A new report from the Internet of Things Security Foundation (IoTSF) has slammed the 78 percent of manufacturers who do not support “the very basic security hygiene mechanism to allow security vulnerabilities to be reported to vendors so they can be fixed”. Their publication, entitled The Contemporary Use of Vulnerability Disclosure in IoT, Report 4: November 2021, is the fourth in an annual series reviewing vulnerability disclosure policies and practices for internet of things (IoT) products sold to consumers. According to them:
Reporting a product security issue should be made simple so that a vendor can get to work on applying a fix as soon as possible.
However, of 315 IoT businesses selling consumer IoT products, only 68 (21.6%) have a “readily detectable” vulnerability disclosure policy. IoTSF said this was “unacceptably low” and “should be of significant concern for regulators, consumers, and business users alike”.
The 21.6% of firms with a detectable disclosure policy is an improvement on previous years, but the IoTSF described the pace of change as “glacial”. Their argument is that slow voluntary adoption of good security practices means governments and regulators should intervene. The report highlights the positive role of legislation in the European Union, USA and UK.
Some relatively good news, depending on your perspective, is that IoT businesses that focus on home security have been closing down because of the lower burglary rates during the pandemic. More generally there appears to be a pattern where frivolous IoT devices – ‘smart’ pet bowls, connected kettles and the like – are no longer being made because there is insufficient demand. Though the IoTSF does not make this observation, I believe cyber privacy and security risks will always be greatest when companies with little or no background in networked technologies treat internet connectivity as a gimmicky way to boost sales. They have neither the expertise to make security central to product design, nor the business model to justify investing in learning how.
The other good news from the report is that providers of IoT devices aimed at the business-to-business market were significantly more likely to have a vulnerability disclosure policy. Of the 49 B2B providers reviewed, 35 (71.4%) have some form of vulnerability disclosure policy.
The IoTSF report follows good practice by transparently stating the names of all the businesses reviewed and giving plenty of detail about how the research was conducted. The report is available for free, without needing to register.