A Pilot Study on Consumer IoT Device Vulnerability Disclosure and Patch Release in Japan and the United States (CMU-CyLab-19-001)
Report posted on 30.09.2021, 19:29 by Asuka Nakajima, Takuya Watanabe, Eitaro Shioji, Mitsuaki Akiyama, Maverick Woo
With our ever-increasing dependence on computers, many governments around the world have started to investigate strengthening the regulations on vulnerabilities and their lifecycle management. Although many previous works have studied this problem space for mainstream software packages and web applications, relatively few have studied this for consumer IoT devices. As a first step towards filling this void, this paper presents a pilot study on the vulnerability disclosures and patch release behaviors related to 3 prominent consumer IoT vendors in Japan and 3 in the United States. The goals of this study include (i) characterizing trends and risks using accurate data that spans a long period, and (ii) identifying problems, challenges, and potential approaches for future studies of this problem space. To this end, we collected all published vulnerabilities and their patches for the consumer IoT products by these vendors between 2006 and 2017; then, we analyzed them from multiple perspectives such as the timing of patch releases with respect to disclosures and exploits as well as the severity of the vulnerabilities. Our work has uncovered several important findings that may inform future studies. These findings include (i) a stark contrast in the vulnerability disclosures in the two included countries, (ii) multiple alarming practices by the included vendors that may pose significant risks of 1-day exploits, and (iii) challenges in data collection including crawling automation and long-term data availability. For each of these findings, we also provide discussions on its consequences and/or potential mitigations or solutions.
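As an added illustration of the timing analysis the abstract describes (this is not code from the paper or its authors), the following Python computes the disclosure-to-patch lag for each record and classifies the 1-day exposure cases, i.e. where a patch shipped only after public disclosure or after a public exploit. The record schema, vendor identifiers and dates below are constructed assumptions, not the study's data.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass(frozen=True)
class VulnRecord:
    """One published vulnerability for a consumer IoT product (assumed schema)."""
    vuln_id: str
    disclosed: date                        # public disclosure (advisory) date
    patched: Optional[date] = None         # patch/firmware release date; None if never patched
    exploit_public: Optional[date] = None  # date a public exploit appeared; None if unknown

def patch_lag_days(rec: VulnRecord) -> Optional[int]:
    """Days from public disclosure to patch release. Negative means the patch
    shipped before disclosure (coordinated release). None if unpatched."""
    if rec.patched is None:
        return None
    return (rec.patched - rec.disclosed).days

def exposure_class(rec: VulnRecord) -> str:
    """Classify one record by the window in which a 1-day exploit is possible."""
    if rec.patched is None:
        return "unpatched"
    if rec.exploit_public is not None and rec.exploit_public < rec.patched:
        return "exploit-before-patch"       # most alarming: working exploit, no fix yet
    if rec.patched > rec.disclosed:
        return "disclosed-before-patch"     # details public before a fix existed
    return "patched-at-or-before-disclosure"

def summarize(records) -> dict:
    """Count records per exposure class and compute the median patch lag (patched only)."""
    counts: dict = {}
    for rec in records:
        cls = exposure_class(rec)
        counts[cls] = counts.get(cls, 0) + 1
    lags = [patch_lag_days(r) for r in records if r.patched is not None]
    return {"counts": counts, "median_lag_days": median(lags) if lags else None}

# Constructed sample records (hypothetical vendor IDs and dates).
SAMPLE = [
    VulnRecord("VENDOR-A-0001", date(2015, 3, 2), date(2015, 3, 2)),
    VulnRecord("VENDOR-A-0002", date(2016, 7, 11), date(2016, 9, 5), exploit_public=date(2016, 7, 20)),
    VulnRecord("VENDOR-B-0001", date(2014, 1, 15), date(2014, 2, 14)),
    VulnRecord("VENDOR-B-0002", date(2017, 5, 1)),
    VulnRecord("VENDOR-B-0003", date(2013, 11, 4), date(2013, 10, 28)),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```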