[Iot-directorate] vulnerability reporting -- hard to do!

Michael Richardson <mcr@sandelman.ca> Tue, 17 March 2020 22:18 UTC


https://www.iotsecurityfoundation.org/just-13-percent-of-consumer-iot-firms-allow-vulnerability-reporting-despite-incoming-laws-and-international-standards 

17th March 2020 – An analysis of 330 consumer IoT device manufacturers has revealed that five of every six companies (86.7%, 286) don’t allow for vulnerability reporting. This would see them fall foul of new international standards and recently announced plans for a British IoT security law, as well as a proposed Australian code of practice and recommendations from the US Dept of Homeland Security.

Vulnerability reporting enables vendors to be alerted to, and fix, cyber security weaknesses that could be exploited by hackers. It is widely considered to be a baseline requirement of IoT device security (Scroll down for international regulations and high-profile hacks).

Of the manufacturers that did allow vulnerability reporting, variations exist and many used a weakened policy, with more than a third (38.6%) indicating no timeline of disclosure.

European-headquartered firms performed the worst among their cohort. Just 5 of the 82 companies based in the region (6.1%) comply with incoming standards and laws; this compares with 16.0% (23 of 144) of North American firms and 16.3% (16 of 98) of Asian developers.

Slight progress has been seen on 2018’s analysis, when less than 10% (32 of 330) implemented vulnerability reporting. The IoTSF report concludes “the industry must do better… much better”.

The study and analysis have been published by the IoT Security Foundation (IoTSF) and form its second annual report. As part of its remit to drive security best practice, the IoTSF is also calling for more collaboration between manufacturers and cybersecurity researchers.

....