The Australian Government has released its final voluntary ‘Code of Practice – Securing the Internet of Things for Consumers’ (Code). The Code, which follows a draft code released for public and industry consultation in November 2019 (Draft Code), is aimed at assisting manufacturers, service providers, mobile application developers and retailers to strengthen the security and integrity of Internet of Things (IoT) devices.
The Code was jointly developed by the Department of Home Affairs, the Australian Signals Directorate and the Australian Cyber Security Centre - who has issued complementary guidance for consumers and manufacturers.
Why the need for a Code?
IoT devices are internet connected devices which facilitate the transfer of data without the need for human interaction, such as health and fitness-based wearables, smart speakers and home automation products. The proliferation of networked technology, the rapidly expanding market for consumer connected devices and the development of applications to productively manage the capture and transfer of data from individuals via these devices has led to the increased exposure of Australians to cyber risks, including data theft and misuse. The Code, which consists of a principles-based framework, is aimed at facilitating industry best practice for the security and integrity of devices and increasing consumer confidence in IoT products.
A principles-based Code
The Code provides a voluntary framework of 13 principles. The principles are categorised into two tiers of importance, reflecting the Government’s recommended prioritisation of the first three principles of the Code (the ‘first tier’), namely:
- No duplicated default or weak passwords
- Implement a vulnerability disclosure policy
- Keep software securely updated
Principles 4 to 13 (the ‘second tier’) concern security, design and monitoring matters directed toward manufacturers and developers, as well as a number of principles aimed at empowering consumers, including:
- (Manufacturers, developers and service providers) the secure storage of credentials, the collection and processing of data in compliance with Australian privacy law, the minimisation of functionality (“surfaces”) that are liable to attack, appropriate encryption and monitoring and the resilience of systems to outages of power or data networks; and
- (Consumers) improving the ability of consumers to install and maintain IoT devices, their ability to delete their personal information from those devices as well as increased transparency in the communication of issues with consumers, e.g. end-of-life policies which detail when a device will no longer be supported by software updates.
Changes from the Draft Code
The Code largely mirrors the Draft Code, with some amendments reflecting submissions received by the Department of Home Affairs during the consultation period. These include:
- Principle 1 – No duplicated default or weak passwords: the Code recommends that web services associated with IoT devices make use of multi-factor authentication and appropriate identity verification for password recovery. This is in addition to the recommendation which existed in the Draft Code that IoT devices themselves and associated back-end accounts require unique and complex passwords.
- Principle 3 – Keep software securely updated: the Code recommends that the user interface of an IoT device clearly display when a device has reached its end-of-life, as well as information relating to the accompanying risks of that obsolescence. This is in addition to the recommendation which existed in the Draft Code that a device’s end-of-life policy be made clear to a consumer at the time of purchase, that devices are capable of being securely updated and that software updates not change user-configured security of privacy preferences.
- Principle 5 – Ensure that personal information is protected: the Code builds on the recommendation under Principle 5 of the Draft Code (that data processing undertaken by a device should comply with Australian privacy law), qualifying that personal information should only be collected by an IoT device where necessary for its operation. In addition, the Code recommends that the settings of a device be ‘privacy protective’ by default and stipulates that consent to process personal information be lawfully obtained from an adult.
- Principle 7 – Ensure communication security: the Code recommends that the date, time and source of all remote access to an IoT device be logged. This is in addition to the recommendation in the Draft Code that confidential information, or information requiring integrity protection, be encrypted in transit with credentials and certificates being managed securely.
- Principle 12 – Make installation and maintenance of devices easy: the Code recommends that accessibility options on a device be enabled by default. Principle 12 of the Code otherwise recommends that installation and maintenance on IoT devices follow the Australian Government best practice on security and usability.
The Code may be insufficient given rising international standards
While the Code is an important first step in increasing IoT device and data security, it remains unclear whether a voluntary code will be sufficient to ‘move the needle’ for security and privacy in a rapidly expanding and diversifying consumer market for IoT devices. The advent of 5G technology presents a further challenge as 5G allows significant increases in the speed and volume of data transfers facilitated by IoT devices.
It is notable that two years following the introduction of a comparable voluntary ‘Code of Practice for Consumer IoT Security’, the United Kingdom Government has signalled a move toward mandating security in consumer smart products. This position aligns with the approach of Californian legislators who passed America’s first IoT security law, SB 327, in 2018 which took effect on 1 January 2020. Given Australia’s Code represents an effort to deliver on a commitment to enhancing IoT security amongst its Five Eye partners, including the US and UK, the Code may already be obsolete relative to the standards of Australia’s intelligence partners.
While consumer expectations of data privacy and security of smart devices may provide an adequate incentive for developers, manufacturers and service providers to adopt the Code, Australia’s need to keep step with our international security and intelligence partners may result in the bar for compliance being raised beyond the voluntary nature of the Code sooner rather than later.