Secure design, pen tests, and bug bounties recommended – in that order
Bug bounties should be used more widely in an internet of things (IoT) sector that’s notorious for treating security as an afterthought, a new academic study suggests.
But in a first-of-its-kind paper, researchers from the Delft University of Technology in the Netherlands concluded that crowdsourced methods for finding security vulnerabilities were only cost-effective as part of a multi-layered approach.
Introduced too early in the product development lifecycle, or at the expense of other measures, pay-per-bug programs could become expensive, researchers warn in ‘Ethical Hacking for IoT Security: A First Look into Bug Bounty Programs and Responsible Disclosure’ (PDF).
If IoT product developers don’t first embed secure-by-design principles into their internet-enabled products before conducting penetration tests, the volume and cost of reported bugs might be overwhelming, they concluded.
Cost and adoption phase for IoT bug bounty programs (Image credit: Ding, et al)
During an interview for the study, one IoT security expert told the researchers that “security should be a parallel process” throughout, with any new software releases being validated by pen tests.
A responsible disclosure policy and bug bounty program can then “cover other classes of vulnerabilities that pen testers missed”.
This last-line-of-defense approach avoids a deluge of IoT bug bounty payouts – rewards are now said to average around $8,000 a bug, compared to $2,000 for web app vulnerabilities – but can nevertheless avert eye-watering fines.
Courtesy of a bug bounty program, for instance, some financial institutions patched the same vulnerability in the Apache Struts web framework that four months later hit Equifax to the ultimate tune of $1.4 billion.
However, David Baker, CSO and vice president of operations at bug bounty platform Bugcrowd, told The Daily Swig that “while the study suggests bringing in [bug bounty programs] and [responsible disclosure] only after initial security testing, I’d emphasize the importance of bringing in [bug bounty programs] after R&D but before you release to the general public”.
However, he fully agreed with the researchers’ emphasis on clear, effective procedures for accepting and processing incoming reports.
That IoT bug discoveries attract such high bounties reflects the complexity of securing an ecosystem that’s characterized by a multitude of protocols and devices that control each other autonomously.
Hardware, once delivered to market, is also difficult to harden, the researchers noted.
Live hacking events
The researchers behind the IoT security report suggested that live hacking events were needed, given the impracticality of shipping hardware to hackers.
Smart cars – a case in point – were the focus of a Bugcrowd-organised bug bash last year, with per-bug payouts surpassing $15,000.
Another 2018 Bugcrowd event, an IoT Lab hackathon, focused on Arlo products, while the flagship Pwn2Own competition in Canada earlier this year featured a Model 3 Tesla as both target and top prize.
Race to market
Turbocharged by 5G networks, the number of IoT-connected devices is projected by Gartner to more than triple to 43 billion by 2023.
Bug bounty programs are proliferating accordingly, with HackerOne telling The Daily Swig that it has 38% more IoT programs running than a year ago.
Bugcrowd hosts IoT vulnerability disclosure programs for, among others, HP, Fitbit, Arlo, Tesla, and Cisco Meraki.
The IoT sector still accounted for only 1% of submissions to Bugcrowd in 2018, yet that marked a 384% rise on 2017, compared to a 99% increase for web bugs, 101% for API bugs, and 141% for mobile vulnerabilities.
HackerOne reported a 200% year-on-year jump in IoT submissions.
However, Baker still believes that in a “race to the market” many IoT manufacturers prioritize “making the device easy to use over underlying security protocols of the API, the webhooks, or the actual firmware”.
Researchers said the problem was exacerbated by price-sensitive consumers and a preponderance of start-ups with limited budgets.
In June, the US government completed a consultation on a labelling system that would certify IoT products with, among other things, a vulnerability disclosure policy, echoing a recent UK government code of practice (PDF).
“In a competitive IoT marketplace, where consumers are more aware of cybersecurity risks than ever, this could be game-changing for manufacturers that have de-prioritized security for too long,” Niels Schweisshelm, a technical program manager at HackerOne, told The Daily Swig.