Draft Code of Practice: securing the Internet of Things for consumers

By Alexandra Wedutenko, Mathew Baldwin
28 Nov 2019
Although expressed as a voluntary code, it's also possible that regulators such as the ACCC could rely on the international norms reflected in the finalised Internet of Things Code to argue that industry compliance is required.

The Australian Government Department of Home Affairs has released a draft code of practice, setting out best practice guidance to secure consumer Internet of Things (IoT) devices (the draft IoT Code). The draft IoT Code:

  • provides voluntary guidance for businesses on securing consumer IoT devices; and
  • reflects developing international expectations for industry, aligning with the equivalent guidance provided by the UK Government and ETSI (the relevant European Standards Organisation).

While expressed as voluntary, aspects of the draft IoT Code may also reflect legal obligations under Australian consumer law.

IoT generally refers to devices that connect to and send and receive data over the internet such as wearable technologies and smart appliances like televisions and refrigerators. The number of these devices is growing rapidly, with the Australian Government reporting an estimate of 64 billion devices to be connected globally by 2025, bringing with them additional risks for the cyber security of consumers.

The draft IoT Code has been released for comment by the Australian Government Department of Home Affairs until 1 March 2020, with the intention of providing voluntary guidance to industry on the basic cyber security features that are expected to be incorporated into consumer IoT devices.

The draft IoT Code is made up of 13 principles. These are targeted (as applicable) at device manufacturers, IoT service providers, mobile application developers and retailers. A key feature of the 13 principles is that they align very closely with the 13 principles set out in the UK Government's Code of Practice for Consumer IoT Security and also the relevant technical specification from ETSI, a European Standards Organisation.

The draft IoT Code identifies that the following three principles have the highest priority to achieve the greatest security benefit:

1. No duplicated default or weak passwords
This has been an area of criticism for device manufacturers for some time, with clear recommendations in the draft IoT Code to avoid factory default passwords that are common to multiple devices or are predictable. A key risk of such default passwords is that often consumers do not change them when setting up the device (and may not even know how to), or the passwords can be easily reset to the default. This exposes the device and other devices on the network to potential cyber attack.

2. Implement a vulnerability disclosure policy
The ability to report vulnerabilities is key in preventing cyber attacks as often researchers or third parties who purchase the devices will discover a potential vulnerability and there should be clear processes in place for them to be reported and actioned. The approach to implementing this recommendation will vary depending on circumstances and needs to be considered by manufacturers, service providers and mobile application developers.

3. Keep software securely updated
This follows on from the principle to establish vulnerability disclosure policy, also ensuring that the software (including firmware) on IoT devices (including that provided by third parties) is updated to remain secure. The updates should be timely and not impact functionality. This will usually require the user to agree to the update, but it should be a process that is easy to understand and implement. A key recommendation is to inform users about end of life constraints and when devices are no longer fit for their purpose.

The remaining principles in the draft IoT Code are:

4. Securely store credentials and security sensitive data where they are stored within devices.

5. Ensure that personal data is protected. This principle notes that adequate industry-standard encryption is set out in the Australian Government Information Security Manual, and should be applied to personal data both in transit and at rest.

6. Minimise exposed attack surfaces. This includes minimising functionality not used in the device that could be exploited, and also encourages secure software development processes and penetration testing.

7. Ensure communications security, including encryption in transit of security sensitive data.

8. Ensure software integrity, verifying for unauthorised changes.

9. Make systems resilient to outages, for example of data networks and power, without compromising security or safety.

10. Monitor system telemetry data for anomalies.

11. Make it easy for consumers to delete personal date, for example if the device is on-sold.

12. Make installation and maintenance of devices easy with clear and straightforward guidance.

13. Validated input data to ensure it is authorised and conforms to expectations.

Although the principles have been released as a draft, it is likely that the final version will seek to maintain a high degree of alignment with the similar principles internationally. One area where the principles reflect Australian-specific requirements is in the reference to the Australian Privacy Act. While this is a departure, it's likely that devices designed for compliance with the European Union General Data Protection Regulation will also include sufficient protections to comply with Australian laws.

Although expressed as a voluntary code, it's also possible that regulators such as the Australian Competition and Consumer Commission could rely on the international norms reflected in the IoT Code to argue that industry compliance with aspects of the IoT Code is required under Australian consumer protection laws. This is particularly the case where the IoT Code could be regarded as implementing reasonable or expected security practices to protect consumers.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.