Research Reveals Most Consumer IoT Providers Lack Vulnerability Disclosure Processes

According to a new analysis, most consumer Internet of Things (IoT) providers are still failing to offer clear methods for reporting security issues. According to researchers from UK IoT security firm Copper Horse, only 21.6 percent of firms selling consumer IoT devices appear to have a Vulnerability Disclosure Program (VDP).

A VDP gives researchers instructions on how to report security flaws to a specific business, including “safe harbor” clauses to shield them from legal ramifications. VDPs, unlike bug bounty programs, do not give monetary rewards.

A report issued by the IoT Security Foundation (IoTSF) reveals that because of the “glacial” progress achieved in the IoT sector’s adoption of VDPs – 18.9% last year – nearly four out of five enterprises are still failing to offer the most basic security hygiene mechanism, which allows security flaws to be notified to suppliers and remedied.

This means that numerous vendors may be in breach of IoT legislation and codes of practice already in existence or in the works in the EU, US, UK, India, Singapore, France, and Australia.

A small group of B2B vendors included in the research for the first time fared substantially better, with 71.4 percent of the 49 firms having some type of VDP.

According to the fourth edition of the IoTSF study, just 6.7 percent of the 315 consumer companies studied additionally provide status updates and resolution timetables to security researchers who identify issues. Tech heavyweights including Google, Microsoft, Siemens, LG, and Xiaomi exceeded this “extended threshold” for VDP best practices. Coordinated vulnerability disclosure (CVD), in which researchers are publicly thanked, involved in the fix, and allowed to reveal defects after remediation, was featured in nearly two-thirds of VDPs (67.6%).

Another 7.4% keep the procedure in-house, while the ‘other’ 25% comprises companies that advertise an official security contact but publish no policy. A third-party platform, most commonly HackerOne or Bugcrowd, manages 23.5 percent of VDPs, and 30.9 percent are accompanied by a bug bounty program.

The use of two commonly suggested reporting mechanisms, the /security website URL convention and the security.txt file, was likewise low: 5.4 percent for the /security URL convention and 2.9 percent for security.txt.

The share of organizations with a formal reporting system that offered a PGP key to encrypt correspondence with researchers increased from 45 percent to 71.8 percent year over year, a favorable trend.
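To make concrete what the security.txt convention and the PGP-key point above actually ask a vendor to publish, here is an added example (my own code, not code from Copper Horse, the IoTSF or the article). It parses a security.txt file as RFC 9116 defines it (served at /.well-known/security.txt over HTTPS) and lists the gaps a researcher would run into: missing Contact or Expires, a stale Expires date, a Contact that is not a URI, and no Encryption field pointing at a key. The two sample files and the example-iot-vendor.invalid hostnames are constructed for the example.

```python
"""Minimal checker for a vendor's security.txt (RFC 9116).
Added illustration; the sample files below are constructed, not real vendors' files."""
from datetime import datetime, timezone

# RFC 9116 mandates exactly these two fields; the rest are optional but useful.
REQUIRED_FIELDS = ("contact", "expires")
# Schemes RFC 9116 lists for the Encryption field (a URI where the key can be fetched).
ENCRYPTION_SCHEMES = ("https://", "dns:", "openpgp4fpr:")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text):
    """Parse 'Field: value' lines into {lowercased field name: [values]}.
    Comment lines (#) and blank lines are ignored; field names are case-insensitive."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of findings for the given file content; [] means it passed."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = []

    for req in REQUIRED_FIELDS:
        if req not in fields:
            findings.append(f"missing required field: {req}")

    if "expires" in fields:
        if len(fields["expires"]) > 1:
            findings.append("Expires must appear exactly once")
        # RFC 9116 requires an RFC 3339 date-time; accept the trailing 'Z' form too.
        try:
            exp = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= now:
                findings.append("Expires is in the past; the file is stale")
        except ValueError:
            findings.append("Expires is not an ISO 8601 / RFC 3339 date-time")

    for contact in fields.get("contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            findings.append(f"Contact must be a URI (mailto:, https:, tel:): {contact}")

    # The Encryption field is where the PGP key the report cites is advertised.
    if "encryption" not in fields:
        findings.append("no Encryption field: researchers cannot encrypt their report")
    else:
        for enc in fields["encryption"]:
            if not enc.startswith(ENCRYPTION_SCHEMES):
                findings.append(f"Encryption must be an https:, dns: or openpgp4fpr: URI: {enc}")

    return findings


# Constructed sample: what a vendor meeting the convention might publish.
GOOD_SAMPLE = """\
# Constructed example file, not a real vendor's security.txt
Contact: mailto:security@example-iot-vendor.invalid
Contact: https://example-iot-vendor.invalid/security
Expires: 2099-01-01T00:00:00Z
Encryption: https://example-iot-vendor.invalid/pgp-key.txt
Policy: https://example-iot-vendor.invalid/security/vdp
Acknowledgments: https://example-iot-vendor.invalid/security/hall-of-fame
Preferred-Languages: en
"""

# Constructed sample: a bare e-mail address, an expired file and no key on offer.
BAD_SAMPLE = """\
Contact: security@example-iot-vendor.invalid
Expires: 2020-01-01T00:00:00Z
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, check_security_txt(sample) or "OK")
```

Running the checker over a real vendor's file means fetching https://<host>/.well-known/security.txt first; the parser deliberately tolerates stray lines rather than failing the whole file, since a partially usable contact is still more useful to a reporter than none.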

The researchers found that certain firms that had VDPs in 2020, such as Dyson and Tile, had stopped publishing program details on their websites. Only 9% of European vendors have a VDP, compared to 24.3 percent of North American vendors and 29.5 percent of Asian vendors.

There is increasing evidence that the market has failed, the report argues, which is why regulatory action is required. Non-tech firms that purchase “white-labeled products and rebrand them as their own” raise trust concerns and pose a “significant challenge for regulatory enforcement.”

According to the report, several IoT providers restrict or discourage disassembly and tampering in their devices’ terms of use, which dampens good-faith security research.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.