TY - GEN
T1 - Inferring Software Update Practices on Smart Home IoT Devices Through User Agent Analysis
AU - Prakash, Vijay
AU - Xie, Sicheng
AU - Huang, Danny Yuxing
N1 - Funding Information:
We would like to thank Santiago Torres Arias and our shepherd Sofía Celi for helpful feedback.
Publisher Copyright:
© 2022 Copyright held by the owner/author(s).
PY - 2022/11/11
Y1 - 2022/11/11
N2 - Smart home IoT devices are known to be breeding grounds for security and privacy vulnerabilities. Although some IoT vendors deploy updates, the update process is mostly opaque to researchers. It is unclear what software components are on devices, whether and when these components are updated, and how vulnerabilities change alongside the updates. This opaqueness makes it difficult to understand the security of software supply chains of IoT devices. To understand the software update practices on IoT devices, we leverage IoT Inspector's dataset of network traffic from real-world IoT devices. We analyze the User Agent strings from plain-text HTTP connections. We focus on four software components included in User Agents: cURL, Wget, OkHttp, and python-requests. By keeping track of what kinds of devices have which of these components at what versions, we find that many IoT devices potentially used outdated and vulnerable versions of these components (based on the User Agents) even though less vulnerable, more updated versions were available; and that the rollout of updates tends to be slow for some IoT devices.
AB - Smart home IoT devices are known to be breeding grounds for security and privacy vulnerabilities. Although some IoT vendors deploy updates, the update process is mostly opaque to researchers. It is unclear what software components are on devices, whether and when these components are updated, and how vulnerabilities change alongside the updates. This opaqueness makes it difficult to understand the security of software supply chains of IoT devices. To understand the software update practices on IoT devices, we leverage IoT Inspector's dataset of network traffic from real-world IoT devices. We analyze the User Agent strings from plain-text HTTP connections. We focus on four software components included in User Agents: cURL, Wget, OkHttp, and python-requests. By keeping track of what kinds of devices have which of these components at what versions, we find that many IoT devices potentially used outdated and vulnerable versions of these components (based on the User Agents) even though less vulnerable, more updated versions were available; and that the rollout of updates tends to be slow for some IoT devices.
KW - IoT
KW - supply chain
KW - updates
UR - http://www.scopus.com/inward/record.url?scp=85143975677&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85143975677&partnerID=8YFLogxK
U2 - 10.1145/3560835.3564551
DO - 10.1145/3560835.3564551
M3 - Conference contribution
AN - SCOPUS:85143975677
T3 - SCORED 2022 - Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, co-located with CCS 2022
SP - 93
EP - 103
BT - SCORED 2022 - Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, co-located with CCS 2022
PB - Association for Computing Machinery, Inc
T2 - 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, SCORED 2022 - Co-located with CCS 2022
Y2 - 11 November 2022
ER -