The explosion of Internet of Things (IoT) devices over the last decade has connected us in so many different ways, radically changing the way we consume content, shop for groceries and go about our daily lives – even the way we make our morning cup of joe. According to a forecast by International Data Corporation (IDC), there will be 41.6 billion IoT devices in deployment by 2025, more than four devices for every man, woman and child on the planet.
One thing consumers did not expect, however, is how vulnerable IoT devices make us. In a recent Bitdefender study of a monitored network environment, up to 70% of IoT traffic was identified as potentially malicious. That is an incredible finding. Just think about that for a minute: roughly seven out of every ten packets travelling between your baby monitor, smart thermostat or smart fridge and your home router are traffic that nobody asked for and that may be hostile.
This invasion of privacy is part of a dirty little secret among IoT manufacturers. Market pressure to deliver new connected devices at an immense scale is putting consumers at great risk, and companies are not doing enough to protect users from malicious activity. Known vulnerabilities are rarely fixed within a reasonable time frame – some never at all – and there is typically not a consistent vulnerability disclosure program where engineers, white hat hackers and others can warn vendors that their products can be compromised.
The IoT industry is like the Wild West, with few established practices or standards. Products are built from dozens of components and parts sourced from third-party manufacturers all over the world, and there is little transparency into those supply chains. IoT devices are also exposed by their connected nature. To work properly, a device needs to reach the Internet (or at least a router), and many are managed through the cloud. This architecture, while vital for the intended purpose of connected devices, expands each device's attack surface, giving threat actors multiple ways in across hardware, firmware, networking, applications and the cloud.
Of course, we are starting to see some progress in certain markets. The IoT Cybersecurity Improvement Act of 2020 directs the National Institute of Standards and Technology (NIST) to set security requirements for IoT devices procured by the federal government, while the upcoming E.U. Cyber Resilience Act imposes specific security obligations on device manufacturers, including reporting vulnerabilities and incidents. While these regulations are a step in the right direction, they run the risk of giving consumers a false sense of security. Compliance with them is widely inconsistent, and manufacturers have a lot of leeway in how they deal with vulnerability disclosures, including how vulnerabilities can be reported and how and when they are resolved.
Significant progress was announced in March, when the Connectivity Standards Alliance (CSA) released the IoT Device Security Specification 1.0. CSA's specification aims to provide a unifying IoT cybersecurity standard, consolidating requirements from three of the most widely adopted IoT regulations, from the United States, Europe and Singapore. CSA also announced an accompanying Product Security Verified Mark to identify products that have been verified against the specification's security requirements. The specification includes several notable requirements, such as secure software updates throughout the support period, vulnerability management, and public documentation regarding security. Nevertheless, while this is a significant achievement and a step forward, as always, there is still room for improvement.
According to Bitdefender research, only 10% of IoT vulnerabilities are resolved within 30 days of disclosure, and more than 20% take more than a year or are never resolved. The reasons for this lack of urgency are largely market driven. The IoT market is so hot and is evolving so fast that ongoing support and security are low priorities. Most IoT vendors prioritize resources for new product development, and many do not even have a vulnerability disclosure program through which people can report the vulnerabilities they find.
The impact on consumers can be extremely troubling. IoT devices that have been compromised can be mined for contact information and common passwords that may be used for other online services such as email, financial services and banking. IoT devices are also used for large-scale coordinated denial of service attacks. Imagine having the power to control 100,000 wireless baby monitors to overwhelm a well-known website. Malicious actors do it all the time.
IoT vendors need to implement responsible vulnerability disclosure strategies to harden their security posture and keep consumers safe. Just putting a process in place can go a long way in formalizing the program and making sure the right resources are being prioritized for vulnerability management. Vendors should be able to take a vulnerability disclosure and route it through the appropriate support and engineering resources so it can be tested, addressed and fixed within a reasonable amount of time.
Here are three things IoT vendors and the IoT industry can do to implement responsible vulnerability disclosure programs:
First, designate a security contact. You would be amazed to learn how many IoT vendors do not have a dedicated security contact in the organization. Having someone on staff who deals with security and vulnerability issues goes a long way toward making a company accountable for the security and privacy of its customers. It is critical that the company's vulnerability disclosure policy and contact information are available on the company's website; a machine-readable way to do this is a security.txt file at /.well-known/security.txt (RFC 9116) that lists the contact, the policy URL and an expiry date. Companies can even host a vulnerability report form that people can fill out themselves. This person can be the public face of the organization's vulnerability disclosure program and help push issues through the testing, engineering and reporting process. Perhaps an enterprising individual or standards organization would be willing to maintain a database of IoT vendors' vulnerability disclosure processes and contact information; a published security.txt file makes that database straightforward to build and to keep current.
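As an added check (example code written for this article, not Bitdefender's own tooling), the script below validates a vendor's security.txt against the rules of RFC 9116: Contact and Expires are mandatory, Contact values must be mailto:, https:// or tel: URIs, Expires must be a timezone-qualified ISO 8601 timestamp that has not passed and is not more than a year out. The two sample files and the vendor hostname are constructed for illustration; in practice you would fetch https://<vendor>/.well-known/security.txt over HTTPS and feed the body to validate(). The fixed clock is an assumption so the samples give reproducible results.

```python
"""Validate a security.txt file (RFC 9116) as a quick test of whether an IoT
vendor has a reachable, current security contact.

Added example for this article, not Bitdefender's own tooling.
"""
from datetime import datetime, timedelta, timezone

# Field names as defined in RFC 9116. Contact and Expires are mandatory.
REQUIRED = ("Contact", "Expires")
KNOWN = REQUIRED + ("Encryption", "Acknowledgments", "Policy",
                    "Preferred-Languages", "Canonical", "Hiring", "CSAF")
ALLOWED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

# Assumed clock for the constructed samples below, so the checks are reproducible.
FIXED_NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)

# Constructed sample of a well-formed vendor file (example-iot-vendor.test is not a real host).
GOOD_VENDOR = """\
# security.txt for a hypothetical IoT vendor
Contact: mailto:security@example-iot-vendor.test
Contact: https://example-iot-vendor.test/report
Expires: 2030-06-30T00:00:00Z
Encryption: https://example-iot-vendor.test/pgp-key.txt
Policy: https://example-iot-vendor.test/vulnerability-disclosure-policy
Preferred-Languages: en
"""

# Constructed sample of the kind of file that gives a false sense of coverage:
# a bare e-mail address instead of a URI, a long-expired Expires, and a stray line.
BAD_VENDOR = """\
Contact: security@example-iot-vendor.test
Expires: 2024-01-01T00:00:00Z
Please report issues responsibly
Hiring: https://example-iot-vendor.test/jobs
"""


def parse_security_txt(text):
    """Return (fields, bad_lines): fields maps name -> list of values in file order;
    bad_lines holds non-comment lines that are not 'Name: value'."""
    fields, bad_lines = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            bad_lines.append(line)
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields, bad_lines


def validate(text, now=None):
    """Return a list of problems found in the file; an empty list means it passes."""
    now = now or datetime.now(timezone.utc)
    fields, bad_lines = parse_security_txt(text)
    problems = [f"unparseable line: {line!r}" for line in bad_lines]

    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in fields:
        if name not in KNOWN:
            problems.append(f"unknown field {name}")

    # Contact must be a URI; a bare address is a common mistake that breaks tooling.
    for contact in fields.get("Contact", []):
        if not contact.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:, https:// or tel: URI: {contact}")

    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    elif expires:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
        else:
            if when.tzinfo is None:
                problems.append("Expires lacks a time zone")
            elif when <= now:
                problems.append("security.txt has expired; contact details may be stale")
            elif when - now > timedelta(days=366):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")
    return problems


if __name__ == "__main__":
    for label, body in (("good", GOOD_VENDOR), ("bad", BAD_VENDOR)):
        print(label, validate(body, FIXED_NOW) or "OK")
```

Run stand-alone it reports the well-formed sample as OK and lists three problems for the bad one. The same function, pointed at real vendor files, is enough to populate the kind of public database of disclosure contacts the paragraph above calls for, and to flag entries whose Expires date has lapsed.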
Second, support the product across its whole lifecycle. It is essential that all IoT vendors be held responsible for fixing vulnerabilities across the entire lifecycle of the product. The average lifespan of an IoT device is three years, so that seems like a reasonable mandate. By law, IoT manufacturers would be required to resolve vulnerabilities within a reasonable amount of time, including vulnerabilities in components manufactured by suppliers and partners across their supply chain. Once the product reaches end of life or is replaced by another model, the vendor can choose to end its vulnerability disclosure policy, but that end-of-support date should be published up front so buyers know how long the device will be protected.
Third, enforce it. Any new regulation is only as good as its enforcement. Governments and consumer rights agencies should have the power to bar IoT manufacturers from the market if responsible vulnerability disclosure policies are not being met. There are precedents for such mandates: the U.S. has effectively banned Huawei from doing business in the country and is in the process of banning TikTok. If you are a "carrot" over the "stick" type of regulator, flip the script and turn the punishment into an incentive: any IoT vendor that meets specific cybersecurity mandates is permitted to operate in a particular market.
IoT security is a major problem around the world, putting consumers and their identities at risk. Vulnerability disclosure programs have the potential to help vendors identify and fix vulnerabilities in a timely manner, but they must have teeth behind them. IoT vendors need to designate a security contact and publish their reporting policies on their public website. Devices should be supported and protected across the entire product lifespan (typically three years). And companies that don’t meet these standards should face consequences for putting consumers at risk.
It's time we bring security standards and best practices to the IoT industry, and that’s only going to happen if enough stakeholders advocate for change. Download Improving Internet of Things Vulnerability Disclosure and Coordination to learn more about this critical topic.
Dan accelerates Bitdefender's recognition as a leader and innovator in the Internet of Things with Bitdefender BOX and its revolutionary IoT security technologies. Bitdefender helps coin the industry definitions of IoT and IoT security in this fragmented space. He previously led design and product experience at Bitdefender. His team designed, built and shipped Bitdefender BOX, a revolutionary device that protects all devices in the smart home. Prior to Bitdefender, Dan had a key role in developing Vodafone Romania's online assets and founded the first free WiFi hotspot network in Europe. Dan holds a B.Sc. degree in economics from the Babes-Bolyai University in Cluj-Napoca, Romania.