Poor security practice from producers of connected products

Posted By : Alex Lynn
What happens when someone discovers a security issue in a connected product? How do security researchers and others report a security issue? To gain better visibility into the current status of vulnerability disclosure practice in consumer companies providing connected products, the IoT Security Foundation (IoTSF) commissioned a research study.

The study was entitled: ‘Understanding the Contemporary Use of Vulnerability Disclosure in Consumer Internet of Things Product Companies’.

The research answers a fundamental question: how widely practised is vulnerability disclosure in the consumer IoT product domain? As part of this, the study asked of each company: does it have a dedicated channel for vulnerability disclosure? Of the 331 consumer product companies examined during August 2018, only 32 had some form of online vulnerability disclosure scheme available to security researchers. Only three of these companies operated with a hard deadline of 90 days for fixes to reported issues.

About the findings, David Rogers, CEO of Copper Horse Solutions and IoTSF Board member, stated: “The data doesn’t lie; connected product companies are woefully bad when it comes to allowing security researchers to report issues to them. It is further evidence of the poor situation for product security in the Internet of Things. There is no need for this; there are recommendations and an international standard available for companies to adopt. There needs to be a shift of mind-set to take security seriously at the Boardroom level of connected product companies and for them to realise that regulators are starting to take action against the existing lax attitude towards product security.”

Best practice guidance and standards from multiple organisations advise that adopting the processes of Co-ordinated Vulnerability Disclosure should be a priority for all producers of connected products. The UK’s Department for Digital, Culture, Media & Sport (DCMS) Code of Practice for Consumer IoT security puts the implementation of a vulnerability disclosure policy second on its list of thirteen outcome-focused guidelines, which are widely considered good practice in IoT security.

John Moor, Managing Director, IoTSF, added: “We conducted this research to better understand the contemporary status of vulnerability disclosure policy in practice. It’s part of our mission to raise awareness and help improve the situation and we hope that by highlighting this subject area, and identifying companies in the report, we can make positive progress in the future. For any company making connected products, it is fundamental to understand the importance of disclosure policy and leverage the research community to help make safer connected products.”
