GUEST BLOG: Vulnerability Disclosure Adoption In The Consumer IoT space Is Lagging, But What About Elsewhere?
The IoT Security Foundation recently launched its fifth annual report into the state of vulnerability disclosure in the Internet of Things, produced by Copper Horse and supported by HackerOne. The report found that despite legislation and regulation being brought in by governments around the world, companies are still failing to implement mechanisms for security researchers to be able to report vulnerabilities in products and services. The report’s instigator, Copper Horse’s CEO David Rogers, discusses what this might imply about other sectors.
By David Rogers, Founder and CEO of Copper Horse
There is a lot of focus, rightly so, on the consumer IoT space. We have had a lot of incidents in the past few years through connected devices with security flaws that often never received a software update. The vulnerabilities in these products stretch back many years. The people who made them — likely unknowingly — did so without designing in security. For many enterprises operating within the digital economy, speed-to-market is the primary business driver, which means that security is often considered a secondary design requirement, if at all. This might sound cynical, but many of the products that you see in online retailers are just this – re-badged white-label products from companies that you’ve never heard of at impossibly low prices. Then there are some of the big companies – often with the same types of vulnerabilities, but with more established and inherent consumer trust. Incredibly, some of the bigger names that you’ve heard of still fail to allow vulnerability reporting in a standardized way. I always say that you can think of this as the tip of the iceberg. If this is the public face of their product security, what does that say about the product itself, the bits that you can’t easily see; their engineering processes and their teams?
What About Other Sectors?
We have focussed on the consumer IoT space, but we have often wondered what it is like in other domains. Our report broke down sub-categories of products and we found variances – for example the TV industry demonstrably has got its act together. Where action has been taken, sometimes this can be traced back to specific incidents where the industry has been frightened into action, or by other factors such as influence from other domains. The adoption of Android into TVs also brings with it the experience of the smartphone industry and particularly Google’s leadership in promoting Coordinated Vulnerability Disclosure (CVD). We can point to potential influencing factors.
Image from the 5th annual IoT vulnerability disclosure report showing a breakdown of consumer IoT segments of companies with vulnerability disclosure policies.
Since Charlie Miller and Chris Valasek’s very public Jeep-Chrysler remote-control car hack in 2015, the automotive industry has almost been shamed into taking cyber security seriously. Prior to that, elements of the industry were amongst the most aggressive in taking down security researchers through legal threats. They’ve seen an almost Damascene conversion in terms of their approach to security. But does that apply to the entire vendor stack? There is a huge supply chain beneath the automotive OEMs and while incoming standards on cyber security are changing things, it is a big ask to expect some of these companies to change the things that they have been doing in the same old way for many decades. With cyber security skills at a premium, can these companies afford to hire the right people even if they can find them?
Many of the same technologies appear in other sectors – for example mining vehicles all run with the same insecure CANbus architectures that we’ve seen exploited in cars. CANbus appears all over the place – in the agriculture sector, industrial equipment, yachts and even in space. All of these different sectors have huge supply chains of their own and they’re all using broadly the same technologies as everyone else – the same chipsets, the same or even older, legacy operating systems. They suffer the same issues – lack of secure-by-default configurations, default passwords and almost zero implementation of secure coding.
So, what do we think the results would look like if we looked at these sectors? Any different to the 72.89% of the consumer IoT industry that has no form of vulnerability disclosure policy?
For full insights, download the fifth annual report into the State of Vulnerability Disclosure Policy (VDP) Usage in Global Consumer IoT in 2022.