The IoT Security Foundation (IoTSF) has launched an online platform to help IoT vendors receive, assess, manage and mitigate vulnerability reports.
As the first global standard for consumer IoT cybersecurity, the new ETSI EN 303 645 specification is targeted at IoT vendors, which may include device manufacturers as well as importers and distributors. It requires them to publish a clear and transparent vulnerability disclosure policy and to establish an internal vulnerability management procedure. It also requires them to make contact information for vulnerability reporting publicly available and to continually monitor for and identify security vulnerabilities within their products.
Governments around the world including in the UK, Australia, Singapore, Finland and the American states of California and Oregon have already published codes of practice, product labelling schemes or prepared legislation aligned to the standard. Implementing a means to accept vulnerability reports is a common feature of these initiatives. Without mechanisms to report, manage and resolve vulnerabilities – such as Co-ordinated Vulnerability Disclosure (CVD) – the security of consumer IoT products diminishes over time and the risk of attack or abuse increases, says the not-for-profit body.
“Vulnerability management is such a fundamental element to IoT cyber-hygiene that it is no surprise that governments and regulators around the world are making this a mandatory requirement,” said John Moor, managing director of the IoT Security Foundation.
“Industry must do more to protect their customers and their own businesses. We therefore see the need to drive this vital security practice and aim to help make it as simple as possible with the launch of the Vulnerable Things platform – especially for the uninitiated and firms who may lack resources. The service brokers good communications between researchers and vendors and guides both through the process until complete.”
The IoT Security Foundation is currently piloting the service to test the likely demand and to gain feedback from users.
Welcomed by government
Failure by a vendor to respond to a reported vulnerability, whether from a consumer or a specialist security researcher, could result in public disclosure of the vulnerability which would increase the risk of attacks. Fixing a vulnerability promptly reduces risks to users, devices, networks and IoT manufacturers.
Matt Warman, the UK Government’s Digital Infrastructure Minister said he welcomed the initiative. He said it would “help industry improve the security of internet of things devices and boost our burgeoning digital economy while protecting people online. We want everyone to have confidence that the internet-connected products they are buying have stronger security and are working on legislation in this field to help make this a reality.”
VulnerableThings.com aims to provide an “off-the-shelf, user-friendly vulnerability management tool and other valuable member resources” including policy templates, issue resolution guidelines and a directory of advisors to help IoT manufacturers prepare for emerging regulations and to maintain compliance.
Manufacturers that subscribe will have access to a dashboard that guides them through the vulnerability resolution process and facilitates communication with the reporter. Where a vulnerability is reported against a product from a vendor that has not registered, an alert will be sent to the vendor's public email address, and the vendor can then securely access the details of the vulnerability report on VulnerableThings.
Access to VulnerableThings.com is available free until January 31, 2021. Subscribing to the service also provides access to professional support for co-ordinated disclosure announcements.
While vulnerabilities can be reported by any individual anonymously, by registering with VulnerableThings.com, security researchers can use a dashboard to monitor their progress towards resolving vulnerabilities they have reported.