Who Ya’ Gonna Call? Why IoT Companies Should Embrace Vulnerability Disclosure Programs

Several manufacturers of common consumer connected devices, including those making locks and faucets, are not taking an essential step to ensure that their products remain secure. In a survey of 75 makers of popular consumer connected devices, 28 percent did not even have an easily discoverable way to report a vulnerability to the company through a dedicated security point of contact.

Without an easy way to report cybersecurity vulnerabilities, the manufacturers of these devices make it hard for security researchers to share vulnerabilities before a malicious hacker tries to take advantage of them. A common next step after a researcher discovers and tests a security vulnerability is to reach out and let the manufacturer know, so it can take action.

Shouting into the Void

In fact, Consumer Reports’ (CR) testing team encountered this issue earlier this year. CR’s test team discovered several security vulnerabilities in a video doorbell made by Eken, a Chinese company. At CR the first step after discovering a vulnerability is to contact the company to try to get it fixed. But we couldn’t find an email or web contact form to report our findings to. So we sent emails to the generic support and info emails in hopes that someone would read them.

We didn’t hear back until after we published an article detailing the flaws. When we talked to the company they said our emails reporting the vulnerabilities must have gone to spam or junk mail, and that they hadn’t received them. While Eken eventually fixed the vulnerabilities, it took longer than it could have. This scenario isn’t uncommon, and it puts the buyers of such products at risk.

As more malicious hackers target devices and companies through both known and new vulnerabilities, it becomes essential for companies to give security researchers who see something a way to say something, and so give the company a chance to fix the problem. This is why companies that make connected devices should provide a dedicated point of contact for security researchers, such as those on the CR test team, to report vulnerabilities.

Beyond just having a point of contact, we also believe that any company making a connected device should establish a formal vulnerability disclosure program (VDP). These are also known as vulnerability disclosure policies. These programs lay out a process for how security researchers can report a vulnerability to a company and describe how the company plans to research and remediate the vulnerability. A VDP may also explain whether the company will inform users about the vulnerability.

For example, the VDP should spell out how a security researcher should share their findings, and explain how the company typically handles a vulnerability report. Ideally, the VDP should lay out how long the researcher will take to hear from the company after making a report and how the company would like to handle responsible disclosure of the vulnerability.

More in-depth vulnerability disclosure programs lay out the company’s idea of ethical behavior for security researchers and assure researchers that if they follow the guidelines, the company will not sue. A few even lay out how long the company’s security team should take to mitigate a vulnerability.

This is such an accepted and core tenet of good cyber hygiene that it is part of National Institute of Standards and Technology (NIST) recommendations for consumer IoT products, and the Cybersecurity and Infrastructure Security Agency (CISA) operates a VDP program for government agencies. CISA has also made publishing a vulnerability disclosure program part of its newly launched Secure by Design Pledge. The CISA program is aimed at enterprise companies, but at CR we think that any company making a device that connects to the internet and has an app should also publish a VDP. It provides an avenue for researchers to report potential vulnerabilities, and it also indicates that the company is thinking about security when designing its products.

Most Companies Provide a Security Contact

Fortunately, it appears that many makers of connected consumer products are thinking about security. Many have a dedicated point of contact for security researchers and also publish VDPs. We looked at 75 companies, from toy makers to smart speaker companies, and discovered that 72 percent have a dedicated point of contact for security researchers.

Fifty-nine percent of these security contacts were easily findable using Google and the search term “[company name] report a security vulnerability.” If the search didn’t turn up anything, we scanned the site’s privacy policies, terms of service, and forums for dedicated points of contact to report bugs.

We then followed up with letters to each manufacturer, including a questionnaire designed to assess how mature their vulnerability disclosure program is. We gave companies 30 days to respond and then nudged them again via email, giving them an additional two weeks. After that we compiled the data and created this blog post.

Of the 75 companies, we could not find dedicated security contacts for 23 percent, or those companies did not respond. Four of the 75 companies, or 5 percent, confirmed that they did not have a dedicated point of contact. In addition to a dedicated point of contact for security researchers, we wanted to find out how many of these 75 companies had a formal vulnerability disclosure policy. Only 66 percent did, while the remaining 34 percent either confirmed they didn’t have one or we could not find one.

The types of companies that didn’t have any dedicated security contact ran the gamut, but some were especially concerning. We couldn’t find any dedicated security contacts and didn’t hear back from connected lock manufacturers Lockly and Level, or connected garage door opener manufacturer Genie. Liftmaster, which makes Chamberlain myQ garage door openers and related products, told us by email that security researchers should report vulnerabilities to the generic corporate communications email, which is “monitored regularly and any queries related to security vulnerabilities are immediately triaged to our Security team,” according to a Chamberlain spokeswoman. A cybersecurity flaw in any of these products could potentially provide attackers with access to consumers’ homes. We also could not find a dedicated security point of contact for Abode, the manufacturer of a DIY smart home security system.

A lack of dedicated security contacts for Delta and Moen, both of which make connected faucets, means that those seeking to report a bug that could lead to an attack on a home’s plumbing can’t easily do so. The same concerns apply to the company that makes the Orbit B-Hyve connected sprinkler and hose control systems. And finally, we couldn’t find a dedicated security contact and didn’t hear back from Mattel, which makes connected toys and app-controlled bassinets, sound machines and other products for babies under the Fisher Price brand name.

When it comes to consumer safety, CR recommends that consumers choose connected products that do have some form of direct security contact and a formal vulnerability disclosure program. The following companies did not respond to multiple inquiries about a dedicated security contact, nor could we find one. We also didn’t find a vulnerability disclosure program for these businesses:

  • Aerogarden (Aerogarden has a web form tied to a BugCrowd form, but it is not live, which means no one can actually use it to report an issue)
  • Abode
  • Aqara
  • Bissell
  • Chamberlain MyQ (Chamberlain doesn’t have a dedicated point of contact for security researchers but does have an ISO 27001 certification, which means it does manage risks related to the security of data owned or handled by the company according to a reputable standard)
  • Delta
  • Eight Sleep
  • Fisher Price/Mattel
  • Genie/Overhead Door
  • Hydrow
  • Level
  • Lockly
  • Lutron
  • Moen
  • Orbit/B-Hyve
  • Sleep Number
  • Tempo
  • Tonal
  • Trane
  • Vizio
  • Whirlpool (A Whirlpool spokesperson says Whirlpool Corporation has a full vulnerability disclosure program for externally facing systems and that this will be expanded to IoT / Production Security in the near future)

The following additional companies do not have a formal vulnerability disclosure program that we could find, but they do have a dedicated security reporting contact:

  • D-Link
  • Ecovacs
  • Garmin
  • Kohler
  • NordicTrak (iFit)
  • Tuya

The following companies do have dedicated points of contact for security researchers:

  • Allegion/Schlage
  • Amazon
  • Assa Abloy (Kwikset)
  • Ecobee
  • Eufy/Anker
  • Eve Home
  • Feit
  • GE Appliances
  • Google
  • Govee
  • HiSense
  • The Home Depot
  • iRobot
  • Nanoleaf
  • Owlet
  • Peloton
  • Rachio
  • Reolink
  • Resideo
  • Roborock
  • Roku
  • Samsung
  • Savant/GE Lighting
  • Schneider Electric
  • Shelly
  • Signify
  • SimpliSafe
  • Vivint
  • Belkin (Wemo)
  • LG
  • ADT
  • Apple
  • Arlo
  • Bosch
  • Comcast
  • D-Link
  • Ecovacs
  • Electrolux/Frigidaire
  • Fortune Brands (Yale, August, Master Lock)
  • Garmin
  • Hasbro
  • IKEA
  • Kohler
  • Kidde/Carrier
  • Meross
  • Miele
  • NordicTrak (iFit)
  • Sengled
  • Shark
  • Sony
  • Sylvania/Ledvance
  • TP Link
  • Tuya
  • Wyze

Digging a Little Deeper

As part of this research, we asked companies to fill out a ten-question survey that covers elements we’d like to see in their vulnerability disclosure programs. Not all companies answered every one of the ten questions, and many of the published vulnerability disclosure programs don’t include all of the information we were looking for, so the results only cover 56 of the companies we surveyed.

Below are the questions that we asked and the results from the survey. We also include information on why each of these elements is important for boosting the overall cybersecurity of consumer IoT products.

1. Does your company have a published dedicated point of contact (email, web portal or designated individual) for security researchers to contact if they find a vulnerability?

The first step in creating any form of vulnerability disclosure policy (VDP) is ensuring that reports of security vulnerabilities make it to a monitored inbox in the company, and that researchers can find this point of contact. No researcher wants to see their vulnerability report end up in a spam filter or junk folder, and no company wants to miss out on a potentially big vulnerability simply because a researcher couldn’t find out how to tell anyone at the company about the problem. However, simply having a dedicated, findable point of contact isn’t enough. A company should also have a process and resources in place to respond to security vulnerability reports. This is why we ask the following questions.

2. Does your company have a standardized process to communicate with the reporters of the vulnerability (including acknowledging receipt of the report, providing information on remediation, and notifying them when the vulnerability is fixed) when a vulnerability is found?

Having a dedicated point of contact for researchers to share vulnerabilities is only the first step. A strong VDP also needs to have a process in place for accepting, validating and responding to vulnerability reports. A simple acknowledgement of receipt is a good first step, but a stronger program will include a statement indicating that the company will validate the bug and issue some kind of response within a set time frame. Ideally the response will also note how long the company plans to take to remediate the problem.

3. Does your company respond to a vulnerability report within a published and reasonable time frame?

As mentioned above, it’s not enough to simply accept the report of a security bug; a responsible company will let the researcher know how long it will take before the researcher hears back from the manufacturer. This step is even more important if the vulnerability is actively being exploited.

4. How long does it take to acknowledge a vulnerability report?

This time frame can vary. The Consumer Reports testing team waits two weeks to hear back from a company before publishing their ratings absent any follow-up from a manufacturer. Note that once a company responds, CR gives 90 days for a patch to be issued before publication. Another way to structure a program is Google’s Project Zero security research team, which gives a company 90 days to issue a patch and then publishes results 30 days after the patch is issued, or immediately if no patch is issued.

5. When a vulnerability is reported, how long does it take for your company to fix the vulnerability?

Companies were given the option to fill in the blank for this question, and most answers were some variation of “it depends on the severity and complexity of the vulnerability.” This makes sense. More severe bugs are often fixed faster, and more complicated vulnerabilities can take more time to mitigate. However, we did see that six of the companies that replied said they worked to solve the vulnerability within 90 days, while four said they tried to solve vulnerabilities within 30 days and three aimed for two weeks or less. We also saw two companies that tried to ensure mitigation within 180 days or less.

Researchers participate in vulnerability disclosure programs for a variety of reasons, but a big reason to report a bug is to ensure that the bug gets fixed. Providing a commitment to mitigate a vulnerability within a reasonable time frame (most programs use 90 days and can also provide a 14-day grace period) shows that the company is committed to fixing the problems that researchers share with it. This ultimately protects the end users, and improves security outcomes broadly across society by eliminating weak links that can be exploited.

6. When a vulnerability is reported, does your company test other products that may use the same software for the vulnerability and plan mitigation for those products as well?

Researchers may come to a company reporting a vulnerability in a specific product. But that vulnerability might extend to other products as well. A robust vulnerability disclosure program will take steps to assess whether or not the vulnerability extends across the company’s product portfolio and then commit to fixing it.

7. Do you engage with the security community via something like hackathons, conferences, or bug bounty programs such as BugCrowd, HackerOne, etc.?

While not strictly necessary, active engagement with the security community indicates a recognition that securing connected products is an ongoing effort, and that the company wants to ensure its products stay secure. Additionally, participation in a bug bounty program, where a company pays “bounties” to security researchers when they report vulnerabilities, can incentivize researchers to report found vulnerabilities rather than selling them to the highest bidder. Such programs also provide the exact terms of how the vulnerability disclosure program works, making it easier for researchers to see what they can expect from a program. BugCrowd and HackerOne are services that can help your company create and manage a bug bounty program.

8. Does your company pledge not to take legal action against researchers who responsibly disclose a vulnerability?

Most VDPs provide researchers an assurance that if they tell the manufacturer about the bug, document it, and give the manufacturer time to remediate the bug, the manufacturer will not take legal action against the researcher. This creates a beneficial relationship between the manufacturer and the security research community, and ensures that when people find problems, they feel safe reporting them. Having a set and delineated policy also helps ensure that researchers come to the manufacturer first when they find vulnerabilities.

9. Does your company require security researchers who report vulnerabilities to sign an NDA?

Forcing researchers to sign non-disclosure agreements will lead security researchers to avoid reporting vulnerabilities. It can signal an adversarial relationship with researchers, and also can tie researchers’ hands should the company decide not to fix a vulnerability, although ideally companies would issue security advisories after they validate reports of a vulnerability and issue a patch.

10. Does your company have a program to track and log vulnerabilities over time?

Tracking vulnerabilities over time can help a company understand how well it (or its partners) is incorporating security into its design processes, and it ensures that there is a record of potential vulnerabilities that can be shared with other organizations if merited. Additionally, tracking vulnerabilities helps prevent the same vulnerabilities from popping up again and again.

As part of the inquiry we heard back from three companies, to whom we promised anonymity, that said they created or improved their vulnerability disclosure policies as a result of our inquiries. We are hopeful that other companies listed in this blog post also make changes to help bolster the overall security of their devices.

Next Steps for Manufacturers

While there is fairly broad adoption of vulnerability disclosure programs across the consumer IoT industry, there is still room for improvement, especially with products that consumers purchase to protect their physical security, such as locks, garage door openers, and security systems. Consumer Reports also calls upon all companies to start by providing a dedicated point of contact for security researchers that gets checked daily.

We encourage companies to also develop robust vulnerability disclosure policies, which include:

    • adopting a robust vulnerability disclosure program for consumer IoT products;
    • communicating receipt of a vulnerability report with the reporting security researcher within one week;
    • sharing their bug mitigation plan with the researcher, including whether they plan to mitigate it and communicate the bug to consumers;
    • creating a program to track vulnerabilities over time in their products;
    • testing other products that may use the same software for the vulnerability and planning mitigation for those products;
    • avoiding non-disclosure agreements for researchers;
    • and encouraging researchers to report by pledging not to sue those who conduct their research while following the best practices listed in the publicly available VDP.

By implementing these policies, companies that manufacture smart devices can help make those products more secure and protect consumers from unauthorized access and ransomware attacks, as well as boost national security by helping keep these products from becoming part of a botnet that could be used to attack our nation’s critical infrastructure. Everyone needs to take steps to boost our cybersecurity, and at CR we’re calling on companies that make connected consumer devices to do their part.

This post was updated on August 6, 2024 to reflect the addition of TP Link and Sylvania/Ledvance to the list of companies that also have dedicated points of contact for security researchers.