With Legislation Mandating Vulnerability Disclosure for Consumer IoT, the Industry Still Falls Short
We’re pleased to announce that the IoT Security Foundation has released the latest annual report examining the state of vulnerability disclosure in the consumer internet of things (IoT) space. The report was created by Copper Horse with the support of HackerOne. You can find out more here.
The research, first conducted in 2018, has consistently tracked consumer IoT companies around the world, drawn from a list of approximately 300 consumer IoT companies. This provides an annual snapshot of the global picture, showing whether manufacturers provide vulnerability disclosure pages so that security researchers can contact them. The previous reports can be found at the IoTSF website.
The headline figure for this year’s research is that only 27.11% of the companies included in this dataset have a detectable vulnerability disclosure policy.
While this is over double the figure from 2018, which was 9.7%, the average year-on-year increase has only been around 4.3%.
If the rate of adoption continues at the same pace, it would take until 2039 to get to 100% adoption of vulnerability disclosure by IoT manufacturers!
A positive trend we observed this year is that the use of coordinated vulnerability disclosure policies is up and the use of non-disclosure policies has decreased.
Copper Horse also reviewed the dataset to establish whether companies would be adherent to legislation. The expectations are:
1. A company having a detectable vulnerability disclosure policy; and
2. Including information on expected timelines in this policy.
As previously discussed, only 27.11%, or 90 of the 332 companies included in this year’s data, would pass that first test.
Only 10.24% of the dataset would pass the second test, meaning 89.76% of the vendors we have reviewed would not be fully compliant with expected legislation.
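The two tests above can be expressed as a small self-assessment routine. The following is an added example, not Copper Horse’s or the IoTSF’s assessment tooling: it assumes the disclosure page text is already fetched, uses a constructed set of sample vendor pages, and approximates "timeline information" with a duration regex and "public key provision" with a PGP/GPG mention.

```python
import re
from dataclasses import dataclass

# Constructed sample disclosure pages (not real vendors). None models a
# vendor with no detectable vulnerability disclosure page at all.
SAMPLE_VENDORS = {
    "vendor-a": None,
    "vendor-b": "Report security issues to security@example.invalid. "
                "We do not comment on individual reports.",
    "vendor-c": "Coordinated disclosure: we acknowledge reports within 5 business "
                "days and aim to fix within 90 days. PGP key: (placeholder).",
    "vendor-d": "Submit via our secure web form. We triage within 2 weeks.",
}

# Heuristic: a timeline is an explicit duration tied to a response or fix.
TIMELINE_RE = re.compile(
    r"\bwithin\s+\d+\s+(?:business\s+|working\s+)?(?:hours?|days?|weeks?)\b", re.I)
# Heuristic: a public key is offered if an armoured key block or PGP/GPG is mentioned.
PUBKEY_RE = re.compile(r"BEGIN PGP PUBLIC KEY BLOCK|\bPGP\b|\bGPG\b", re.I)


@dataclass
class Assessment:
    has_policy: bool      # test 1: a detectable disclosure policy exists
    has_timeline: bool    # test 2: the policy states expected timelines
    has_public_key: bool  # informational: secure contact channel offered

    @property
    def compliant(self) -> bool:
        return self.has_policy and self.has_timeline


def assess(policy_text):
    """Classify one vendor's disclosure page (None = no detectable policy)."""
    if policy_text is None:
        return Assessment(False, False, False)
    return Assessment(True, bool(TIMELINE_RE.search(policy_text)),
                      bool(PUBKEY_RE.search(policy_text)))


def summarise(vendors):
    """Percentage of vendors passing each test, as in the report's headline figures."""
    results = [assess(text) for text in vendors.values()]
    pct = lambda count: round(100.0 * count / len(results), 2)
    return {"policy_pct": pct(sum(r.has_policy for r in results)),
            "compliant_pct": pct(sum(r.compliant for r in results)),
            "public_key_pct": pct(sum(r.has_public_key for r in results))}


if __name__ == "__main__":
    print(summarise(SAMPLE_VENDORS))
```

On the constructed sample, three of four vendors pass the first test, two of four pass both, and one offers a public key.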
With the Product Security and Telecommunications Infrastructure (PSTI) legislation receiving Royal Assent in the UK, we conducted a dip test to gauge adherence of products sold by UK retailers. To do this we looked at a subset of retailers in the list used for this research and found that, of the popular IoT products sold on them, 70.59% have a detectable policy. Additionally, within this group, 41.18% include timeline information and would be compliant with expected regulations. This is a huge difference from the dataset in its entirety. UK retailer compliance is an area we will investigate further in the next report.
Public Key Usage
One of the biggest statistical changes observed this year was found in the provision of public keys for security researchers to contact companies securely. This year there was an approximately 14% decrease in the number of manufacturers providing public key (e.g. PGP/GPG key) information for researchers to use when submitting vulnerabilities. This may be due to more organisations choosing to use secure web forms for submissions.
Regional Differences
In terms of regional differences, based on where vendors are headquartered, the story is similar to previous reports using this data.
Asia leads the pack with 34.69% of vendors using vulnerability disclosure, America follows this closely with 32.61%, and Europe falls behind at 14.47%.
Product Categories
There is still a huge difference across product categories in the number of manufacturers that implement vulnerability disclosure. Some product categories included in this research still vastly outperform others.
TV, Wi-Fi, and Mobile are the highest performers with 100%, 84.62%, and 68.75% respectively. At the other end of the spectrum are categories like Leisure and Hobbies, Health and Fitness, and Environmental, which achieved 0%, 10.53%, and 11.11% respectively. This may be because more mature product categories, like TV or Wi-Fi, have more experience implementing product security measures.
Legislation and regulation are now in place in some countries and imminent in others, yet consumer IoT device manufacturers are still falling short. The UK’s Product Security and Telecommunications Infrastructure (PSTI) Act was passed in December and the EU’s Cyber Resilience Act is continuing to develop. Both mandate the use of vulnerability disclosure, yet it appears that despite years of best practices and standards being published, with warnings of future regulation, the IoT industry continues to be far from ready. This entirely justifies government action around the world to correct what is demonstrably a market failure.
The reason we looked at vulnerability disclosure in the first place was that it was one of the few places where we could easily measure whether companies were taking a serious and proactive approach towards IoT product security; an ‘insecurity canary’. If the situation is this bad on the things that we can all see publicly, what is it like for the things that are hidden inside the product itself?