International Journal of Modern Computer Science and IT Innovations


EMPIRICAL CHARACTERIZATION OF IOT FIRMWARE VERSION DIVERSITY AND PATCHING STATUS

Authors

  • Dr. Rania E. El-Gamal, Department of Computer Systems, Alexandria University, Egypt

DOI:

https://doi.org/10.55640/ijmcsit-v02i03-01

Keywords:

IoT firmware, version diversity, patching status, empirical analysis

Abstract

The rapid growth of Internet of Things (IoT) devices has introduced significant challenges in maintaining firmware security and consistency. This study presents an empirical analysis of firmware version diversity and patching status across a wide range of IoT devices. By collecting and analyzing firmware metadata from multiple vendors and device types, we reveal patterns of version fragmentation, delayed patch deployment, and inconsistent update practices. Our findings highlight critical security implications, such as increased vulnerability exposure and lack of standardization in firmware maintenance. The study provides actionable insights for stakeholders to improve firmware management policies, enhance update mechanisms, and strengthen the overall security posture of IoT ecosystems.

Published

2025-03-18

How to Cite

EMPIRICAL CHARACTERIZATION OF IOT FIRMWARE VERSION DIVERSITY AND PATCHING STATUS. (2025). International Journal of Modern Computer Science and IT Innovations, 2(03), 01-08. https://doi.org/10.55640/ijmcsit-v02i03-01
