Context: Recently, Telecommunication Engineering Centre (TEC), Ministry of Communications, has released a report “Code of Practice for Securing Consumer Internet of Things (IoT)”.

Key highlights
No universal default passwords

• All IoT device default passwords shall be unique per device.
• The passwords must not be resettable to any universal default value.

Manage reports of vulnerabilities

• IoT device manufacturers, IoT service providers/ System integrators and Mobile application developers should provide a dedicated public point of contact as part of a vulnerability disclosure policy for security researchers and others to report security issues.

Keep software updated

• Software components in IoT devices should be securely updateable.
• Updates shall be timely and should not adversely impact the functioning of the device.
• For constrained devices that cannot physically be updated, the product should be isolatable and replaceable.

Securely store sensitive security parameters

• IoT devices may need to store security parameters such as keys & credentials, certificates, device identity etc. which are critical for the secure operation of the device.
• Credentials (e.g. user names, passwords) should not be hard-coded in the source code as they can be discovered via reverse engineering.

Communicate securely

• Security-sensitive data, including any remote management and control, should be encrypted in transit, appropriate to the properties of the technology.

Ensure software integrity

• Software (including firmware) on IoT devices should be verified using secure boot mechanisms wherever applicable.

Ensure that personal data is secure

• If the device collects or transmits personal data, such data should be securely stored.
• The confidentiality of personal data transiting between a device and a service, especially associated services, should be protected, with best practice cryptography.

Make systems resilient to outages

• Resilience should be built into IoT devices and services where required by their usage or by other relying systems.
• IoT devices should remain operating and locally functional in the case of a loss of network, without compromising security or safety.

Examine system telemetry data

• If telemetry data is collected from IoT devices and services, such as usage and measurement data, it should be monitored for security anomalies.

Make it easy for users to delete user data

• Devices and services should have mechanisms such that personal data can easily be removed when there is a transfer of ownership, when the consumer wishes to delete it.
• A ‘factory reset’ function must fully remove all user data/credentials stored on a device.

Make installation and maintenance of devices easy

• Installation and maintenance of IoT devices should employ minimal steps and should follow security best practice on usability.
• Consumers should also be provided with guidance on how to securely set up their device and also to check whether the device is securely set up.

Validate input data

• The consumer IoT device software shall validate data input via user interfaces or transferred via Application Programming Interfaces (APIs) or between networks in services and devices.

Need for such guidelines

• In view of the anticipated growth of IoT devices, it is important to ensure that the IoT end points comply to the safety and security standards to protect the users and the networks that connect these IoT devices.
• IoT devices, services & software are at risk of attack by a variety of malicious parties, from novice hackers to professional criminals and even state actors.
• The hacking of the devices/networks being used in daily life would harm companies, organisations, nations and more importantly people, therefore securing the IoT eco-system end-to-end is impotant.
• The privacy of the data of the individuals is another very important thing that should be protected.

Internet of Things (IoT)

• The Internet of Things (IoT) describes the network of physical objects “things” that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.
• These devices range from ordinary household objects to sophisticated industrial tools.
• Key Applications: Smart home; Elder care; Health; Transportation; Communication; Agriculture and Manufacturing etc.