Why Successful IoT Bug Bounties Are So Rare

IoT security is broken. We know this from studies highlighting terrible vendor practices, from pen tester reports showing how entire categories of IoT product are leaking data on vulnerable users, and from mounting government concerns leading us ever closer to IoT security regulation.

A recent paper published by students at TU Delft sheds some light on why IoT security seems constantly relegated to the back burner. One possible reason, they said, is that a lot of IoT companies are startups. That Kickstarter project to produce an Internet-connected umbrella/toilet seat/cat's water bowl? How much of that money do you think will go on slowing down the design process and paying for a code security audit?

The paper proposes a mixture of bug bounties and responsible disclosure policies to help solve these problems. Companies already run bug bounties on IoT kit, and hackers who submit bug reports do very well from them, according to a report this August from bug bounty company Bugcrowd. The number of IoT vulnerabilities reported rocketed by 384% compared to the prior year, it said. That's compared to an average increase of 92% across all bug reports.

That doesn't mean that all is well in IoT bug bounties, though. Part of the reason for the huge rise is that so few IoT flaws are reported in the first place. They made up just 1% of the total vulnerabilities in the Bugcrowd program this year.

The number of successful bug reports on IoT devices is low because, whereas researchers can test web apps relatively easily, getting hold of a physical IoT box to fuzz is more difficult. How can IoT companies encourage crowdsourced bug hunting without shipping free units to researchers and eating into their profits?

The researchers suggest implementing bug bounties as part of a broader overall bug hunting program. Begin by factoring security in at the design phase, they say. It may slow things down, but you'll end up with a strong product. Then, pay for a penetration tester when you've prototyped it. Finally, when you've weeded out a decent number of bugs through those processes, you can conduct either a private bug bounty program limited to a few reputable researchers who receive the kit, or a public bug bounty hackathon hosted at a physical location for a short period. Both of these options minimize the cost and complexity of setting up an IoT program.

That all sounds like a plausible way to improve the security of IoT products, but it still requires an investment on the vendors' part, and an incentive to spend the capital. That’s where the paper’s other concern comes in.

The researchers argue that while governments and security pros might wring their hands about IoT security, the average consumer user doesn't really give a hoot. Perhaps you understand the significance of unsigned firmware updates or IDOR attacks on web-based IoT monitoring interfaces, but your non-techie neighbor does not. He wants a cat flap that makes his phone go bing when Pebbles makes an entrance, and he wants it now.

The processes for weeding out IoT bugs are there. The question is whether the motivation will follow.