Code of Practices for Securing Consumer Internet of Things (IoT)

 

Internet of Things (IoT): Relevance

• GS 3: Awareness in the fields of IT, Space, Computers, robotics, Nano-technology, bio-technology and issues relating to intellectual property rights.

 

Internet of Things (IoT): Context

• Recently, Ministry of Communications has released a report “Code of Practice for Securing Consumer Internet of Things (IoT)” to help in securing consumer IoT devices & ecosystem as well as managing vulnerabilities.

 

Guidelines on Internet of Things (IoT): Key points

• This report is intended for use by IoT device manufacturers, Service providers/ system integrators and application developers etc.
• In view of the anticipated growth of IoT devices, it is important to ensure that the IoT end points comply to the safety and security standards and guidelines in order to protect the users and the networks that connect these IoT devices.

 

 

What is Internet of Things?

• The Internet of Things (IoT) is a concept that describes the network of physical objects— “things”—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.
• Simply put, IoT is how we describe the digitally connected universe of everyday physical devices.

 

Types of IoT devices

Below are a few of the examples of consumer IoT devices.

• Connected wearable healthcare devices
• Smart cameras, TVs and speakers
• Connected children’s toys and baby monitors
• Connected safety-relevant products such as smoke detectors, and door locks
• Connected home automation and alarm systems
• Connected appliances (e.g., washing machines, fridges)
• Smart home assistants
• IoT gateway for connecting the consumer IoT devices

 

 

Growth of IoT

• Internet of Things (IoT) is one of the fastest emerging technologies across the globe, providing enormous beneficial opportunities for society, industry, and consumers.
• IoT is being used to create smart infrastructure in various verticals such as Power, Automotive, Safety & Surveillance, Remote Health Management, Agriculture, Smart Homes and Smart Cities etc, using connected devices.
• IoT is benefitted by recent advances in several technologies such as sensors, communication technologies (Cellular and non-cellular), AI/ ML, Cloud / Edge computing etc.
• As per the projections, there may be 26.4 billion IoT devices in service globally by 2026. Out of this approximately 20% will be on cellular technologies.
• Ratio of Consumer and Enterprise IoT devices may be 45% : 55%.

 

Internet of Things (IoT): Key guidelines

• No universal default passwords: All IoT device default passwords shall be unique per device. The passwords must not be resettable to any universal default value.
• Keep software updated: Software components in IoT devices should be securely updateable. Updates shall be timely and should not adversely impact the functioning of the device.
• Securely store sensitive security parameters: IoT devices may need to store security parameters such as keys & credentials, certificates, device identity etc. which are critical for the secure operation of the device. Such information should be unique per device and shall be implemented in such a way that it resists tampering by means such as physical, electrical or software. e. Credentials (e.g., user names, passwords) should not be hard-coded in the source code as they can be discovered via reverse engineering.
• Communicate securely: Security-sensitive data, including any remote management and control, should be encrypted in transit, appropriate to the properties of the technology and usage of the device.
• Minimize exposed attack surfaces: Devices and services should operate on the ‘principle of least privilege’. Unused functionality should be disabled; hardware should not unnecessarily expose access (e.g., unrequired ports both network and logical should be closed).
• Ensure that personal data is secure: In case the device collects or transmits personal data, such data should be securely stored. Also, the confidentiality of personal data transiting between a device and a service, especially associated services, should be protected, with best practice cryptography.
• Make it easy for users to delete user data: Devices and services should have mechanisms such that personal data can easily be removed when there is a transfer of ownership, when the consumer wishes to delete it and/or when the consumer wishes to dispose of the device. Consumers should be given clear instructions on how to delete their personal data, including how to reset the device to “factory default” and delete data stored on the device and in associated services including backend/cloud accounts and mobile applications.

 

Also Read:

North Eastern Region Community Resource Management Project (NERCORMP)	One District One Product (ODOP) Scheme	Surety Bonds: IRDAI Issues Guidelines	Central Council for Research in Ayurvedic Sciences (CCRAS) launches eOffice	National Tiger Conservation Authority (NTCA)
Smart cities and Academia towards Action and Research (SAAR)	UNSC Pledges to Stop Nuclear Proliferation	Ganga Sagar Mela	India Israel Relations: India Israel FTA Soon	Malware and its Types
India’s Falling Jobless Rate and Risks to Employment- CMIE Findings	Types of Trade Agreements	Domestic Systematically Important Insurers	Solid State Lithium Metal Battery	Balance of Payment