The draft code is often expressed as a voluntary code, and it is able for regulations like the ACCC to depend on the typical international rule considered in the completed Internet of Things Code to prove that the industry agreement is necessary.
A draft code of practice was released by the Australian Government Department of Home Affairs, setting out excellent practice guidance to protect the consumer Internet of Things (IoT) devices.
The draft IoT includes The provision of voluntary guidelines for companies and businesses to secure IoT devices. Also, to consider creating international expectations for the industry, fall in line with the similar guidance that is being offered by the UK Government and the ETSI (the relevant European Standards Organisation).
Although it is being expressed as voluntary, some parts of the draft IoT Code may also consider legal obligations under Australian consumer law.
Popularly, IoT refers to the devices that connect to and send and accept data over the internet like the wearable technologies and smart appliances such as televisions and refrigerators. The number of these devices is increasing with speed. Alongside with the report of the Australian Government reporting that by 2025, an estimate of 64 billion devices to be connected globally, coupled with the increased risks for the cybersecurity of consumers.
The draft IoT Code comprises of 13 IoT principles. These are aimed at device manufacturers, retailers, mobile application developers, and IoT service providers. An essential characteristic of the 13 IoT principles is that they work strictly in line with the 13 IoT principles that are set out in the UK Government’s Code of Practice for Consumer IoT Security. And also the essential technical features from ETSI, a European Standards Organization.
Written below are the 13 IoT principles, and the first three IoT principles have superior relevance to accomplished an extraordinary security benefit:
- No duplicated default or weak passwords. It has been an aspect of evaluation for device manufacturers for a while, with an easy recommendation in the draft IoT Code to prevent factory default passwords that are common to multiple devices or are predictable.
A significant risk of such default passwords is that most consumers do not change them while setting up the device or that the passwords can be reset to the default without difficulty. This act makes the equipment and other devices on the network vulnerable to potential cyber-attack.
- Implement a vulnerability disclosure policy: The ability to report vulnerabilities is one of the significant ways in preventing cyber attacks as most researchers or third parties who buy the devices will uncover a potential vulnerability. And there should be transparent processes in place for them to be reported and actioned rapidly. The approach to put into practice this recommendation differs based on circumstances and requirements to be considered by the device manufacturers, mobile application developer, and service providers
- Keep software securely updated. It goes on from the principle of developing a vulnerability disclosure policy. And also, ensuring that the software (including firmware) on IoT devices is updated to remain safe and secure. The updates should be well-timed and not influence functionality. It will frequently require the user consent and agreement to the update, but it must be a process that will be easy to understand and carry out without any difficulty.
- Safely keep credentials and security-sensitive data where they are held within devices.
- Ascertain that personal data is protected. This principle connotes that sufficient industry-standard encryption is set out in the Australian Government Information Security Manual. It should be applied to personal data both in transit and at rest.
- Reduce exposed attack surfaces. It includes reducing the functionality not utilized in the device that could be exploited, and also support secure software development processes and penetration testing.
- Assuring communications security, which includes the encryption in transit of security-sensitive data.
- Be sure of the software integrity and confirmation of unauthorized changes.
- Make systems flexible to outages, such as data networks and power, without compromising security or safety.
- Track system telemetry data for any strange things.
- Make it less complicated for consumers to delete personal data. Such as if the device is on-sold.
- Make proper installation and maintenance of methods secure with clear and direct guidance.
- Verify input data to ensure that it is authorized and complies with expectations.
Even though these IoT principles have been released as a draft, the final version may strive to maintain a high degree of alignment with similar IoT principles internationally. One aspect where the IoT principles reflect Australian-specific requirements is about the Australian Privacy Act. While this is a departure, devices developed for compliance with the European Union General Data Protection Regulation may also include adequate protections to comply with Australian laws.
It is precisely the case where the IoT Code could be regarded as putting into practice reasonable or expected security practices to secure consumers.