Code Of Practice, Securing The Internet Of Things For Consumers


Commonwealth of Australia 2020

With the exception of the Commonwealth Coat of Arms, all material presented in this publication is provided under a Creative Commons Attribution 4.0 International license at ode. This means this license only applies to material as set out in this document.

The details of the relevant license conditions are available on the Creative Commons website at https://creativecommons.org/ as is the full legal code for the CC BY 4.0 license at ode.

Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed at the Department of the Prime Minister and Cabinet wealth-coat-arms.

Contact us
Enquiries regarding the licence and any use of this document are welcome at:
Department of Home Affairs
PO Box 25
BELCONNEN ACT 2616

P - 20-02351

Introduction

The Internet of Things (IoT), which includes everyday smart devices that connect to the internet – such as smart TVs and home assistants – provides significant benefits to Australians; enhancing our convenience, comfort and efficiency. Many of these devices are developed with functionality as a priority, and security features are often absent or an afterthought. By 2030, it is estimated that there will be more than 21 billion IoT devices connected to the internet globally, with the highest estimations predicting over 64 billion devices. It is essential that these devices in our homes and businesses have cyber security provisions that defend against potential threats and malicious cyber activity.

The Code of Practice: Securing the Internet of Things for Consumers (Code of Practice) represents a first step in the Australian Government’s approach to improve the security of IoT devices in Australia. This Code of Practice is a voluntary set of measures the Australian Government recommends for industry as the minimum standard for IoT devices. The Code of Practice will also help raise awareness of security safeguards associated with IoT devices, build greater consumer confidence in IoT technology and allow Australia to reap the benefits of greater IoT adoption.

The Code of Practice was developed by the Department of Home Affairs, in partnership with the Australian Signals Directorate’s Australian Cyber Security Centre, and follows nation-wide engagement with industry and the Australian public. The Code of Practice was recognised as a necessary step to lifting the cyber security of internet-connected devices domestically.

The Code of Practice is designed for an industry audience and comprises 13 principles. The Australian Government recommends industry prioritise the top three principles because action on default passwords, vulnerability disclosure and security updates will bring the largest security benefits in the short term.

In acknowledgement of the global nature of this issue, the Code of Practice aligns with and builds upon guidance provided by the United Kingdom and is consistent with other international standards. The principles will help inform domestic and international manufacturers about the security features expected of devices available in Australia.

Ensuring the security and integrity of IoT devices will enhance the way we live and work. By improving the overall cyber security of these devices, we also deter the risks they pose to Australian families, our economy and national security.

This Code of Practice will be reviewed on a regular basis to ensure it remains fit for purpose.

Application

This Code of Practice constitutes a voluntary set of principles, and compliance with these principles is encouraged but optional. Any entity choosing to comply with the Code of Practice may do so in accordance with all or some of the principles contained in the Code of Practice. Where the Code of Practice has been partially complied with, the entity should state the specific principle that is in compliance. For example, by stating, “Our organisation has complied with principles 1, 2 and 3 of the Code of Practice: Securing the Internet of Things for Consumers”.

Principles

1. No duplicated default or weak passwords

IoT device (and associated backend/cloud account) passwords should be unique, unpredictable, complex and unfeasible to guess, and not resettable to any factory default value that is common to multiple devices. Associated web services should use Multi-Factor Authentication, not provide any unnecessary user information prior to authentication, and any password reset process should appropriately authenticate the user.

Primarily applies to Device Manufacturers.

2. Implement a vulnerability disclosure policy

IoT device manufacturers, IoT service providers and mobile application developers should provide a public point of contact as part of a vulnerability disclosure policy in order for security researchers and others to report issues. Disclosed vulnerabilities should be acted on in a timely manner. Implementing a bug bounty program encourages and rewards the cyber security community for identifying and reporting vulnerabilities, thereby facilitating the responsible and coordinated disclosure and remediation of vulnerabilities.

Primarily applies to Device Manufacturers, IoT Service Providers and Mobile Application Developers.
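A manufacturer-side check for Principle 1, added here as an illustration and not part of the Code of Practice: it audits a factory provisioning manifest for passwords shared between devices, built from the serial number or MAC address, or too short to resist guessing. The manifest layout, the sample records and the 64-bit floor are assumptions made for this example.

```python
import math
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits
MIN_BITS = 64  # assumed policy floor for this example, not a figure from the Code

def new_device_password(length=16):
    """Per-device password drawn from the OS CSPRNG at provisioning time."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def max_entropy_bits(pw):
    """Upper bound on entropy from length and the character classes used."""
    pool = sum(size for size, used in (
        (26, any(c.islower() for c in pw)),
        (26, any(c.isupper() for c in pw)),
        (10, any(c.isdigit() for c in pw)),
        (33, any(not c.isalnum() for c in pw))) if used)
    return len(pw) * math.log2(pool) if pool else 0.0

def audit_manifest(manifest):
    """Return {serial: [findings]} for records that break Principle 1."""
    counts = Counter(rec["password"] for rec in manifest)
    report = {}
    for rec in manifest:
        pw, issues = rec["password"], []
        if counts[pw] > 1:
            issues.append("shared with another device")
        # Identifiers printed on the label or visible on the network are guessable
        ids = (rec["serial"], rec["mac"].replace(":", ""))
        if any(i[-6:].lower() in pw.lower() for i in ids):
            issues.append("derived from serial/MAC")
        if max_entropy_bits(pw) < MIN_BITS:
            issues.append("too short to be unfeasible to guess")
        if issues:
            report[rec["serial"]] = issues
    return report

# Constructed sample manifest (hypothetical serials, MACs and passwords)
SAMPLE_MANIFEST = [
    {"serial": "SN1001", "mac": "00:11:22:33:44:01", "password": "admin"},
    {"serial": "SN1002", "mac": "00:11:22:33:44:02", "password": "admin"},
    {"serial": "SN1003", "mac": "00:11:22:33:44:03", "password": "Cam334403x"},
    {"serial": "SN1004", "mac": "00:11:22:33:44:04", "password": new_device_password()},
]

if __name__ == "__main__":
    for serial, issues in audit_manifest(SAMPLE_MANIFEST).items():
        print(serial, issues)
```

The entropy figure is only an upper bound: a long password can still be predictable, so the duplicate and identifier checks matter as much as the length check.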

3. Keep software securely updated

Software (including firmware) on IoT devices, including third party and open source software, as well as associated web services, should be securely updateable. Updates should be timely and not impact the device’s functionality. Updates should also not change user-configured preferences, security or privacy settings without prior approval from the user. The need for each update should be made clear to consumers, and updates should be easy to implement and applied automatically by default. The device should verify that updates are from a trusted source e.g. via use of a trusted digital signature. Updates should be distributed via secure IT infrastructure to mitigate the trusted source being compromised. For constrained devices that cannot physically be updated, the product should be isolatable and replaceable. Where possible, vendors should inform the user when their constrained device is no longer fit for purpose.

An end-of-life policy should be clear to the consumer including when they acquire the device, which explicitly states the minimum length of time for which a device will receive software updates, the reasons for this timeframe and a commitment and method to warn consumers when the product will no longer receive updates. If a user interface is available it should clearly display when a device has reached its end-of-life, inform the user of the risk of security updates no longer being available and provide suggestions for mitigating this risk.

Primarily applies to Device Manufacturers, IoT Service Providers and Mobile Application Developers.

4. Securely store credentials

Any credentials should be stored securely within devices and on services. Hard-coded credentials (e.g. usernames and passwords) should not be embedded in device software or hardware since they can be discovered via reverse engineering.

Primarily applies to Device Manufacturers, IoT Service Providers and Mobile Application Developers.

5. Ensure that personal data is protected

Where devices and/or services process personal data, they must do so in accordance with data protection law e.g. the Privacy Act 1988 and Australian Privacy Principles. Personal data should only be collected if necessary for the operation of the device, and privacy settings on a device should be set to privacy protective by default. Adequate industry-standard encryption, as articulated in the Australian Government Information Security Manual, should be applied to personal data in transit and data at rest. Consumers should be provided with clear and transparent information about what data is being used and how, by whom, and for what purposes, for each device and service. This also applies to any third parties that may be involved (including advertisers). Where personal data is processed on the basis of consumers’ consent, this should be validly and lawfully obtained from an adult, with those consumers being given the opportunity to withdraw it at any time.

Several other principles in this document are related to protecting personal data, such as installing and securely configuring devices, as well as deleting personal data.

Primarily applies to Device Manufacturers, IoT Service Providers, Mobile Application Developers and Retailers.

6. Minimise exposed attack surfaces

Devices and services should operate on the ‘principle of least privilege’. Unused functionality should be disabled; hardware should not unnecessarily expose access (e.g. unrequired ports should be closed, the web management interface should only be accessible to the local network unless the device needs to be managed remotely via the Internet); functionality should not be available if they are not used; and code should be minimised to the functionality necessary for devices and services to operate. Software should run with appropriate privileges, taking account of both security and functionality. To further reduce the number of vulnerabilities, use a secure software development process and perform penetration testing.

Primarily applies to Device Manufacturers and IoT Service Providers.

7. Ensure communication security

Data requiring confidentiality or integrity protection, or associated with remote management and control, should be encrypted in transit, appropriate to the properties of the technology and usage. All credentials and certificates should be managed securely. All remote access should be logged, with logs including the date, time and source of access at a minimum.

Primarily applies to Device Manufacturers, IoT Service Providers and Mobile Application Developers.

8. Ensure software integrity

Software (including firmware) on IoT devices should be verified using secure boot mechanisms. If an unauthorised change is detected, the device should alert the consumer/administrator to an issue and should not connect to wider networks than those necessary to perform the alerting function.

Primarily applies to Device Manufacturers.

9. Make systems resilient to outages

Resilience should be built into IoT devices and services where required by their usage or by other relying systems, taking into account the possibility of outages of data networks and power. As far as reasonably possible, IoT devices should remain operating and locally functional in the case of a loss of network, without compromising security or safety. They should recover cleanly in the case of restoration of a loss of power. Devices should be able to return to a network in a sensible state and in an orderly fashion, rather than all attempt to reconnect at the same time. Implementing redundancy and DDoS mitigation helps ensure that IoT services remain online. Architect IoT devices to continue functioning as much as possible if an associated IoT service becomes unavailable, and disclose upfront to the consumer which features will cease working in this case. IoT service providers should also update data when network connection is restored.

Primarily applies to Device Manufacturers and IoT Service Providers.

10. Monitor system telemetry data

If telemetry data is collected from IoT devices and services, such as usage and measurement data, it should be monitored for security anomalies.

Primarily applies to Device Manufacturers and IoT Service Providers.

11. Make it easy for consumers to delete personal data

Devices and services should be configured such that personal data can easily be removed when there is a transfer of ownership, when the consumer wishes to delete it and/or when the consumer wishes to dispose of the device. Consumers should be given clear instructions on how to delete their personal data, including how to reset the device to “factory default” and delete data stored on the device and in associated backend/cloud accounts and mobile applications.

Primarily applies to Device Manufacturers, IoT Service Providers and Mobile Application Developers.
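Principle 9 asks that devices return to the network in an orderly fashion rather than all reconnecting at once. The simulation below is an added example, not part of the Code of Practice: it compares a fleet that retries on a fixed exponential schedule with one that uses full-jitter backoff against a service that accepts a limited number of connections per second. The fleet size, service capacity and backoff constants are assumptions.

```python
import random
from collections import defaultdict

BASE, CAP = 4.0, 64.0   # assumed backoff floor and ceiling, in seconds

def simulate_reconnect(devices, jitter, capacity=200, seed=1):
    """Fleet regains power at t=0; the service accepts `capacity` connections
    per second and rejects the rest. Returns (peak attempts in one second,
    seconds until every device is connected)."""
    rng = random.Random(seed)   # seeded so the simulation is repeatable

    def delay(attempt):
        ceiling = min(CAP, BASE * 2 ** attempt)
        # Full jitter: anywhere in [0, ceiling]; fixed schedule: always the ceiling
        return rng.uniform(0.0, ceiling) if jitter else ceiling

    schedule = defaultdict(list)            # second -> attempt numbers due then
    for _ in range(devices):
        schedule[int(delay(0))].append(0)

    peak = second = connected = 0
    while connected < devices:
        due = schedule.pop(second, [])
        peak = max(peak, len(due))
        accepted = min(capacity, len(due))
        connected += accepted
        for attempt in due[accepted:]:      # rejected devices back off and retry
            schedule[second + 1 + int(delay(attempt + 1))].append(attempt + 1)
        second += 1
    return peak, second

if __name__ == "__main__":
    for mode in (False, True):
        peak, seconds = simulate_reconnect(10_000, jitter=mode)
        print(f"jitter={mode}: peak {peak} attempts/s, all connected after {seconds}s")
```

On a real device the jitter source must differ per device (for example, seeded from hardware entropy at boot); a constant seed shared across the fleet would put every device back on the same schedule.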

12. Make installation and maintenance of devices easy

Installation and maintenance of IoT devices should employ minimal steps and follow Australian Government best practice on security [1] and usability [2]. Consumers should also be provided with clear and straightforward guidance on how to securely set up their device and maintain it through its lifecycle. Accessibility options on a device should be enabled by default.

Primarily applies to Device Manufacturers, IoT Services Providers and Mobile Application Developers.

13. Validate input data

Data received via user interfaces, application programming interfaces (APIs) and network interfaces should be validated. Ensure data input is authorised and conforms to expectations.

Primarily applies to Device Manufacturers, IoT Service Providers and Mobile Application Developers.

[1] Australian Signals Directorate’s ‘How to implement the Code of Practice: Securing the Internet of Things for Consumers’.
[2] Digital Transformation Agency’s ‘Accessibility and Inclusivity Guide’.

Definitions

Consumer IoT: Consumers may take many forms. Governments, businesses and individuals may all be consumers of IoT devices. This Code of Practice particularly focuses on consumer grade, internet-connected devices and associated applications (e.g. wearable devices, and home appliances such as “smart” televisions and refrigerators). This group of devices does not include mobile phones – as they are considered sophisticated devices and other guidance may more accurately apply.

Mobile Application Developers: Entities that develop and provide applications that run on mobile devices. These are often offered as a way of interacting with devices as part of an IoT solution.

Retailers: The sellers of internet-connected products and associated services to consumers.

Device Manufacturer: The entity that creates an assembled final internet-connected product. A final product may contain the products of many different manufacturers.

IoT Service Providers: Companies that provide services such as networks, cloud storage and data transfer which are packaged as part of IoT solutions. Internet-connected devices may be offered as part of the service.
