Australia Introduces Code of Practice for the Manufacture of IoT Devices

The Australian government has published voluntary best practice guidelines to help device manufacturers, IoT service providers and app developers improve the security of Internet of Things (IoT) devices. Developed jointly by the Department of Home Affairs and the Australian Cyber Security Centre (ACSC), the Code of Practice is described as the “first step in the Australian government’s approach to improve the security of IoT devices in Australia.”

It is expected there will be over 21 billion IoT devices connected to the internet by 2030, and the Australian government believes the new standards are necessary to “help raise awareness of security safeguards associated with IoT devices, build greater consumer confidence in IoT technology and allow Australia to reap the benefits of greater IoT adoption.”

IoT devices encompass an increasing number of everyday home items, such as smart TVs, security cameras and baby monitors. Yet there have been numerous concerns raised over potential security threats to these devices, such as hacking. For example, last month, a team of IBM hackers discovered a vulnerability in a component used in millions of IoT devices and in June an investigation by Which? found that more than 100,000 indoor security cameras across UK homes and businesses may have critical security flaws that make them vulnerable to hacking.

The new code outlines 13 principles for domestic and international IoT manufacturers to follow, with the Australian government recommending that the first three are prioritized. These are to ensure there are no duplicated or weak passwords, implement a vulnerability disclosure policy and keep software securely updated.

The government added that the guidance aligns with and builds upon UK government guidance, as well as being “consistent with other international standards.”

There have been increasing moves to bring in tighter regulation of the manufacturing of IoT devices around the world. Earlier this year, the UK government unveiled a new consumer IoT law designed to prohibit the sale of smart products that fail to meet three strict security requirements: unique device passwords that are not resettable to factory defaults, a public point of contact at the manufacturer to report bugs to, and clearly visible information stating the minimum length of time for which updates will be available.

Speaking to Infosecurity, Bruce Esposito, global strategist at One Identity, commented: “The Australian government’s new code of practice for IoT devices is a much needed and long overdue focus on securing consumer smart devices. After many years of reporting on high profile hacking, malware and viruses most consumers are aware of security threats to their personal computers. Consumers are more educated about protecting their home networks and computers and are cautious when confronted with requests for personal information. However, the same cannot be said about the ever increasing number of smart devices in the household.”

Although welcoming of the introduction of further new standards for IoT devices, Boris Cipot, senior security engineer at Synopsys, said there may be a need for a more international approach in the future: “While the issuance of governmental standards and/or guidance to manufacturers is a step in the right direction, even if there are general measures in which countries might have the same opinion, there are other measures that might differ.

“Therefore, a globally aligned IoT standard would need to be created which manufacturers around the globe would follow. This would also support the import and export of such devices, as well as the usage of a technology that is by all means a global technology and not limited to a specific country.”
