The Disastrous State of IoT Vulnerability Reporting
Less than 10% of consumer IoT brands have a reporting process.
It's no secret that IoT security is one of the biggest oxymorons in tech.
One would think that after two years of some of the worst security breaches on the planet, companies — particularly consumer-oriented companies — would have smartened up their smart products.
The IoT Security Foundation just came out with a vulnerability disclosure report that surveyed how easy companies make it for security researchers to report bugs, raise security-related issues, and disclose those issues to consumers.
The headline they ran after compiling the results?
Those are some great optics there.
But hey, maybe these "Vulnerability Disclosure guidelines" are unreasonable and require your firstborn child's soul and a monthly tithe to the IoT Security Foundation.
Well, according to the IOTSF's best practices, companies that sell connected devices should:
Have an easy-to-find webpage about vulnerability reporting/disclosures.
Have an easily identifiable point of contact and a secure means of communication for said vulnerability disclosures.
Have a policy of constructive communication with security researchers, including conflict resolution.
Clearly acknowledge how long researchers should expect to wait to hear a response. Furthermore, if a vulnerability is confirmed, follow-up communications should set the expectation of how long a fix will take.
Have a way to issue security advisories to users so they can be informed about problems and fixes.
Offer credit to researchers who report vulnerabilities and, optionally, offer money or bounties to researchers who find confirmed vulnerabilities.
Discourage damaging actions, like performing DoS attacks, in the name of research.
Wow, that sure is a lot of common sense right there.
And yet, only 32 of the 331 surveyed companies that sell IoT products took the drastic steps of "having a vulnerability disclosure webpage" or "having any sort of vulnerability disclosure policy at all."
Now, most of the bigger players like Amazon, HP, Apple, and Google have this covered. And a lot of the more recognizable mid-range brands like Fitbit and Bosch and HTC have also implemented these kinds of best practices.
But to me, the most damning part of this report is the breakdown by industry. The IOTSF took a look at the uses/categories of companies' products, such as smart homes, TV, health and fitness, etc.
Unsurprisingly, a large number of IoT devices focus on security — smart cameras, smart locks, connected alarm systems and the like. It's the easiest sales pitch in the world: "What if you could look in on your home from your phone while you were at work?"
Sadly, but perhaps also unsurprisingly given the 90% ratio we're dealing with here, incredibly few of those security-oriented companies have a way for researchers to get in touch with them about potential vulnerabilities in their products.
So when I head over to Apollo Tech USA's website for its Momentum cameras, I can't help but feel a bit indignant when I see this:
And not just because Paul's picture is obviously a stock image.
Don't get me wrong — assuming Paul is a real person, I'm glad he feels his garage door opener is so convenient and brings him peace of mind. I know what it's like to worry and wonder, "Did I leave the garage door open this morning?" And I'm assuming that Momentum puts a lot of effort into their products' security, too!
That being said, if you're reading this, then you probably know more than most that there's no such thing as perfect protection. Give a determined person enough time and they will crack your system. That's a well-known mantra — all the way up to the CISO level, according to a survey Kaspersky Lab put out earlier this year.
And while peace of mind is clearly an important component of any security-related device, you know what would make me (and I'm sure Paul) feel even better?
Having a way for smart people to report potential security flaws.
The Point: Self-Regulation Is a Myth
But I don't just want this to be a rant about the state of IoT security. That's been done before, and I can't think of anything more useless than someone shouting, "Something has to be done about this!" into the void of the Internet.
It's clear that most firms aren't willing to take responsibility for the security and privacy of their users.
And that's unthinkable in a world where IoT-related incidents like the Mirai botnet attack that temporarily took down Dyn in 2016 are fresh in our memories.
Clearly, the idea of the industry regulating itself is a joke — and a bad one. Yes, some companies are taking security seriously, but nowhere near enough.
And to be blunt, some of the arguments out there against having some sort of reporting mechanism seem pretty laughable. According to the IoT Security Foundation, a common point these companies raise is that by having a reporting process, you're encouraging people to attack their products.
Since when do bad actors need an excuse to try breaking into something? And frankly, I'd rather the White Hats out there have a way to report the problems they find. Because the problems are aplenty.
So it's time for governments to step in and enforce some sort of bare minimum IoT security mechanisms. Write or call your congressmen and women, your senators, your MPs — whoever represents you — and let them know you want these companies to take your security and privacy seriously.
It doesn't have to be disruptive — they can simply start by insisting that if you're going to put an Internet-connected device on the market, then you need to take responsibility for it. There needs to be a simple, standardized way researchers can report any vulnerabilities they find.
And if that's too much overhead for you as a company to bear, then you shouldn't be selling Internet-connected devices.
It's absolutely the least you can do.
Opinions expressed by DZone contributors are their own.