Government pushes for IoT manufacturers to ditch dodgy password practices

Unveils draft IoT security code

The government has released a draft voluntary code of practice that is intended to help address the parlous state of security among Internet of Things (IoT) devices.

The 13-point draft code outlines recommended security measures for device manufacturers, service providers and mobile application developers. The code was developed by the Australian Cyber Security Centre (ACSC) and is largely derived from the UK Code of Practice for Consumer IoT Security.

“This Code of Practice is a voluntary suite of measures that the Australian Government recommends for industry as the standard for IoT devices,” the draft code states. “The Code of Practice will also help raise awareness of security safeguards associated with IoT devices, build greater consumer confidence in IoT technology and allow Australia to reap the benefits of greater IoT adoption.”

The draft code states that its first three principles are the “highest priority to achieve the greatest security benefit”. Those principles are: no duplicated default or weak passwords, implement a vulnerability disclosure policy, and keep software updated.

“We’re releasing the Code of Practice for public consultation because we want to ensure that the expectations of all Australians are met regarding cyber security,” said Home Affairs minister Peter Dutton.

In addition to exposing private data, poorly secured IoT devices have been employed by botnets, notably Mirai.

“Along with our Five Eyes partners we share the expectation that manufacturers should develop connected devices with security built in by design,” Dutton said.

A public consultation on the draft is open until 1 March.

Australia, along with the other Five Eyes nations (the US, UK, Canada and New Zealand), signed a statement of intent on IoT security in July 2019. That statement said the governments would collaborate with industry and standards bodies “to provide better protection to users by advocating that devices should be secured by design.”

It also committed them to seeking out “opportunities to enhance trust and raise awareness of security safeguards associated with IoT devices in our respective nations”, including through engaging with industry partners and like-minded nations, and sharing information that could have implications for IoT security.

The Australian government is in the process of updating its national cyber security strategy.