20.5k unique visitors in the last 3 days

Only 19% of IoT Firms Have a Security Vulnerability Disclosure Policy

A new report from the IoT Security Foundation reveals the complacency of many suppliers of networked devices.

It says a lot about the technology sector that they not only made it normal to sell products which are buggy and need to be fixed later, but they also found ways for vendors to shift the burden of identifying security vulnerabilities to people outside of their business. But expectations surrounding the Internet of Things (IoT) are even lower, with only 18.9 percent of IoT suppliers bothering to tell outsiders how to inform them of security vulnerabilities they have identified. That is the finding of a new study of more than 300 companies by Copper Horse for the IoT Security Foundation.

The proportion of IoT manufacturers, representatives and importers with an evident vulnerability disclosure policy would have been even lower except for the decision to include more mature technologies like wi-fi routers in the study for the first time. Since 2018 there has been a steady improvement in the number of IoT suppliers with websites that explain how security researchers should contact them, but the majority continue to provide no useful advice on the topic. Whilst there are disclosure policies that cover 85 percent of wi-fi routers and 69 percent of laptops, PCs and tablets, there is an equivalent policy for only 15.8 percent of smart home products.

Asian firms lead the way, with 26.5 percent of IoT suppliers headquartered in the region having a public vulnerability disclosure policy. North America comes next, with 20.6 percent of their IoT providers stating a policy on their corporate website. This represents significant improvements in both regions. Only 7.5 percent of Europe’s laggardly IoT suppliers have bothered to communicate a disclosure policy, with just one European company unveiling a new policy since the 2019 study.

The indifferent attitude to IoT security is hardly news. This year we learned that manufacturers of a networked penis clamp did not care that remote hackers could easily and permanently lock every user’s genitals in its metal cage. Students at the University of Oklahoma responded to the introduction of ‘smart’ vehicle clamps by stealing their SIM cards and using them for unlimited data. But nothing compared to German business Osram compromising security for the entire house through their woefully insecure networked light bulbs. Osram still fails to have a vulnerability disclosure policy for its smart light bulbs, though their four years of putting households at risk will finally come to an end because they divested their consumer lamp division and will decommission the light bulb servers.

This IoT Security Foundation report is commendable for transparently showing detailed findings for all the companies researched. Even a skim read of the main conclusions is a worthwhile and eye-opening experience. The report is available for free and can be downloaded without registration from here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email