‘Unacceptably Low’ Number of Firms Have IoT Vulnerability Disclosure Policies

A new report from the Internet of Things Security Foundation (IoTSF) has slammed the 78 percent of manufacturers who do not support “the very basic security hygiene mechanism to allow security vulnerabilities to be reported to vendors so they can be fixed”. Their publication, entitled The Contemporary Use of Vulnerability Disclosure in IoT, Report 4: November 2021, is the fourth in an annual series reviewing vulnerability disclosure policies and practices for internet of things (IoT) products sold to consumers. According to them:

Reporting a product security issue should be made simple so that a vendor can get to work on applying a fix as soon as possible.

However, of 315 IoT businesses selling consumer IoT products, only 68 (21.6%) have a “readily detectable” vulnerability disclosure policy. IoTSF said this was “unacceptably low” and “should be of significant concern for regulators, consumers, and business users alike”.

This statistic of 21.6% of firms having a detectable disclosure policy is an improvement on previous years. However, the IoTSF described the pace of change as “glacial”. Their argument is that slow voluntary adoption of good security practices means governments and regulators should intervene. The report highlights the positive role of legislation in the European Union, USA and UK.

Some relative good news, depending on your perspective, is that IoT businesses that focus on home security have been closing down because of the lower burglary rates during the pandemic. More generally there appears to be a pattern where frivolous IoT devices – ‘smart’ pet bowls, connected kettles and the like – are no longer being made because there is insufficient demand. Though the IoTSF does not make this observation, I believe cyber privacy and security risks will always be greatest when companies with little or no background in networked technologies treat internet connectivity as a gimmicky way to boost sales. They have neither the expertise to make security central to product design, nor the business model to justify investing in learning how.

The other good news from the report is that providers of IoT devices aimed at the business-to-business market were significantly more likely to have a vulnerability disclosure policy. Of the 49 B2B providers reviewed, 35 (71.4%) have some form of vulnerability disclosure policy.

The IoTSF report follows good practice by transparently stating the names of all the businesses reviewed and plenty of detail about how the research was conducted. You can obtain the report for free, without needing to register, by clicking here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.