Summary: Code of Practice for consumer IoT devices released by government body

All IoT device default passwords shall be unique per device and users are required to choose a password that follows best practices, read the Code of Practice for Securing Consumer Internet of Things (IoT) released by the Telecommunication Engineering Centre (TEC). The document advised that the passwords must not be resettable to any universal default value.

TEC, which falls under the Ministry of Communications, explained that the document looks to provide baseline requirements as a basis for the implementation of recommendations received from the Telecom Regulatory Authority of India, and National Digital Communication Policy, including the ETSI TS 103 645 which deals with Cyber Security for Consumer Internet of Things.

“There may be 26.4 billion IoT devices by 2026 globally. It has been projected that there would be around 11.4 billion consumer IoT devices and 13.3 billion enterprise IoT devices globally by 2025 i.e. consumer IoT devices would account for nearly 45% of all the IoT devices.” read the document.

TEC also revealed that it has been working on security by design principles and National Trust Centre (NTC) for IoT in a multi-stakeholder group and the draft document is under development. IoT is used to create smart infrastructure in various verticals such as Power Sector, Automotive, Safety & Surveillance, Remote Health Management, Agriculture, Smart Homes, and Smart Cities, etc.

Why this matters: The hacking of the devices/networks can have serious implications as they are used in daily life and would harm individuals, organisations, and countries. IoT cyberattacks more than doubled year-on-year during the first half of 2021, according to Kaspersky which found that some 1.51 billion breaches of IoT devices took place from January to June last year. Thus, it is important to ensure that IoT endpoints comply with the safety and security standards in order to protect users and networks that connect these devices.

Key takeaways from the Code of Practice

Here is a summary of all the recommendations made in the document:

Advertisement. Scroll to continue reading.

Provide regular software updates: “Software components in IoT devices should be securely updateable. Updates shall be timely and should not adversely impact the functioning of the device. An end-of-life policy shall be published for end-point devices which explicitly states the assured duration for which a device will receive software updates,” as suggested in the code. The document considered developing and deploying security updates as one of the most important actions a manufacturer could take to protect its customers and the wider IoT ecosystem.

Store security parameters like credentials securely: “Security parameters such as keys & credentials, certificates, device identity etc., should be unique per device and shall be implemented in such a way that it resists tampering by means such as physical, electrical or software,” recommended the code. The recommendations also included mechanisms provided by a Trusted Execution Environment (TEE), encrypted storage associated with the hardware, Secure Elements (SE), or Dedicated Security Components (DSC), to protect critical sectors.

• Encrypt communications in transit: “Security-sensitive data, including any remote management and control, should be encrypted in transit, appropriate to the properties of the technology and usage of the device,” the document added. These recommendations must be heeded by IoT Device Manufacturers, IoT service providers, and mobile application developers.

Implement a system to manage reports of vulnerabilities: “IoT device manufacturers, IoT service providers / System integrators and Mobile application developers should provide a dedicated public point of contact as part of a vulnerability disclosure policy for security researchers and others to report security issues,” read the document. Moreover, these vulnerabilities should be addressed in a timely fashion.

Minimise exposed attack surfaces: “Devices and services should operate on the ‘principle of least privilege’. Unused functionality should be disabled; hardware should not unnecessarily expose access (e.g. unrequired ports both network and logical should be closed),” the document said. It added that web management interfaces should only be accessible to the local network unless the device needs to be managed remotely via the Internet and only after proper authentication.

Verify software and issue alerts: “Software (including firmware) on IoT devices should be verified using secure boot mechanisms wherever applicable. If an unauthorised change is detected, the device should alert the consumer/administrator to an issue and should not connect to wider networks than those necessary to perform the alerting function.” one of the recommendations said. It is important to preserve software authenticity to avoid the usage of software provided by an unauthorised source.

Users should be able to delete user data: “Devices and services should have mechanisms such that personal data can easily be removed when there is a transfer of ownership, when the consumer wishes to delete it and/or when the consumer wishes to dispose of the device,” the document proposed. They should be provided with clear instructions on how to delete their personal data, including how to reset the device to “factory default” and delete data stored on the device and in associated services including backend/cloud accounts and mobile applications.

Should stay operational despite network outages: “Resilience should be built into IoT devices and services where required by their usage or by other relying systems. As far as reasonably possible, IoT devices should remain operating and locally functional in the case of a loss of network, without compromising security or safety,” the authors submitted. They advised that devices should recover cleanly in the case of restoration of a loss of power or connectivity. It should also be verified that the device has not been tampered with during the period of connectivity disruption.

Advertisement. Scroll to continue reading.

No universal default passwords: “Many IoT devices are being sold with universal default usernames and passwords (such as ‘admin, admin’) which are expected to be changed by the consumer. This has been the source of many security issues in IoT and the practice needs to be eliminated,” the document read. It also suggested that IoT device manufacturers should use Multi-Factor Authentication, and should not expose any unnecessary user information prior to authentication.

Examine system telemetry data: “If telemetry data is collected from IoT devices and services, such as usage and measurement data, it should be monitored for security anomalies. Constant monitoring of the device is necessary to handle operational and security issues in time,” TEC recommended. It also asked for logged data to comply with prevailing data protection regulations.

Simplify installation and maintenance of devices: “Installation and maintenance of IoT devices should employ minimal steps and should follow security best practice on usability. Consumers should also be provided with guidance on how to securely set up their device and also to check whether the device is securely set up,” TEC urged.

Validate input data: The consumer IoT device software shall validate data input via user interfaces or transferred via Application Programming Interfaces (APIs) or between networks in services and devices. Automated tools are often employed by attackers in order to exploit potential gaps and weaknesses that emerge as a result of not validating data,” TEC said.

How should personal data be dealt with under consumer IoT?

It is not difficult to deduce that consumer IoT devices will process personal data. Thus, it is expected that manufacturers provide features within consumer IoT devices that support the protection of such personal data. IoT devices and services processing personal data in India will have to comply with the Data Protection Bill, 2021. Here are some of the features recommended by the code from a strictly technical perspective:

1. The manufacturer must provide consumers with clear and transparent information about what personal data is processed, how it is being used, by whom, and for what purposes, for each device and service. This also applies to third parties that can be involved, including advertisers.
2. Where personal data is processed based on consumers’ consent, this consent shall be obtained in a valid way.
3. Consumers who gave consent for the processing of their personal data may have the option to withdraw it at any time.
4. If telemetry data is collected from consumer IoT devices and services, the processing of personal data should be kept to the minimum necessary for the intended functionality.
5. If telemetry data is collected from consumer IoT devices and services, consumers shall be provided with information on what telemetry data is collected, how it is being used, by whom, and for what purposes.

Advertisement. Scroll to continue reading.

Also read:

• How consumer IoT devices need to handle personal data, security gaps is outlined by DoT
• Why Airtel and Vi have announced IoT verticals for businesses
• US Senate passes bill setting cybersecurity standards for IoT devices

Have something to add? Post your comment and gift someone a MediaNama subscription.