I can exclusively reveal that research to be published today paints a scandalous picture of how many of the most popular consumer Internet of Things (IoT) brands are failing to protect their customers from being spied upon, having their data stolen, or unwittingly helping criminal endeavours to spread malware or take down online services. The report, commissioned by the IoT Security Foundation (IoTSF), found that nine out of ten (90.3%) of the global consumer IoT brands the researchers looked at simply do not give security researchers a proper way to report the vulnerabilities they find.
The report, "Understanding the Contemporary Use of Vulnerability Disclosure in Consumer Internet of Things Product Companies", sought to answer a simple question that is nonetheless fundamental to IoT security: how widely practised is vulnerability disclosure in the consumer IoT product domain? The answer appears to be: shockingly rarely. The report's author set out to uncover whether consumer IoT manufacturers and vendors had a dedicated channel through which security researchers could communicate any security vulnerabilities they might have found. All the products included in the research were available on the open market rather than prototypes, and both the brands and the manufacturers concerned were typically international in scope.
In all, a total of 331 consumer product companies were included in the results, collectively responsible for many hundreds of IoT product lines and millions of devices sold. These covered everything from Internet-connected toys from the likes of Hasbro and Mattel, through to weapons brands such as Armatrix, Tracking Point and Vaultek, not to mention D-Link, NEC, OnePlus, Sonos and TomTom. A shocking 299 (90.3%) of them had no form of public vulnerability disclosure policy, leaving just 32 (9.7%) with any kind of scheme for security researchers to use. Of those 32, only 15 had an incentive, or bug bounty, programme to encourage security researchers to find the holes in their products that threat actors could exploit. One company went so far as to state that security research was not permitted at all, by placing restrictions on security research in its terms of service. The best performers overall were some of the biggest brands, notably Google and Samsung. Apple did offer a bug bounty programme, but it was by invitation only. Amazon, Huawei, HTC, LG, Motorola, Samsung and Sony had processes in place for vulnerability disclosure but no bug bounty programmes.
I contacted some of the companies that had neither a bug bounty programme nor any apparent vulnerability disclosure policy, with a view to finding out why this was and whether it was a security oversight they would be rectifying in due course. These included Bose, Foscam, Hasbro, Logitech, Mattel, NEC, OnePlus, Sonos, TomTom, Whirlpool and WyzeCam. None had replied to my request for comment by the time of publication today.
I asked David Rogers, the author of the report, an IoTSF executive board member and CEO at security consultancy Copper Horse, whether he sees any commonality between the low number of companies that enable straightforward vulnerability disclosure by external security researchers and the relatively high number of reported exploits that continue to blight the IoT sector. “There is a direct link between companies that provide vulnerability disclosure schemes and security,” David says, adding, “it shows that those that have them have at least got as far as thinking about the fact that security researchers may want to disclose vulnerabilities to them, and that indicates they are thinking about security within their business and products.” That such a high number of companies have no reporting mechanism at all is a pretty clear indicator that all is not well. “This research merely quantifies what the security research and hacking community have known for years,” David confided, continuing, “that IoT product companies have little interest in making it easy for security researchers to be able to contact them.” He sees this as the tip of the iceberg when it comes to the poor levels of IoT security seen in consumer products around the world, and it has a direct impact on consumers. “It is time that this situation changed,” David insists. “Industry bodies like the IoTSF have recommendations available to implement, so there is no excuse for companies not to be operating vulnerability disclosure schemes.”