The Commonwealth has unveiled new guidelines for consumer Internet of Things devices that aim to ensure security is baked in by design.
The draft voluntary security guidelines consist of 13 principles for manufacturers of Internet of Things (IoT) devices such as smart TVs, watches and home speakers.
An emphasis on encrypted communications in the guidelines has been branded “ironic” following the passing of encryption-busting laws late last year by the government.
The guidelines are a virtual carbon copy of similar guidelines rolled out in the UK in March, with the principles replicated nearly word-for-word.
It follows a Five Eyes statement of intent on the security of the Internet of Things co-signed by Australia earlier this year, acknowledging that many of these devices “lack basic security features” and agreeing to a global collaborative effort to combat this.
There are expected to be more than 64 billion devices connected to the internet by 2025 globally, but many of the companies making these products aren’t focused enough on security, home affairs minister Peter Dutton said.
“This rapid growth in connectivity brings significant benefits to all Australians. However, many of these devices have poor cybersecurity features, posing risks to Australian families, our economy and national security,” Mr Dutton said.
“The safety of Australians and the security of our economy is paramount. Along with our Five Eyes partners we share the expectation that manufacturers should develop connected devices with security built in by design.”
The first three principles in the guidelines are the highest priority for manufacturers and should be prioritised, the government said.
These are that there should be no duplicated default or weak passwords, for a vulnerability disclosure policy to be implemented and for software to be regularly updated securely.
The guidelines are aimed at raising awareness of the security of IoT devices, building greater consumer confidence and allowing Australia to reap the benefits of greater IoT adoption.
Other principles include ensuring that communication is secure, systems are resilient to outages and for it to be easy for users to delete their own personal data.
One of the guidelines states that communication through the IoT devices should be encrypted in transit, but this clashes with the government’s recently passed encryption laws, which give agencies the power to compel tech companies to provide access to encrypted data, Deakin University senior lecturer Dr Monique Mann said.
“I think it is a bit ironic given corresponding moves to undermine encryption. You can’t have your information security cake and eat it too,” Dr Mann told InnovationAus.com.
All 13 principles are the same as the 13 in the UK government’s own IoT security guidelines, which were unveiled in March. The Australian government said that its own guidelines “align” with the UK’s and are also consistent with other international standards
The federal government is also working with the states and territories to ensure further alignment in the future.
The IoT guidelines are just a “first step” in improving the security of the devices, with further policies to be revealed in the 2020 cyber security strategy.
The guidelines are targeted at an industry audience, and will be voluntary for domestic and international manufacturers offering products in Australia.
Consultation on the draft guidelines will be open until March next year. Once implemented, the guidelines will be regularly reviewed to ensure they remain fit for purpose.
The 13 draft principles:
- No duplicated default or weak passwords
- Implement a vulnerability disclosure policy
- Keep software securely updated
- Securely store credentials and security-sensitive data
- Ensure that personal data is protected
- Minimise exposed attack surfaces
- Ensure communication security
- Ensure software integrity
- Make systems resilient to outages
- Monitoring system telemetry data
- Make it easy for consumers to delete personal data
- Make installation and maintenance of devices easy
- Validate input data