Internet of Things devices keep getting hacked, their data breached, their operation hijacked.
Worldwide, the installed base of all IoT devices is set to total nearly 35 billion units this year, according to Omdia (formerly IHS Markit – Technology). That represents 35 billion chances for hackers to compromise security, Bill Morelli, Omdia’s vice president, enterprise research, told EE Times in an email. “As a result, cybersecurity has become a major priority for organizations worldwide, with global spending on cybersecurity expected to swell to $157 billion in 2023, up from $60 billion in 2019,” he noted.
Each consumer IoT device vulnerability can translate into millions of users with compromised security or privacy. Many vulnerabilities in connected consumer products are discovered not by the device manufacturer, but by outside cybersecurity researchers and white-hat hackers.
That’s why vulnerability reporting is widely considered to be a basic requirement of IoT device security. Shouldn’t it stand to reason, then, that manufacturers would do everything possible to solicit those discoveries, so they can quickly find and fix them?
Vulnerability Reporting Is Still a New Idea
A recent report from the IoT Security Foundation found that over 86% of consumer IoT device manufacturers surveyed don’t have a vulnerability reporting policy. Yet legislation mandating this will be coming into force soon, and international standards are being drafted.
This second annual report on the topic surveyed 330 consumer IoT manufacturers around the globe, making a wide variety of products from cameras to washing machines. The two largest product categories were smart home lighting and smart home security. As the report notes, “[There’s] a sense of irony for the ‘smart home security’ segment, as just 3 out of 37 (8.1% of the product category) had a visible policy in place.”
The percentage of companies with a vulnerability disclosure policy only increased from 9.7% to 13.3%. With few exceptions, these are large companies with major consumer brands, such as Amazon, Apple, FitBit, Dyson, Garmin, Google, HP, HTC, Huawei, Lenovo, LG, Motorola, Samsung, Siemens, Signify and Sony.
John Moor, managing director of the IoTSF, told EE Times, “While I haven’t conducted a study to determine the reasons [for this low rate], I’d say they are first, a lack of awareness, as many of these companies are just now entering into the connected embedded space. Second-most important is a lack of ownership of the issue: since there’s no regulation, some companies just don’t bother.” But it’s not really about cost: the simplest vulnerability reporting system consists of putting up a “/security” web page.
Lack of awareness is a major problem. The proliferation of embedded products now connected to the Internet “are profoundly changing the electronic design and field support requirements,” said Moor. “Adding connectivity and software features to traditional air-gapped embedded systems dramatically increases the attack surface of those systems, and anything they’re connected to.”
Until recently, a vulnerability disclosure process wasn’t a great concern for electronic engineers or their management, but for products that are now IoT devices it’s a basic security requirement.
Even among the 44 manufacturers that do enable vulnerability reporting, policies can vary widely in type and complexity. More than a third did not set a disclosure timeline, considered a best practice. Only four included a 90-day deadline for fixing reported issues. Of this 44, less than half also use some type of bug bounty program. These can give white-hat hackers a financial incentive to report bugs to the company instead of trading them on the black market.
A survey of global manufacturers of consumer IoT products reveals that vulnerability disclosure policies have increased only slightly since the previous year’s study. (Source: IoT Security Foundation)
“Vulnerability disclosure is at the very top of the tree,” said Moor. “If you have a channel where anyone — customers, users, researchers, white-hat hackers — can report to you, you’ve got intelligence: you can go fix that problem.”
Upcoming Standards Will Force Compliance
Recommendations for securing IoT devices already exist from the U.S. Department of Homeland Security (DHS), and the “Recommendations for IoT Device Manufacturers” published by the National Institute of Standards and Technology (NIST). The IoTSF also publishes Secure Design Best Practice Guides for developers.
New international standards governing IoT devices such as those proposed by the European Telecommunications Standards Institute (ETSI), as well as recently announced plans for a British IoT security law, are going to force the vulnerability disclosure issue. So will a proposed Australian code of practice.
“Although the proposed standards don’t all use the same language, they’re basically all describing the same things,” said Moor. In addition, the go-to standard for the vulnerability handling process is ISO/IEC 30111. The 2014 and 2015 versions were published free of charge, but the 2019 version has been placed behind a firewall, “which creates a low, but notable, barrier,” he said.
The emerging ETSI standard is expected to be published this summer. It’s based on the UK Code of Practice for Consumer IoT Security and that code’s minimum requirements. These are: changing default passwords, implementing a vulnerability disclosure policy, and continuing to make software security updates.
Of the global companies surveyed, European-headquartered firms had the fewest number complying with upcoming standards and laws compared to North American and Asian companies. (Source: IoT Security Foundation)
The general objective of the ETSI standard and the UK code is to establish a baseline for IoT device cybersecurity. The researchers began at the consumer level since these products are the lowest cost, and security for them doesn’t need to be as strong as in medical applications or cars or national infrastructure such as utilities.
“If a manufacturer of connected products doesn’t have a vulnerability disclosure policy, they should not be in the connected IoT business,” said Moor. “It’s critical to the industry’s success and the safety of end-users. And sooner or later they’ll have to be, because regulation is coming.”
[This article originally cited a vulnerability in several ZyXEL network-attached storage devices and firewalls could allow unauthorized remote code execution on the device; we described that vulnerability as “unpatched.” ZyXEL released a firmware update fixing the flaw in late February, less than two weeks after receiving notification of the flaw. embedded.com regrets the error. – ed.]
>> This article was originally published on our sister site, EE Times.