The IoT is getting a lot bigger, but security is still getting left behind

Four in five Internet of Things device vendors don't provide any information on how to disclose security vulnerabilities. That means problems just don't get fixed.

How these unusual smart devices can be hacked and what it means for the IoT

Four out of five Internet of Things (IoT) device manufacturers are failing basic cybersecurity practices by not providing a way for people to disclose security vulnerabilities in their products – something that can potentially put users of the device at risk of cyberattacks and breaches of privacy.

Research by the IoT Security Foundation (IoTSF) – a tech industry group that aims to help encourage securing the Internet of Things – analysed hundreds of popular IoT product manufacturers and found that only just over one in five advertise a public channel for reporting security vulnerabilities in order for them to be fixed.

ZDNet Recommends

The best cybersecurity certifications

Cybersecurity certifications can help you enter an industry with a high demand for skilled staff.

Read More

The 21% of vendors offering this kind of channel has risen slightly since last year, something that the IoT Security Foundation report describes as "glacial" progress on providing what it describes as "a basic hygiene mechanism".

SEE: Sensor'd enterprise: IoT, ML, and big data (ZDNet special report) 

That's despite countries around the world including the UK, the US, Singapore, India and Australia as well as the European Union attempting to emphasise the importance of cybersecurity in IoT devices and the ability to be able to make vulnerability disclosures.

The report notes that some of the lack of vulnerability disclosure policy could be attributable to "non-traditional IT businesses" entering the IoT market for the first time, such as fashion providers launching connected products or kitchen appliance manufacturers adding smart features to their products.

In these cases, it's very likely the manufacturer's first experience of having to think about building cybersecurity into products themselves, so not only could vulnerabilities find their way into devices, there's no set pathway for reporting them.

Nonetheless, the report points out how "IoT-related best practice has been freely available for anyone with an internet connection since 2017" and that the way in which four out of five companies are failing to provide a mechanism for allowing security vulnerabilities to be reported so they can be fixed is "unacceptably low" – and that could point to wider problems.

"This is often the tip of the iceberg – it's an insecurity canary that makes you realise that these companies probably also pay very little attention to security," David Rogers, CEO of Copper Horse, the company behind the research, told ZDNet.

"Some companies are still stuck in the dark ages when it comes to attitudes to security researchers. Their response will be to get the lawyers onto the researchers or try to force them into NDAs. It's really foolish behaviour considering we've had ISO standards for this since 2014 and it's been seen as good practice for even longer. When legislation comes, some of these companies are going to have a big shock," he added.

Internet of Things devices are increasingly a fixture in homes and offices. While many household brands do ensure their products are equipped with good security practices – the report cites technology firms including Sony, Panasonic, Samsung, LG, Google, Microsoft, Dell, Lenovo, Amazon, Logitech and Apple among these – it's common for consumers to purchase cheaper alternatives that don't have as much of a focus on security.

SEE: Cloud security in 2021: A business guide to essential tools and best practices

That means if security vulnerabilities are uncovered and there's no means for informing the manufacturer, it could put users at risk. That's particularly the case for companies that appear to have shut down – which the report notes, some have – meaning even if there was a means of reporting the vulnerability, it's unlikely to be fixed.

But while the research paper often presents a grim picture of the IoT security landscape today, the IoT Security Foundation believes that eventually, that will change and it will become a fundamental part of product design.

"Security is a bit like quality. For it to be properly delivered, it needs to be endemic within all processes within a company so that it is assured throughout – that is, not an afterthought or bolted on," John Moor, manager director of the IoT Security Foundation, told ZDNet.

"It is my belief that security will follow a similar path to that of quality over the past 30 years as we transform our society and economies to be more digital – if we establish a general understanding of its fundamental importance and get the processes right, we'll do it naturally – not as an add-on," he added.

MORE ON CYBERSECURITY