Consumer IoT product vulnerability disclosure

by Mark Rowe

Just over a third (35.59 per cent) of global IoT manufacturers have a vulnerability disclosure policy, according to the seventh report into the state of vulnerability disclosure practices among manufacturers in the IoT product ecosystem, published by the IoT Security Foundation (IoTSF). That means most offer security researchers no way to contact them, the report points out.

Comment

In an introduction to the report, John Moor, Managing Director of the IoT Security Foundation, noted that the report follows the coming into force in April of the Product Security and Telecommunications Infrastructure (PSTI) Act, whose progress had been delayed by the global pandemic. “This report illustrates how we are seeing the effect, and intended outcomes of the UK regulation. It also shows those that are following in Europe and the US are consistent in pointing the way forward, not just regarding product security, but also the processes that are expected of the supply chain to ensure security is monitored and maintained throughout life usage.”

As for ‘smart’ product categories, the notable laggards, he said, are Health and Fitness, Lighting and, ‘somewhat paradoxically’, Security. Those manufacturer report cards read “must do better”, Moor said. He concluded that in an increasingly digital world, ‘without fit-for-purpose cybersecurity, we are all at risk’. The UK’s National Cyber Security Centre (NCSC) offers free resources for manufacturers of such ‘smart’ products to set up a disclosure programme, whether for a baby monitor, smart watch or connected lighting. The report complains that hundreds of companies in the IoT market have done nothing, despite there being no real excuse for not adopting best practice.

PSTI effect

While the PSTI Act has had some effect in the UK, its implementation seems ‘fragmented and inconsistent’, according to the report: “While some leading UK retailers are showing that around 90 per cent of the IoT manufacturers they stock have vulnerability disclosure policies, there are some notable exceptions to this ‘dip test’ of the market and there are obvious differences in online marketplaces.”

Definition

As the 34-page report sets out, vulnerability disclosure is often misunderstood outside the security and hacking worlds, and confused with incident reporting (or disclosure), where companies in some jurisdictions are required to alert the authorities to a data breach or compromise. Vulnerability disclosure is, instead, ‘about security researchers disclosing vulnerabilities to a company to get them rectified – to protect the company’s products and services, but most importantly the company’s customers. It is not about asking companies to disclose public information about unresolved vulnerabilities they may have.’

The European Union Agency for Cybersecurity (ENISA) defines vulnerability disclosure as “the process of identifying, reporting and patching weaknesses of software, hardware or services that can be exploited”. Outside the UK, the nearest equivalent in the European Union is the Cyber Resilience Act (CRA), which subjects some classes of product to more stringent requirements and conformity assessments. With the CRA finalised in 2024, its obligations apply from 2027. In March 2024 the US Federal Communications Commission (FCC) introduced a ‘Voluntary IoT Labeling Programme’.

Some manufacturers choose to offer bug bounties alongside a vulnerability disclosure scheme. The report defines a bug bounty as ‘a mechanism for offering a financial reward to encourage security researchers to submit vulnerabilities to a manufacturer’, whether directly or via third-party platforms such as BugBase, Intigriti, Yes We Hack, BugCrowd and HackerOne. Among the most basic security weaknesses that attackers take advantage of are hard-coded default passwords left in shipped products and remote access that is too easily reachable.

You can download the report at the IoTSF website; visit https://iotsecurityfoundation.org/.
