Investigating the State of Vulnerability Disclosure in Consumer IoT Products


In August 2018, we were asked by the IoT Security Foundation to look at companies across the world producing consumer-focused Internet of Things products and to see what the situation is for security researchers when they try to contact these businesses.


Security researchers often have problems when it comes to speaking to companies about their findings, but we wanted to gather some real data about the current market situation because no-one had done this before. In the process, we also tried to record what types of mechanism were in place – i.e. did the company follow best practice for vulnerability disclosure by having a webpage that researchers could report through? Was there an email address to contact the company, and was there a public key available to encrypt submitted reports? Did the company operate any kind of ‘bug bounty’ scheme?

IoT devices in the IoT Security Village at DEF CON#26

The IoT Security Foundation published our findings (pdf) today, including a full list of the companies we looked at. The data is also available on request from the Foundation in a machine-readable format (with some additional fields we didn’t include in the report).


Some high-level findings from the report include the following:

  • Over 90% of the 331 consumer IoT product companies researched have no way for a security researcher to contact them easily to report a vulnerability.
  • Of those companies which had a disclosure policy:
    • 41.9% with disclosure policies gave no indication of the expected disclosure timeline.
    • 0.9% of the companies operated with a hard deadline of 90 days for fixes to reported issues.
    • 46.9% of policies also had a bug bounty programme. Two of these programmes were however by invitation only, so were not open for general contribution.
    • 78.1% of companies with policies supplied researchers with a public key for encryption to protect their communications and report details.
    • 18.8% of companies with policies utilised a proxy disclosure service (1.8% of total companies examined).
  • 7.6% of the overall companies publicised a public PGP key for researchers to use to encrypt, protecting their communications and disclosure report details.
  • 0.9% of companies had forms for reporting vulnerabilities or contact points, but no published vulnerability disclosure policy.


Our CEO, David Rogers said: “The data doesn’t lie – connected product companies are woefully bad, when it comes to allowing security researchers to report issues to them. It is further evidence of the poor situation for product security in the Internet of Things. There is no need for this, there are recommendations and an international standard available for companies to adopt. There needs to be a shift of mind-set to take security seriously at the Boardroom level of connected product companies and for them to realise that regulators are starting to take action against the existing lax attitude towards product security.”


John Moor, Managing Director of the IoT Security Foundation, said: “We conducted this research to better understand the contemporary status of vulnerability disclosure policy in practice. It’s part of our mission to raise awareness and help improve the situation and we hope that by highlighting this subject area, and identifying companies in the report, we can make positive progress in the future. For any company making connected products, it is fundamental to understand the importance of disclosure policy and leverage the research community to help make safer connected products.”


It is clear that things need to change and fast. Guidance on how to implement Coordinated Vulnerability Disclosure is available from the IoT Security Foundation (pdf).


Mapping IoT Security and Privacy Recommendations and Guidance


The UK’s work on consumer IoT security and privacy, led by the Department for Digital, Culture, Media & Sport (DCMS) has been continuing since the publication of its work on Secure by Design and the Code of Practice for Consumer IoT Security went out for public comment in March 2018. Our team has been working on mapping IoT security and privacy guidance to the Code of Practice and we’re now launching to support the initiative, including hosting open data files with all the various mappings contained within.



We believe this is going to be really helpful for so many companies and organisations involved in IoT. It will help to defragment the standards space and it will help companies to understand how to improve security by telling them which recommendations facilitate implementation of the UK’s Code of Practice.


You can read our CEO’s blog on this topic here.

Discussing the UK government’s Code of Practice for IoT Security and the Future


Copper Horse’s CEO, David Rogers had a chat with Rocco’s Jason Bryan for the Rocco Radio Newsdesk about the launch of the UK government’s Secure by Design report and the Code of Practice on IoT security. The government’s Secure by Design report is available here.



The podcast covers a range of topics including:

  • the UK government’s work to protect UK consumers:
    • how work from the mobile industry can be carried over into the IoT world.
    • what circumstances and threats led to the work being created?
    • the thinking behind the work
    • what other standards bodies and organisations are doing in the IoT security space
    • discussing the details of the Code of Practice including vulnerability disclosure, software updates and eliminating default passwords.
  • the implications of security attacks on network operators
  • machine-to-machine and IoT concerns
  • identifying insecure products and what “insecurity canaries” are
  • product labelling and future smart approaches to digital labelling
  • the use of digital certificates and the challenges of counterfeiting
  • certification of devices including those with embedded SIMs and how that might work
  • regulation and what might happen in the future
  • design approaches
  • safety in IoT and the future risks of death
  • signalling storms, resilience and future attacks on network operators
  • SLAs in business relationships between network operators to guarantee safety in IoT
  • Why smaller network operators need to pay attention to IoT security

If you’re interested in learning more about IoT security, we run an IoT security training programme which is led by David.




How the UK’s Code of Practice on IoT security would have prevented Mirai


The UK’s report on Secure by Design was released today after a significant amount of work from some of the best minds in government, academia and industry. This is one of the first major steps in the world by a government towards eliminating some of the bad practices that have plagued connected devices and services for many years.




Copper Horse’s CEO, David Rogers was the author of the UK’s Code of Practice for Security in Consumer IoT and services as part of its report on Secure by Design, in collaboration with DCMS, the NCSC, industry and academia. Here, David discusses how one of the major attacks on IoT, a botnet called Mirai, would have been prevented and its successors neutralised.


Security of devices and services is never just about one single measure. By building strength-in-depth, vendors make it extremely difficult for an attacker to execute a successful, persistent attack that can affect millions of IoT devices.


Taking the infamous IoT botnet Mirai as an example, the Code of Practice provides multiple layers of protection against this attack, including the following:


1. Elimination of default passwords (guideline number 1) – Mirai used a list of 61 known default username and password combinations, encompassing millions of devices. Had these passwords been unique Mirai could not have worked.
2. Software updates (guideline number 3) – Many of the Mirai devices either were out-of-date with their patching or simply couldn’t be patched at all. This means that the spread of Mirai could not easily be halted. Had software patching been in place, devices could both be immunised and fixed. Most importantly, regular patching also protects against future variants of attack that exploit other vulnerabilities, neutralising their effect.
3. By following guideline number 6 in the Code of Practice on “Minimising exposed attack surfaces”, vendors would have prevented Mirai because the port it used to attack the devices would have been closed and therefore inaccessible. This is a good demonstration of the principle of “secure by design”.
4. Ensuring software integrity (guideline number 7) would have prevented arbitrary remote code execution and helped to prevent things like authentication bypass issues. With no ability to run code, even if Mirai could have accessed a device, it couldn’t have done anything.
5. Designing a system to be resilient to outages (guideline number 9) means that if it is the victim of an attack like Mirai, key services will continue to operate, severely limiting the effect of the attack until it is dealt with.
6. Having a vulnerability disclosure policy (guideline number 2) allows these types of issues to be reported to vendors by security researchers and then subsequently addressed, prior to malicious exploitation. We want to ensure that vendors get the information about vulnerabilities from the good guys first.
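The six points above are a checklist a vendor can actually test a product fleet against. The script below is an added example (not code from the original post or from the Code of Practice) that audits constructed device records against guidelines 1, 3, 6 and 7: it flags factory-default, serial-derived or fleet-shared passwords, a missing update mechanism, exposed services such as telnet, and a firmware image whose integrity tag does not verify. The device records, the `FACTORY_DEFAULTS` placeholder list, the signing key and the update URL are all constructed for illustration, and HMAC-SHA256 stands in for the asymmetric signature a shipping product would use.

```python
"""Added example: audit constructed IoT device records against Code of Practice
guidelines 1 (no default passwords), 3 (software updates), 6 (minimise exposed
attack surface) and 7 (software integrity). Not code from the original post."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed placeholders standing in for a vendor's factory-default credentials.
FACTORY_DEFAULTS = {("admin", "FACTORY-DEFAULT-1"), ("root", "FACTORY-DEFAULT-2")}

# Services guideline 6 says should not be reachable unless the product needs them;
# telnet is the class of service the Mirai scanner logged into.
UNNEEDED_SERVICES = {23: "telnet", 2323: "telnet-alt", 21: "ftp"}

SIGNING_KEY = b"constructed-vendor-signing-key"  # placeholder, never a real key
GOOD_IMAGE = b"firmware-v1.3.0-constructed"      # constructed firmware image


@dataclass
class Device:
    serial: str
    username: str
    password: str
    open_ports: FrozenSet[int]
    update_url: Optional[str]   # guideline 3: where the device fetches updates
    firmware: bytes             # image currently installed
    firmware_tag: bytes         # vendor's HMAC-SHA256 over the image (signature stand-in)


def sign_firmware(key: bytes, image: bytes) -> bytes:
    """Vendor side: produce the integrity tag shipped alongside an image."""
    return hmac.new(key, image, hashlib.sha256).digest()


def firmware_integrity_ok(key: bytes, dev: Device) -> bool:
    """Guideline 7: an image whose tag does not verify must not be run."""
    return hmac.compare_digest(sign_firmware(key, dev.firmware), dev.firmware_tag)


def password_findings(dev: Device, fleet_passwords: List[str]) -> List[str]:
    """Guideline 1: the credential must be unique per device and not derivable."""
    findings = []
    if (dev.username, dev.password) in FACTORY_DEFAULTS:
        findings.append("G1: factory-default credential in use")
    if dev.password == dev.serial:  # unique, but readable off the product label
        findings.append("G1: password derivable from serial number")
    if len(dev.password) < 12:
        findings.append("G1: password shorter than 12 characters")
    if fleet_passwords.count(dev.password) > 1:
        findings.append("G1: password shared with another device in the fleet")
    return findings


def audit_device(dev: Device, key: bytes, fleet_passwords: List[str]) -> List[str]:
    """Collect every guideline violation for one device."""
    findings = password_findings(dev, fleet_passwords)
    if dev.update_url is None:
        findings.append("G3: no software update mechanism configured")
    for port in sorted(dev.open_ports & set(UNNEEDED_SERVICES)):
        findings.append(f"G6: unneeded service exposed: {UNNEEDED_SERVICES[port]}/{port}")
    if not firmware_integrity_ok(key, dev):
        findings.append("G7: firmware image fails integrity check")
    return findings


def audit_fleet(devices: List[Device], key: bytes) -> Dict[str, List[str]]:
    """Audit a whole fleet; the password list lets shared credentials be spotted."""
    fleet_passwords = [d.password for d in devices]
    return {d.serial: audit_device(d, key, fleet_passwords) for d in devices}


def sample_fleet() -> List[Device]:
    """Constructed fleet: two devices as a careless vendor ships them, one following the Code."""
    tag = sign_firmware(SIGNING_KEY, GOOD_IMAGE)
    return [
        Device("SN-0001", "admin", "FACTORY-DEFAULT-1", frozenset({23, 80}),
               None, GOOD_IMAGE + b"-tampered", tag),
        Device("SN-0002", "admin", "FACTORY-DEFAULT-1", frozenset({23}),
               "https://updates.example.invalid/fw", GOOD_IMAGE, tag),
        Device("SN-0003", "owner", "k7Qp-3vLz-9mXr-2bWd", frozenset({443}),
               "https://updates.example.invalid/fw", GOOD_IMAGE, tag),
    ]


if __name__ == "__main__":
    for serial, findings in audit_fleet(sample_fleet(), SIGNING_KEY).items():
        print(serial, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Running it reports five findings for the first device, three for the second (the shared default credential and the exposed telnet port) and none for the third. The fleet-wide password comparison matters because a password that is merely "not the factory default" can still be identical across a production run, which is exactly the property a Mirai-style credential list exploits.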


You can see that design measures, if implemented, can create the foundations that will reduce exposure to such attacks, allow pre-emptive protection for products once an attack is out in the wild, and allow a response to an attack that is ongoing, whilst keeping users secure.


Security is a very difficult subject and there is no panacea for the security of devices, given that you are almost always dealing with an active adversary (sometimes clever automation in the form of AI and machine learning). This is why, like many, I believe that the topic of security is more art than science.


In approaching this piece of work, we never set out to achieve a remedy for all ills because it simply isn’t possible. What we did do was take a long hard look at what the real problems are and what solutions need to be in place. Industry has already come a long way; a lot of vendors and service providers are doing a huge amount to make things more secure. Just look at the work of the GSMA’s IoT guidelines, which are now being adopted across the world, or the work of the IoT Security Foundation, or any of the following.


There are still a lot of vendors and startups who need a guiding hand or who wilfully ignore security for various reasons. This includes mobile applications controlling IoT devices which are often over-permissioned or which don’t implement internet encryption correctly. We looked at measurable outcomes. How would a retailer be able to check whether something was insecure? What things are easily testable by a consumer group? If someone tries to put something into a major retail outlet that is insecure, could it be caught before it was sold? In the future, would an organisation like Trading Standards be able to identify insecure devices easily? My own view is that we should be able to flush out the bad stuff from the system whilst encouraging innovation and enabling businesses to make IoT that is secure, privacy respecting and convenient for users.


Additional thoughts are on David’s blog: A Code of Practice for Security in Consumer IoT Products and Services



Why you and your staff need to skill up on IoT security

David Rogers with training delegates on the Introduction to IoT Security course

There have been a lot of problems with IoT from the outset. A marketing catch-all term, the truth about IoT is that many of these devices have been connected for years and it’s only now that attention is being paid to them by both security researchers and the bad guys. There is a whole set of new devices coming to market which incredibly harbour some of the same issues as very old devices, making them very dangerous from a security perspective. Attack techniques have moved on significantly, meaning that leaving old vulnerabilities around can be catastrophic. We’ve devised a training course dedicated to helping you understand these risks.


IoT is unique in that it is being adopted by nearly every different product and service sector, right across the world. The fast-paced implementation of these solutions is leading to some pretty bad decisions across the technology ecosystem. From internet-connected toys to connected fish tanks, bad configuration, insecure hardware and basic software design errors have created a toxic view of the security of IoT and the products on sale. The scary thing is that in fact we do know how to fix these problems and in a lot of cases the technology and methodologies are out there to address them, we just need to actually do it and do it properly – a secure by default approach to IoT security.


Do something now

The ship has already sailed on whether it’s appropriate or not to put security in a product – you have to do it or your product and company will ultimately fail. The time to act is now – get you and your staff skilled up and ensure that your company and products are actually fit for purpose in the IoT age. We’ve teamed up with the IoT Security Foundation to provide an Introduction to IoT Security, with no pre-requisites. Suitable for all levels, sign-up here and help make the world a bit more secure!


So what are the benefits of coming on the Introduction to IoT Security course?

You’ll understand the basics of what you need to do about your devices – right from the hardware up the technology stack to ensuring that you’re communicating securely and that the other components such as mobile applications and cloud services are being secured properly too.


We’ll share with you cutting edge knowledge from the frontline of IoT developments and we have our own first-hand experience to impart. As well as teaching you how best to secure your products and services, you’ll get some hands-on exposure to well-known IoT hacking techniques, giving you an experience of the attacker’s point of view. We’ll also show you how to implement a vulnerability disclosure policy, monitor your product security and how to get your products and services ready for certification through the IoT Security Foundation.


For more: Introduction to IoT Security Training course details.

IoT Security Foundation partners with Copper Horse for IoT Security Training


It’s an exciting day. We’re pleased to announce that we’ll be providing training on security for the Internet of Things in conjunction with the IoT Security Foundation. Our first course will be run on the 4th and 5th of July in the home town of Copper Horse Solutions, Windsor in the UK. We firmly believe that things are not going to get better in the IoT space unless positive action is taken on a number of fronts. It is no use just breaking into a product and making a lot of noise about it in the press. That serves one purpose of course and there is a great market for companies to provide those sorts of testing services, but it is not generally constructive.


To properly secure internet of things products and services however, there must be security designed in by default. There must be a culture of security within the organisation and there must be a clear understanding of the threat landscape, security usability and what bad and good look like. It is not good enough to pass this off to an external company or a single security engineer – all people involved in creating a product should have security in mind.


We’re hoping to play a small part in helping to put companies on the right track when it comes to thinking about security. We have many years’ experience in dealing with security in the mobile industry, from device hardware upwards through the software stack to the network side. We’re looking forward to creating an alumni network of pioneers who will make the Internet of Things a more secure and safe place.


More details can be found on our training page and also directly on the IoT Security Foundation site.


Windsor Castle

The Internet of $1600 Mousetraps…


Has it really got this bad? We were a bit surprised as many were to see the “connected mouse trap” retailing at $1600 the other day. It seems that internet of things solutions are just going a bit crazy. I can’t see many companies being duped into purchasing such a system when the value proposition is so low.

Image from Media Post.


The system requires a hub which needs to be connected to somebody’s network – I guess either the company or mobile network and at the end of the day somebody will physically have to go and remove the dead mouse.

Copper Horse has been developing motion sensing over the past couple of years and we’re now well down the road with our second prototype. The product is called Extrasensory and we’re pretty pleased with it. We’re showing this off to various people at Mobile World Congress 2017. We have a number of our prototypes out there being tested. We have created a versatile product that can be used to detect different forms of motion on everything from doors to drawers, jewellery boxes to stairs and sheds – and yes even sat next to a mousetrap in a garage, to monitor when the trap is set off!


No subscription, your notifications service and a reasonable price

It is unacceptable to us that companies choose to rip off businesses and consumers with expensive products that don’t deliver. We are designing our product with a “no subscription” model in mind – you just buy it and use it. In the same way, you can connect to whatever service you choose, you’re not forced into someone else’s cloud service or app. If you want tweets or to use services like IFTTT, fine – you own it so why not?


We’re also trying to get the price to a reasonable point – we can’t make promises but we’d like to be around the £100 mark.


We do not want your data

The product works either outdoors or indoors and specifically respects user privacy. We firmly believe there are better ways to create IoT products than following the existing crowd of a hub / cloud / analytics solution. OK we’re making our life more difficult in the process, but what is important is that we’re not sacrificing the user. We’re not selling anyone’s data or tracking what people are doing. We’re the anti-pattern to companies that do that sort of thing.



We demoed Extrasensory to a great audience at the Innovation on the Fringe event in Barcelona this afternoon. To prove our point about mousetraps, unfortunately our valued team member Roland needed to demonstrate this in person!


So if you want to use our product for monitoring things outside like farm gates or something inside like the drawer you keep your passports in, then have a look at and sign up for updates on what’s coming. Feel free to get in touch if you want a conversation with us and we’ll be at Mobile World Congress all week if you want to meet in person – just tweet @copperhorseuk.



How do you standardise the Internet of Tigers?


Copper Horse CEO, David Rogers discusses some of the challenges for development of the Internet of Things and how to enable participation in standardisation from all across the world. 


A couple of months ago, I was present at a meeting in Geneva where the “Internet of Tigers” was discussed. The topic was raised by an African country – tigers are of course resident in Asia, although some do live on reserves in Africa, such as at Tiger Canyons in the Karoo, South Africa. Tracking of endangered species is a critical need for the world and a number of those animals live in Africa including the Mountain Gorilla, the Black Rhino and lesser known but endangered animals such as the Ethiopian Wolf.



Image: J. Patrick Fischer


Real-time tracking of wildlife is a use case that is great for describing the benefits of the future in terms of the Internet of Things (IoT) and also future networks. Wouldn’t it be great if, instead of only being able to use a few people to keep tabs on endangered species, we could crowd-source twenty-four-hour monitoring from people across the continent and the world? Not just from tags on animals, but perhaps even from live streaming video services right across national parks, even from above? Advances in technology in the past twenty years have been such that this is a realistically achievable objective within the next ten. Such technologies could also detect and deter poachers and hunters from destroying the last of a dwindling number of “trophy creatures” on the African continent.


Tiger Canyons currently track their tigers using satellite technology but with more advanced network technology, the sensors could be richer, send much more data, have hugely better battery life and be less burdensome for the animal. All of this would be much cheaper for them too, provided that the network infrastructure is deployed to give the right coverage.


So how do we get there?

The context of the “Internet of Tigers” comment was an ITU-T meeting. The International Telecommunication Union is a specialised agency of the United Nations and the T sector looks after telecommunications standardisation. As a UN agency it also gives a relatively level playing field in terms of every country in the world being able to attend, some of which are sponsored developing countries. Part of the ITU’s work is to develop technical standards in order to protect and support everyone’s fundamental right to communicate. The problem is they’re not very good at it. The intent and mission are absolutely admirable, but while ITU-T certainly produces a lot of documentation, the truth about the ITU is that quantity does not equal quality. This is reflected in the lack of implementation of many of the standards in the majority of the connected products on the market – the main reason for this that I hear from manufacturers is that the standards are often simply so bad that they cannot be implemented. The same can be said for testing against those standards.



Counterfeit Devices

Taking the problem of counterfeit, you wouldn’t think this would link to Tigers, but bear with me.


Counterfeit mobile devices are a big problem for African countries. The market penetration is very high relative to other markets around the world. The reasons are relatively straightforward – the basic economics of smartphones means they are very expensive for people living in some of the poorer countries, but they’re still desirable. If someone offers you a cheap, but very similarly functioning phone that broadly works and looks the same, you’re probably going to have it. You’re never going to be able to afford an iPhone so why not? Ordinary people can’t and won’t pay more. The same logic applies across the world when it comes to consumer demand for counterfeit products.


A number of countries including Kenya, Tanzania and Uganda have switched off these devices because they can cause havoc with network management; the radios are not calibrated properly and they simply can’t be identified – the counterfeiters don’t care as long as someone buys them. The components being used often contain harmful substances because they’re being manufactured and sold illicitly. There is however a real dilemma here. A friend from Ghana told me that the challenge for regulators is that counterfeit products still help to connect people and that improves their lives. On the flip side, the phones have avoided (high) import taxation and have security and quality risks. If those phones are turned off, where does that leave the user?


Solutions that won’t work for Africa

One particular work item in ITU-T looks at tackling the problem of counterfeit by attaching an IoT-enabled chip on every product, actually increasing the price of an authentic product. This shows how far detached these people are from reality and appears to be from authors who clearly couldn’t care less about what the situation is like on the ground in many African countries.


The proposed work item was thrown out of Study Group 11 of ITU-T only to reappear in Study Group 20. The exact same proposal was then accepted. The implications are massive: an increase in e-waste of 100% on all products (not just electronic) shipped worldwide. The increased cost to manufacturers will of course be passed down the supply chain, ultimately inflated at the point of sale to the consumer. The ultimate cost to the environment and to our world in consumption is absolutely not worth the limited gain. There are most certainly better ways. The worst part of all is that the proposed solution would not impact the supply of counterfeit products. The criminals who run such operations do not stand still. They utilise and challenge new technologies in a constant arms race. What is needed is pressure to deal with the source of these problems and prevent the export of counterfeits to African countries. Some of these issues suffer from the country-driven approach at the ITU – it is not acceptable to say that China is the source of over 60% of counterfeits (which is from an OECD report). It is deemed more appropriate to say that “there are a lot of counterfeits in the world”. This kind of diplomatic get-out does not actually help to fix the problem.


So going back to our Tigers, the authentic IoT tracking device would itself be required to have another IoT module to track the tracker, probably doubling its price! It is difficult to think of anything more half-baked or ludicrous. The proposed system also attempts to use a proprietary solution called the Handle System instead of the internet, thus potentially increasing the implementation cost by many times. How does this help developing countries tackle the problem of counterfeit exactly? The answer is it doesn’t and that the counterfeit problem appears to be a convenient excuse for a pet project that just won’t work. Ultimately, it seems that African countries are being failed by the UN when it comes to ITU standards that should help them.


Digging into the problems at ITU

At the end of October, the World Telecommunications Standardization Assembly (WTSA-16) takes place in Hammamet, Tunisia. The Resolutions agreed at that meeting will lay out the activities of the ITU-T for the next four years. It is important, because strategically, this is what the working groups of that organisation will be working on, nominally to produce standards that achieve some useful objectives.


The problem is in the production of those standards. In some of the working group meetings there are fewer than five people, sometimes from the same country. There are lots of mailing lists with no discussion on them, just communiqués from the secretariat. There are few technical experts, but lots of people from government institutions with policy backgrounds. If it sounds dystopian, imagine being stuck there, wondering what to do in the two-hour-long lunch break, or having to wait in Geneva from Friday morning until the following Monday for your next meeting. There are gross inefficiencies in the way that the meetings are structured in comparison to other standards bodies.


The lack of openness at ITU means a severe shortage of peer-review from experts who could usefully contribute their knowledge. In the age of the internet, experts from all over the world should, and could, be able to read and contribute to developing standards. Why should a UN agency close its doors to the people of the world in this way? What is there to hide? Why is it that standards-making for developing countries is a privileged activity for the few who can gain fellowships from the UN to attend these meetings? Couldn’t all or at least most of the standards making be done by conference call and on mailing lists? Other bodies succeed very well in attracting members and giving value to them whilst still being open and transparent about their activities – from open mailing lists to allowing external contribution for free, with no barrier to entry.


So not only do I think that in particular African countries are unfairly penalised by such archaic practices, I think they are led down a path where they are constrained by those fellowships to the point where they could be potentially held hostage by the ITU secretariat to decisions that benefit the institution or particular directions of travel which may not be ultimately beneficial to that country or its people.


So if not ITU-T, then where?

Well here’s a thing – other standards bodies were working on IoT standards long before the Study Group on the topic at the ITU ever existed (it’s called Study Group 20 if you’re interested and was started in 2015). There are few gaps to fill that haven’t already been addressed or where work is already scoped and underway.

Because the Internet of Things is not one “thing”, it is impossible for any one standards body to declare ownership. To do so is arrogant and misses the point about IoT – it encompasses so many types of things and network types that it is not monolithic. The ZigBee Alliance and ZWave do their bit, the Industrial IoT Consortium are doing their bit, the IoT Security Foundation are working on their bit. There are emerging radio technologies that will be longer range but low in data transmission capability. The list is very long and like the IETF, many of them have been building towards an Internet of Things for many years.


This is also tied to the long-term vision of 5G; IoT is linked in the sense that network segmentation can allow for different types of equipment, connected heterogeneously via multiple types of radio bearer. 5G means that for example, a personal health monitor could communicate along with a high speed streaming video – the two have very different resilience and data usage requirements. They almost certainly have very different physical and radio properties. New technologies such as Mobile Edge Computing (MEC) and Network Function Virtualization (NFV) will all help to facilitate this new world.


Not surprisingly, many standardisation bodies have been working towards 5G for a long time now, so the ITU-T’s IMT2020 project is not contributing much in this regard either. Don’t get me wrong – I do think the ITU could have a role to play, I just think to do it, wholesale reform is necessary.


A shorter version of this article was published in Southern African Wireless Communications’ September/October 2016 edition, downloadable from:

Copper Horse CEO Appointed Visiting Professor

View from York St John University

David Rogers, the Copper Horse CEO has been appointed a Visiting Professor in Cyber Security and Digital Forensics at York St John University. The full text of the university’s press release is below. David intends to work with the university on security aspects of the Internet of Things as well as to encourage social inclusion within technology and cyber security:

York St John University appoints security expert as Visiting Professor in Cyber Security and Digital Forensics

The Computer Science department is delighted to announce the appointment of David Rogers, CEO of Copper Horse Ltd, as visiting Professor in Cyber Security and Digital Forensics.

Professor Rogers is a world-leading mobile security expert and is an adviser to the Department of Culture, Media & Sport on issues of Cyber Security. David chairs the Device Security Group at the GSM Association and sits on the Executive Board of the Internet of Things Security Foundation. He also teaches Mobile Systems Security at the University of Oxford.

Justin McKeown, Head of Computer Science, said: “David has worked in the mobile industry in both security and engineering roles for more than 17 years. It’s fantastic to have someone of his professional calibre working with our students.

“Much of our research activity within the department focuses on the Internet of Things. David’s knowledge in this field is highly valuable and his input will bolster and enhance our activities in this area.”

Professor Rogers said: “I am honoured to be given the title of Visiting Professor at York St John. In the technology world we face many challenges in the future – these can only be addressed by trained individuals who will fill the national skills gap in cyber security and perform cutting edge research for the Internet of Things.

“York St John University is uniquely placed to take a leading role with their students because they put ethics and social inclusion at the heart of their work. I am proud to play a small part and to give something back to my native county, North Yorkshire.”

Computer Science is one of a series of new science subjects introduced at York St John University within the past four years. Since its introduction it has gone from strength to strength. In September this year new BSc programmes in Software Engineering and Games Development will be introduced.

Copper Horse wins Most Innovative Startup Award


We’re extremely pleased that Copper Horse was given the “Most Innovative Startup” Award at Smart IoT London event for the Motion Project (now called Extrasensory). The project is aimed at increasing situational awareness by detecting and alerting to motion where that data would normally be lost. This could be doors, drawers – pretty much anything that can move. We’re still in the early phases but we have functioning prototypes and are dealing with a huge amount of interest from potential investors.


We also plan to change the way that people think about IoT and to show that there is another way of doing things that doesn’t involve grabbing lots of user data and breaching privacy on a wholesale basis.


More details on the award and an interview with David Rogers are here.


David Rogers receiving the Most Innovative Startup Award for Extrasensory