Industry, hackers, and consumers for a global baseline for consumer IoT security

We have joined forces with Consumers International, I Am The Cavalry and the Cybersecurity Tech Accord on a joint Statement through the World Economic Forum’s Council on the Connected World to establish a global consensus on 5 consumer IoT security provisions.

This global consensus is forming around key capabilities that can begin setting a clear baseline for consumer IoT security:

  1. No universal default passwords
  2. Implement a vulnerability disclosure policy
  3. Keep software updated
  4. Secure communications
  5. Ensuring that personal data is secure

Taken together, these five device capabilities are found in over 100 standards, specifications and guidelines across the world and establish a minimum level of security which should form the basis of all consumer IoT cyber security standards, specifications and guidelines.

What do these guidelines cover?

Let’s dig into these security best practices, which can be addressed directly in the source code and design of an IoT product:

No universal default passwords

It sounds obvious, but much more is needed to put it in place. Default passwords should ideally be derived from the device itself or injected into the device. A sound approach is to generate each password with a hash-based diversification algorithm (for example one built on SHA-256) so that the result is unique to the device; note that a serial number on its own does not carry enough entropy to be the sole input, so the derivation must mix in a secret that an attacker cannot enumerate.
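As an added example (not code from the original post or from any of the organisations named above), the following Python derives a per-device default password by diversifying a secret master key with HMAC-SHA-256 over the device serial number. The master key, product identifier and serial numbers are constructed placeholders; in a real factory flow the master key stays in the provisioning HSM and only the derived password is injected into each unit. The two entropy helpers show why hashing the serial alone is not enough: the guessing space is the number of serials, not the size of the hash.

```python
import hashlib
import hmac
import math

# Unambiguous alphabet (no 0/O, 1/l/I) so the password printed on the device label is readable.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"  # 56 symbols
PASSWORD_LENGTH = 16

# Constructed placeholder master key (NOT a real key). In production it never leaves the HSM.
MASTER_KEY = bytes.fromhex("5f" * 32)
PRODUCT_ID = "example-camera-v2"  # hypothetical product identifier used for domain separation


def derive_device_password(master_key: bytes, serial: str, product_id: str = PRODUCT_ID) -> str:
    """Diversify one master key into a unique per-device default password using HMAC-SHA-256."""
    if len(master_key) < 32:
        raise ValueError("master key must be at least 256 bits")
    # Domain separation: the same serial on two product lines must not yield the same password.
    message = f"default-password|{product_id}|{serial}".encode()
    digest = hmac.new(master_key, message, hashlib.sha256).digest()
    # Turn the 256-bit digest into PASSWORD_LENGTH symbols by repeated division. Sixteen symbols
    # from a 56-symbol alphabet hold ~93 bits, far less than 256, so the mapping is unbiased.
    value = int.from_bytes(digest, "big")
    chars = []
    for _ in range(PASSWORD_LENGTH):
        value, idx = divmod(value, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


def password_entropy_bits(length: int = PASSWORD_LENGTH, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly derived password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def serial_only_entropy_bits(units_produced: int) -> float:
    """Effective entropy if the password were hash(serial) with no secret: log2 of the serial space."""
    return math.log2(units_produced)


if __name__ == "__main__":
    for serial in ("SN000001", "SN000002"):
        print(serial, derive_device_password(MASTER_KEY, serial))
    print(f"derived password: {password_entropy_bits():.1f} bits")
    print(f"hash(serial) for 1M units: {serial_only_entropy_bits(1_000_000):.1f} bits")
```

The product identifier in the HMAC input is what keeps a single master key safe to reuse across product lines; the serial alone, even when hashed, leaves roughly log2(units produced) bits of guessing work.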

Implement a vulnerability disclosure policy

In short, this ties into a corporate disclosure policy, with a responsible executive who owns customer liaison activities and the communication of vulnerabilities.

Keep software updated

As the volume of IoT devices used in organizations increases, keeping them updated becomes a challenge. Teams that develop a strategy for IoT software updates early in their deployment will be in a far more manageable position than those that don't. Updates shall be timely and should not impact the functioning of the device. The update policy needs to enforce an anti-rollback mechanism so that older, vulnerable versions cannot be reinstalled and become an attack vector.

Software update practices also cover the end-of-life policy, so that updates are provided and pushed to devices for a specified support period.
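The update-acceptance logic described in the two paragraphs above, as an added Python example that is not part of the original post: a device compares a signed update manifest against what is installed and rejects rollbacks via a monotonic security version that is independent of the user-visible version. The vendor key, manifest format and firmware images are constructed; HMAC stands in for the asymmetric signature a real bootloader would verify, and `support_days_remaining` is a hypothetical helper for surfacing the end-of-life date.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

# Constructed placeholder vendor key (NOT a real key). A real product ships a public key in the
# bootloader and verifies an asymmetric signature; HMAC is used here so the example runs offline.
VENDOR_KEY = bytes.fromhex("a1" * 32)


@dataclass(frozen=True)
class Manifest:
    version: tuple          # (major, minor, patch), the user-visible release number
    security_version: int   # monotonic anti-rollback counter, bumped for every security fix
    image_sha256: str       # hash of the firmware image this manifest describes
    tag: str                # authenticator over the three fields above


def _manifest_bytes(version, security_version, image_sha256) -> bytes:
    return f"{version[0]}.{version[1]}.{version[2]}|{security_version}|{image_sha256}".encode()


def sign_manifest(key: bytes, version: tuple, security_version: int, image: bytes) -> Manifest:
    """Vendor side: produce an authenticated manifest for a firmware image."""
    image_sha256 = hashlib.sha256(image).hexdigest()
    tag = hmac.new(key, _manifest_bytes(version, security_version, image_sha256), hashlib.sha256).hexdigest()
    return Manifest(version, security_version, image_sha256, tag)


def evaluate_update(key: bytes, installed: Manifest, candidate: Manifest, image: bytes):
    """Device side: decide whether `image` described by `candidate` may replace `installed`.

    Returns (accepted, reason). Authentication comes first so nothing else is trusted
    before the manifest is known to be genuine.
    """
    expected = hmac.new(
        key,
        _manifest_bytes(candidate.version, candidate.security_version, candidate.image_sha256),
        hashlib.sha256,
    ).hexdigest()
    if not hmac.compare_digest(expected, candidate.tag):
        return False, "manifest authentication failed"
    if hashlib.sha256(image).hexdigest() != candidate.image_sha256:
        return False, "image does not match manifest"
    # Anti-rollback: the security counter may never go backwards, even if the release number is higher.
    if candidate.security_version < installed.security_version:
        return False, "anti-rollback: security version lower than installed"
    if candidate.version <= installed.version:
        return False, "not an upgrade: version is not newer than installed"
    return True, "update accepted"


def support_days_remaining(support_end: date, today: date) -> int:
    """Days left in the published update period; negative means the device is past end-of-life."""
    return (support_end - today).days


if __name__ == "__main__":
    installed = sign_manifest(VENDOR_KEY, (1, 2, 0), 3, b"firmware-1.2.0 (constructed)")
    rollback = sign_manifest(VENDOR_KEY, (1, 1, 0), 2, b"firmware-1.1.0 (constructed)")
    print(evaluate_update(VENDOR_KEY, installed, rollback, b"firmware-1.1.0 (constructed)"))
```

Keeping the security counter separate from the release number matters: a signed but vulnerable build with a higher version number and a lower counter is still refused, which is the case a pure version comparison misses.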

Secure communications

IoT devices should communicate securely using Transport Layer Security (TLS) or Lightweight Cryptography (LWC), and always use the latest versions. In practice this means that security-sensitive data is encrypted in transit and that the keys involved are managed securely.
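To make the TLS requirement concrete, here is an added Python example (not from the original post) that builds the kind of client context a device's cloud connector would use, places it next to the weak configuration still common in firmware, and audits a context for the settings that matter: certificate verification, hostname checking and a minimum protocol version. The CA file path is a caller-supplied assumption; the audit helper is hypothetical and only inspects attributes of Python's `ssl.SSLContext`.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """Anti-pattern shown for contrast: accepts any certificate from anyone (trivial to intercept)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_file: str = None,
                            minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Verify the server, pin trust to the vendor CA when one is supplied, refuse legacy protocols."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED and check_hostname on by default
    ctx.minimum_version = minimum                   # pass TLSv1_3 where the device stack supports it
    ctx.options |= ssl.OP_NO_COMPRESSION            # compression leaks plaintext structure (CRIME-class issues)
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # vendor CA only: a device has no business trusting 100+ public CAs
    else:
        ctx.load_default_certs()
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context meets the baseline."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    return findings


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

When the device only ever talks to the vendor's own endpoints, pinning to the vendor CA (the `ca_file` branch) is the setting that removes most of the trust-store attack surface; the minimum version is what keeps a deployed fleet from quietly negotiating down to protocols the text says to leave behind.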

Ensuring that personal data is secure

Any credential should be stored securely, both within services and on devices. Hardcoded credentials in device software, such as passwords and bank account information, are not acceptable. The MCU’s device-specific security features and memory management should always be fully enabled to protect security-sensitive data. How personal data must be managed and protected may vary slightly from region to region depending on local standards and data protection laws. That said, this guideline is very important, and companies need to be transparent and allow consumers to withdraw their information at any time.
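Two sides of the "store credentials securely, never hardcode them" point, as an added Python example that is not from the original post: a salted, slow hash for a credential that a device or service must be able to check (PBKDF2-HMAC-SHA256 with a constant-time comparison), and a small scanner that flags string literals assigned to credential-looking names, the kind of check a build pipeline can run before firmware ships. The iteration count is a server-side figure and a parameter, the regex is a hypothetical heuristic, and the firmware snippet it runs over is constructed for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Server-side cost; a constrained MCU with a hardware hash engine uses whatever budget it can afford.
PBKDF2_ITERATIONS = 600_000


@dataclass(frozen=True)
class StoredCredential:
    salt: bytes        # random per record, so two users with the same password get different digests
    iterations: int    # stored with the record so the cost can be raised later without breaking old ones
    digest: bytes


def store_credential(secret: str, iterations: int = PBKDF2_ITERATIONS) -> StoredCredential:
    """Keep a salted, slow hash instead of the credential itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return StoredCredential(salt, iterations, digest)


def verify_credential(record: StoredCredential, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record.salt, record.iterations)
    return hmac.compare_digest(digest, record.digest)   # constant-time, no early exit on mismatch


# Hypothetical pre-commit heuristic: a credential-looking identifier followed by a quoted literal.
HARDCODED_PATTERN = re.compile(
    r"""(?i)\b\w*(password|passwd|secret|api_?key|token)\w*\s*=?\s*["'][^"']+["']"""
)


def find_hardcoded_credentials(source: str) -> list:
    """Return (line_number, matched_text) for every suspicious literal in `source`."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        match = HARDCODED_PATTERN.search(line)
        if match:
            hits.append((number, match.group(0).strip()))
    return hits


# Constructed firmware snippet (not from any real product) to exercise the scanner.
SAMPLE_SOURCE = """\
#include "net.h"
/* credentials */
#define ADMIN_PASSWORD "admin123"
static const char wifi_ssid[] = "home-net";
static const char *api_token = "tok-0000-constructed";
const char *password = read_from_secure_element();
"""


if __name__ == "__main__":
    record = store_credential("correct horse battery staple")
    print("verify ok:", verify_credential(record, "correct horse battery staple"))
    for line_no, text in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {line_no}: hardcoded credential -> {text}")
```

The last line of the constructed snippet is deliberately not flagged: the value comes from the secure element at runtime, which is the shape the text asks for, as opposed to a literal baked into the image where anyone with a firmware dump can read it.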