It’s no secret that IoT devices—both commercial and consumer—have been accused of encroaching on users’ privacy, and of lax cybersecurity practices. Attackers have been able to corral thousands of routers, smart devices, and other connected things into botnets, while some have gone further to exploit weaknesses in devices to spy on users.
A group based at Carnegie Mellon University’s CyLab is listening to concerns about the security and privacy of home IoT devices and are designing security and privacy labels to not only help consumers make informed buying decisions, but also to nudge vendors and manufacturers closer toward delivering secure products to market.
In this episode of the Nexus podcast, Lorrie Cranor, the Director and Bosch Distinguished Professor in Security and Privacy Technologies at CyLab, explains the program’s origins, goals, and challenges.
“How would I characterize consumer awareness of security and privacy (on smart devices)? Consumers are getting no information about security and privacy,” she said. “If you look at the packaging of devices, there’s no information.”
CyLab’s IoT Security and Privacy Label is available under a Creative Commons CC0 license, and Cranor hopes that a combination of regulatory and market pressure moves device makers to adopt the label. Admittedly, it’s an uphill climb, but one that was eased somewhat by the May 2021 White House executive order on cybersecurity that directed NIST to initiate such a labeling program. Cranor said that the CyLab initiative sent comments to NIST and recently presented at a White House summit on IoT labels, where it was the only organization on the agenda with a thought-out labeling proposal.
“We are working with industry groups trying to standardize a proposal for labels that hopefully will get adopted,” Cranor said. “We are on our way.”
IoT security and privacy labels do face challenges from businesses that don’t want a label competing for precious packaging space. To counter those concerns, CyLab’s label is layered: a high-level consumer-oriented label would be on the package, along with a scannable QR code that would present the consumer with a detailed label, below, spelling out the smart device’s security update details, access controls, data collection practices, and links to more information.
“We have what we call a Level 0 label, very abbreviated,” she said. “The QR code can be used to pull up a consumer-facing label, that way much less space is needed. Other manufacturers do this as well.”
From CyLab’s research interviewing and surveying consumers, Cranor believes that access to security and privacy information would influence buying decisions and demonstrate to vendors that security and privacy could be a differentiating factor.
“We think people would pay more even with better privacy and security,” Cranor said, adding that vendors are hesitant about this type of disclosure for a number of reasons.
“We’ve gotten pushback on a variety of things,” Cranor said. “There’s a hesitancy about having to disclose everything you do; some are very reluctant to do that. Also, you would have to keep it up to date as products are updated. You have to change the labels or they will be inconsistent. There are also concerns about whether other vendors would do it, or would one vendor be the only one.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.