In a recent post, we noted that the US federal government has become increasingly concerned about the security of Internet of Things (IoT) devices. On November 15, the US Department of Homeland Security (DHS) issued guidance to help stakeholders account for security in the development, manufacturing, implementation, and use of IoT devices.
The set of nonbinding principles and suggested best practices for IoT device security includes the following:
- Provide manufacturer-supplied usernames and passwords that are unique per device and difficult for botnets to crack (in recognition of the fact that many consumers never change the default credentials shipped with their devices).
- Coordinate software updates among third-party vendors so that consumer devices receive the most up-to-date set of protections.
- Implement an end-of-life strategy and communicate to consumers the risks of continuing to use devices beyond their usability dates.
- Apply basic software security and cybersecurity practices while also referring to industry-specific security guidance, if available.
- Perform “red-teaming” exercises—during which developers actively try to bypass the security measures of an IoT device—and use the results to prioritize what and where additional security measures are needed.
- Advise consumers about the intended purpose of any network connections—especially since the critical functions of many IoT devices do not require a connection to the internet.