1-day, 2 Countries - A Study on Consumer IoT Device Vulnerability Disclosure and Patch Release in Japan and the United States

With our ever-increasing dependence on computers, many governments around the world have started to investigate strengthening the regulation of vulnerabilities and their lifecycle management. Although many previous works have studied this problem space for mainstream software packages and web applications, relatively few have studied it for consumer IoT devices. As a first step towards filling this void, this paper presents a pilot study of the vulnerability disclosures and patch releases of three prominent consumer IoT vendors in Japan and three in the United States. Our goals include (i) characterizing the trends and risks in the vulnerability lifecycle management of consumer IoT devices using accurate long-term data, and (ii) identifying problems, challenges, and potential approaches for future studies of this problem space. To this end, we collected all published vulnerabilities and patches related to the consumer IoT products of the included vendors between 2006 and 2017; we then analyzed the dataset from multiple perspectives, such as the severity of the included vulnerabilities and the timing of the included patch releases with respect to the corresponding disclosures and exploits. Our work has uncovered several important findings that may inform future studies, including (i) a stark contrast between how the vulnerabilities in our dataset were disclosed in the two markets, (ii) three alarming practices by the included vendors that may significantly increase the risk of 1-day exploits for customers, and (iii) challenges in data collection, including crawling automation and long-term data availability. For each finding, we also discuss its consequences and potential mitigations or suggestions.

Key words: consumer IoT, vulnerability disclosure, patch, exploit, measurement
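The core of the timing analysis described above is, per vulnerability, the interval between disclosure and patch release and whether a public exploit fell inside that interval (the 1-day window). The following is an added example of how such a per-record and per-dataset analysis can be expressed; it is not the paper's code or dataset. The `VulnRecord` fields, the identifiers `VULN-A` to `VULN-D`, the dates and CVSS scores, the cut-off date and the 7.0 high-severity threshold are all constructed assumptions for illustration.

```python
"""Timing analysis of disclosure, exploit publication and patch release.

Added example, not code from the paper. Every record below is a constructed
placeholder; none refers to a real advisory, product or vendor.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

HIGH_SEVERITY = 7.0  # assumption: CVSS base score >= 7.0 is treated as high


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str                     # placeholder identifier, not a real CVE
    disclosed: date                  # date the advisory was published
    patched: Optional[date]          # patch/firmware release date; None if none released
    exploit_public: Optional[date]   # date a public exploit or PoC appeared; None if unknown
    cvss: float                      # CVSS base score recorded with the advisory


def analyze(rec: VulnRecord, as_of: date) -> dict:
    """Derive the per-vulnerability timing metrics the study compares."""
    if rec.patched is None:
        time_to_patch = None
        exposure = (as_of - rec.disclosed).days       # still open at the cut-off date
        category = "unpatched"
    else:
        time_to_patch = (rec.patched - rec.disclosed).days
        exposure = max(0, time_to_patch)              # negative: fixed before disclosure
        category = ("patched_before_disclosure" if time_to_patch < 0
                    else "patched_after_disclosure")

    # A public exploit before the patch is the 1-day risk; before disclosure it is a zero-day.
    exploit_before_patch = rec.exploit_public is not None and (
        rec.patched is None or rec.exploit_public < rec.patched)
    zero_day = rec.exploit_public is not None and rec.exploit_public < rec.disclosed

    return {
        "vuln_id": rec.vuln_id,
        "category": category,
        "time_to_patch_days": time_to_patch,
        "exposure_days": exposure,
        "exploit_before_patch": exploit_before_patch,
        "zero_day": zero_day,
        "high_severity": rec.cvss >= HIGH_SEVERITY,
    }


def summarize(records, as_of: date) -> dict:
    """Dataset-level figures: unpatched count, medians, and exploit-before-patch counts."""
    rows = [analyze(r, as_of) for r in records]
    ttp = [r["time_to_patch_days"] for r in rows if r["time_to_patch_days"] is not None]
    return {
        "n": len(rows),
        "n_unpatched": sum(r["category"] == "unpatched" for r in rows),
        "median_exposure_days": median(r["exposure_days"] for r in rows),
        "median_time_to_patch_days": median(ttp) if ttp else None,
        "n_exploit_before_patch": sum(r["exploit_before_patch"] for r in rows),
        "n_high_severity_exploit_before_patch": sum(
            r["exploit_before_patch"] and r["high_severity"] for r in rows),
    }


AS_OF = date(2017, 12, 31)  # assumed cut-off: end of the collection period
SAMPLE = [  # constructed records for illustration only
    VulnRecord("VULN-A", date(2017, 3, 1), date(2017, 3, 15), date(2017, 3, 10), 9.8),
    VulnRecord("VULN-B", date(2016, 6, 1), date(2016, 5, 20), None, 5.3),
    VulnRecord("VULN-C", date(2015, 9, 10), None, date(2015, 9, 12), 7.5),
    VulnRecord("VULN-D", date(2014, 1, 5), date(2014, 4, 5), date(2013, 12, 20), 8.8),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(analyze(rec, AS_OF))
    print(summarize(SAMPLE, AS_OF))
```

Exposure is clamped at zero for silent or coordinated fixes that shipped before the advisory, so that such records do not pull the median down; the unpatched record is measured against the cut-off date rather than dropped, since an open vulnerability with a public exploit is exactly the case the study flags.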
