DOI: 10.1145/3321705.3329849
ACM Conferences, Asia CCS Conference Proceedings, short paper

A Pilot Study on Consumer IoT Device Vulnerability Disclosure and Patch Release in Japan and the United States

Published: 02 July 2019

Abstract

With our ever-increasing dependence on computers, many governments have started to investigate regulations on vulnerabilities and their lifecycle management. Although many previous works have studied this problem space for mainstream software packages and web applications, few studies have targeted consumer IoT devices. As a first step towards filling this void, this paper presents a pilot study on the vulnerability disclosures and patch release behaviors related to 3 prominent consumer IoT vendors in Japan and 3 in the United States. Our goals include (i) characterizing trends and risks using accurate data that spans a long period, and (ii) identifying problems, challenges, and potential approaches for future studies of this problem space. To this end, we collected all published vulnerabilities and their patches for the consumer IoT products by the included vendors between 2006 and 2017; then, we analyzed our data from multiple perspectives, such as the severity of the vulnerabilities and the timing of patch releases with respect to disclosures and exploits. Our work has uncovered several findings that may inform future studies, including (i) a stark contrast in the vulnerability disclosures between the two countries and (ii) three alarming vendor practices that may pose significant risks of 1-day exploits.




Published In

Asia CCS '19: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security
July 2019, 708 pages
ISBN: 9781450367523
DOI: 10.1145/3321705

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. consumer IoT
  2. exploit
  3. measurement
  4. patch
  5. vulnerability disclosure

Qualifiers

  • Short-paper

Conference

Asia CCS '19

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%


  • Downloads (last 12 months): 43
  • Downloads (last 6 weeks): 5

Reflects downloads up to 31 Dec 2024


Cited By

  • (2024) Patchy Performance? Uncovering the Vulnerability Management Practices of IoT-Centric Vendors. 2024 IEEE Symposium on Security and Privacy (SP), 1198-1216. DOI: 10.1109/SP54263.2024.00154. Online publication date: 19-May-2024.
  • (2024) Who Left the Door Open? Investigating the Causes of Exposed IoT Devices in an Academic Network. 2024 IEEE Symposium on Security and Privacy (SP), 2291-2309. DOI: 10.1109/SP54263.2024.00117. Online publication date: 19-May-2024.
  • (2024) Are You Sure You Want To Do Coordinated Vulnerability Disclosure? 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 307-314. DOI: 10.1109/EuroSPW61312.2024.00039. Online publication date: 8-Jul-2024.
  • (2023) Bin there, target that: Analyzing the target selection of IoT vulnerabilities in malware binaries. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, 513-526. DOI: 10.1145/3607199.3607241. Online publication date: 16-Oct-2023.
  • (2023) Open or Sneaky? Fast or Slow? Light or Heavy?: Investigating Security Releases of Open Source Packages. IEEE Transactions on Software Engineering 49(4), 1540-1560. DOI: 10.1109/TSE.2022.3181010. Online publication date: 1-Apr-2023.
  • (2023) On the coordination of vulnerability fixes. Empirical Software Engineering 28(6). DOI: 10.1007/s10664-023-10403-x. Online publication date: 10-Nov-2023.
  • (2022) Heterogeneous Vulnerability Report Traceability Recovery by Vulnerability Aspect Matching. 2022 IEEE International Conference on Software Maintenance and Evolution (ICSME), 175-186. DOI: 10.1109/ICSME55016.2022.00024. Online publication date: Oct-2022.
  • (2022) Automated Responsible Disclosure of Security Vulnerabilities. IEEE Access 10, 10472-10489. DOI: 10.1109/ACCESS.2021.3126401. Online publication date: 2022.
  • (2020) 1-day, 2 Countries: A Study on Consumer IoT Device Vulnerability Disclosure and Patch Release in Japan and the United States. IEICE Transactions on Information and Systems E103.D(7), 1524-1540. DOI: 10.1587/transinf.2019ICP0004. Online publication date: 1-Jul-2020.
  • (2020) Security Analysis of IoT Devices by Using Mobile Computing: A Systematic Literature Review. IEEE Access 8, 120331-120350. DOI: 10.1109/ACCESS.2020.3006358. Online publication date: 2020.
