IoTSF makes a case for mandatory IoT security for consumer devices

The IoT Security Foundation says vulnerability reporting is essential to keep consumer IoT products and services safe from intruders, and finds it to be woefully lacking.
It has just released the results of a survey of vendors’ vulnerability reporting and disclosure practices saying: “An analysis of 330 consumer IoT device manufacturers has revealed five of every six companies (86.7 percent) don’t allow for vulnerability reporting.”
Vulnerability reporting enables vendors to be alerted to, and fix, cyber security weaknesses that could be exploited by hackers. According to IoTSF, “It is widely considered to be a baseline requirement of IoT device security,” and “It is crucial that security mitigations are managed beyond the design stage and throughout operating life – leveraging the researcher community significantly aids that undertaking.”
IoTSF found the availability of vulnerability reporting channels only marginally better than in 2018, when the same 330 companies were surveyed: then 90.3 percent did not allow for vulnerability reporting.
However, the 2019 figures are worse than the raw numbers suggest. IoTSF found that among the remaining 13.3 percent of manufacturers (44 companies) that did allow vulnerability reporting there were many policy variations, and 36.8 percent of them provided no timeframe within which they would disclose a reported vulnerability.
Of the 44 companies found to have some form of public vulnerability disclosure policy 18 also had a bug bounty programme. Two of these programmes were by invitation only, so not open for general contribution. Nine of the companies with policies used a proxy disclosure service.
The two biggest product categories surveyed were ‘smart home, lighting’ and ‘smart home security’. Both scored poorly for having an associated vulnerability disclosure policy. Only three of 37 smart home security products and only two of 46 smart lighting products had visible policies in place. Hardly smart. Hardly secure.
Vulnerability reporting “essential”
IoTSF managing director John Moor said: “Vulnerability reporting is an essential element for keeping IoT products and services safe from intruders, and is widely considered to be a top three operational security measure. For me, it is the number one essential practice that needs to be adopted due to the impact it can have on managing risk exposure.”
The researcher who undertook the study for IoTSF, David Rogers, CEO of IoT security specialists Copper Horse, said: “Whether it is a conscious choice, or purely ignorance, it is pretty damning that the majority of these companies have no way for security researchers to be able to contact them.”
IoTSF notes that non-compliant companies would be in breach of the new international standard ETSI EN 303 645 (Cyber Security for Consumer Internet of Things) and of the recently announced plans for a British IoT security law, as well as Australia's proposed code of practice.