Abstract
Software updates are critical for ensuring systems remain free of bugs and vulnerabilities while they are in service. While many Internet of Things (IoT) devices are capable of outlasting desktops and mobile phones, their software update practices are not yet well understood, despite a large body of research aiming to create new methodologies for keeping IoT devices up to date. This paper discusses efforts towards characterizing the IoT software update landscape through network-level analysis of IoT device traffic. Our results suggest that vendors do not currently follow security best practices, and that software update standards, while available, are not being deployed.
Notes
- 1. Such as Microsoft Azure IoT, or Amazon Web Services IoT.
- 3. Originally, Ren et al. had 81 devices with 26 common devices between regions, thus 55 unique devices.
References
Albright, S., Leach, P.J., Gu, Y., Goland, Y.Y., Cai, T.: Simple service discovery protocol/1.0. Internet-Draft, Internet Engineering Task Force (1999)
Alrawi, O., Lever, C., Antonakakis, M., Monrose, F.: SoK: security evaluation of home-based IoT deployments. In: IEEE S&P, pp. 1362–1380 (2019)
Apple Inc: Secure software updates (2021). https://support.apple.com/en-ca/guide/security/secf683e0b36/web
Bellissimo, A., Burgess, J., Fu, K.: Secure software updates: disappointments and new challenges. In: First USENIX Workshop on Hot Topics in Security (2006)
Bellman, C., Van Oorschot, P.C.: Analysis, implications, and challenges of an evolving consumer IoT security landscape. In: 2019 17th International Conference on Privacy, Security and Trust, pp. 1–7. IEEE (2019)
Bettayeb, M., Nasir, Q., Talib, M.A.: Firmware update attacks and security for IoT devices: survey. In: Proceedings of the ArabWIC 6th Annual International Conference Research Track, pp. 1–6. ACM Press (2019)
Boudguiga, A., et al.: Towards better availability and accountability for IoT updates by means of a blockchain. In: IEEE Euro S&PW, pp. 50–58 (2017)
Buentello, D.: Belkin wemo - arbitrary firmware upload (2013). https://www.exploit-db.com/exploits/24924
Cui, A., Costello, M., Stolfo, S.: When firmware modifications attack: a case study of embedded exploitation. NDSS (2013)
CVE Details: Linux 2.6.31 rc3: Security vulnerabilities. https://www.cvedetails.com/version/446073/Linux-Linux-Kernel-2.6.31-rc3.html
He, X., Alqahtani, S., Gamble, R., Papa, M.: Securing over-the-air IoT firmware updates using blockchain. In: Proceedings of the International Conference on Omni-Layer Intelligent Systems (COINS 2019), pp. 164–171. ACM (2019)
iPhone Wiki: Apple OTA updates. https://www.theiphonewiki.com/wiki/OTA_Updates
Karthik, T., et al.: Uptane: securing software updates for automobiles. In: The 14th ESCAR Europe, pp. 1–11 (2016)
Moran, B., Tschofenig, H., Birkholz, H.: A manifest information model for firmware updates in internet of things (IoT) devices. RFC 9124 (2022)
Moran, B., Tschofenig, H., Brown, D., Meriac, M.: A firmware update architecture for internet of things. RFC 9019 (2021)
National Vulnerability Database: CVE-2008-4395
National Vulnerability Database: CVE-2013-2748
Nikitin, K., et al.: CHAINIAC: proactive software-update transparency via collectively signed skipchains and verified builds. In: 26th USENIX Security Symposium, pp. 1271–1287 (2017)
OConnor, T., Enck, W., Reaves, B.: Blinded and confused: uncovering systemic flaws in device telemetry for smart-home internet of things. In: 12th WiSEC Conference, pp. 140–150. ACM (2019)
Paracha, M.T., Dubois, D.J., Vallina-Rodriguez, N., Choffnes, D.: IoTLS: understanding TLS usage in consumer IoT devices. In: Proc. of the Internet Measurement Conference, pp. 165–178 (2021)
Prakash, V., Xie, S., Huang, D.Y.: Software update practices on smart home IoT devices (2022). http://arxiv.org/abs/2208.14367
Qualys Inc.: Qualys SSL labs. https://www.ssllabs.com/
Rahman, L.F., Ozcelebi, T., Lukkien, J.: Understanding IoT systems: a life cycle approach. Procedia Comput. Sci. 130, 1057–1062 (2018)
Ren, J., Dubois, D.J., Choffnes, D., Mandalari, A.M., Kolcun, R., Haddadi, H.: Information exposure from consumer IoT devices: a multidimensional, network-informed measurement approach. In: Proceedings of IMC, pp. 267–279. ACM (2019)
Rudolph, H.C., Grundmann, N.: TLS ciphersuite search. https://ciphersuite.info/
Samuel, J., Mathewson, N., Cappos, J., Dingledine, R.: Survivable key compromise in software update systems. In: 17th ACM CCS, pp. 61–72 (2010)
Torvalds, L.: Linux 2.6.31 released (2009). https://www.linux.com/news/linux-2631-released/
Tschofenig, H., Housley, R., Moran, B.: Firmware Encryption with SUIT Manifests. Internet-draft, Internet Engineering Task Force (2021)
Wang, A., Liang, R., Liu, X., Zhang, Y., Chen, K., Li, J.: An inside look at IoT malware. In: Chen, F., Luo, Y. (eds.) Industrial IoT 2017. LNICST, vol. 202, pp. 176–186. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-60753-5_19
Yu, J.Y., Kim, Y.G.: Analysis of IoT platform security: a survey. In: International Conference on Platform Technology and Service (PlatCon), pp. 1–5 (2019)
Zandberg, K., Schleiser, K., Acosta, F., Tschofenig, H., Baccelli, E.: Secure firmware updates for constrained IoT devices using open standards: a reality check. IEEE Access 7, 71907–71920 (2019)
Zhang, H., Anilkumar, A., Fredrikson, M., Agarwal, Y.: Capture: centralized library management for heterogeneous IoT devices. In: USENIX Security Symposium (2021)
Acknowledgements
This research is supported by the Natural Sciences and Engineering Research Council of Canada (NSERC) through a Discovery Grant.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Bradley, C., Barrera, D. (2023). Towards Characterizing IoT Software Update Practices. In: Jourdan, GV., Mounier, L., Adams, C., Sèdes, F., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2022. Lecture Notes in Computer Science, vol 13877. Springer, Cham. https://doi.org/10.1007/978-3-031-30122-3_25
DOI: https://doi.org/10.1007/978-3-031-30122-3_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30121-6
Online ISBN: 978-3-031-30122-3
eBook Packages: Computer Science, Computer Science (R0)