Consumer Internet of Things (IoT) devices should not have universal default passwords, and users should find it easy to delete on-device data, a working group under the Department of Telecommunications (DoT) has recommended in a new code of practice for securing IoT devices announced on October 12.
The DoT had recommended in 2017 that IoT devices adopt ‘security by design’ and that such devices be certified by a National Trust Center created especially for certification. The code of practice outlines the requirements for manufacturers to implement these recommendations.
What are the security guidelines outlined in the Code?
The code outlines 13 guidelines that manufacturers of IoT devices should follow to implement security by design:
- Default Passwords: All default passwords on IoT devices should be unique per device, and devices should require users to choose a secure password.
- Vulnerability reports: Manufacturers and app developers need to provide a public point of contact for customers to disclose vulnerabilities.
- Software updates: Updates should not adversely impact device functioning. An end-of-life policy should be published outlining the assured duration for which the device will receive software updates. Devices with a UI should inform users about the risk of no longer receiving updates.
- Data security: Sensitive security data stored on the device must be able to resist physical, electrical or software tampering. Sensitive data, including personal data, should also be encrypted in transit.
- Minimising exposure: Unused functions should be disabled, and web management interfaces should only be available on the local network. Remote access must require proper authentication.
- Resilience to Outages: “As far as reasonably possible, IoT devices should remain operating and locally functional in the case of a loss of network, without compromising security or safety,” the code says.
- Deleting user data: Consumers should be able to easily delete personal data, and be given clear instructions on how to factory reset the device.
- Monitoring for anomalies: Software should be verified using secure boot mechanisms, and consumers alerted in case any unauthorised change is detected. Telemetry data collected should also be monitored for security anomalies.
- Validating Input Data: IoT device software must validate data input since systems can be subverted by malicious code to exploit security gaps, the guidelines mention.
How consumer IoT devices need to handle personal data
Aside from the guidelines, the code of practice also outlines the practices IoT device manufacturers need to follow while handling personal data:
- Information: Manufacturers need to provide consumers with clear information about what personal data is processed, how it is used, by whom, and for what purposes.
- Consent: Collection of consent needs to be free, obvious, and explicit. Customers must also be able to withdraw consent for processing personal data. Notably, the code does not mandate that IoT devices seek consent before processing personal data.
How big will Internet of Things be in India?
Across the world, IoT devices are gaining popularity amongst consumers. That is why the governments of countries like Singapore and the United States are rushing to formulate security guidelines to ensure the protection of consumers. Here are some estimates of how big IoT will be in India:
- 3 billion devices in India by 2022: The Department of Telecommunications report expects that “3 billion connected devices may exist in India by 2022.” Globally, it is anticipated that 11.4 billion consumer IoT devices will be operating by 2025.
- Rs. 10,000 crore market: Cellular-based IoT is estimated to be a ₹10,000 crore market by next year, Airtel said in a press release earlier this year. Both Vi and Airtel have recently announced business-oriented IoT solutions.
Figuring out subscriptions and growth at MediaNama. Email: nishant@medianama.com
