- Industry uptake is “concerning”
- European firms will be the least compliant with emerging standards
- IoT Security Foundation calls for vendors and researchers to collaborate more
17th March 2020 – An analysis of 330 consumer IoT device manufacturers has revealed five of every six companies (86.7%, 286) don’t allow for vulnerability reporting. This would see them fall foul of new international standards and recently announced plans for a British IoT security law, as well as a proposed Australian code of practice and recommendations from the US Dept of Homeland Security.
Vulnerability reporting enables vendors to be alerted to, and fix, cyber security weaknesses that could be exploited by hackers. It is widely considered to be a baseline requirement of IoT device security (Scroll down for international regulations and high-profile hacks).
Of the manufacturers that did allow vulnerability reporting, variations exist and many used a weakened policy, with more than a third (38.6%) indicating no timeline of disclosure.
European headquartered firms performed the worst among their cohort. Just 5 of the 82 companies based in the region (6.1%) comply with incoming standards and laws; this compares with 16.0% (23 of 144) of North American firms and 16.3% (16 of 98) of Asian developers.
Slight progress has been seen on 2018’s analysis, when less than 10% (32 of 330) implemented vulnerability reporting. The IoTSF report concludes “the industry must do better… much better”.
The study and analysis has been published by the IoT Security Foundation (IoTSF) and is its second annual report. As part of its remit to drive security best practice, the IoTSF is also calling for more collaboration between manufacturers and cybersecurity researchers.
The report shows that, with few exceptions, only major brands supported vulnerability reporting. Those that did included Amazon, Apple, FitBit, Dyson, Garmin, Google, HP, HTC, Huawei, Lenovo, LG, Motorola, Samsung, Siemens, Signify and Sony. A complete list of the companies researched, and the results of the study, are included in the report.
Of the 44 enabling vulnerability reporting, 18 (40.9%) also included some form of bug bounty, which gives ethical hackers a financial incentive to alert the company rather than trading on the black market. 32 (72.7%) published a public PGP encryption key for secure communication, and an additional 9 (20.5%) used a proxy disclosure service.
Setting a timeline expectation between researchers and vendors is good practice. However, 17 firms offered no disclosure timeline. Only 4 included a 90-day deadline for fixing reported issues.
The second report also looked at companies’ attempts to simplify the reporting process, either via a /security page on their website or by using the emerging security.txt standard, which formats security contact information in a machine-readable way. 14 companies used a /security page and 3 used security.txt.
IoT Security Foundation’s John Moor said: “Vulnerability reporting is an essential element for keeping IoT products and services safe from intruders, and is widely considered to be a top 3 operational security measure. For me, it is the number one essential practice that needs to be adopted due to the impact it can have on managing risk exposure.
The trend for smart connected products continues to grow due to the low cost of the technology and the innovation it unleashes. However, that connectivity brings a risk ‘in the wild’ and it is crucial that security mitigations are managed beyond the design stage and throughout operating life – leveraging the researcher community significantly aids that undertaking.”
John Moor is the managing director of the IoT Security Foundation.
David Rogers MBE, CEO of IoT security specialists Copper Horse, which conducted the research on behalf of IoTSF, commented: “This is one of a few ways of measuring how proactive IoT product manufacturers are when it comes to security by design. Whether it is a conscious choice, or purely ignorance, it is pretty damning that the majority of these companies have no way for security researchers to be able to contact them. With legislation planned in the UK to mandate that manufacturers support vulnerability disclosure, the clock is ticking for these companies.”
David Rogers is also the author of the UK’s Code of Practice for Consumer IoT Security, an IoTSF Board member and was awarded an MBE in 2019 for services to cyber security.
High Profile Hacks / Warnings
Earlier this month the UK National Cyber Security Centre (NCSC) advised owners of smart cameras and baby monitors to tweak the settings after buying them. This followed a series of well-publicised breaches including:
- The US FDA confirming hackable flaws in an implantable cardiac device
- A fitness-watch API revealing users’ home addresses – including those of spies, military personnel and users who had put the device in private mode
- A hacker talking to a young girl in her bedroom through a Ring video camera saying “It’s Santa. It’s your best friend.”
- Pen testers exploiting flaws to open a smart lock
- Pen testers hacking into the in-built camera of a sex toy
IoT security, including vulnerability reporting, was the focus of a 2019 Five Eyes meeting. Here the US, UK, Canada, Australia and New Zealand governments discussed IoT security challenges, and measures to protect their citizens; agreeing to collaborate and advocating that devices should be secured by design.
The first law to be implemented following this will be in the UK. This is anticipated to come into force this year and specifically require companies to enable vulnerability reporting for products being sold in the region.
Australia’s government has also announced a draft code of practice, which mandates vulnerability disclosure policies be in place.
In the US, the law requires manufacturers selling in California to equip devices with “reasonable” security. Though this is subject to wide interpretation, vulnerability reporting has been a key recommendation in IoT system protection documentation from the Dept of Homeland Security.
Additionally, existing federal law prevents government suppliers from selling vulnerable equipment, adding pressure on larger firms.
In Asia, Chinese legislation allows for the state to pen-test IoT devices operating in the country to identify weaknesses. In India, calls have long been made for the government to release public vulnerability reporting guidelines. And while no vulnerability reporting legislation exists in South Korea either, its Personal Information Protection Act is among the world’s strictest data protection regimes.
At an organisational level, vulnerability reporting is also a key requirement for consumer IoT security in documentation from ETSI, the IEEE and multiple IoT security organisations. These include the IoT Security Foundation, Alliance for Internet of Things Innovation (AIOTI), Broadband Internet Technical Advisory Group (BITAG), CableLabs, the Internet Society’s Online Trust Alliance, Open Web Application Security Project (OWASP) and hacker collective ‘I am the Cavalry’.
About the Internet of Things Security Foundation (IoTSF)
The mission of IoTSF is to help secure the Internet of Things, in order to aid its adoption and maximize its benefits. To do this IoTSF will promote knowledge and clear best practice in appropriate security to those who specify, make and use IoT products and systems.
IoTSF promotes the security values of a security-first approach, fitness for purpose and resilience through operating life. The security values are targeted at key stages of the IoT eco-system – those that build, buy and use products and services: Build Secure. Buy Secure. Be Secure.
IoTSF was formed as a response to existing and emerging threats in Internet of Things applications.
IoTSF is an international, collaborative and vendor-neutral members’ initiative, driven by the IoT eco-system and inclusive of all parties including technology providers and service beneficiaries.