First Vulnerability Submission
In advance of the IoD's first talk at Hackfest I've submitted the first vulnerability report to a vendor.
This vendor has been very open about working with us and supportive. They are willing to be a test case for us to help develop a framework for security vulnerability reporting and disclosure for others. Until we have these issues fixed or we get permission, we won't be disclosing their name as part of our commitment to responsible disclosure.
In general we can say a few things about the issues found. SSL/TLS issues are an almost universal issue across most vendors, this vendor is no exception. Some issues where personal information is disclosed where the user may not want it to be disclosed were also found. Most are indicative of the inexperience that many IoT vendors have with the threats associated with connected devices.
This first report is just issues that have been found and documented so far. Many more have been found but not fully investigated or documented, so some more should be expected soon.
Hopefully this is the start of a long list of findings in the industry and a wakeup call to take the issues of security and privacy more seriously.