Today Consumers International, the Internet Society and the Mozilla Foundation have launched a short set of guidelines setting out a minimum set of requirements that industry should apply to keep connected consumer devices in the Internet of Things secure.
The “Minimum standards for tackling IoT security” guidelines have been created in response to the growing number of insecure connected consumer devices on the market and the absence of consistent, global standards. These guidelines are not intended to replace mandatory or voluntary standards that are in development. Instead, we hope they will be a useful tool that retailers and manufacturers of connected products, apps and cloud services can directly integrate, and start to phase out practices that lead to the most egregious security failings in connected devices.
Key points from the five privacy and security guidelines:
1) Encrypted communications: products must use encryption for all of their local and network communications functions and capabilities.
2) Security updates: products must have the ability to accept automatic updates, and have that ability enabled by default.
3) Strong passwords: any non-unique default passwords must also be reset as part of the device’s initial setup.
4) Vulnerability management: vendors must have a system in place to manage vulnerabilities in the product.
Safe, secure and fair internet of things for consumers
Consumers International wants to see a safe, secure and fair IoT system and we are involved in a number of other initiatives to make this happen. The joint Consumers International/Mozilla/ISOC guidelines will sit alongside Consumers International’s own Children’s Connected Product Privacy and Security Retailer Checklist, created specifically to help retailers of children’s connected products vet potential suppliers against a set of simple criteria to ensure that the toys they stock meet a basic standard of safety.
Later this month we will also release a short buyer’s guide for people shopping for connected products.
Consumers International will use the “Minimum standards for tackling IoT security” guidelines to engage directly with retailers of connected products.