20.5k unique visitors in the last 3 days

‘Unacceptably Low’ Number of Firms Have IoT Vulnerability Disclosure Policies

New research from the Internet of Things Security Foundation backs the argument for legislation to hasten the 'glacial' pace of change.

A new report from the Internet of Things Security Foundaton (IoTSF) has slammed the 78 percent of manufacturers who do not support “the very basic security hygiene mechanism to allow security vulnerabilities to be reported to vendors so they can be fixed”. Their publication, entitled The Contemporary Use of Vulnerability Disclosure in IoT, Report 4: November 2021 is the fourth in an annual series reviewing vulnerability disclosure policies and practices for internet of things (IoT) products sold to consumers. According to them:

Reporting a product security issue should be made simple so that a vendor can get to work on applying a fix as soon as possible.

However, of 315 IoT businesses selling consumer IoT products, only 68 (21.6%) have a “readily detectable” vulnerability disclosure policy. IoTSF said this was “unacceptably low” and “should be of significant concern for regulators, consumers, and business users alike”.

This statistic of 21.6% of firms having a detectable disclosure policy is an improvement on previous years. However, the IoTSF described the pace of change as “glacial”. Their argument is that slow voluntary adoption of good security practices means governments and regulators should intervene. The report highlights the positive role of legislation in the European Union, USA and UK.

Some relative good news, depending on your perspective, is that IoT businesses that focus on home security have been closing down because of the lower burglary rates during the pandemic. More generally there appears to be a pattern where frivolous IoT devices – ‘smart’ pet bowls, connected kettles and the like – are no longer being made because there is insufficient demand. Though the IoTSF does not make this observation, I believe cyber privacy and security risks will always be greatest when companies with little or no background in networked technologies treat internet connectivity as a gimmicky way to boost sales. They have neither the expertise to make security central to product design, nor the business model to justify investing in learning how.

The other good news from the report is that providers of IoT devices aimed at the business-to-business market were significantly more likely to have a vulnerability disclosure policy. 49 B2B providers were reviewed, and 35 of them (71.4%) have some form of vulnerability disclosure policy.

The IoTSF report follows good practice by transparently stating the names of all the businesses reviewed and plenty of detail about how the research was conducted. You can obtain the report for free, without needing to register, by clicking here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email