In response to the threat of insecure IoT devices, the Australian Government has released a draft code of practice for “Securing the Internet of Things for Consumers”. This guide is a positive step, because of the extensive damage that insecure IoT devices can wreak on our connected world.
The code is voluntary, aiming to “help raise awareness of security safeguards associated with IoT devices, build greater consumer confidence in IoT technology and allow Australia to reap the benefits of greater IoT adoption”.
It contains 13 principles and was written for an industry audience under the advice of the Australian Cyber Security Centre (ACSC) and the United Kingdom, which has also created a similar code.
The draft document states that the first three principles are the most important:
- No duplicated, default or weak passwords – IoT devices need to have strong and unique passwords.
- Implement a vulnerability disclosure policy – Manufacturers, providers and developers should establish a point of contact where vulnerabilities can be disclosed.
- Keep software securely updated – Manufacturers, providers and developers should make it easy for users to update their devices. The process should be clear and security updates should be issued in a prompt manner.
These are absolute security basics, and should be adhered to in all situations to provide a solid base. The subsequent principles include guidelines that direct tech companies to store credentials securely, protect personal data, minimise exposed attack surfaces and ensure software integrity.
The document was published as a collaboration between the Department of Home Affairs, the Australian Signals Directorate and the ACSC. It was unveiled at the 2019 Home Affairs Industry Summit in Melbourne. The Minister for Home Affairs, Peter Dutton, elaborated on why the code of practice was developed:
“This rapid growth in connectivity brings significant benefits to all Australians,” he said, “However, many of these devices have poor cyber security features, posing risks to Australian families, our economy and national security.
“The safety of Australians and the security of our economy is paramount. That’s why the Morrison Government has developed a voluntary Code of Practice to inform industry about the cyber security features expected of these devices in Australia.”
The code of practice was published as a draft, with a public consultation period running until March. While the consultation period should allow the industry and consumers to have their voices heard, we need to consider it in the context of the last major data legislation.
When the draft of the Assistance and Access Bill (Australia’s anti-encryption laws) was published, it was met with heavy criticism from the industry and other parties. Several Atlassian employees summarised the comments, showing that nearly all of them were against the legislation in some way. Despite this condemnation, the bill still passed with minimal changes.
While the threat from poor IoT security makes this code of practice look like a commendable move by the government, one has to question why such a code is voluntary. Surely strict regulation would be more effective than guidelines that organisations may simply ignore.