New IoTSF research identifies poor security practice of producers of connected products. What happens when someone discovers a security issue in a connected product? Whether it is a fitness tracker, WiFi speaker, pet monitor, home robot or even a fridge-freezer, how do security researchers and others report a security issue? To gain better visibility into the current status of vulnerability disclosure practice in consumer companies providing connected products, the IoT Security Foundation (IoTSF) commissioned a research study entitled: Understanding the Contemporary Use of Vulnerability Disclosure in Consumer Internet of Things Product Companies.
The research answers a fundamental question: how widely practiced is vulnerability disclosure in the consumer IoT product domain? As part of this, the study asked at the company scale: Does it have a dedicated channel for vulnerability disclosure. Out of the 331 consumer product companies examined, which was performed during August 2018, only 32 had some form of online vulnerability disclosure scheme available for security researchers. Few of these companies (3) operated with a hard deadline of 90 days for fixes to reported issues.
About the findings, David Rogers, CEO of Copper Horse Solutions and IoTSF Board member says: “The data doesn’t lie – connected product companies are woefully bad, when it comes to allowing security researchers to report issues to them. It is further evidence of the poor situation for product security in the Internet of Things. There is no need for this, there are recommendations and an international standard available for companies to adopt. There needs to be a shift of mind-set to take security seriously at the Boardroom level of connected product companies and for them to realise that regulators are starting to take action against the existing lax attitude towards product security.”
Best practice guidance and standards from multiple organisations advise that adopting the processes of Co-ordinated Vulnerability Disclosure should be a priority for all producers of connected products. The UK’s Department for Digital, Culture, Media & Sport (DCMS) Code of Practice for Consumer IoT security puts the implementation of a vulnerability disclosure policy second on its list of thirteen outcome-focused guidelines, which are widely considered good practice in IoT security.
“We conducted this research to better understand the contemporary status of vulnerability disclosure policy in practice,” says John Moor, Managing Director, IoTSF. “It’s part of our mission to raise awareness and help improve the situation and we hope that by highlighting this subject area, and identifying companies in the report, we can make positive progress in the future. For any company making connected products, it is fundamental to understand the importance of disclosure policy and leverage the research community to help make safer connected products.”
To read the report in full, please visit: www.iotsecurityfoundation.org/best-practice-guidelines
About the Internet of Things Security Foundation (IoTSF)
The mission of IoTSF is to help secure the Internet of Things, in order to aid its adoption and maximize its benefits. To do this IoTSF will promote knowledge and clear best practice in appropriate security to those who specify, make and use IoT products and systems.
IoTSF promotes the security values of a security-first approach, fitness for purpose and resilience through operating life. The security values are targeted at key stages of the IoT eco-system – those that build, buy and use products and services: Build Secure. Buy Secure. Be Secure.
IoTSF was formed as a response to existing and emerging threats in the Internet of Things applications.
IoTSF is an international, collaborative and vendor-neutral members’ initiative, driven by the IoT eco-system and inclusive of all parties including technology providers and service beneficiaries. For more information, news and further announcements, please visit the official website at www.iotsecurityfoundation.org