Towards Characterizing IoT Software Update Practices

  • Conference paper

Foundations and Practice of Security (FPS 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13877)

Abstract

Software updates are critical for ensuring systems remain free of bugs and vulnerabilities while they are in service. While many Internet of Things (IoT) devices are capable of outlasting desktops and mobile phones, their software update practices are not yet well understood, despite a large body of research aiming to create new methodologies for keeping IoT devices up to date. This paper discusses efforts towards characterizing the IoT software update landscape through network-level analysis of IoT device traffic. Our results suggest that vendors do not currently follow security best practices, and that software update standards, while available, are not being deployed.

Notes

  1. Such as Microsoft Azure IoT, or Amazon Web Services IoT.

  2. https://github.com/KimiNewt/pyshark

  3. Originally, Ren et al. had 81 devices with 26 common devices between regions, thus 55 unique devices.

  4. https://github.com/ReFirmLabs/binwalk

References

  1. Albright, S., Leach, P.J., Gu, Y., Goland, Y.Y., Cai, T.: Simple service discovery protocol/1.0. Internet-Draft, Internet Engineering Task Force (1999)

  2. Alrawi, O., Lever, C., Antonakakis, M., Monrose, F.: SoK: security evaluation of home-based IoT deployments. In: IEEE S&P, pp. 1362–1380 (2019)

  3. Apple Inc: Secure software updates (2021). https://support.apple.com/en-ca/guide/security/secf683e0b36/web

  4. Bellissimo, A., Burgess, J., Fu, K.: Secure software updates: disappointments and new challenges. In: First USENIX Workshop on Hot Topics in Security (2006)

  5. Bellman, C., Van Oorschot, P.C.: Analysis, implications, and challenges of an evolving consumer IoT security landscape. In: 2019 17th International Conference on Privacy, Security and Trust, pp. 1–7. IEEE (2019)

  6. Bettayeb, M., Nasir, Q., Talib, M.A.: Firmware update attacks and security for IoT devices: survey. In: Proceedings of the ArabWIC 6th Annual International Conference Research Track, pp. 1–6. ACM Press (2019)

  7. Boudguiga, A., et al.: Towards better availability and accountability for IoT updates by means of a blockchain. In: IEEE Euro S&PW, pp. 50–58 (2017)

  8. Buentello, D.: Belkin wemo - arbitrary firmware upload (2013). https://www.exploit-db.com/exploits/24924

  9. Cui, A., Costello, M., Stolfo, S.: When firmware modifications attack: a case study of embedded exploitation. NDSS (2013)

  10. CVE Details: Linux 2.6.31 rc3: Security vulnerabilities. https://www.cvedetails.com/version/446073/Linux-Linux-Kernel-2.6.31-rc3.html

  11. He, X., Alqahtani, S., Gamble, R., Papa, M.: Securing over-the-air IoT firmware updates using blockchain. In: Proceedings of the International Conference on Omni-Layer Intelligent Systems (COINS 2019), pp. 164–171. ACM (2019)

  12. iPhone Wiki: Apple OTA updates. https://www.theiphonewiki.com/wiki/OTA_Updates

  13. Karthik, T., et al.: Uptane: securing software updates for automobiles. In: The 14th ESCAR Europe, pp. 1–11 (2016)

  14. Moran, B., Tschofenig, H., Birkholz, H.: A manifest information model for firmware updates in internet of things (IoT) devices. RFC 9124 (2022)

  15. Moran, B., Tschofenig, H., Brown, D., Meriac, M.: A firmware update architecture for internet of things. RFC 9019 (2021)

  16. National Vulnerability Database: CVE-2008-4395

  17. National Vulnerability Database: CVE-2013-2748

  18. Nikitin, K., et al.: CHAINIAC: proactive software-update transparency via collectively signed skipchains and verified builds. In: 26th USENIX Security Symposium, pp. 1271–1287 (2017)

  19. OConnor, T., Enck, W., Reaves, B.: Blinded and confused: uncovering systemic flaws in device telemetry for smart-home internet of things. In: 12th WiSEC Conference, pp. 140–150. ACM (2019)

  20. Paracha, M.T., Dubois, D.J., Vallina-Rodriguez, N., Choffnes, D.: IoTLS: understanding TLS usage in consumer IoT devices. In: Proc. of the Internet Measurement Conference, pp. 165–178 (2021)

  21. Prakash, V., Xie, S., Huang, D.Y.: Software update practices on smart home IoT devices (2022). http://arxiv.org/abs/2208.14367

  22. Qualys Inc.: Qualys SSL labs. https://www.ssllabs.com/

  23. Rahman, L.F., Ozcelebi, T., Lukkien, J.: Understanding IoT systems: a life cycle approach. Procedia Comput. Sci. 130, 1057–1062 (2018)

  24. Ren, J., Dubois, D.J., Choffnes, D., Mandalari, A.M., Kolcun, R., Haddadi, H.: Information exposure from consumer IoT devices: a multidimensional, network-informed measurement approach. In: Proceedings of IMC, pp. 267–279. ACM (2019)

  25. Rudolph, H.C., Grundmann, N.: TLS ciphersuite search. https://ciphersuite.info/

  26. Samuel, J., Mathewson, N., Cappos, J., Dingledine, R.: Survivable key compromise in software update systems. In: 17th ACM CCS, pp. 61–72 (2010)

  27. Torvalds, L.: Linux 2.6.31 released (2009). https://www.linux.com/news/linux-2631-released/

  28. Tschofenig, H., Housley, R., Moran, B.: Firmware Encryption with SUIT Manifests. Internet-draft, Internet Engineering Task Force (2021)

  29. Wang, A., Liang, R., Liu, X., Zhang, Y., Chen, K., Li, J.: An inside look at IoT malware. In: Chen, F., Luo, Y. (eds.) Industrial IoT 2017. LNICST, vol. 202, pp. 176–186. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-60753-5_19

  30. Yu, J.Y., Kim, Y.G.: Analysis of IoT platform security: a survey. In: International Conference on Platform Technology and Service (PlatCon), pp. 1–5 (2019)

  31. Zandberg, K., Schleiser, K., Acosta, F., Tschofenig, H., Baccelli, E.: Secure firmware updates for constrained IoT devices using open standards: a reality check. IEEE Access 7, 71907–71920 (2019)

  32. Zhang, H., Anilkumar, A., Fredrikson, M., Agarwal, Y.: Capture: centralized library management for heterogeneous IoT devices. In: USENIX Security Symposium (2021)

Acknowledgements

This research is supported by the Natural Sciences and Engineering Research Council of Canada (NSERC) through a Discovery Grant.

Author information

Corresponding author

Correspondence to Conner Bradley.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Bradley, C., Barrera, D. (2023). Towards Characterizing IoT Software Update Practices. In: Jourdan, GV., Mounier, L., Adams, C., Sèdes, F., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2022. Lecture Notes in Computer Science, vol 13877. Springer, Cham. https://doi.org/10.1007/978-3-031-30122-3_25

  • DOI: https://doi.org/10.1007/978-3-031-30122-3_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30121-6

  • Online ISBN: 978-3-031-30122-3

  • eBook Packages: Computer Science, Computer Science (R0)