The Australian government has officially released the Cybersecurity (Smart Device Security Standards) Rules 2025. This new regulation establishes clear security standards for smart devices, aiming to make our connected homes safer and more secure.

1. Devices Subject to the New Rules (Australia Cybersecurity Rules 2025)

1.1 Included Devices:

  • Smart devices primarily intended for personal, family, or household use.

  • Relevant connectable products that can connect directly or indirectly to the internet.

  • Examples include smart speakers, smart light bulbs, smart appliances, and similar IoT devices.

1.2 Excluded Devices:

  • Desktop computers, laptops, and tablets.

  • Smartphones.

  • Therapeutic goods.

  • Road vehicles and their components.

2. Core Security Requirements (IoT Security in Australia)

2.1 Prohibition of Universal Default Passwords

  • Each device must have a unique password or require users to set their own password during setup.

  • The use of identical, universal default passwords or easily predictable passwords is prohibited.

  • This effectively mitigates the risk of large-scale breaches due to weak credentials.

2.2 Vulnerability Disclosure Mechanism

  • Manufacturers must publicly disclose contact details and processes for reporting vulnerabilities.

  • The reporting mechanism must be publicly available, easily accessible, and free of charge for users.

  • A status tracking function must be provided, allowing reporters to monitor the progress of their submitted vulnerabilities.

2.3 Clear Security Update Support Period

  • The period for which security updates will be provided, including the end date, must be clearly and publicly stated.

  • Once announced, this support period cannot be arbitrarily shortened (it can be extended, but any extension must also be publicly announced).

  • This information must be clear, transparent, and easily accessible.

2.4 Compliance Declaration Requirements

  • A compliance declaration must be prepared for each product model.

  • Both manufacturers and suppliers are responsible for ensuring this declaration is provided with the product.

  • A copy of the declaration must be retained for at least 5 years.

  • The declaration must include detailed information such as product identification, manufacturer details, and the security update support period.



© 2012-2024 GTG Group. All rights reserved.