16-09-2020 | By Robin Mitchell
With the growing importance of IoT security and the lack of push from the industry to update systems, countries around the world are introducing a code of practices for IoT devices. What is Australia doing, what is its code of practices, and why are they important?
With the number of IoT devices estimated at over 20 billion globally, it can be difficult to track what they are doing, what applications they are involved in, and what they are capable of. While any device with internet connectivity could be classified as an IoT device, the term is generally reserved for devices that are small and basic in nature. Common examples include temperature loggers, smart doorbells, internet security cameras, and the Amazon Echo. The first IoT devices were very basic and reported only trivial data, such as the current temperature or humidity. Now that the technology has improved significantly, IoT devices can carry cameras and microphones, which makes them a point of concern. But even an IoT device with no monitoring hardware can still be used to mount internet attacks such as DDoS, since many now contain significant amounts of processing power. This is why security is becoming increasingly important in IoT devices.
Because the first IoT devices produced benign data, their designers saw the devices themselves as benign and therefore not a security threat. While this may have been true of the first devices, the increasing capabilities of IoT devices now put consumers at risk. However, because the technology changed gradually and there has been no legal obligation to improve security, many products on the market lack basic security measures, giving hackers a whole industry to exploit. The DDoS capability of a single IoT device is non-existent, but if 100,000 identical devices are on the open market, all with the same exploitable flaws, then an attacker has the power of 100,000 simultaneous connections. Manufacturers have thus been slow to react, owing to a lack of legislation, rapidly changing technologies, and the ease of producing unsecured devices.
To try to prevent the further production of insecure IoT devices, the Australian government has released a code of practice that manufacturers should consider following. These practices aim to address common security flaws found in IoT devices and provide alternatives that will help to prevent the vast majority of attackers from gaining control of IoT devices.
No duplicated default or weak passwords
Implement a vulnerability disclosure policy (i.e. a point of contact for reporting bugs)
Ensure software is always updated and done securely
Credentials and sensitive information must be in secure storage
Personal data must be protected on both ends, both device and server
Minimise exposed areas (i.e. ensure that unused hardware and capabilities are disabled)
All communication must be encrypted
Onboard software should be verified on boot
Resilient to outages (i.e. unavailable services and networks)
Telemetry data should be monitored for anomalies
The ability for consumers to easily delete data
Easy installation of devices
Validate all input data
Australia is not the only country that has taken a step towards IoT security; the UK and US have also begun to introduce codes of practice of their own. The UK's code is also currently voluntary, but there are plans to put its recommendations into law to ensure that future devices meet basic security requirements. In the US, however, such decisions are made state by state, and California has been the first to introduce its own rules. The UK and California rules are less strict than those released by the Australian government, and it can be clearly seen that those outlined by the Australians leave far less room for attackers.
World governments are hesitant to force companies to follow security laws, as this can stifle market growth and push out smaller businesses. However, most of the security suggestions in the Australian code are far from unreasonable, and most can easily be implemented in software. Features such as secure boot are only possible with microcontrollers that support it, but features such as genuinely unique per-device passwords and telemetry anomaly monitoring are rather easy to implement. If IoT designers want to avoid red tape and legal requirements, they need to start taking security seriously and focus on making devices more secure.
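As an added illustration of the "telemetry data should be monitored for anomalies" practice in the list above and of the remark that it is easy to implement in software (this is example code, not from the article or from the Australian code), here is a minimal server-side monitor that compares each device's outbound connection count against its own baseline and then looks for simultaneous spikes across the fleet; the record layout, field names and threshold are assumptions:

```python
from statistics import median
from typing import Dict, List

# Constructed sample telemetry (field names and thresholds are assumptions):
# one record per device per interval, "conns" = outbound connections opened.
TELEMETRY = [
    {"device": "cam-01", "interval": i, "conns": c}
    for i, c in enumerate([4, 5, 4, 6, 5, 4, 5, 6, 4, 5, 900])
] + [
    {"device": "cam-02", "interval": i, "conns": c}
    for i, c in enumerate([3, 4, 3, 3, 5, 4, 3, 4, 4, 3, 850])
] + [
    {"device": "therm-07", "interval": i, "conns": c}
    for i, c in enumerate([1, 1, 2, 1, 1, 2, 1, 1, 1, 2, 1])
]

def robust_scores(values: List[float]) -> List[float]:
    """Deviation of each value from the series median, in multiples of the
    median absolute deviation (MAD). MAD is used instead of the standard
    deviation so that a single huge spike cannot inflate the baseline and
    hide itself."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # all-flat series: MAD=0
    return [(v - med) / mad for v in values]

def flag_device_anomalies(records: List[dict], threshold: float = 10.0) -> Dict[str, List[int]]:
    """Compare each device against its own history and return
    {device: [interval, ...]} for intervals whose outbound-connection count
    is far above that device's normal behaviour."""
    by_device: Dict[str, List[dict]] = {}
    for r in records:
        by_device.setdefault(r["device"], []).append(r)
    flagged: Dict[str, List[int]] = {}
    for dev, recs in by_device.items():
        recs.sort(key=lambda r: r["interval"])
        scores = robust_scores([r["conns"] for r in recs])
        hits = [r["interval"] for r, s in zip(recs, scores) if s > threshold]
        if hits:
            flagged[dev] = hits
    return flagged

def fleet_wide_spike(flagged: Dict[str, List[int]], min_devices: int = 2) -> List[int]:
    """Intervals in which several devices spiked at once: the signature of
    identical devices sharing one flaw being driven together."""
    counts: Dict[int, int] = {}
    for intervals in flagged.values():
        for i in intervals:
            counts[i] = counts.get(i, 0) + 1
    return sorted(i for i, n in counts.items() if n >= min_devices)
```

A real deployment would feed this from the device's periodic reports and alert on the fleet-wide result, since one device spiking may be a legitimate firmware update while many identical devices spiking together is the botnet pattern the article describes.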