With our ever-increasing dependence on computers, many governments around the world have started to investigate strengthening the regulations on vulnerabilities and their lifecycle management. Although many previous works have studied this problem space for mainstream software packages and web applications, relatively few have studied it for consumer IoT devices. As our first step towards filling this void, this paper presents a pilot study on the vulnerability disclosures and patch releases of three prominent consumer IoT vendors in Japan and three in the United States. Our goals include (i) characterizing the trends and risks in the vulnerability lifecycle management of consumer IoT devices using accurate long-term data, and (ii) identifying problems, challenges, and potential approaches for future studies of this problem space. To this end, we collected all published vulnerabilities and patches related to the consumer IoT products of the included vendors between 2006 and 2017; then, we analyzed our dataset from multiple perspectives, such as the severity of the included vulnerabilities and the timing of the included patch releases with respect to the corresponding disclosures and exploits. Our work has uncovered several important findings that may inform future studies. These findings include (i) a stark contrast between how the vulnerabilities in our dataset were disclosed in the two markets, (ii) three alarming practices by the included vendors that may significantly increase the risk of 1-day exploits for customers, and (iii) challenges in data collection, including crawling automation and long-term data availability. For each finding, we also discuss its consequences and/or potential mitigations or suggestions.
Asuka NAKAJIMA
NTT Secure Platform Laboratories
Takuya WATANABE
NTT Secure Platform Laboratories
Eitaro SHIOJI
NTT Secure Platform Laboratories
Mitsuaki AKIYAMA
NTT Secure Platform Laboratories
Maverick WOO
Carnegie Mellon University
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Asuka NAKAJIMA, Takuya WATANABE, Eitaro SHIOJI, Mitsuaki AKIYAMA, Maverick WOO, "1-day, 2 Countries — A Study on Consumer IoT Device Vulnerability Disclosure and Patch Release in Japan and the United States," IEICE TRANSACTIONS on Information, vol. E103-D, no. 7, pp. 1524-1540, July 2020, doi: 10.1587/transinf.2019ICP0004.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2019ICP0004/_p
@ARTICLE{e103-d_7_1524,
author={Asuka NAKAJIMA and Takuya WATANABE and Eitaro SHIOJI and Mitsuaki AKIYAMA and Maverick WOO},
journal={IEICE TRANSACTIONS on Information},
title={1-day, 2 Countries — A Study on Consumer IoT Device Vulnerability Disclosure and Patch Release in Japan and the United States},
year={2020},
volume={E103-D},
number={7},
pages={1524-1540},
keywords={},
doi={10.1587/transinf.2019ICP0004},
ISSN={1745-1361},
month={July}
}
TY - JOUR
TI - 1-day, 2 Countries — A Study on Consumer IoT Device Vulnerability Disclosure and Patch Release in Japan and the United States
T2 - IEICE TRANSACTIONS on Information
SP - 1524
EP - 1540
AU - Asuka NAKAJIMA
AU - Takuya WATANABE
AU - Eitaro SHIOJI
AU - Mitsuaki AKIYAMA
AU - Maverick WOO
PY - 2020
DO - 10.1587/transinf.2019ICP0004
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E103-D
IS - 7
JA - IEICE TRANSACTIONS on Information
Y1 - July 2020
ER -