Consumer IoT: Vulnerability disclosure practice “unacceptably low”

Article By : Nitin Dahad

Despite small year-on-year improvements, progress on vulnerability disclosure for consumer IoT security is unacceptably low according to the IoT Security Foundation.

A new report from the IoT Security Foundation has highlighted that nearly 80% of consumer internet of things (IoT) companies are not using vulnerability disclosure for reporting security issues. This measure is seen as a proxy for how seriously a vendor takes security, clearly suggesting that there is still a long way to go when it comes to helping consumers stay secure when their devices connect to the internet.

The report is the fourth in a series which began in 2018, examining the practice of vulnerability disclosure in consumer IoT – with an extension into enterprise and the B2B model. It is seen as a cybersecurity progress barometer of the sector in general, as vulnerability disclosure – advertising a public channel where security flaws can be reported and then fixed – is considered a basic hygiene mechanism for any firm selling into a connected market.

However, despite small year-on-year improvements, progress remains glacial, according to the report. Of the 315 companies surveyed, only 21 would be able to meet anticipated regulatory requirements such as the ETSI European Standard (EN) 303 645, the ISO/IEC 29147:2018 vulnerability disclosure standard, and the US Internet of Things Cybersecurity Improvement Act of 2020.

IoTSF report: vulnerability disclosure green list companies
Of the 315 companies surveyed, only 21 are on the green list – those that would be able to meet anticipated regulatory requirements. (Source: IoT Security Foundation)

John Moor, managing director of the IoT Security Foundation, said, “Our common goal is to have 100% of connected-product (IoT) vendors practicing good security hygiene – achieving a mere 21.6% in the age of digital transformation simply supports the call for market regulation.”

He said that the small number that do pass the test is unacceptably low. “Almost 4 out of 5 companies are still failing to provide the very basic security hygiene mechanism to allow security vulnerabilities to be reported to vendors so they can be fixed.”

Moor added, “It’s difficult to overstate the importance of having a vulnerability disclosure program to all IoT vendors – it really is an essential mechanism to keep users safe and protects connected products and services. We also published our revised best practice guide recently, alongside this report and both are free from the IoTSF website. There really is no excuse for ignorance – especially as regulatory demands around the world are looking to mandate this very soon.”

David Rogers, CEO of Copper Horse, the company behind the research, said, “The report provides measurable evidence of IoT manufacturers’ and brands’ lax attitudes towards security in general. There is nowhere to hide for these companies – international standards are there to be used and coordinated vulnerability disclosure is recognized good security practice. The question for consumers globally is: ‘why should I buy products from these companies if they don’t look after security?’”

IoTSF report: vulnerability disclosure – Xiaomi example
An example of a vendor’s vulnerability reporting page, taken from Xiaomi’s site. (Source: IoT Security Foundation)

Reporting a product security issue should be made simple so that a vendor can get to work on applying a fix as soon as possible. Coordinated vulnerability disclosure policies cover all stages of the process, from advertising the correct point of contact, through to the timescale for fixing any issues and recognition for any bugs discovered. A vulnerability disclosure policy is therefore a publicly available document, typically accessed via the vendor’s reporting web page, stating how the vendor will handle any vulnerability report it receives.

Many firms in the survey with a vulnerability disclosure policy appear to follow Coordinated Vulnerability Disclosure (CVD) – communicating with the security researchers, keeping them in the loop, and allowing the findings to be made public (for example, at a conference) once a fix has been applied. This last step – disclosing the vulnerability – is considered important as it allows security researchers to receive recognition for their efforts and can play an important role in furthering their careers, whilst protecting the public from malicious exploitation of the vulnerability.

However, despite the benefits and positive publicity, some 7.4% of the companies with a public policy (5 out of 68) elect to keep their own security efforts, and those of the security researcher reporting the vulnerability, out of the public eye by insisting on ‘non-disclosure’. When managed correctly, public disclosure is generally seen as good practice; private handling – whilst acceptable – misses the opportunity to build market awareness and trust.

Throughout the lifespan of this report series, the researchers observed that companies which tend to have effective CVD programs are often large, well-established tech companies. Outside of this group, however, policy coverage is much less extensive.

IoTSF report: vulnerability disclosure by category
Companies with a vulnerability disclosure policy, by category. (Source: IoT Security Foundation)

When adding categories such as wearables, the report says it saw that companies which are traditionally not tech-focused, like fashion companies producing smart watches (such as Fossil and Armani), are suddenly confronted with all the security expectations and challenges of releasing an IoT product. As in 2020, the sectors that fare better in terms of vulnerability disclosure are TV, Wi-Fi and networking, mobile, hub, and laptops, PCs and tablets. These are all categories that feature large, well-known tech firms such as Sony, Panasonic, Samsung, LG, Google, Microsoft, Dell, Lenovo, Amazon, Logitech, Apple and other global brands.

Categories such as lighting, security, smart home and wearables – which include a much more diverse range of companies – continue to perform poorly in providing policy details. Similarly, the report also found low levels of adoption in sectors such as pet care, maintenance, safety, leisure and hobbies – which, in these cases, could suggest that the message is not reaching firms on the fringes of IT. Interestingly, the workplace category also shows low levels of accessible vulnerability disclosure policy information. Products here included printers and devices relatively new to the market, such as smart pens. And while some security details were available, they often described how the IoT provider would notify the customer of any issues, rather than addressing communication in the other direction – from the person who found the issue to the vendor.

The full report, The Contemporary Use of Vulnerability Disclosure in IoT, which lists all the companies in the survey including the 247 companies on the red list, can be downloaded free of charge and without registration from the IoTSF website.

This article was originally published on Embedded.

Nitin Dahad is a correspondent for EE Times, EE Times Europe and also Editor-in-Chief of With 35 years in the electronics industry, he’s had many different roles: from engineer to journalist, and from entrepreneur to startup mentor and government advisor. He was part of the startup team that launched 32-bit microprocessor company ARC International in the US in the late 1990s and took it public, and co-founder of The Chilli, which influenced much of the tech startup scene in the early 2000s. He’s also worked with many of the big names—including National Semiconductor, GEC Plessey Semiconductors, Dialog Semiconductor and Marconi Instruments.
