Consumer IoT companies aren’t meeting ’˜Vulnerability Disclosure’ guidelines

The IoTSF (IoT Security Foundation) has just published a report following a survey of 331 producers of connected consumer devices (i.e. ‘smart’ LED lighting, speaker or home appliance) and surprisingly, companies aren’t meeting basic security practice.

Less than 10% of surveyed companies are currently meeting ‘Vulnerability Disclosure’ guidelines according to new research from the IoT Security Foundation.

By this, essentially it means when a security issue is discovered with a connected product best practice is not being met by having a co-ordinated vulnerability disclosure policy in place (i.e. security researchers cannot go onto the manufacturer’s website to report it and are informed that the issue will be fixed in a given timeline).

Although naturally many of the ‘big’ names in the industry had a procedure in place, only 3 companies of the 331 promise to fix the reported issue within 90 days.

“The data doesn’t lie – connected product companies are woefully bad, when it comes to allowing security researchers to report issues to them. It is further evidence of the poor situation for product security in the Internet of Things,” commented David Rogers, CEO of Copper Horse Solutions and IoTSF board member.

He added: “There is no need for this, there are recommendations and an international standard available for companies to adopt. There needs to be a shift of mind-set to take security seriously at the Boardroom level of connected product companies and for them to realise that regulators are starting to take action against the existing lax attitude towards product security.”

As study, entitled ‘Understanding the Contemporary Use of Vulnerability Disclosure in Consumer Internet of Things Product Companies,’ sought to answer question: how widely practiced is vulnerability disclosure in the consumer IoT product domain? As part of this, the study asked at the company scale: Does it have a dedicated channel for vulnerability disclosure. Out of the 331 consumer product companies examined, which was performed during August 2018, only 32 had some form of online vulnerability disclosure scheme available for security researchers. Few of these companies operated with a hard deadline of 90 days for fixes to reported issues.

IoTSF was founded to help secure the Internet of Things in order to aid its adoption and maximise its benefits. It aims to promote knowledge and clear best practice in appropriate security to those who specify, make and use IoT products and systems.