Ditch those default passwords

Experts have reacted positively to the publication of a globally applicable standard for consumer Internet of Things (IoT) security by ETSI.

The group’s Technical Committee on Cybersecurity said that the standard (TS 103 645) provides a security baseline for internet-connected consumer products, as well as the basis for future IoT certification schemes.

There have been numerous cases where poorly secured IoT products have threatened consumers’ privacy.

Insecure devices such as personal video recorders and routers have repeatedly been exploited to launch large-scale Distributed Denial of Service (DDoS) attacks, most notably by the Mirai botnet.

TS 103 645 (PDF) requires vendors to avoid using universal default passwords, the source of many security issues.

As many IoT devices and services process and store personal data, this specification can help ensure compliance with the General Data Protection Regulation (GDPR). It also requires implementation of a vulnerability disclosure policy to allow security researchers and others to report bugs.

Ken Munro, an IoT security expert and partner at Pen Test Partners, welcomed the standard as a “great step in the right direction”.

“Nice, simple advice that IoT vendors can’t argue with,” Munro told The Daily Swig. “No excuses left for not getting security right. Regulation next, please.”

IoT products covered by the scheme include connected children’s toys and baby monitors; IoT-enabled smoke detectors and door locks; smart cameras; TVs and speakers; wearable health trackers; connected home automation and alarm systems; connected appliances, such as washing machines and fridges; and smart home assistants.

David Rogers, chief executive of IoT security consultancy and training firm Copper Horse and lecturer in software engineering at the University of Oxford, explained that the “work builds on the UK Code of Practice for IoT Security and has had input from experts around the world”.

Rogers worked with other experts in helping to develop the ETSI standard.

“Whilst we still see this as a high level specification, we’ve also tried to further pin down what we’re trying to say, all whilst trying to ensure that we avoid unintended consequences and companies deliberately trying to avoid putting security into their products via loopholes,” Rogers said, adding that future work could incorporate a Code of Practice on issues such as “coercive or controlling behavior which can be compounded by IoT in the home”.

In response to questions from The Daily Swig, Rogers explained how the standard might be taken forward.

“Expectation is industry take the lead with self-certification initially, but the ambition is that key aspects will be enforceable by regulation,” he explained. “In the UK, a public consultation will take place in spring this year. Future standardization also being considered.”