S&P2024
Patchy Performance? Uncovering the Vulnerability Management Practices of IoT-Centric Vendors
Sandra Rivera Pérez, Michel van Eeten, Carlos Hernandez Gañán
Cited 3 times
Abstract
The enduring problems with IoT security have shifted the attention of researchers and governments to the role of vendors. The security community is no stranger to the repeated claim that vendors are dropping the ball on security and privacy, with numerous papers highlighting the many vulnerabilities in IoT products. Are IoT-centric vendors performing worse than other vendors in the industry? To answer this question, we need to do more than simply count the number of vulnerabilities disclosed by each vendor. In our study we analyze the factors influencing the number of vulnerabilities per vendor, such as its size, its location and the presence of a vulnerability disclosure policy. We then statistically estimate whether IoT-centric vendors produce more vulnerabilities while controlling for those other factors. The answer is that they do. We can observe the security performance of a vendor more directly by looking at its patching behavior. We collect a unique dataset on the availability and timeliness of patches for 2,741 IoT and non-IoT vulnerabilities from 104 leading vendors. We also collect data on a set of potential causal factors for vendor patching performance. This allows us to estimate a statistical model of those factors to explain why some vendors do better than others. We find that IoT-centric vendors are no worse at releasing patches for their vulnerabilities; in fact, they tend to release more patches on time than non-IoT-centric vendors. Our study increases our understanding of the factors shaping IoT security and provides an empirical basis for regulatory interventions that aim to improve the security performance of IoT vendors.
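The abstract's central methodological point is that a raw comparison of IoT-centric and non-IoT vendors is misleading unless other factors (vendor size, location, disclosure policy) are controlled for. The following is an added illustration of that point, not code or data from the paper: it defines patch timeliness for a constructed set of vulnerability records with hypothetical vendors and dates, compares on-time patch rates naively, and then compares them again inside each vendor-size bucket. The 90-day on-time window and the size buckets are assumptions chosen for the example; the paper's actual model and thresholds are not described on this page.

```python
from collections import defaultdict
from datetime import date

# Assumed for this example: a patch counts as "on time" if it ships within
# 90 days of public disclosure. This is not the paper's definition.
ON_TIME_WINDOW_DAYS = 90

# Constructed records: (vendor, iot_centric, size_bucket, disclosed, patched).
# patched=None means no patch was ever observed. Vendors and dates are hypothetical.
VULNS = [
    ("iot-a", True,  "small", date(2023, 1, 10), date(2023, 2, 1)),
    ("iot-a", True,  "small", date(2023, 1, 10), date(2023, 3, 20)),
    ("iot-a", True,  "small", date(2023, 2, 5),  date(2023, 7, 1)),
    ("iot-a", True,  "small", date(2023, 3, 1),  None),
    ("iot-b", True,  "large", date(2023, 1, 15), date(2023, 1, 30)),
    ("iot-b", True,  "large", date(2023, 4, 2),  date(2023, 4, 20)),
    ("gen-a", False, "small", date(2023, 1, 20), date(2023, 9, 1)),
    ("gen-a", False, "small", date(2023, 2, 1),  None),
    ("gen-b", False, "large", date(2023, 1, 5),  date(2023, 1, 20)),
    ("gen-b", False, "large", date(2023, 1, 5),  date(2023, 2, 3)),
    ("gen-b", False, "large", date(2023, 2, 10), date(2023, 3, 1)),
    ("gen-b", False, "large", date(2023, 3, 3),  date(2023, 3, 30)),
    ("gen-b", False, "large", date(2023, 4, 1),  date(2023, 4, 15)),
    ("gen-b", False, "large", date(2023, 5, 9),  date(2023, 6, 1)),
    ("gen-b", False, "large", date(2023, 6, 20), date(2023, 7, 10)),
    ("gen-b", False, "large", date(2023, 7, 1),  None),
]


def on_time(disclosed, patched, window_days=ON_TIME_WINDOW_DAYS):
    """True only if a patch exists and shipped within the window after disclosure."""
    return patched is not None and (patched - disclosed).days <= window_days


def tally(records, key):
    """Return {group: (on_time_count, total)} where `key` maps a record to its group."""
    counts = defaultdict(lambda: [0, 0])
    for vendor, iot, size, disclosed, patched in records:
        group = key(vendor, iot, size)
        counts[group][1] += 1
        if on_time(disclosed, patched):
            counts[group][0] += 1
    return {g: (c[0], c[1]) for g, c in counts.items()}


def raw_rates(records):
    """Naive comparison: IoT-centric vs non-IoT, ignoring every other factor."""
    return tally(records, lambda vendor, iot, size: "iot" if iot else "non_iot")


def stratified_rates(records):
    """Same comparison inside each size bucket, i.e. controlling for vendor size."""
    return tally(records, lambda vendor, iot, size: (size, "iot" if iot else "non_iot"))


def rate(pair):
    """Convert an (on_time_count, total) pair into a fraction in [0, 1]."""
    n, d = pair
    return n / d if d else 0.0


if __name__ == "__main__":
    raw = raw_rates(VULNS)
    print("raw on-time rate, IoT:     %.2f" % rate(raw["iot"]))
    print("raw on-time rate, non-IoT: %.2f" % rate(raw["non_iot"]))
    for (size, group), pair in sorted(stratified_rates(VULNS).items()):
        print("size=%-5s %-7s on-time rate: %.2f" % (size, group, rate(pair)))
```

On the constructed data the naive comparison makes IoT-centric vendors look slightly worse (4 of 6 on time versus 7 of 10), yet within each size bucket they are better; the IoT group simply contains more small vendors, and small vendors patch late regardless of sector. A regression with size, location and disclosure-policy covariates, as the abstract describes, generalizes this stratified comparison to several factors at once.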