David Rogers MBE
Founder, Copper Horse
David is a mobile phone and IoT security expert who runs Copper Horse Ltd, a software and security company based in Windsor, UK. His company is currently focusing on security and privacy research for the Internet of Things as well as future automotive cyber security.
David chairs the Fraud and Security Group at the GSMA and sits on the Executive Board of the Internet of Things Security Foundation. He authored the UK’s ‘Code of Practice for Consumer IoT Security’, in collaboration with UK government and industry colleagues and currently sits on the UK’s Telecoms Diversification Task Force.
He has worked in the mobile industry for over twenty years in security and engineering roles. Prior to this he worked in the semiconductor industry.
David holds an MSc in Software Engineering from the University of Oxford and an HND in Mechatronics from the University of Teesside. He lectured in Mobile Systems Security at the University of Oxford from 2012 to 2019 and served as a Visiting Professor in Cyber Security and Digital Forensics at York St John University.
He was awarded an MBE for services to Cyber Security in the Queen’s Birthday Honours 2019.
He blogs from https://mobilephonesecurity.org and tweets @drogersuk
“Shining the Light of Truth: a journey into vulnerability disclosure practices at consumer IoT product companies”
Governments around the world have, in recent years, signalled the need for companies to implement good practice on IoT security. Vulnerability disclosure is a big and publicly visible part of that.
In 2018, Copper Horse produced a report for the IoT Security Foundation which showed that less than 10% of consumer IoT product companies had any way of security researchers contacting them to report vulnerabilities.
A year later, the situation had improved only slightly, to 13%. The way a company publicly approaches vulnerability disclosure handling is a good indicator of its overall stance towards product security, and unfortunately the global situation does not appear to be good. As we head into 2021, with international standards published and legislation imminent, will companies have finally understood that they must take steps to improve IoT product security?
“Manage Vulnerability Reports”
Without mechanisms to report, manage and resolve vulnerabilities, the security of consumer IoT products will diminish over time, and the likelihood of attack or abuse will increase. 87% of consumer IoT companies do not have a vulnerability disclosure policy. However, new standards and regulations require IoT manufacturers, and some importers, to publish a vulnerability disclosure policy, to act on disclosures in a timely manner and to promote coordinated vulnerability disclosure.
This talk will provide guidance on how to manage vulnerability reports and follow coordinated vulnerability disclosure best practices.