According to the latest annual report from the IoT Security Foundation (IoTSF), only 27.1% of suppliers provide a vulnerability disclosure policy, indicating that IoT companies are making little progress in making it simple for security researchers to disclose security issues. Comparatively, in the 2018 version of the same research, 9.7% of IoT (Internet of Things) companies were found to have a disclosure policy.
Vulnerability management is strongly advised in 30 cybersecurity advice projects, including the IoTSF’s IoT Security Assurance Framework, to be a foundation of connected product security. Straightforward reporting of security flaws is crucial for security lifecycle maintenance, and providers risk violating recently passed UK rules if they fail to follow best practice directives.
IoT manufacturers, importers, and distributors must provide a vulnerability disclosure policy under the UK’s Product Security and Telecoms Infrastructure Act, enacted in early December 2022. Vendors who don’t comply with potential risk sanctions, including fines of up to £20,000 per day in the most severe cases. The most recent report by the IoTSF was based on an analysis of 332 businesses that market IoT devices geared at consumers. The evaluation by mobile and IoT security consultancy Copper Horse examined security procedures related to various goods, including routers, tablets, smart speakers, and smart lighting controls. Asian vendors were often better at creating vulnerability disclosure processes than European suppliers, who lagged far behind (34.7% versus 14.5%).
According to Laurie Mercer, senior manager of security engineering at HackerOne, a Vulnerability Disclosure Policy (VDP) is a crucial tool for identifying and fixing security flaws in goods and services as part of the product security lifecycle. Although the study reveals it is still uncommon, customers are increasingly seeking for their suppliers to embrace this best practice.
Lawmakers around the world are attempting to enact rules to force IoT providers to increase the security of their devices. For instance, lawmakers in the US created the IoT Cybersecurity Improvement Act (2020). Similar topics are included in the draft European Cyber Resilience Act.
Copper Horse’s CEO, David Rogers, said: “The trend is towards mandating it – which makes you wonder again, why aren’t companies realising this? The writing is on the wall!” He added, “Even with the threat of incoming legislation, there is complacency in manufacturers that translates into an unacceptable risk for consumers when it comes to the security of IoT devices.”
Researchers found increases in the use of the “/security” contact page, the use of machine-readable “secuity.txt” files, and a little drop in the use of PGP keys for secure uploads throughout the study. Other developments included an increase in suppliers updating their policies and a rise in businesses hosting and maintaining their policies through a third-party “proxy service.” However, the study also identifies instances of good conduct by certain companies, so it’s not all bad news.
Rogers clarified, “Some companies and industries are starting to act in a much better way – there are some examples in the car industry such as Volkswagen Group where they have completely transformed their approach, in a positive way.” He added: “I think these companies can set a good example to their peers in showing that you can work with the security research community without all the brinksmanship.”
Vendors would be wise to implement a safe harbor policy, a set of rules that protect ethical hackers from being threatened with legal action or facing punishment while searching for holes in systems. For its Internet of Things gadgets, LG, for instance, follows a safe harbor strategy. Looking at the study more widely, 34 suppliers are praised since they “meet or exceed what will be required by legislation,” according to the IoTSF report, after security experts from Copper Horse reviewed their policies. Bosch, BT, Canon, Huawei, LG, Logitech, Microsoft, Peloton, Samsung, and Wink are just a few of the companies mentioned.
