1-day, 2 Countries — A Study on Consumer IoT Device Vulnerability Disclosure and Patch Release in Japan and the United States

抄録

With our ever increasing dependence on computers, many governments around the world have started to investigate strengthening the regulations on vulnerabilities and their lifecycle management. Although many previous works have studied this problem space for mainstream software packages and web applications, relatively few have studied this for consumer IoT devices. As our first step towards filling this void, this paper presents a pilot study on the vulnerability disclosures and patch releases of three prominent consumer IoT vendors in Japan and three in the United States. Our goals include (i) characterizing the trends and risks in the vulnerability lifecycle management of consumer IoT devices using accurate long-term data, and (ii) identifying problems, challenges, and potential approaches for future studies of this problem space. To this end, we collected all published vulnerabilities and patches related to the consumer IoT products by the included vendors between 2006 and 2017; then, we analyzed our dataset from multiple perspectives, such as the severity of the included vulnerabilities and the timing of the included patch releases with respect to the corresponding disclosures and exploits. Our work has uncovered several important findings that may inform future studies. These findings include (i) a stark contrast between how the vulnerabilities in our dataset were disclosed in the two markets, (ii) three alarming practices by the included vendors that may significantly increase the risk of 1-day exploits for customers, and (iii) challenges in data collection including crawling automation and long-term data availability. For each finding, we also provide discussions on its consequences and/or potential migrations or suggestions.