Over the last few months or years I have reported vulnerabilities on several IoT devices. None have been patched so far, and I think it is time to discuss the situation openly.
One of the issues I have faced several times is the zero-security-culture phenomenon. Some of those IoT companies were typically very small and young, with sadly neither the skills nor the resources to fix security issues.
For example, I remember sending several vulnerabilities to a given company. I got an automated response for the first email (ok), but then no answer for the next ones (strange). Of course, I re-sent it and even tried other email recipients: no response. I finally found out that their only action to my first vulnerability report had been... guess? ... to black list my email because they had mistaken the vulnerability report for spam. See the screenshot below, where I tried to submit a request online, which highlights the problem: "requester is suspended"!
So, how do you get in touch when your email has been blacklisted?
Of course, you can try another email, but that will only result in getting that other email blacklisted too. After several attempts, I had the idea to ask them for a quote (there's an online form for that) to "bait" them. I got an answer in less than 24 hours! The difference of speed in handling a request for a quote compared to a request for support speaks for itself :(
So, finally, we managed to get in touch and I explained the vulnerabilities. The answer was it would be fixed "soon," with the "amusing" claim that the vulnerability I found would only be possible on my account, because my account was "special" and that others would be handled differently (lol). We inquired (months ago) when "soon" would be and haven't received any answer so far.
But... what did I notice a few weeks ago? ... That my account has been closed (without any warning or notification). That's a great patch, isn't it? :( If you close the accounts of security researchers, you don't get any security vulnerability reports, which means your product is secure, right?
I wish I could say that my experience here was unique. But it wasn’t. I can't conclude anything except that IoT will remain unsecure if there is no will to secure it.
-- A frustrated Crypto Girl ;)