The Australian government has released a voluntary Code of Practice called Securing the Internet of Things for Consumers. The security code of practice is aimed at IoT manufacturers and service providers, as well as mobile application developers. The code outlines 13 security principles that represent the minimum standard for IoT devices being sold to Australian consumers.
What is IoT?
Basically, the Internet of Things (IoT) is the concept of connecting any device with an on-off switch to the internet, as well as to each other. Such connected devices are many and varied, and most people have heard of them in connection with smart homes. IoT devices in the home include everything from coffee makers, washing machines and headphones to light fixtures and wearable devices. They range from everyday devices, such as toys and smartphones, to important security devices, such as smart door locks and home security systems.
The term “Internet of Things” was first coined by Kevin Ashton in 1999. He is a British technology pioneer who co-founded the Auto-ID Center at the Massachusetts Institute of Technology (MIT). Since then, the number of IoT devices installed worldwide has increased exponentially. Between 2018 and 2019, the number of active IoT devices increased from 7 billion to 26.66 billion. Statisticians also estimate that today 127 new IoT devices are connected to the web every second. Furthermore, some experts estimate that 31 billion IoT devices will be installed in 2020 alone.
Currently there are five types of IoT devices, namely:
- Consumer IoT—such as light fixtures and home appliances
- Commercial IoT—such as smart pacemakers and monitoring systems
- Industrial Internet of Things (IIoT)—which includes industrial control systems, smart agriculture, and industrial big data
- Infrastructure IoT—which enables the connectivity of “smart cities”
- Internet of Military Things (IoMT)—such as robots for surveillance and wearable biometric devices used in combat
The IoT Security Code of Practice
Despite the opportunities and benefits that IoT devices provide, some serious concerns have surfaced over the years. These concerns relate mainly to privacy and security. Consequently, governments have started to address them.
In Australia this has taken the form of a voluntary IoT cybersecurity Code of Practice, which was released on 3 September 2020. The development of the code was a joint project undertaken by the Department of Home Affairs and the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC).
The code details a voluntary set of measures for manufacturers aimed at improving the security of IoT devices for Australian consumers. “Manufacturers should be developing these devices with security built in by design,” the Minister for Home Affairs Peter Dutton explained. The code is intended to apply to all devices in Australia that connect to the internet to send or receive data, because, in the Minister’s words, “It is essential that these devices in our homes and businesses have cyber security provisions that defend against potential threats and malicious cyber activity.”
The Australian government also hopes that the code will “help raise awareness of security safeguards associated with IoT devices, build greater consumer confidence in IoT technology and allow Australia to reap the benefits of greater IoT adoption.”
The Code’s Principles
The voluntary code of practice is based on 13 principles, with the government asking the industry to prioritize the first three. The first of these is that IoT devices should not duplicate default or weak passwords and should use multi-factor authentication. The other two are that device manufacturers should implement vulnerability disclosure policies and keep software securely updated. The code recommends that these three principles be actioned first as they would “bring the largest security benefits in the short-term.”
Of the remaining principles, most are aimed at IoT service providers and mobile application developers, as well as device manufacturers. These principles involve:
- Securely storing credentials on IoT devices, including not hard-coding credentials into devices
- Ensuring that personal data is protected in accordance with data protection laws, such as the Australian Privacy Act 1988
- Minimizing exposed attack surfaces, with devices operating on the “principle of least privilege”
- Ensuring communication security for private data or data requiring integrity protection by encrypting it whilst in transit
- Ensuring the integrity of software running on IoT devices
- Making systems resilient to outages
- Monitoring system telemetry data for security anomalies
- Making it easy for consumers to delete personal data off IoT devices
- Making it easy to install and maintain IoT devices
- Validating input data received via user interfaces, Application Programming Interfaces (APIs) and network interfaces