Today marks the publication of the IoT Security Foundation’s sixth annual report into the adoption of vulnerability disclosure by manufacturers in the consumer IoT space. We’re grateful for HackerOne’s continued support for Copper Horse to create this important work. They have respected our need to work entirely independently in order to prepare an objective report.
In our first year we had less than 10% of IoT manufacturers in the world with any way for security researchers to contact them and now we’ve progressed to 24%. That might sound like progress, but it is really, really bad. If we flip that around – we’ve gone from 90% of manufacturers not doing much on security to 76% not doing much on security. It’s not as if the world has stood still in those six years, technology has improved and governments across the world have stated repeatedly that they want to see products secured – and even told manufacturers how to do it.
There are no grounds for a manufacturer to say they don’t know what they should be doing – product security in IoT is an absolute must and the negative consequences of not doing anything have been widely publicised in recent years. The UK’s Product Security and Telecommunications Infrastructure (PSIT) Act Regulations come into force on April 29th 2024 and one of the things that will be regulated is the existence of a manufacturer contact point for security problems as part of a Coordinated Vulnerability Disclosure policy. We’re now (at time of writing) only 173 days from this regulation coming into force.
This year we decided to expand our dataset – what we found was that this process of refinement of the global picture showed that the picture was actually worse than we had originally predicted. Tracking our original dataset found that around 31% of companies supported vulnerability disclosure, whereas our widened, expanded dataset reduced that number to 24%. Our work researches just the popular products in retailers, so while we are widening our product and manufacturer set towards the ‘long tail’ of the industry, there is a much longer tail that we have not captured, which extends all the way into the counterfeit product domain. Consumers will buy these products. Manufacturers have to do better and it is disappointing that many of them have not taken the opportunity to do so. Equally, our research contains a look at retailers who are stocking these products. As transparency requirements force manufacturers to be upfront about their lack of security, all eyes are going to be on the retailers who continue to stock the insecure products. These companies will not be immune from enforcement action. It looks like the regulators are going to be busy in the next year or so.