The Internet of Things Alliance Australia (IoTAA) has restated its call for an Australian security certification program for Internet of Things (IoT) products.
The industry body made the call this week following the Australian Government’s publication of a draft voluntary code of practice for consumer IoT devices. Industry and members of the public have until 1 March 2020 to submit a response about the code, which is called "Securing the Internet of Things for Consumers".
The IoTAA regards the code as “an important step”, but argues that an IoT product security certification program is also needed. This would help consumers and businesses distinguish which IoT devices conform to the Code of Practice, argued Matt Tett, Chair of the IoTAA’s Cyber Security work-stream.
“The draft code is voluntary, and as with anything voluntary, the challenge lies in developing compliance incentives for vendors and manufacturers,” Tett stated.
“The most compelling incentive comes from consumers who insist on compliance with the code; but how will consumers know which devices comply? What criteria can consumers use to ensure that compliance statements are true and accurate?”
While the Government’s draft code concerns consumer devices such as smart TVs and wearables, many of its principles are relevant to business IoT.
The code’s three main principles are, in summary:
- No duplicated IoT device default or weak passwords. IoT device (and associated backend/cloud account) passwords should be unique, unpredictable, complex and unfeasible to guess, and not resettable to any factory default value that is common to multiple devices.
- Implement a vulnerability disclosure policy. IoT device manufacturers, IoT service providers and mobile application developers should provide a public point of contact as part of a vulnerability disclosure policy, so that security researchers and others can report issues.
- Keep software securely updated. Updates should be timely and not impact the device’s functionality. An end-of-life policy should be clear to the consumer when they purchase the device, which explicitly states the minimum length of time for which a device will receive software updates. The device should verify that updates are from a trusted source.
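The third principle asks that a device verify updates come from a trusted source. The following Go program is an added illustration of that check and is not code from the code of practice or the IoTAA; the manifest layout, the use of Ed25519 and the anti-rollback rule are assumptions made for the example. The vendor signs a small manifest (version plus SHA-256 digest of the image) with a private key; the device holds only the public key, verifies the signature, refuses an image whose digest does not match the signed manifest, and refuses a version no newer than the one installed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The device verifies the manifest's
// signature with a public key provisioned at manufacture, then checks the
// received image against the digest carried in the manifest. (Assumed layout.)
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// Bytes serialises the manifest deterministically so that the signer and the
// verifier operate on exactly the same bytes.
func (m Manifest) Bytes() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// Update is what the device receives: manifest, signature over it, and image.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the trusted key")
	ErrDigestMismatch = errors.New("image digest does not match the signed manifest")
	ErrRollback       = errors.New("update version is not newer than the installed version")
)

// SignUpdate is the vendor-side step: hash the image and sign the manifest.
// The private key never leaves the vendor; only the public key is on devices.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.Bytes()), Image: image}
}

// VerifyUpdate is the device-side step. Signature first (so nothing unsigned
// is trusted), then anti-rollback, then the image digest.
func VerifyUpdate(trusted ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(trusted, u.Manifest.Bytes(), u.Signature) {
		return ErrBadSignature
	}
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	sum := sha256.Sum256(u.Image)
	if !bytes.Equal(sum[:], u.Manifest.Digest[:]) {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Constructed demo keys and image; a real device would have the public key
	// embedded read-only and the private key kept in the vendor's signing system.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v2")

	good := SignUpdate(priv, 2, image)
	fmt.Println("valid update, installed v1:", VerifyUpdate(pub, 1, good))

	tampered := good
	tampered.Image = []byte("constructed firmware image v2, modified in transit")
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, tampered))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("signed by untrusted key:", VerifyUpdate(pub, 1, SignUpdate(otherPriv, 3, image)))

	fmt.Println("already installed version:", VerifyUpdate(pub, 2, good))
}
```

The digest is carried in the signed manifest rather than signing the whole image directly so that a device with little RAM can stream the image through SHA-256; the version check is what stops an attacker replaying an older, signed-but-vulnerable image.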
The code’s other principles include not embedding hard-coded credentials (e.g. usernames and passwords) in device software or hardware.
It also calls for IoT providers to ensure that where devices and/or services process personal data, they do so in accordance with data protection law – such as the Privacy Act 1988 and its Australian Privacy Principles.
And the code calls for software (including firmware) on IoT devices to be verified using secure boot mechanisms.
To comply with the code, IoT providers would also need to monitor telemetry data collected from IoT devices and services for security anomalies.
And they would need to ensure personal data can easily be removed when there is a transfer of ownership, when the consumer wishes to delete it and/or when the consumer wishes to dispose of the device.
The Australian Government also plans to explore “further initiatives for lifting the security of the Internet of Things” through its 2020 Cyber Security Strategy.