A new IOT security standard forbids manufacturers from using default, universal passwords to secure connected devices.

The standard is the work of the European Telecommunications Standards Institute (ETSI), which calls the document the first "globally applicable" consumer IOT standard.

It aims to provide a security "baseline" for connected consumer products, such as childrens’ toys, baby monitors, smoke detectors, door locks, smart cameras, TVs, speakers, wearables, home automation and alarm systems, washing machines and fridges.

The new standard also requires a vulnerability disclosure policy, applying to researchers who report security issues.

It will also help ensure devices are compliant with Europe’s General Data Protection Regulation, the ETSI claimed.

The standard’s other provisions include:

  • Keep software updated
  • Securely store credentials and security-sensitive data
  • Communicate securely
  • Minimize exposed attack surfaces
  • Ensure software integrity
  • Ensure that personal data is protected
  • Make systems resilient to outages
  • Examine system telemetry data
  • Make it easy for consumers to delete personal data
  • Make installation and maintenance of devices easy
  • Validate input data

The ETSI cited "growing concern" about IOT security, including the exploitation of connected devices to launch large-scale Distributed Denial of Service attacks.

This month, US company Pepper IOT reported that major US retailers were selling connected devices that leaked sensitive data.