A star rating system for vulnerability to hackers is expected to be included in a new mandatory code for internet-connected devices such as baby monitors and home security cameras being prepared by the Albanese government.
The Internet of Things (IoT) code will require so-called smart consumer devices sold in Australia to meet new minimum safety standards, including a ban on default passwords and requirements for software updates and vulnerability disclosures.
Home security cameras, printers and internet-connected phones are the most targeted consumer devices, says cybersecurity firm Forescout, which monitors home data storage devices and applications globally.
The setting of mandatory IoT standards, an associated testing and certification system and a proposed star rating labelling system to inform consumers that devices meet these base standards are to be part of the new cybersecurity strategy.
Cyber Security Minister Clare O’Neil is expected to release the strategy early next week, with a big emphasis on “safe tech”.
She has used baby monitors as an example where parents should be able to see labelling to show a device meets cyber safety standards. This would be similar to how baby safety seats can be easily checked if they comply with modern safety standards.
The new cyber strategy is expected to push major software developers to take responsibility for the safety of their code, following US proposals to make developers liable for vulnerabilities.
Mandatory safety-by-design IoT requirements have long been advocated by industry representatives, after a 2021 government review found the current voluntary code to be ineffective.
“It would be better if everyone moved faster, but we’re moving as fast as makes sense and I think now is a great time to go,” the CEO of the IoT Alliance, Frank Zeichner said.
“Now is the right time because the market’s already moving, and we can move without having to bend the market out of shape, and actually be more secure, earlier than many others who will not be there before us.”
The mandatory cyber safety rules and the associated labelling scheme will be developed with industry and consumer groups and will only apply to internet-connected consumer devices.
Internet-connected medical and car devices and applications, which are covered by separate rules, are likely to be excluded. Computers and mobile devices will also be excluded, as will industrial devices such as commercial building heating and cooling systems. Whether smart TVs are included remains undecided.
The new regime follows similar safe-tech initiatives in the US, Britain, Germany and Singapore.
The code will be based on a new Australian standard released on Friday. This mirrors a European standard and is consistent with US standards to ensure manufacturers do not have to meet a variety of safety requirements to comply with the Australian rules.
“Organisations have anywhere up to a 30 per cent visibility gap on what’s connected to the network and that visibility gap is a huge risk to any organisation,” Forescout ANZ regional director Colin Garro said.
“There’s a thin line between consumer IoT and corporate IoT. All the IoT devices that we have in our homes, ultimately, they’re all connected to the internet. When we work from home, we are connected to our corporate networks via the internet too.”
“So from a Forescout perspective we welcome this tightening up because it just makes the threat landscape a lot safer,” Mr Garro said.
Mr Zeichner said the big retailers will play an important role in educating the market and ensuring only compliant devices are sold.
“Harvey Norman is going to start to ask their suppliers if their devices are secure and, if so, show me how. That will start to weed out the ones who are not or who refuse to answer.”