Laying down the law on security for consumer IoT

The IoT Alliance Australia (IoTAA) is against mandating security for consumer IoT devices. The UK plans to do just that, with good reason.
In November I reported that Australia’s Home Affairs minister, Peter Dutton, had released a for-comment draft of a code of practice that closely follows a voluntary code introduced by the UK Government in October 2018. The draft also aligned with ETSI TS 103 645 – Cyber Security for Consumer Internet of Things, which underpins the UK code.
Submissions to the Australian draft code Securing the Internet of Things for Consumers closed on 1 March. They have not been made public. However, development of the code is closely tied to the development of the 2020 Cyber Security Strategy, for which the Government says: “We would now like to hear your views on the Internet-of-Things (IoT) Code of Practice.”
Public submissions for that project are available.
Separately, IoTAA has published its submission to the draft consumer IoT code, in which it cautions against mandating security requirements for consumer IoT devices.
Meanwhile, the UK is looking to move beyond its voluntary code and mandate security requirements for consumer IoT devices.
Decisive action needed
Last year the UK Government initiated a consultation on regulatory proposals for consumer IoT security, which concluded on 5 June 2019. Its response to that consultation was submitted to Parliament in January. In it the Minister for Digital and Broadband, Matt Warman, said:
“Whilst the UK Government has previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cyber security is built into these products by design. Citizens’ privacy and safety must not be put at risk because some manufacturers will not take responsibility for ensuring that security is built into their products before they reach UK consumers.”
In short, the voluntary code of conduct is not working.
Warman said the regulatory proposals set out in the consultation advocated mandating the most important security requirements in the guidelines and the ETSI Technical Specification (TS) 103 645. He listed these as:
– IoT device passwords must be unique and not resettable to any universal factory setting;
– Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy;
– Manufacturers of IoT products explicitly state the minimum length of time for which the device will receive security updates.
These requirements are mirrored in the proposed, voluntary Australian guidelines.

IoT device (and associated backend/cloud account) passwords should be unique, unpredictable, complex and unfeasible to guess, and not resettable to any factory default value that is common to multiple devices.
IoT device manufacturers, IoT service...
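The password requirement quoted above (unique per device, unpredictable, and never a factory default shared across devices) is something a manufacturer can check at provisioning time before a batch ships. The following is an added example, not code from the Australian or UK guidelines or from ETSI; the credential manifest and the list of "universal" factory defaults are constructed, and the minimum length is an assumed policy value, not one taken from the specification.

```python
from collections import Counter

# Constructed stand-in for the list of universal factory defaults a
# manufacturer's security team would actually maintain (hypothetical values).
UNIVERSAL_DEFAULTS = {"admin", "password", "12345678", "default", "smartcam2020"}
MIN_LENGTH = 12  # assumed policy value, not from the guidelines


def password_findings(password: str, shared_with: int) -> list:
    """Return the requirement violations for one device credential.
    shared_with is the number of devices in the manifest using this password."""
    findings = []
    if shared_with > 1:
        findings.append("not unique: shared by %d devices" % shared_with)
    if password.lower() in UNIVERSAL_DEFAULTS:
        findings.append("known universal factory default")
    if len(password) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    return findings


def audit_manifest(manifest: dict) -> dict:
    """manifest maps device_id -> factory password.
    Returns only devices with at least one finding, so {} means the batch passes."""
    counts = Counter(manifest.values())
    report = {}
    for device_id, password in manifest.items():
        findings = password_findings(password, counts[password])
        # A credential built from an identifier printed on the device or its
        # label is guessable even when it is unique across the fleet.
        if device_id.lower() in password.lower():
            findings.append("derived from device identifier")
        if findings:
            report[device_id] = findings
    return report


# Constructed manifest covering the cases the requirement is meant to catch.
SAMPLE_MANIFEST = {
    "CAM-0001": "smartcam2020",      # universal default shared across the batch
    "CAM-0002": "smartcam2020",
    "CAM-0003": "CAM-0003-2020",     # unique, but derived from the printed ID
    "CAM-0004": "q7Vh!m2Lp9Zs4Rwe",  # per-device random secret: passes
}

if __name__ == "__main__":
    for device, problems in audit_manifest(SAMPLE_MANIFEST).items():
        print(device, "->", "; ".join(problems))
```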