You will be surprised by the percentage of IoT products that do not protect consumers from being spied upon, from having their information stolen, or from the spread of malware used to take down online services.
In 2019, 90%, yes, NINETY PERCENT, of IoT products or brands failed to protect consumers from the digital crimes mentioned above.
The report, Understanding the Contemporary Use of Vulnerability Disclosure in Consumer Internet of Things Product Companies, commissioned by the IoT Security Foundation (IoTSF), found that nine out of ten of the global consumer IoT brands simply do not allow security researchers to properly report the vulnerabilities that they find.
All of the products included in the research were available on the open market, not prototypes, and both the brands and manufacturers involved were generally international in scope. A total of 331 consumer product companies were included in the results; collectively, they are responsible for several hundred IoT product lines and millions of devices sold. These covered everything from internet-connected toy brands like Hasbro and Mattel to weapon brands like Armatix, TrackingPoint and Vaultek, not to mention D-Link, NEC, OnePlus, Sonos and TomTom.
A shocking 299 (90.3%) of them had no form of public vulnerability disclosure policy, leaving only 32 (9.7%) with some form of system for security researchers to use. Of those 32, only 15 had an incentive, or bug bounty, program to encourage security researchers to find flaws in their products that could be exploited by malicious actors. One company even went so far as to claim that security research was not allowed, by placing restrictions on it in its terms of service.
The top performers overall were some of the bigger brands, in particular Google and Samsung. Apple offered a bug bounty program, but it was by invitation only. Amazon, Huawei, HTC, LG, Motorola, Samsung, and Sony had vulnerability disclosure processes, but no bug bounty programs.
David Rogers, author of the report, mentioned in one of his interviews:
“There is a direct link between companies that provide vulnerability disclosure schemes and security.”
“It shows that those that have them have at least got as far as thinking about the fact that security researchers may want to disclose vulnerabilities to them and that indicates they are thinking about security within their business and products.”
“This research merely quantifies what the security research and hacking community have known for years, that IoT product companies have little interest in making it easy for security researchers to be able to contact them.”
“It is time that this situation changed.”
“Industry bodies like the IoTSF have recommendations available to implement, so there is no excuse for companies not to be operating vulnerability disclosure schemes.”
John Moor, managing director of the IoTSF, agrees with David.
Ian Trump, head of security at AMTrust International, points out that throughout human history the notion that industry will regulate itself has been doomed to failure.
He said:
“We would not have clean air or seatbelts in cars in the U.S.A. if it were not for the EPA and DOT.”
“We are about to embark for an unknown connected world and if we can’t trust devices that are critical to life safety, then what the hell are we doing?”
“Maybe an entire Department of Internet Connected Devices is overkill but, from a simple consumer protection standpoint, something has to be done about vulnerable devices being put on the internet which could directly or indirectly hurt or kill folks.”
Privacy and protection are vital on any device or service offered by IoT companies, and they are non-negotiable.
[Ti2], a proud partner of Softing, offers the uaGate SI Gateway with an integrated firewall. This device is a closed door to hackers. The uaGate SI Gateway offers maximum protection from attacks. The data encryption and user authentication systems used likewise comply with the very highest security requirements.
Article inspired by Forbes.com