Only 19% of IoT Firms Have a Security Vulnerability Disclosure Policy

It says a lot about the technology sector that they not only made it normal to sell products which are buggy and need to be fixed later, but they also found ways for vendors to shift the burden of identifying security vulnerabilities to people outside of their business. But expectations surrounding the Internet of Things (IoT) are even lower, with only 18.9 percent of IoT suppliers bothering to tell outsiders how to inform them of security vulnerabilities they have identified. That is the finding of a new study of more than 300 companies by Copper Horse for the IoT Security Foundation.

The proportion of IoT manufacturers, representatives and importers with an evident vulnerability disclosure policy would have been even lower except for the decision to include more mature technologies like wi-fi routers in the study for the first time. Since 2018 there has been a steady improvement in the number of IoT suppliers with websites that explain how security researchers should contact them, but the majority continue to provide no useful advice on the topic. Whilst there are disclosure policies that cover 85 percent of wi-fi routers and 69 percent of laptops, PCs and tablets, there is an equivalent policy for only 15.8 percent of smart home products.

Asian firms lead the way, with 26.5 percent of IoT suppliers headquartered in the region having a public vulnerability disclosure policy. North America comes next, with 20.6 percent of their IoT providers stating a policy on their corporate website. This represents significant improvements in both regions. Only 7.5 percent of Europe’s laggardly IoT suppliers have bothered to communicate a disclosure policy, with just one European company unveiling a new policy since the 2019 study.

The indifferent attitude to IoT security is hardly news. This year we learned that manufacturers of a networked penis clamp did not care that remote hackers could easily and permanently lock every user’s genitals in its metal cage. Students at the University of Oklahoma responded to the introduction of ‘smart’ vehicle clamps by stealing their SIM cards and using them for unlimited data. But nothing compared to German business Osram compromising security for the entire house through their woefully insecure networked light bulbs. Osram still fails to have a vulnerability disclosure policy for its smart light bulbs, though their four years of putting households at risk will finally come to an end because they divested their consumer lamp division and will decommission the light bulb servers.

This IoT Security Foundation report is commendable for transparently showing detailed findings for all the companies researched. Even a skim read of the main conclusions is a worthwhile and eye-opening experience. The report is available for free and can be downloaded without registration from here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.