We’ve covered the emerging standards for IoT several times before. It’s a start, but it needs to be teamed with some element of regulatory compulsion, i.e. you can’t market a device unless it meets or exceeds this standard:
[…] There are about a dozen essential cyber security provisions the standard defines for consumer IoT that developers should aim to follow. These include:
- No universal default passwords – In any operating state other than factory default, passwords (when used) must either be user-defined or unique to the device.
- Implement a means to manage reports of vulnerabilities – Developers must make a vulnerability disclosure policy publicly available.
- Keep software updated – Developers should plan on providing their devices with timely security updates during their operating lifetime.
- Securely store sensitive security parameters – Security parameters (such as passwords and encryption keys) held in persistent storage must be secure.
- Communicate securely – Best-practice cryptography is essential and should be updatable.
- Minimize exposed attack surfaces – This includes disabling unused network and logical interfaces, concealing debug interfaces where possible, and other such considerations.
- Ensure software integrity – Provide secure boot operations and recognize unauthorized software changes.
- Ensure that personal data is secure – Use cryptography on personal data and advise users of the device’s sensory capabilities.
- Make systems resilient to outages – Accommodate loss of network connectivity and recover cleanly from loss of power.
- Examine system telemetry data – Any telemetry data the device collects, such as usage statistics and measurements, should be examined for security anomalies.
- Make it easy for users to delete user data – This is intended to simplify the removal of a device from operation or transfer of ownership.
- Make installation and maintenance of devices easy – Help users set up their device for secure operation.
- Validate input data – Ensure that the system cannot be subverted by receiving incorrectly formatted data or code.
These guidelines are only a starting point for consumer IoT security and not intended to solve all security challenges, nor will they protect against prolonged or sophisticated attacks. But they do provide a solid base capability that will protect against elementary attacks on fundamental design weaknesses, and that’s more than many current consumer devices can claim.
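Several of the provisions quoted above are things a manufacturer can actually check against its own provisioning data before units ship: no universal default password outside the factory-default state, no password shared between units, security parameters protected at rest, and debug or unused interfaces closed. The script below is an added illustration of such a pre-shipment lint and is not code from the standard or from the quoted article. The record layout, the tiny denylist of universal defaults, the set of interfaces that must be closed, and the sample fleet are all constructed for this example; a real check would run against hashed credentials and the vendor's own default list rather than the plaintext values used here for readability.

```python
"""Fleet-level compliance lint for a few consumer-IoT provisions (constructed example)."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed denylist: a real deployment maintains its own list of vendor defaults.
UNIVERSAL_DEFAULTS = {"admin", "password", "12345678", "default"}

# Assumed set of interfaces that must be disabled on a shipping unit.
MUST_BE_CLOSED = {"telnet", "uart-debug", "jtag"}


@dataclass
class DeviceRecord:
    """One row of provisioning data (constructed schema, plaintext only for illustration)."""
    serial: str
    state: str                        # "factory_default" or "provisioned"
    password: str
    secrets_encrypted_at_rest: bool   # are keys/passwords protected in persistent storage?
    open_interfaces: list = field(default_factory=list)


def check_device(dev: DeviceRecord) -> list:
    """Return the provisions a single device violates, in a fixed order."""
    findings = []
    # "No universal default passwords": only the factory-default state may carry one.
    if dev.state != "factory_default" and dev.password in UNIVERSAL_DEFAULTS:
        findings.append("universal default password in non-factory state")
    # "Securely store sensitive security parameters".
    if not dev.secrets_encrypted_at_rest:
        findings.append("security parameters stored unprotected")
    # "Minimize exposed attack surfaces": flag any must-be-closed interface left open.
    exposed = MUST_BE_CLOSED & set(dev.open_interfaces)
    if exposed:
        findings.append("exposed interfaces: " + ", ".join(sorted(exposed)))
    return findings


def check_fleet(devices: list) -> dict:
    """Per-device findings plus the cross-device check that passwords are unique per unit."""
    report = {d.serial: check_device(d) for d in devices}
    provisioned = [d for d in devices if d.state != "factory_default"]
    counts = Counter(d.password for d in provisioned)
    for d in provisioned:
        if counts[d.password] > 1:
            report[d.serial].append("password shared with another device")
    return report


def noncompliant(report: dict) -> list:
    """Serials that have at least one finding, sorted for stable output."""
    return sorted(serial for serial, findings in report.items() if findings)


# Constructed sample fleet covering the pass and fail cases.
SAMPLE_FLEET = [
    DeviceRecord("SN-0001", "provisioned", "correct-horse-battery", True, ["https"]),
    DeviceRecord("SN-0002", "provisioned", "admin", False, ["telnet", "https"]),
    DeviceRecord("SN-0003", "factory_default", "admin", True, []),          # allowed: still in factory state
    DeviceRecord("SN-0004", "provisioned", "7f3a-unit-key", True, ["uart-debug", "https"]),
    DeviceRecord("SN-0005", "provisioned", "7f3a-unit-key", True, []),      # same password as SN-0004
]

if __name__ == "__main__":
    result = check_fleet(SAMPLE_FLEET)
    for serial in noncompliant(result):
        print(serial, "->", "; ".join(result[serial]))
```

The per-device checks are kept separate from the fleet-wide uniqueness check so that the same `check_device` function can run on a single unit at end-of-line test, while `check_fleet` needs the whole batch to spot a password reused across units.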