November 7th, 2023 LONDON

As New Government Legislation on Consumer IoT devices is set to be implemented in Early 2024, Our Latest Report Highlights that 76% of Manufacturers do not Comply with These Requirements.

The State of Vulnerability Disclosure Policy (VDP) Usage in Global Consumer IoT Report 2023 was launched at the IoTSF Annual Conference in London on November 7th. It highlights that the vast majority (76.01%) of Consumer IoT device manufacturers and retailers do not currently comply with new government legislation that is set to be enforced in April 2024.

This report marks the sixth in a series of annual reports that has been following the adoption of vulnerability disclosure and associated practices, among manufacturers of popular internet connected devices. Since 2018 Copper Horse researchers, in association with the IoT Security Foundation, have been studying popular IoT device manufacturers and tracking whether these companies have a point of contact for researchers to report security concerns.

The research in this year’s report added 121 new popular device manufacturers, over 95% of which do not have a vulnerability disclosure policy. Overall, the percentage of this widened dataset with a policy has slightly decreased on the 2022 figure of 27.11% to 23.99% in 2023. This means that 76.01% of IoT manufacturers in the 2023 dataset do not have a way for security researchers to contact them and the minimal decrease in 12 months is hugely concerning given the imminent new legislation.

The process is called vulnerability disclosure and the adoption of a policy can be seen as a basic indicator of an organisation’s security posture. Governments have become increasingly aware of the importance of vulnerability disclosure, particularly Coordinated Vulnerability Disclosure (CVD) and have endorsed and recommended it across the world.

The UK’s Product Security and Telecommunications Infrastructure (PSTI) which focuses on consumer IoT product security, has mandated the use of Coordinated Vulnerability Disclosure and this regulation comes into effect on April 29th, 2024. The IoT Security Foundation is offering advice and guides to help manufacturers of these devices understand and help them comply with this legislation before the fast approaching deadline.

In the EU, the Cyber Resilience Act (CRA) is progressing into its final stages in the EU Parliament and various cyber security recommendations in the USA recommend or mandate CVD, with NIST having produced standards for policy usage. The focus of regulators and governments in the next year will switch towards those retailers that choose to stock insecure products.

The findings of the report were announced at this year’s Annual IoT Security Foundation Conference, the world’s longest-running conference dedicated to IoT cybersecurity. The conference has built a loyal global following from the IoT stakeholder community and is renowned for delivering high-quality conference programmes.

John Moor, Co-Founder and Managing Director of the IoT Security Foundation said, “when the notion of this research was first conceived, we had a very clear objective in mind; we wanted to understand the status of IoT security in the marketplace. No one on the expert team would feel comfortable buying or using an IoT product that was sourced from a company that does not maintain its security. We therefore selected the presence (or absence) of a vulnerability disclosure policy as our litmus test.

This year is especially notable as the much-anticipated legislation is now imminent with the UK’s PSTI Act taking full force from April 2024 and several prominent others following in quick succession. What has caught my attention – specifically in relation to the UK legislation – are the requirements for non-manufacturers who are responsible for introducing products into the (UK) market; importers and distributors. This report has therefore paid special attention to some of the more prominent retailers (Best Buy, Currys, John Lewis, Jumia, Media Markt, and Walmart) in key regions as they need to take heed.

As always, ‘the report’ draws out important and interesting nuances to complement the key findings. I encourage the reader to contrast the findings (performance) between mature product categories and new products, the consumer and B2B markets and the effect of white-label goods. And of course, take a look at those companies that fail to meet the regulatory ‘threshold test’ as they will soon be in the sights of enforcement.

As the home of IoT security, IoTSF is here to help – wherever you are on your journey – I hope you find this report as useful as it is insightful.”

The latest report is supported by HackerOne and can be downloaded for FREE from the Publications Page on the IoTSF website.