Everyday Internet of Things devices such as AI-enabled smart speakers and smart TVs will be subject to a new Australian code of practice to better protect against malicious cyber threats.
With concerns over the always-on devices and privacy reaching fever-pitch, the federal government has moved to introduce voluntary national standards for IoT security.
The code, developed by the Department of Home Affairs and Australian Cyber Security Centre, will offer best practice guidance to device manufacturers, IoT service providers and app developers.
Minister for Home Affairs Peter Dutton said that ensuring the security of everyday smart devices, which Gartner estimates will reach more than 64 billion globally by 2025, was “paramount”.
He said that currently “many of these devices have poor cyber security features”, which poses risk to Australians, the economy and national security.
The draft code, which the government is currently seeking community and industry input on, lays down the 13 cyber security principles that industry will be expected to embedded in IoT devices.
“Devices are often developed with functionality as a priority, with security being absent or an afterthought,” the draft code states.
“It is essential that these devices have cyber security provisions to defend against potential threats.”
While the government recommends implementing all 13 principles, the first three are considered the “highest priority to achieve the greatest security benefit”. These principles are:
- No duplicated default or weak passwords: ensure IoT device passwords aren’t week or a factory default common to multiple devices
- Implement a vulnerability disclosure policy: ensure there is a public point of contract for security researchers to report issues and that that any vulnerabilities are acted on quickly
- Keep software securely updated: ensure “timely” updates, which are distributed via secure IT infrastructure, that don’t change user-configured preferences, security or privacy
Other principles include ensuring credentials aren’t stored on a device to avoid that data being discovered through reverse engineering (principle 4), minimising the exposed attack surface (principle 6) and making systems resilient to outages (principle 9).
The government has also recommended “adequate industry-standard encryption ... be applied to personal data in transit and data at rest” in order to ensure that personal data is protected (principle five).
"We're releasing the Code of Practice for public consultation because we want to ensure that the expectations of all Australians are met regarding cyber security," Dutton said.
"Along with our Five Eyes partners we share the expectation that manufacturers should develop connected devices with security built in by design.”
The code aligns with and builds upon similar guidance issued by the UK in its code of practice of consumer IoT security [pdf], which also consists of 13 principles.
Public consultation on the draft code will run until 1 March 2020.