73% of IoT Device Manufacturers Do Not Comply with Imminent UK Security Rules

New research published today highlights the ongoing security failings of the majority of companies that make products powered by the Internet of Things (IoT). A key requirement is that independent security researchers know how to safely communicate vulnerabilities they have identified by following a business’ vulnerability disclosure policy (VDP). However, a new report from the IoT Security Foundation confirms that only a minority of IoT manufacturers have bothered to state what their VDP is.

The fifth annual report on “The State of Vulnerability Disclosure Policy (VDP) Usage in Global Consumer IoT” concluded that the proportion of firms with a VDP is only slightly improved since the end of 2021, when 21.6 percent of firms had a “readily detectable” VDP. The situation at the end of 2022 is that still only 27.1 percent of firms satisfy this requirement, despite the UK government passing new legislation which will lead to fines for companies that have no VDP.

Financial penalties for non-compliance with Britain’s IoT product security requirements could range as high as GBP20,000 (USD24,800) for every day that a business fails to meet its obligations. The new rules are derived from standards that have been agreed at an international level and it is widely expected that the European Union and other countries will follow the UK’s lead by also enforcing similar rules in the near future.

The IoTSF report is based upon research conducted by Copper Horse Ltd, experts in mobile and IoT security. Copper Horse reviewed a total of 332 companies that sell IoT devices. Casio, Dyson, Fitbit, Hoover, Nespresso and Osram are just some of the well-known consumer brands that have no VDP for their IoT products. David Rogers, CEO of Copper Horse, gave a damning assessment of the state of the industry.

The overall picture remains shocking. If the adoption of vulnerability disclosure policies continues at the current rate, IoT manufacturers won’t be fully compliant until 2039! Even with the threat of incoming legislation, there is complacency in manufacturers that translates into an unacceptable risk for consumers when it comes to the security of IoT devices.

John Moor, Managing Director of IoTSF, had no sympathy for the businesses that fail to prioritize the safety of consumers.

There is no excuse – good design and simple hygiene practices mean manufacturers can protect their customers cost-effectively.

The authorities in Britain and the EU are driving improvements to IoT security but European manufacturers lag behind. Per the research, just 14.5 percent of European IoT manufacturers have a VDP. Asian and North American vendors do much better, achieving compliance rates of 34.7 percent and 32.6 percent respectively. The degree of compliance varies greatly depending on the type of networked device that the supplier manufactures. TV manufacturers all have a VDP without a single exception. In contrast, the companies which make fashionable health and fitness monitors seem to care little about securing the sensitive information gathered about users, with just 4 of the 38 firms surveyed having a VDP.

One significant challenge for the researchers was determining which VDPs were genuinely in effect and which were merely redundant policies that are no longer maintained in practice. For example, satnav and mapping device business TomTom has a ‘Hall of Fame’ webpage that praises security researchers who communicated vulnerabilities in 2019, but that list has not been updated since and no VDP can now be found on their website.

The research performed for this study is authoritative and the 22-page report includes many other findings. You can freely download the report without needing to register from the best practices page on the IoTSF website.

David Rogers will be one of the expert guests appearing on The Communications Risk Show, a new interview series that will be livestreamed to the web every Wednesday from March 15. Stay tuned for more details.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.