If you are like me, you will have mixed feelings about the internet of things (IoT). As a child, I imagined waking in a house where the curtains would open automatically, the bath would start filling itself and a serene disembodied voice would ask if I wanted toast or eggs that morning. As an adult, I tend to imagine that networked devices are reporting all they have learned about me to some unknown remote master, and only occasionally do the things I want in order to maintain the illusion that they exist to serve me instead of me existing to serve them. That is why it is worth reviewing each annual vulnerability disclosure report from the IoT Security Foundation (IoTSF), to see if the world is trending towards my youthful fantasies or my fully-grown nightmares. This year’s report, which is based on research by Copper Horse and which has been made public today, is their most comprehensive review of the IoT market yet, covering products sold by a wide international range of retailers.
To recap, vulnerability disclosure is important because technology often has bugs and defects, and innovative technology is especially likely to suffer flaws that could put users at risk. If independent security researchers can tell businesses about any vulnerabilities they have discovered, then those businesses can take prompt action to remedy the problem. An IoT company that does not share a vulnerability disclosure policy with the security community is guilty of putting its customers at significantly increased risk for the sake of a trivial reduction in the company’s expenditure. Businesses that make internet-connected products have no excuse for failing to communicate any vulnerability disclosure policy they have adopted; policies should be placed on the corporate website so that anyone can easily find them.
The good news is that the businesses reviewed in previous years are now slightly better at listening to independent security researchers. This is how it should be, not least because several governments are expected to impose new obligations on IoT manufacturers and the retailers that stock their products. However, the bad news is that the new businesses added to the report since last year have generally not taken security seriously, confirming how much is being risked whenever a networked device is purchased from an untrustworthy supplier.
Security researchers have an identifiable means of communicating vulnerabilities they find to 31 percent of IoT firms that were reviewed in both 2022 and 2023. This is not an impressive statistic, but it is better than the 27 percent who fulfilled this requirement in 2022. The rate of progress for this group of firms has been slow but upward for several years. This contrasts with the 121 additional businesses that were newly covered in this year’s review; their rate of compliance was under 5 percent.
IoT retailers in Europe were significantly more likely to have vulnerability disclosure policies than those in the USA; over half of retailers in the EU and UK were meeting expectations, compared to less than 38 percent in the US. However, there is no room for complacency even in those countries where legislators have taken the risks more seriously. Just 42 of the 446 companies reviewed are currently compliant with the obligations in the UK’s Product Security and Telecommunications Infrastructure Act, which comes into force in April 2024.
Geographical rankings were reversed when analyzing the world according to where manufacturers have based their head offices. 29 percent of IoT manufacturers headquartered in North America have adopted vulnerability disclosure policies, compared to 25 percent headquartered in Asia and 19 percent headquartered in Europe. Only a small number of IoT manufacturers are headquartered in Africa, South America or Oceania, but none of them have a vulnerability disclosure policy.
Security researchers cannot expect to get rich by sharing what they have learned about IoT vulnerabilities. Bug bounties are offered by just 6.5 percent of the manufacturers reviewed for this year’s IoTSF report.
The safest kinds of product to buy are televisions; all the televisions reviewed were made by firms that comply with IoTSF expectations. You take far more risk if purchasing a networked wearable device (16 percent compliance) or any of the devices sold for leisure and hobbies (0 percent compliance).
The report has good practical advice for shoppers. If you like buying gadgets but want the reassurance that the supplier listens to independent security researchers then you are safest when purchasing from the UK’s John Lewis chain; 90 percent of the IoT manufacturers they stock comply with IoTSF expectations. Shoppers in the European Union should prefer the MediaMarkt multinational chain of stores (87.5 percent compliance) whilst Americans are best advised to make their purchases from Target (80 percent compliance).
This is only a very brief summary of the contents of the 36-page report. The full report has an especially intriguing section that details problems with the policies adopted by some of the best-known consumer brands, including AliExpress, Bose, Fitbit, Walmart and Withings. The State of Vulnerability Disclosure Policy (VDP) Usage in Global Consumer IoT in 2023 can be downloaded without needing to register from the best practices page on the IoTSF website.