Security standard for consumer IoT emerges

We’ve covered the emerging standards for IoT several times before. It’s a start, but it needs to be paired with some element of regulatory compulsion, i.e. you can’t market a device unless it meets or exceeds this standard:

[…] There are about a dozen essential cyber security provisions the standard defines for consumer IoT that developers should aim to follow. These include:

  • No universal default passwords – In any operating state other than factory default, passwords (when used) must either be user-defined or unique to the device.
  • Implement a means to manage reports of vulnerabilities – Developers must make a vulnerability disclosure policy publicly available.
  • Keep software updated – Developers should plan on providing their devices with timely security updates during their operating lifetime.
  • Securely store sensitive security parameters – Security parameters (such as passwords and encryption keys) held in persistent storage must be secure.
  • Communicate securely – Best-practice cryptography is essential and should be updatable.
  • Minimize exposed attack surfaces – This includes disabling unused network and logical interfaces, concealing debug interfaces where possible, and other such considerations.
  • Ensure software integrity – Provide secure boot operations and recognize unauthorized software changes.
  • Ensure that personal data is secure – Use cryptography on personal data and advise users of the device’s sensory capabilities.
  • Make systems resilient to outages – Accommodate loss of network connectivity and recover cleanly from loss of power.
  • Examine system telemetry data – Any telemetry data the device collects, such as usage statistics and measurements, should be examined for security anomalies.
  • Make it easy for users to delete user data – This is intended to simplify the removal of a device from operation or transfer of ownership.
  • Make installation and maintenance of devices easy – Help users set up their device for secure operation.
  • Validate input data – Ensure that the system cannot be subverted by receiving incorrectly formatted data or code.

These guidelines are only a starting point for consumer IoT security and not intended to solve all security challenges, nor will they protect against prolonged or sophisticated attacks. But they do provide a solid base capability that will protect against elementary attacks on fundamental design weaknesses, and that’s more than many current consumer devices can claim.
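Three of the provisions above are easy to get wrong in firmware: the password a device leaves the factory with, how that password is held in persistent storage, and whether the message that sets it is validated at all. The following is an added example in Python, not code from the original article or from any standard text, showing one way a device-side credential handler can satisfy "no universal default passwords", "securely store sensitive security parameters" and "validate input data" together. The `Device` class, the state names, the length limits and the list of universal defaults are illustrative assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed list of credentials that ship as factory defaults across many
# product lines. A device must never accept one of these as its post-factory
# password, whatever the user types (provision: no universal default passwords).
KNOWN_UNIVERSAL_DEFAULTS = {"admin", "password", "12345678", "admin1234"}

# scrypt work factor: memory use is 128 * N * r bytes (16 MiB here). A low-end
# device would tune N down; the point is that persistent storage holds only a
# salted digest, never the password itself (provision: securely store parameters).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MIN_PASSWORD_LEN, MAX_PASSWORD_LEN = 8, 64  # assumed policy values

FACTORY_DEFAULT = "factory_default"
OPERATIONAL = "operational"


def validate_password_input(value: object) -> str:
    """Reject malformed input before it reaches any state (provision: validate input data).

    Returns the value unchanged if acceptable; raises TypeError/ValueError otherwise.
    """
    if not isinstance(value, str):
        raise TypeError("password must be a string")
    if not MIN_PASSWORD_LEN <= len(value) <= MAX_PASSWORD_LEN:
        raise ValueError(f"password length must be {MIN_PASSWORD_LEN}-{MAX_PASSWORD_LEN} characters")
    if not value.isprintable():
        raise ValueError("password must not contain control characters")
    if value.lower() in KNOWN_UNIVERSAL_DEFAULTS:
        raise ValueError("universal default passwords are not accepted")
    return value


@dataclass(frozen=True)
class StoredCredential:
    """What persistent storage holds: a random salt and a scrypt digest, no plaintext."""
    salt: bytes
    digest: bytes


def derive_digest(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard digest of the password."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


class Device:
    """Hypothetical device credential handler with a factory-default / operational state."""

    def __init__(self) -> None:
        self.state = FACTORY_DEFAULT
        self.credential: Optional[StoredCredential] = None

    def provision(self, user_password: Optional[str] = None) -> str:
        """Leave the factory-default state.

        The password is either user-defined (validated first) or device-unique
        (drawn from the OS CSPRNG). The plaintext is returned once so the device
        can show it to the user; only the salted digest is stored.
        """
        if user_password is None:
            password = secrets.token_urlsafe(12)  # 16 URL-safe chars, different per device
        else:
            password = validate_password_input(user_password)
        salt = secrets.token_bytes(16)
        self.credential = StoredCredential(salt=salt, digest=derive_digest(password, salt))
        self.state = OPERATIONAL
        return password

    def verify(self, candidate: object) -> bool:
        """Constant-time comparison against the stored digest; always False in factory state."""
        if self.credential is None or not isinstance(candidate, str):
            return False
        attempt = derive_digest(candidate, self.credential.salt)
        return hmac.compare_digest(attempt, self.credential.digest)


if __name__ == "__main__":
    dev = Device()
    shown_once = dev.provision()            # device-unique password, shown to the user once
    print("state:", dev.state, "verify:", dev.verify(shown_once))
    try:
        Device().provision("admin")         # a universal default is refused
    except ValueError as exc:
        print("rejected:", exc)
```

The two things worth noticing are that a device in the factory-default state accepts no password at all (there is nothing to compare against), and that a universal default is rejected at the input-validation boundary rather than somewhere deeper in the state machine, so the device cannot be left running with a shared credential.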


Original article here