Indian Govt issues guidelines on securing IoT

The Department of Telecom (DoT), Government of India has issued new guidelines on the Internet of Things (IoT).

It says on its website: In view of the anticipated growth of M2M/IoT devices, it is important to ensure that the M2M/IoT end-points comply with the safety and security standards and guidelines in order to protect the users and the networks that connect these devices. Hacking of the devices/networks being used in daily life would cause significant harm. Therefore, securing the M2M/IoT eco-system end-to-end i.e. from devices to the applications is very important.

Based on the TEC Technical Report “Code of Practice for securing Internet of Things (IoT)”, the following broad guidelines are hereby issued to all M2M/IoT stakeholders:
A. No universal default passwords
i. Many M2M/IoT devices are being sold with universal default usernames and passwords (such as ‘admin, admin’) and this has been the source of many security issues in these devices which needs to be eliminated. Thus, all such device default passwords shall be unique per device and/or require the user to choose a password that follows best practices, during device provisioning. The passwords must not be resettable to any universal default value.
ii. Best practices on passwords and other authentication methods shall be followed such as the use of the strongest possible password appropriate to the usage context of the device.
iii. Associated web services shall use Multi-Factor Authentication and shall not expose any unnecessary user information prior to authentication.
iv. Any password reset process shall be possible only after appropriate authentication with the user.
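
A sketch of how device firmware could meet points i and iv of guideline A, added here as an illustration and not taken from the DoT guidelines or the TEC report. The `Device` class, the deny-list and the minimum length are hypothetical choices made for this example.

```python
import hashlib, hmac, secrets, string

# Constructed deny-list and length floor: assumptions, not values from the guidelines.
UNIVERSAL_DEFAULTS = {"admin12345", "password123", "administrator", "changeme123"}
MIN_LENGTH = 10
ALPHABET = string.ascii_lowercase + string.digits

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Device:
    """Hypothetical credential store for one IoT device."""
    def __init__(self, serial: str):
        self.serial = serial
        self.salt = secrets.token_bytes(16)
        # Random per-unit password, printed on the label at manufacture.
        # Kept in memory here only for the demo; a real device stores just the hash.
        self.label_password = "".join(secrets.choice(ALPHABET) for _ in range(16))
        self.factory_hash = _hash(self.label_password, self.salt)
        self.current_hash = self.factory_hash
        self.provisioned = False  # services stay locked until the user sets a password

    def _check(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.current_hash)

    def set_password(self, current: str, new: str) -> None:
        # Point iv: no password change without authenticating first.
        if not self._check(current):
            raise PermissionError("authentication required before changing the password")
        if len(new) < MIN_LENGTH or new.lower() in UNIVERSAL_DEFAULTS or new == current:
            raise ValueError("password rejected by policy")
        self.current_hash = _hash(new, self.salt)
        self.provisioned = True

    def login(self, password: str) -> bool:
        # The label password only unlocks provisioning, never normal operation.
        return self.provisioned and self._check(password)

    def factory_reset(self) -> None:
        # Point i: reset returns to this unit's own label password, not a shared value.
        self.current_hash = self.factory_hash
        self.provisioned = False
```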

For more on the new guidelines, click here.
