Vulnerable Things program aims to make it easier for researchers to disclose IoT security flaws
The Internet of Things Security Foundation (IoTSF) has launched a new vulnerability disclosure platform for IoT product vendors and security researchers.
The ‘Vulnerable Things’ program has been launched in partnership with Oxford Information Labs, which worked with government and industry stakeholders.
The platform includes a vulnerability management tool, along with other resources for member manufacturers such as templates and guidelines on issue resolution.
It also features an anonymous IoT vulnerability reporting service and a directory of specialist advisors to help manufacturers and suppliers prepare for emerging regulations and maintain compliance.
“IoT vendors should be aware that vulnerability management is a basic security practice,” John Moor, managing director of the IoT Security Foundation, tells The Daily Swig.
“Indeed, I’m on record as stating that any organisation making connected products without having this process in place cannot claim to take security seriously.”
IoT security: A long way to maturity
Upcoming legislation reflecting the ETSI technical standard on consumer IoT security – ETSI EN 303 645 (PDF) – will make it mandatory for manufacturers and distributors in the consumer smart device market to offer a coordinated vulnerability disclosure process.
They’ll also be required to set up internal procedures for vulnerability management, make contact information for vulnerability reporting publicly available, and continually monitor for and identify security vulnerabilities within their products.
However, few vendors appear to be ready.
Vulnerable Things was set up following a report (PDF) commissioned by the IoTSF in 2018 into the real-world use of vulnerability disclosure policies among global consumer IoT vendors.
The report found that the vast majority of organizations surveyed were not compliant with the new ETSI standard. For example, only 4% of smart lighting manufacturers had a vulnerability disclosure policy, along with just 8% of home security product vendors.
“Research conducted on behalf of our partners in this project, IoTSF, consistently shows that more than 80% of operators in the consumer smart device market don’t have a vulnerability disclosure process,” Emily Taylor, CEO of Oxford Information Labs, tells The Daily Swig.
“For resource-constrained, small businesses, and start-ups, running a vulnerability disclosure process can be quite daunting – how do you respond to security researchers? How do you manage the whole process within sometimes complex supply chains? How do you manage coordinated vulnerability disclosure in a way that acknowledges the contribution of the security researcher?”
While anybody can report to the service anonymously, registered security researchers are provided with a dashboard that allows them to monitor the progress being made in resolving vulnerabilities that they have reported to different manufacturers.
The platform will accept reports on any IoT vulnerability. If the relevant manufacturer or distributor isn’t already an IoTSF member, Vulnerable Things will attempt to pass on reports using publicly available contact information and invite the company to engage with the coordinated vulnerability disclosure process.
Starting off simple
Moor says the aim has been to make the platform as simple as possible, at least initially.
“We have focused on the minimum viable proposition and concentrated on making it easy to report vulnerabilities and then guide vendors through the necessary stages to resolution, securely,” he says.
“We do not have a bug bounty scheme, and whilst we have lots of ideas of how to add more features and options, we are acutely aware that our target audience may be limited in capacity or resources; hence we’re keen to do the basics well.”
The service is open to any consumer IoT manufacturer, both in the UK and internationally, and access will be free until January 31, 2021.
During this period, says Moor, the IoTSF hopes to work out how the platform can be funded over the long term – a small annual fee looks likely.
“We are hoping that vendors in the market both in the UK and internationally will see the benefits of the service, and sign up for free during this trial period,” says Taylor.
“We are also looking for feedback to help us improve the site, the service, and determine pricing in consultation with our partners.”