Aug 02, 2023

Uncle Sam Has a Plan to Secure Your Smart Home. Here's Why We're Skeptical.

Rachel Cericola

The smart home often gets a bad rap. People worry that their devices are snooping on them or sending personal data to nefarious companies. Or that their every move and purchase is being tracked. Or that some creepy rando can talk to their kids through their own security camera.

And sometimes they’re right. Although some eye-catching headlines have induced bouts of mass technophobia, the number of incidents has been minuscule compared with the number of devices that live in all our homes. Nonetheless, the threat is real, and industry-wide standards for security measures don’t exist.

That’s changing soon. The Federal Communications Commission recently announced that, in cooperation with the White House and a collective of retailers and device manufacturers, it will launch the U.S. Cyber Trust Mark, a program to certify the privacy and security features of a broad array of smart devices. The big idea is that the program will make it easier for people to make informed, secure choices.

It’s an encouraging move for the federal government to finally give consumer security and privacy the attention it desperately needs. But after digging into the specifics of the program and getting feedback from smart-home companies, we’re tempering our optimism—at least until more concrete information is released.

Collectively, Wirecutter’s smart-home team has several decades of experience researching and testing devices, which includes communicating in depth with companies about the very security and privacy policies and procedures this program will cover (and we do our best to guide our readers on ways you can best protect yourself). We appreciate how complex the problem is, especially since today’s devices intersect with mobile apps and cloud computing and are purpose-built to be updated. A single software change to any one of those things can instantly turn a secure device into one with vulnerabilities. In other words, saying a device is safer and saying it is actually safe are two very different things.

Here’s a look at how the program is expected to work, the facets we applaud, and the areas that still need attention in order for the initiative to be worth endorsing.

The U.S. Cyber Trust Mark program is intended to launch in late 2024. The Trust Mark design isn’t finalized yet but is expected to include a badge as well as a sort of cyber-nutrition label with information about a product’s privacy and security practices and a QR code linking to a database of a device’s security history.

The Cyber Trust Mark is a little like Energy Star. The EPA-led standards and labeling program, which launched in the early ’90s, helped companies produce more eco-friendly devices and assured consumers when buying them. This time, the goal is for all web-connected devices, from security cameras, smart bulbs, and smart thermostats to fitness bands, smart washing machines, and computer routers, to include information about cybersecurity issues that the general public can understand. (See below, where we discuss how Energy Star is notably different.)

To earn a U.S. Cyber Trust Mark for a smart device, companies will need to conform to technical standards based on a set of criteria developed by the National Institute of Standards and Technology. Although final details of the program have yet to be announced, NIST suggests that some standards will include:

Once a device is certified, the U.S. Cyber Trust Mark label can be put on its packaging.

This entire program is voluntary. It’s more of a nudge by the government to get companies to do better, not an industry mandate. Part of that spirit is a presumption by the feds that manufacturers should be responsible for educating their customers about the cybersecurity ramifications of their products. “If a consumer understands how to be more secure, it’s really a win,” said Michael Dolan, senior director and head of Enterprise Privacy & Data Protection at Best Buy in a White House press briefing. “The consumer is more protected. The manufacturers are in a better position. The environment’s in a better position as products are resold versus just recycled. We are very excited to be in support of this.”

It’s about damn time. The term “internet of things” was first coined in 1999. Since then, smart devices have become more advanced and more ubiquitous in people’s lives. With that ubiquity has come risk. In order to enable new functionalities, devices like thermostats, light bulbs, and doorbells have required access to more private information, such as email addresses and location information, but also fingerprints, voice profiles, and face scans.

Besides enabling new capabilities, those types of private data that consumers often unwittingly give up have also become a lucrative source of income for companies that have learned how to monetize it for targeted advertising and advanced analytics that keep tabs on your habits and spending. Manufacturers often hide their plans in lengthy privacy policies that most consumers could never understand. And many people simply have no idea what their devices are up to—they just click OK so the smart clothes dryer will alert them when their laundry is dry. A universal program that sheds light on all of that in plain language is long overdue. This is a very good thing.

“I think consumers right now feel that there is no such thing as privacy,” said Jan Schakowsky, congresswoman of Illinois, during a White House press event to announce the initiative. “This is a major step forward.”

The device database will be current. Every device with a Cyber Trust Mark label will have a QR code that shoppers can scan to access a database that includes a given device’s current security and privacy policies. That means new features, privacy policy updates, and software updates could all be included. White House officials also said they intend for companies to recertify their devices annually, which theoretically means you won’t have to worry that your new smart thermostat or light bulb will be orphaned with outdated cybersecurity practices.

“We didn’t want to create a stale label that said ‘this product was deemed certified and secure’ and so stayed secure forever,” said Anne Neuberger, US Deputy National Security Advisor. “The QR code will give up-to-date information on the ongoing and adherence to cybersecurity standards.”

A lot of companies are behind the program. Although it’s voluntary, 20 companies were in attendance to make statements backing the initiative, including Amazon, Best Buy, Google, Samsung, LG Electronics, Logitech, and more, as well as Carnegie Mellon University, the Connectivity Standards Alliance, and the Consumer Technology Association. All of them are promising to educate consumers about the U.S. Cyber Trust Mark and what it means.

“Historically speaking, labeling programs are effective when consumer awareness of what the mark means is high, and the public has confidence in the results the mark promises,” said Scott Johnstone, senior marketing manager of smart home at Lutron.

There are lots of big unknowns. Although the system will be based on NIST standards, a lot of work has to be done before this program goes live. “There’s just a lot of process we’re going to be working through,” says Neuberger. “Right now, we believe the program is really structured for success, but we’re going to work through it every step of the way.”

Neuberger says that a lot of companies are already making products based on NIST recommendations. Still, the White House expects the U.S. Cyber Trust Mark to be finalized by late 2024, with devices bearing the logo shortly after.

Not everyone agrees on the details. One of the facets of the program announced at the White House event is that companies will be able to voluntarily attest to the proposed safety and privacy standards. In other words, it will be an honor system—which is pretty much what the country has now.

Contradicting that assertion, however, Neuberger assured Wirecutter in an interview that the U.S. Cyber Trust Mark certification will be based on verified third-party testing, not just a manufacturer’s word. “We don’t believe self-certification is the way we want to go,” she said. “And we want these third parties certified.”

Wirecutter has years of experience with self-certification. In fact, we have long required all of the companies that make our smart-home picks to confirm their security and privacy policies, and we report those in our reviews. In the process, we often discover things manufacturers either didn’t reveal, mischaracterized, or simply didn’t know about (or at least claim they didn’t know about). Even well-intentioned companies get it wrong, and so without formal certification, we’re unsure there’s much benefit in having the fox guard the hen house.

It’s unclear how useful it will be to consumers. On the surface, the U.S. Cyber Trust Mark seems to be a lot like Energy Star, which by most measures has been a success. However, they differ in at least one critical way: Energy Star’s standards and requirements are measurable. Transparency gives buyers confidence. If you buy an Energy Star–certified product, you know that it is a specific percentage more efficient than a non-certified model.

The Cyber Trust Mark, as it currently stands, doesn’t provide anywhere near the same level of black-and-white clarity, which might make it less useful. Theoretically, a device could earn a Cyber Trust Mark, then fail to recertify and still be on store shelves bearing the vaunted logo.

It’s a colossal undertaking. Though we won’t say that providing the same sort of highly specific and useful info as Energy Star is impossible, given the proposed measures we’ve seen so far, we struggle to envision how a cybersecurity program of this magnitude is doable. In particular, testing web-connected gear and their associated apps and cloud connections for security vulnerabilities is complicated, time-consuming, and expensive. (In our own research, we’ve found the costs for penetration, or hack testing, can run tens of thousands of dollars—for just a single device.) We aren’t convinced that the government would be able or willing to conjure the funds needed to test thousands of existing and new products—and then retest them annually, perhaps for many years in some cases.

Device usage is a key factor. We’re gratified to learn that automatic unique passwords and encryption are planned, because they provide a baseline of security. That’s key because leaving big security decisions to consumers has proven to be problematic. A big question remains: What happens if you pair a certified secure device with potentially vulnerable uncertified devices?

For example, though most smart-device makers tell Wirecutter they don’t sell or share personal user data, if you integrate those devices with a third-party platform like Amazon Alexa or Google Home, you have opted to share your personal data. It’s unclear whether those guarantees still apply (unless those products also have the U.S. Cyber Trust Mark, of course).

Manufacturers are cautiously supportive. We reached out to all 30 of the companies behind our current smart-home picks to gauge their support of the program. Only 15 responded to us, and four of those companies stated they had no comment at this time. Others said that although they fully support the initiative, they believe they’re already making products that suit NIST standards.

With so many unknowns, so few partners, and such a long timeline, we’re reluctant to say what, if any, impact this well-intentioned initiative will have. After all, in its current state it’s simply a collection of proposals, and it’s voluntary. And more important, we’re not convinced shoppers will be especially enthusiastic to do shopping-aisle security recon using the proposed QR code scheme. People want answers, not research projects.

For Wirecutter, much of what this initiative hopes to achieve actually duplicates a lot of the work we are already doing. As we’ve noted, we ask the makers of all of our smart-home picks to provide detailed information on their security and privacy practices. This is no different, except that the program has a proposed set of technical specs and potentially mandated testing. If those are achieved, it would be a meaningful step in the right direction—but that’s a big “if.”

This article was edited by Jon Chase and Grant Clauser.
