Many consumer IoT companies failing to adopt fundamental security measures despite the threat of legislation and regulation

Latest report finds that providers of consumer IoT are less likely to have a readily detectable vulnerability disclosure policy in place than firms operating in the business-to-business space.

Published today (4 November 2021), the latest IoT Security Foundation (IoTSF) report examining the adoption of vulnerability disclosure in IoT – commissioned by the IoTSF and prepared by Copper Horse – finds little improvement on last year’s figures. The overall trend, while moving in the right direction, remains far short of what’s needed to bolster confidence in the security of IoT products. Given the persistently slow pace of voluntary adoption, regulatory wheels have started turning to force companies to think more seriously about their vulnerability disclosure processes.

Slow progress: 100% adoption is a long way off based on the survey results.

2021 headlines

  • The adoption of vulnerability disclosure in the IoT sector remains unacceptably low (just 21.6% of firms surveyed had a readily detectable policy in place). Based on these findings, almost 4 out of 5 companies are failing to provide the very basic security hygiene mechanism that allows security vulnerabilities to be reported to vendors so they can be fixed.
  • The slow pace of vulnerability disclosure adoption by IoT providers continues to put users at risk by failing to maximise the opportunity to close gaps in product security (the percentage of firms surveyed with a readily detectable policy in place is up just 2.7% on findings for 2020).
  • Anticipating forthcoming legislation, only 21 out of the more than 300 IoT providers surveyed would meet modest regulatory requirements.
  • Business-to-business IoT providers are much more likely to have a readily detectable policy in place compared with firms operating in the consumer sector.
  • Lack of information is no longer an excuse for IoT providers as best practice guides have been updated and new tools made available to streamline putting a vulnerability disclosure policy in place.

Security benefits are too good to ignore

Reporting a product security issue should be made simple so that a vendor can get to work on investigating and developing a fix as soon as possible. Coordinated Vulnerability Disclosure (CVD) policies cover all stages of the process, from advertising the correct point of contact, through the timescale for fixing any issues, to recognition for any bugs discovered.

Vulnerability disclosure, backed by a Vulnerability Disclosure Programme (VDP), benefits multiple parties – governments, businesses, security researchers and customers – so much so, that the process is well on its way to becoming a mandatory requirement at an international level.

Free guides and online tools

2021 has seen a jump in the provision of information to help firms, including the IoTSF’s updated Best Practice Guide and a time-saving policy-maker tool developed by disclose.io. More details and links can be found in the report.

Legislative wheels are turning

With governments around the world turning to legislative and regulatory means to tackle the lack of improvement in the market, it is surprising to us that there hasn’t been an increase in the rate of adoption of CVD, particularly in the last year. These companies will find it difficult to sell their products if they don’t change their ways, and soon.

David Rogers, the CEO of Copper Horse said, “The report provides measurable evidence of IoT manufacturer and brands’ lax attitudes towards security in general. There is nowhere to hide for these companies – international standards are there to be used and coordinated vulnerability disclosure is recognised good security practice. The question for consumers globally is: ‘why should I buy products from these companies if they don’t look after security?’”

Investigating the State of Vulnerability Disclosure in Consumer IoT Products

In August 2018, we were asked by the IoT Security Foundation to look at companies across the world producing consumer-focused Internet of Things products and to see what the situation is for security researchers when they try to contact these businesses.

Security researchers often have problems when it comes to speaking to companies about their findings, but we wanted to gather some real data about the current market situation because no-one had done this before. In the process, we also tried to record what types of mechanism were in place: did the company follow best practice for vulnerability disclosure by having a webpage that researchers could report through? Was there an email address to contact the company, and was there a public key available to encrypt submitted reports? Did the company operate any kind of ‘bug bounty’ scheme?

Image: IoT devices in the IoT Security Village at DEF CON 26

The IoT Security Foundation published our findings (pdf) today, including a full list of the companies we looked at. The data is also available on request from the Foundation in a machine-readable format (with some additional fields we didn’t include in the report).

Some high-level findings from the report include the following:

  • Over 90% of the 331 consumer IoT product companies researched have no way for a security researcher to contact them easily to report a vulnerability.
  • Of those companies which had a disclosure policy:
    • 41.9% with disclosure policies gave no indication of the expected disclosure timeline.
    • 0.9% of the companies operated with a hard deadline of 90 days for fixes to reported issues.
    • 46.9% of policies also had a bug bounty programme. Two of these programmes were, however, by invitation only and so were not open for general contribution.
    • 78.1% of companies with policies supplied researchers with a public key for encryption to protect their communications and report details.
    • 18.8% of companies with policies utilised a proxy disclosure service (1.8% of total companies examined).
  • 7.6% of the overall companies publicised a public PGP key for researchers to use to encrypt, protecting their communications and disclosure report details.
  • 0.9% of companies had forms for reporting vulnerabilities or contact points, but no published vulnerability disclosure policy.

Our CEO, David Rogers, said: “The data doesn’t lie – connected product companies are woefully bad when it comes to allowing security researchers to report issues to them. It is further evidence of the poor situation for product security in the Internet of Things. There is no need for this; there are recommendations and an international standard available for companies to adopt. There needs to be a shift of mindset to take security seriously at the Boardroom level of connected product companies and for them to realise that regulators are starting to take action against the existing lax attitude towards product security.”

John Moor, Managing Director of the IoT Security Foundation, said: “We conducted this research to better understand the contemporary status of vulnerability disclosure policy in practice. It’s part of our mission to raise awareness and help improve the situation, and we hope that by highlighting this subject area, and identifying companies in the report, we can make positive progress in the future. For any company making connected products, it is fundamental to understand the importance of disclosure policy and leverage the research community to help make safer connected products.”

It is clear that things need to change, and fast. Guidance on how to implement Coordinated Vulnerability Disclosure is available from the IoT Security Foundation (pdf).