The federal government has released its long-awaited code of practice for everyday Internet of Things devices like smart speakers and doorbells to better protect consumers from cyber threats.
But the national standards will be voluntary for manufacturers, despite comparable nations such as the United Kingdom now moving to mandate similar security features for consumer IoT devices.
The code, released on Thursday, represents the government’s “first step” to improving the security of IoT devices in Australia, and comes after 10 months of consultation.
The Department of Home Affairs and Australian Cyber Security Centre released the draft code, which was built on the UK’s IoT code, for community and industry input last November.
The code contains 13 principles, which the government “recommends for industry as the minimum standard for IoT devices” like smart speakers, televisions, doorbells and cameras.
However, device manufacturers, service providers and app developers have been asked to “prioritise the top three” as these “will bring the largest security benefits in the short term”.
These principles are:
- No duplicated default or weak passwords: ensure IoT device passwords aren’t weak or a factory default common to multiple devices
- Implement a vulnerability disclosure policy: ensure there is a public point of contact for security researchers to report issues, and that any vulnerabilities are acted on quickly
- Keep software securely updated: ensure “timely” updates that are distributed via secure IT infrastructure and that don’t change user-configured preferences, security or privacy
All three of these principles are also contained in the UK’s code of practice for consumer IoT security, which was released back in 2018 and which the government there is now looking to strengthen.
Despite “widespread adoption” of the code, the UK’s Digital Infrastructure Minister Matt Warman in July said “change has not been swift enough”, and the country is planning to introduce legislation.
Other principles in Australia’s code include ensuring credentials aren’t stored on a device, to avoid discovery through reverse engineering, and minimising the exposed attack surface.
Announcing the code on Thursday, Home Affairs Minister Peter Dutton said “manufacturers should be developing these devices with security built in by design”.
“Internet connected devices are increasingly part of Australian homes and businesses and many of these devices have poor security features that expose owners to compromise,” he said.
“Australians should be considering security features when purchasing these devices to protect themselves against unsolicited access by cyber criminals.”
ACSC has also released advice for consumers to protect themselves when buying and using IoT devices, as well as guidance for manufacturers on how to implement the code.
By the end of the decade, IoT devices globally are expected to number anywhere between 21 billion and 64 billion.