical access to local and network interfaces – and to protocols and services used by those interfaces — to only authorized individuals, services, and IoT product components. …

(5) Software Update: The software of all IoT product components can be updated by authorized individuals, services, and other IoT product components only by using a secure and configurable mechanism, as appropriate for each IoT product component. …

(6) Cybersecurity State Awareness: The IoT product supports detection of cybersecurity incidents affecting or affected by IoT product components and the data they store and transmit. …

(7) Documentation: The IoT product developer creates, gathers, and stores information relevant to cybersecurity of the IoT product and its product components prior to customer purchase, and throughout the development of a product and its subsequent lifecycle. …

(8) Information and Query Reception: The IoT product developer has the ability to receive information relevant to cybersecurity and respond to queries from the customer and others about information relevant to cybersecurity. …

(9) Information Dissemination: The IoT product developer broadcasts (e.g., to the public) and distributes (e.g., to the customer or others in the IoT product ecosystem) information relevant to cybersecurity. …

(10) Product Education and Awareness: The IoT product developer creates awareness of and educates customers and others in the IoT product ecosystem about cybersecurity-related information (e.g., considerations, features) related to the IoT product and its product components.

According to Eckenfels-Garcia, “NIST cannot be trusted. They will always ensure that the backdoor links to the intelligence state remain.”

That means consumers will still be subject to surveillance when they use IoT devices, she added.

The FCC doesn’t allow “foreign adversary” countries — defined as China (including Hong Kong), Cuba, Iran, North Korea, Russia and the Maduro Regime — to be involved in the administration or testing of the program.

However, it does not prohibit the Five Eyes intelligence alliance of English-speaking countries — including the U.S., United Kingdom, Canada, Australia and New Zealand — from surveilling data collected via IoT devices, Eckenfels-Garcia noted.

“So whatever gets picked up by your IoT baby monitor could be rerouted to Five Eyes, instead of Beijing’s Ministry of State Security.”

EPIC: Why not limit the amount of data collected?

The FCC did not include a data minimization requirement in the program — despite the Electronic Privacy Information Center’s (EPIC) advice to do so, said the expert who chose to remain anonymous.

Data minimization refers to the practice that data are only “collected, used, or disclosed as reasonably necessary to provide the service requested by a consumer,” according to EPIC.

The research and advocacy nonprofit in November 2023 sent comments to the FCC urging the agency to make such data privacy practices part of its cybersecurity labeling program.

Collecting less data helps maintain cybersecurity, EPIC said. “A company does not need to protect data that it does not collect.”

“Ultimately,” EPIC added, “the consumer is safer if companies do not collect more data than they actually need to make the device work for its stated purposes.”

The FCC decided not to include a data minimization requirement, though. The commission did not immediately respond when asked by The Defender for an explanation.