Connect with us

Hi, what are you looking for?

Editor’s Pick

IoT Security Foundation Announces Fifth Report on Consumer IoT Vulnerability Disclosure Policy Status

Disappointing Results and the Enactment of the UK Product Security and Telecommunications Infrastructure Bill Means Firms Could Face Monetary Penalties for Non-Compliance.

The IoT Security Foundation has published its latest influential research report which monitors the security management behaviour of consumer IoT product companies.

The study reviewed the practice of 332 companies identified as selling IoT products for consumer and commercial uses such as appliances, routers, audio, smart home, lighting, mobile, tablets and laptops. This is the fifth published report in the series, plotting industry progress since 2018 with prior versions cited as evidence in global standards and regulatory processes. The desk-based research was carried out during the summer of 2022 by Copper Horse Ltd., who are experts in mobile and IoT security.

Key Findings

Vulnerability management is critical for connected product security and is widely accepted as a basic hygiene practice for vendors. It features in nearly 30 cybersecurity guidance initiatives [1], including IoTSF’s highly popular IoT Security Assurance Framework [2]. Easy reporting of security issues is therefore regarded as essential for security lifecycle maintenance.

Once again, the main finding is that vulnerability disclosure practice remains at a disappointingly low level. In 2018 we found that just 9.7% of firms in the study had a disclosure policy and in this latest report that number is just 27.1%. This is still far below the near-100% the researchers would like to see.

Whilst it is not always easy to determine the origin of products, the analysis also indicates the best-performing region to be Asia, with European suppliers trailing significantly behind (34.7% vs. 14.5% respectively).

Evolving Practice

The report was originally conceived to raise awareness of vulnerability management and the likelihood of legislation, and it has also served as an ongoing commentary on the evolution of industry practices. As part of the study the researchers identified increases in the use of the ‘/security’ contact page, the use of machine-readable ‘secuity.txt’ files and a small decline in PGP key usage for secure submissions. Two policy maintenance trends are also identified; a noticeable rise in the number of companies that are failing to keep their policies up to date and an increase in the number of companies using a third-party ‘proxy service’ to host and maintain their policies.

Regulation has arrived

As anticipated, the UK’s long-awaited Product Security and Telecoms Infrastructure (PSTI) Bill achieved Royal Assent on December 6th, 2022, meaning it is now law [3]. Within the legislation, there are responsibilities for manufacturers, importers, and distributors to provide a vulnerability disclosure policy [4]. This means that the 72.9% of companies identified in the report who do not have a policy, will be in breach of UK law.

John Moor, Managing Director of IoTSF said:

“Naturally it is disappointing to see so many consumer IoT companies still not taking basic steps to maintain their product security. IoTSF members are strong advocates for building secure IoT systems and we work together to help others by sharing knowledge and publishing how-to guides, for those in need – many resources are published for free. There is no excuse – good design and simple hygiene practices mean manufacturers can protect their customers cost-effectively.”

David Rogers, CEO of Copper Horse Ltd., said: “The overall picture remains shocking. If the adoption of vulnerability disclosure policies continues at the current rate, IoT manufacturers won’t be fully compliant until 2039! Even with the threat of incoming legislation, there is complacency in manufacturers that translates into an unacceptable risk for consumers when it comes to the security of IoT devices.”

HackerOne Inc., supported the creation of the 2022 report and Laurie Mercer, Senior Manager of Security Engineering said: “Knowing about security vulnerabilities within products and services through a Vulnerability Disclosure Policy (VDP) is an important way to identify and rectify them as part of the product security lifecycle. It’s a best practice that customers are increasingly looking for their supplier to adopt, but this research suggests it is not yet common practice. The fact that the UK has seen higher adoption speaks to the impact government legislation and policy can have on cybersecurity. Mandating VDPs is going to be the most effective way of ensuring consumer safety.”

Moor concluded with an optimistic outlook: “We should also praise those who made it their business to be on the 2022 green list and look forward to the next report, when we trust the legislation, with a possible penalty of up to £20,000 per day, will provide the necessary motivation to get off the red list of companies contained in the report.

The report can be downloaded here. More reports from the IoTSF can be downloaded for free and without registration here.

[1] https://iotsecuritymapping.com/provision-2/
[2] https://www.iotsecurityfoundation.org/best-practice-guidelines/
[3] https://bills.parliament.uk/bills/3069
[4] https://www.gov.uk/guidance/the-product-security-and-telecommunications-infrastructure-psti-bill-product-security-factsheet

The post IoT Security Foundation Announces Fifth Report on Consumer IoT Vulnerability Disclosure Policy Status appeared first on IoT Business News.

Enter Your Information Below To Receive Free Trading Ideas, Latest News, And Articles.
Your information is secure and your privacy is protected. By opting in you agree to receive emails from us. Remember that you can opt-out any time, we hate spam too!

You May Also Like

Stock

Alibaba Group Holding Ltd (NYSE: BABA) is in focus on Tuesday after Ryan Cohen was reported to have built a stake in the multinational...

Stock

U.S. banks are reportedly working together to launch a digital wallet that will rival the likes of Apple Pay and PayPal. Analyst’s take on...

Editor’s Pick

An article by Takeshi Niwa, Marketing Analyst at Techno Systems Research Co., Ltd, based on TSR’s market research report 2022 Cellular Broadband Device &...

Stock

Shares of Spotify Technology SA (NYSE: SPOT) ended slightly up on Monday after the music streaming company revealed plans of lowering its global headcount...

Dislaimer: Investmentsspirit.com, its managers, its employees, and assigns (collectively “The Company”) do not make any guarantee or warranty about what is advertised above. Information provided by this website is for research purposes only and should not be considered as personalized financial advice. The Company is not affiliated with, nor does it receive compensation from, any specific security. The Company is not registered or licensed by any governing body in any jurisdiction to give investing advice or provide investment recommendation. Any investments recommended here should be taken into consideration only after consulting with your investment advisor and after reviewing the prospectus or financial statements of the company.


Copyright © 2023 Investments Spirit