The Australian government has drafted a code of practice in a bid to improve the IoT’s well-publicised lack of security.
While the huge Mirai botnet attack on DNS provider Dyn in 2016 was devastating, one positive thing it achieved was to increase awareness about the poor security of IoT devices.
Ever since that high profile incident, governments have doubled their efforts in coming up with ideas to prevent IoT devices from being compromised. For Australia, that’s resulted in today’s publishing of Code of Practice: Securing the Internet of Things for Consumers.
One of the main reasons Mirai, and indeed other botnets, are able to easily hijack such a large number of IoT devices is their use of default passwords.
No duplicated default or weak passwords is among the three highest priority suggestions. The remaining two are:
Implementing a vulnerability disclosure policy with device manufacturers, app developers, and service providers.
Keeping software, including firmware, updated with security patches.
While the initial three suggestions may seem obvious, too often they’re overlooked.
The next three are seen to be a high priority, but not to the extent of the first trio:
Store credentials and security-sensitive data securely.
Ensure personal data is protected and that “adequate industry-standard” encryption is applied to data in transit and at rest.
Validate input data so that it’s “authorised and conforms to expectations”.
There are 13 principles in total which span three pages of the paper. Other notable suggestions include:
Minimising potential attack surfaces.
Software should be verified with secure boot mechanisms.
Ensure systems are resilient to an outage.
Provide clear instructions to users with regards to personal data.
Monitor telemetry data for anomalies.
Make device installation and maintenance simple.
“We’re releasing the Code of Practice for public consultation because we want to ensure that the expectations of all Australians are met regarding cybersecurity,” said the Minister for Home Affairs, Peter Dutton.
“Along with our Five Eyes partners, we share the expectation that manufacturers should develop connected devices with security built-in by design.”
Five Eyes is the intelligence-sharing relationship between Australia, New Zealand, the UK, Canada, and the US.
In July, Australia co-signed a Statement of Intent regarding IoT security with the other Five Eyes nations in London. The draft code “aligns with and builds upon” guidance provided by the UK earlier in the year.
You can submit your thoughts on the Code of Practice: Securing the Internet of Things for Consumers until March 1 2020.
Interested in hearing industry leaders discuss subjects like this? Attend the co-located 5G Expo, IoT Tech Expo, Blockchain Expo, AI & Big Data Expo, and Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London, and Amsterdam.
