The Department of Telecommunications (DoT) has issued an advisory in a bid to secure the internet of things (IoT) ecosystem in the country. The department has advised that devices must not have a universal default password and that passwords must not be resettable to any universal default value. Meanwhile, web services shall use multi-factor authentication, DoT notified.

Further, as per the recent advisory, any password reset process shall be possible only after appropriate authentication of the user. Releasing a broad set of guidelines to machine-to-machine (M2M) and IoT stakeholders for securing consumer IoT, the DoT said many M2M/IoT devices are being sold with universal default usernames and passwords (such as admin). This has been the source of many security issues in these devices and needs to be eliminated.

DoT prescribed following best practices on passwords and other authentication methods, such as using the strongest possible password appropriate to the usage context of the device. It also asked stakeholders to provide a dedicated public point of contact, as part of a vulnerability disclosure policy, for security researchers and others to report security issues. Disclosed vulnerabilities shall be acted on in a timely manner. The software of the device has to be updated in a timely manner and consumers must be kept informed. Further, software components in M2M/IoT devices shall be securely updateable in a timely manner.