The search functionality is under construction.
The search functionality is under construction.

1-day, 2 Countries — A Study on Consumer IoT Device Vulnerability Disclosure and Patch Release in Japan and the United States

Asuka NAKAJIMA, Takuya WATANABE, Eitaro SHIOJI, Mitsuaki AKIYAMA, Maverick WOO

  • Full Text Views

    0

  • Cite this

Summary :

With our ever increasing dependence on computers, many governments around the world have started to investigate strengthening the regulations on vulnerabilities and their lifecycle management. Although many previous works have studied this problem space for mainstream software packages and web applications, relatively few have studied this for consumer IoT devices. As our first step towards filling this void, this paper presents a pilot study on the vulnerability disclosures and patch releases of three prominent consumer IoT vendors in Japan and three in the United States. Our goals include (i) characterizing the trends and risks in the vulnerability lifecycle management of consumer IoT devices using accurate long-term data, and (ii) identifying problems, challenges, and potential approaches for future studies of this problem space. To this end, we collected all published vulnerabilities and patches related to the consumer IoT products by the included vendors between 2006 and 2017; then, we analyzed our dataset from multiple perspectives, such as the severity of the included vulnerabilities and the timing of the included patch releases with respect to the corresponding disclosures and exploits. Our work has uncovered several important findings that may inform future studies. These findings include (i) a stark contrast between how the vulnerabilities in our dataset were disclosed in the two markets, (ii) three alarming practices by the included vendors that may significantly increase the risk of 1-day exploits for customers, and (iii) challenges in data collection including crawling automation and long-term data availability. For each finding, we also provide discussions on its consequences and/or potential migrations or suggestions.

Publication
IEICE TRANSACTIONS on Information Vol.E103-D No.7 pp.1524-1540
Publication Date
2020/07/01
Publicized
2020/03/24
Online ISSN
1745-1361
DOI
10.1587/transinf.2019ICP0004
Type of Manuscript
Special Section PAPER (Special Section on Information and Communication System Security)
Category
Network and System Security

Authors

Asuka NAKAJIMA
  NTT Secure Platform Laboratories
Takuya WATANABE
  NTT Secure Platform Laboratories
Eitaro SHIOJI
  NTT Secure Platform Laboratories
Mitsuaki AKIYAMA
  NTT Secure Platform Laboratories
Maverick WOO
  Carnegie Mellon University

Keyword