Dismal findings appear to vindicate global efforts to regulate the sector

Majority of consumer IoT vendors still lack vulnerability disclosure programs - report

Most consumer Internet of Things (IoT) vendors are still failing to provide clear mechanisms for disclosing security vulnerabilities, a damning new report has revealed.

Researchers from UK IoT security firm Copper Horse found that only 21.6% of companies marketing consumer IoT devices appear to have a vulnerability disclosure program (VDP) in place.

A VDP provides researchers with guidelines on how to submit security vulnerabilities to a given organization, sometimes including ‘safe harbor’ statements to protect them from legal repercussions. Unlike bug bounty programs, VDPs offer no financial incentives.

This “glacial” progress made in the IoT sector’s adoption of VDPs – last year the figure was 18.9% – means that nearly four out of five companies “are still failing to provide the very basic security hygiene mechanism to allow security vulnerabilities to be reported to vendors so they can be fixed,” according to the report (PDF), published today (November 4) by the IoT Security Foundation (IoTSF).


This means many product vendors are potentially in violation of IoT regulations and codes of practice in place or in the pipeline in the EU, UK, US, France, Singapore, India, and Australia.

B2B vendors, included in the study for the first time, performed much better: 71.4% of the 49 organizations analysed had a VDP of some sort.

Tech giants excel (comparatively)

Just 6.7% of 315 consumer vendors analysed also give security researchers who report bugs status updates and resolution timelines, the IoTSF report’s fourth edition found.

This ‘extended threshold’ for VDP best practices was mostly exceeded by tech giants, such as Google, Microsoft, Siemens, LG, and Xiaomi.

Two thirds of VDPs (67.6%) included coordinated vulnerability disclosure (CVD), where researchers are publicly credited, involved in remediation, and permitted to disclose flaws post-remediation.

Another 7.4% keep the process in-house, while the ‘other’ 25% include those advertising a formal security contact but no actual policy.

Some 23.5% of VDPs are operated by a third-party provider, most frequently HackerOne or Bugcrowd, and 30.9% are accompanied by a bug bounty program.

Slash security

Adoption of two widely recommended reporting mechanisms was also low: 5.4% for the /security website URL convention and 2.9% for security.txt.

An isolated positive trend was the year-on-year rise in the proportion of firms with a formal reporting system that provided a PGP key to encrypt communication with researchers – up to 71.8% from 45%.


Researchers observed that some companies with VDPs in 2020 had since ceased advertising program details on their website, including Dyson and Tile.

Smart TVs, networking devices, and smart hubs were the most likely to have VDPs; smart lighting, environmental control, and health and fitness device vendors were the worst offenders.

Market failure

Only 9% of European vendors have a VDP in place, compared to 24.3% of their North American counterparts and 29.5% in Asia.

“Considering IoT standards and regulatory aspects have been discussed in Europe for a while you would expect there to be a greater degree of awareness,” David Rogers, Copper Horse CEO and a researcher on the study, told The Daily Swig.

“To me, it is more evidence that the market has failed and this is why there is a need for regulatory intervention.”

Non-tech companies that buy “white-labelled products and brand them as their own” raise questions about trust and pose “a big challenge for regulatory enforcement”, he added.

The report also noted that several IoT providers prohibit or discourage disassembly and tampering in their devices’ terms of use – creating a potential chilling effect on good-faith security research.

“It’s difficult to overstate the importance of having a vulnerability disclosure program to all IoT vendors,” said John Moor, IoTSF’s managing director. “There really is no excuse for ignorance – especially as regulatory demands around the world are looking to mandate this very soon.”
