The IoT is getting much bigger, but security is still lagging behind

Four out of five Internet of Things (IoT) device manufacturers are failing basic cybersecurity practices by not providing a way for people to disclose security vulnerabilities in their products, something that can potentially put users of the device at risk of cyber attacks and privacy violations.

Research from the IoT Security Foundation (IoTSF), a tech industry group that aims to help advance the security of the Internet of Things, analyzed hundreds of vendors of popular IoT products and found that only one in five announce a public channel for reporting security vulnerabilities for resolution.

The 21% of vendors offering this type of channel is up slightly from last year, something the IoT Security Foundation report describes as “glacial” progress in providing what it describes as “a basic hygiene mechanism.”

That’s despite countries around the world, including the UK, US, Singapore, India, and Australia, as well as the European Union, trying to emphasize the importance of cybersecurity in IoT devices and the ability to disclose vulnerabilities.

The report notes that some of the lack of a vulnerability disclosure policy could be attributed to “non-traditional IT businesses” entering the IoT market for the first time, such as fashion vendors launching connected products or kitchen appliance manufacturers adding smart features to their products.

In these cases, it is very likely to be the manufacturer’s first experience of having to think about incorporating cybersecurity into the products themselves, so not only could vulnerabilities reach the devices, but there is no established way to report them.

Nonetheless, the report notes that “IoT-related best practices have been freely available to anyone with an internet connection since 2017” and says that four out of five companies failing to provide a mechanism for security vulnerabilities to be reported so they can be fixed is “unacceptably low,” which could indicate broader problems.

“This is usually the tip of the iceberg: It’s an insecurity canary that makes you realize that these companies probably also pay very little attention to security,” David Rogers, CEO of Copper Horse, the company behind the investigation, told ZDNet.

“Some companies are still stuck in the dark ages when it comes to attitudes towards security researchers. Their response will be to have lawyers approach researchers or try to force them to sign NDAs. It’s really silly behavior considering that we’ve had ISO standards for this since 2014 and it’s been seen as good practice for longer. When legislation comes along, some of these companies are going to have a big impact,” he added.

Internet of Things devices are increasingly a fixture in homes and offices. While many home brands make sure their products are equipped with good security practices (the report cites tech companies like Sony, Panasonic, Samsung, LG, Google, Microsoft, Dell, Lenovo, Amazon, Logitech, and Apple among them), it’s common for consumers to buy cheaper alternatives that don’t focus as much on safety.

That means if security vulnerabilities are discovered and there’s no way to tell the manufacturer, it could put users at risk. That’s particularly the case for companies that appear to have shut down, which, the report notes, some have, meaning that even if there was a means of reporting the vulnerability, it’s unlikely to be fixed.

But while research work often paints a bleak picture of the IoT security landscape today, the IoT Security Foundation believes that will eventually change and that security will become a critical part of product design.

“Security is a bit like quality. To be delivered correctly, it needs to be endemic within all processes within a company so that it is assured at all times, i.e. it is not an afterthought or an add-on,” John Moor, managing director of the IoT Security Foundation, told ZDNet.

“I believe that safety will follow a similar path to quality over the last 30 years as we transform our society and economies to be more digital; if we establish a general understanding of its fundamental importance and get the processes right, I will naturally, not as a supplement,” he added.