17th March 2020 – An analysis of 330 consumer IoT device manufacturers has revealed five of every six companies (86.7%, 286) don’t allow for vulnerability reporting. This would see them fall foul of new international standards and recently announced plans for a British IoT security law; as well as proposed Australian code of practice and recommendations from the US Dept of Homeland Security.
Vulnerability reporting enables vendors to be alerted to, and fix, cyber security weaknesses that could be exploited by hackers. It is widely considered to be a baseline requirement of IoT device security (Scroll down for international regulations and high-profile hacks).
Of the manufacturers that did allow vulnerability reporting, variations exist and many used a weakened policy, with more than a third (38.6%) indicating no timeline of disclosure.
European headquartered firms performed the worst among their cohort. Just 5 of the 82 companies based in the region (6.1%) comply with incoming standards and laws; this compares with 16.0% (23 of 144) of North American firms and 16.3% (16 of 98) of Asian developers.
Slight progress has been seen on 2018’s analysis, when less than 10% (32 of 330) implemented vulnerability reporting. The IoTSF report concludes “the industry must do better… much better”.
The study and analysis has been published by the IoT Security Foundation (IoTSF) and is its second annual report. As part of its remit to drive security best practice, the IoTSF is also calling for more collaboration between manufacturers and cybersecurity researchers.
The report shows that, with few exceptions, only major brands supported vulnerability reporting. Those that did included Amazon, Apple, FitBit, Dyson, Garmin, Google, HP, HTC, Huawei, Lenovo, LG, Motorola, Samsung, Siemens, Signify and Sony. A complete list of companies researched, and the results of the study are included in the report.
Of the 44 enabling vulnerability reporting, 18 (40.9%) also included some form of bug bounty, which gives ethical hackers a financial incentive to alert the company rather than trading on the black market. 32 (72.7%) had a secure communication public PGP encryption key; and an additional 9 (20.5%) used a proxy disclosure service.
Setting a timeline expectation between researchers and vendors is good practice. However 17 firms offered no disclosure timeline. Only 4 included a 90-day deadline for fixing reported issues.
The second report also looked at companies attempts to simplify the reporting process – either via a /security page on their website; or by using the emerging security.txt standard, which formats security contact information in a machine readable way. 14 companies used a /security page and 3 used security.txt.
IoT Security Foundation’s John Moor said: “Vulnerability reporting is an essential element for keeping IoT products and services safe from intruders, and is widely considered to be a top 3 operational security measure. For me, it is the number one essential practice that needs to be adopted due to the impact it can have on managing risk exposure.
The trend for smart connected products continues to grow due to the low cost of the technology and the innovation it unleashes. However, that connectivity brings a risk ‘in the wild’ and it is crucial that security mitigations are managed beyond the design stage and throughout operating life – leveraging the researcher community significantly aids that undertaking.”
John Moor is the managing director of the IoT Security Foundation.
David Rogers MBE, CEO of IoT security specialists Copper Horse which conducted the research on behalf of IoTSF commented “this is one of a few ways of measuring how proactive IoT product manufacturers are when it comes to security by design. Whether it is a conscious choice, or purely ignorance, it is pretty damning that the majority of these companies have no way for security researchers to be able to contact them. With legislation planned in the UK to mandate that manufacturers support vulnerability disclosure, the clock is ticking for these companies.”
David Rogers is also the author of the UK’s Code of Practice for Consumer IoT Security, an IoTSF Board member and was awarded an MBE in 2019 for services to cyber security.
High Profile Hacks / Warnings
Earlier this month the UK National Cyber Security Centre (NCSC) advised owners of smart cameras and baby monitors to tweak the settings after buying them. This followed a series of well-publicised breaches including:
IoT security, including vulnerability reporting, was the focus of a 2019 Five Eyes meeting. Here the US, UK, Canada, Australia and New Zealand governments discussed IoT security challenges, and measures to protect their citizens; agreeing to collaborate and advocating that devices should be secured by design.
The first law to be implemented following this will be in the UK. This is anticipated to come into force this year and specifically require companies to enable vulnerability reporting for products being sold in the region.
Australia’s government has also announced a draft code of practice, which mandates vulnerability disclosure policies be in place.
In the US, while calls have been made for federal law to mimic the UK’s new laws, legislation has been focussed at the state level, with California being the first to legislate.
Its law requires manufacturers selling in California to equip devices with “reasonable” security, and though it’s subject to wide interpretation, vulnerability reporting has been a key recommendation in IoT system protection documentation from the Dept of Homeland Security.
Additionally, existing federal law prevents government suppliers selling vulnerable equipment adding pressure on larger firms.
In Asia, Chinese legislation allows for the state to pen-test IoT devices operating in the country to identify weaknesses. In India, calls have long been made for the government to release public vulnerability reporting guidelines. And while no vulnerability reporting legislation exists in South Korea either, its Personal Information Protection Act is among the world’s strictest data protection regimes.
At an organisational level; vulnerability reporting is also a key requirement for consumer IoT security in documentation from the ETSI, the IEEE and multiple IoT security organisations. These include the IoT Security Foundation, Alliance for Internet of Things Innovation (AIOTI), Broadband Internet Technical Advisory Group (BITAG), CableLabs, the Internet Society’s Online Trust Alliance, Open Web Application Security Project (OWASP) and hacker collective ‘I am the Cavalry’.