The IoT Security Foundation says vulnerability reporting is essential to keep consumer IoT products and services safe from intruders, and finds it to be woefully lacking.
It has just released the results of a survey of vendors’ vulnerability reporting and disclosure practices saying: “An analysis of 330 consumer IoT device manufacturers has revealed five of every six companies (86.7 percent) don’t allow for vulnerability reporting.”
Vulnerability reporting enables vendors to be alerted to, and fix, cyber security weaknesses that could be exploited by hackers. According to IoTSF, “It is widely considered to be a baseline requirement of IoT device security,” and “It is crucial that security mitigations are managed beyond the design stage and throughout operating life – leveraging the researcher community significantly aids that undertaking.”
IoTSF found the provision of vulnerability reporting facilities only marginally better than in 2018, when the same 330 companies were surveyed: then 90.3 percent did not allow for vulnerability reporting.
However the 2019 figures are worse than the raw numbers suggest. IoTSF found that among the 13.3 percent of manufacturers that did allow vulnerability reporting there were many policy variations, and 36.8 percent of them provided no timeframe within which a reported vulnerability would be disclosed.
Of the 44 companies found to have some form of public vulnerability disclosure policy 18 also had a bug bounty programme. Two of these programmes were by invitation only, so not open for general contribution. Nine of the companies with policies used a proxy disclosure service.
The two biggest product categories surveyed were ‘smart home, lighting’ and ‘smart home security’. Both scored poorly for having an associated vulnerability disclosure policy: only three of the 37 smart home security companies and only two of the 46 smart lighting companies had visible policies in place. Hardly smart. Hardly secure.
Vulnerability reporting “essential”
IoTSF managing director John Moor said: “Vulnerability reporting is an essential element for keeping IoT products and services safe from intruders, and is widely considered to be a top three operational security measure. For me, it is the number one essential practice that needs to be adopted due to the impact it can have on managing risk exposure.”
The researcher who undertook the study for IoTSF, David Rogers, CEO of IoT security specialists Copper Horse, said: “Whether it is a conscious choice, or purely ignorance, it is pretty damning that the majority of these companies have no way for security researchers to be able to contact them.”
IoTSF notes that companies without a reporting channel would fall short of the new European standard [ETSI EN 303 645 Cyber Security for Consumer Internet of Things], of the recently announced plans for a British IoT security law, and of Australia’s proposed code of practice.
It then goes on to say: “Australia’s government has also announced a draft code of practice, which mandates vulnerability disclosure policies be in place.”
That of course is wishful thinking: a voluntary code does not mandate anything, it merely recommends. However as I observed in my last blog, there is a strong case for Australia to follow the UK and move to mandating security for consumer IoT devices.
Mandatory reporting inevitable
The IoTSF report, Consumer IoT: Understanding the Contemporary Use of Vulnerability Disclosure – 2020 Progress Report, makes a powerful case for doing just that. And it concludes that mandated provision of vulnerability reporting channels is only a matter of time.
“The drive towards normalisation, standardisation and ultimately regulation of vulnerability disclosure is therefore, a natural course as the market and industry mature. The only open question now is ‘when will it be legally mandated?’. … Delaying adoption exposes consumers to harm, not only slowing market uptake but also risks frustrating the security research community which may revert to alternative, less managed methods of public disclosure.”