Okay, you use password manager, but do your IoT devices get updates regularly?

TLDR. Do IoT devices update? How is their update practice similar, different, better, or worse than non-IoT devices? Our study examined 2+ years of smart home network traffic data. We found that software components on IoT devices are more outdated than those on non-IoT devices (e.g., computers and phones); and that vendors were slow to roll out updates. These outdated software components presented serious supply chain security risks to the IoT devices.

Overview

Internet of things (IoT) devices or smart home devices are used by people for convenience. A few examples of these devices are smart home assistants (Amazon Alexa, Google Nest), smart TVs (Roku, Amazon Fire TV), digital thermostats, smart bulbs, and smart cameras.

In this post, we look at the update practice of IoT devices. We ask: Is their update practice different from other kinds of devices (computer, mobile, tablet, etc)? If it’s different, is it better or worse than other kinds of devices update practice?

We try to answer this question by inferring the update practice of IoT devices by looking at the different kinds and versions of HTTP user agents used on them over a period of two and half years. Our dataset consists of 4,562 different smart homes with 23,837 unique devices (including IoT and non-IoT devices) from Apr 2019 to Oct 2021.

This puppy only has canines, so it’s probably at least 3–4 weeks old.

It’s in a way like trying to figure out dogs’ age by looking at their teeth. Our dataset is like we had a lot of dogs of different kinds and ages so we could tell if the methodology works.

Background

Before we jump into answering the question posed in the post, let’s see why updates are important.

Update and update practice

IoT devices, like other computing devices, often use more than one software component to be able to do what they do. Device manufacturers (vendors) resort to this strategy to avoid reinventing the wheel and save resources and time. These software components get updated frequently, say from every few weeks to years, because they often have bugs, and new features are added to them. But one of the other important reasons is that software components also patch vulnerabilities with updates. Users can easily avoid possible security incidents because of those vulnerabilities by just updating the software component. If they don’t update these vulnerabilities might get exploited by attackers and lead to security incidents.

Researchers have found that not updating and using outdated software components have been correlated with compromise. Also, a positive correlation has been found between a lack of regular update practice and infection (security incident). So the bottom line is wherever a software component is used, it needs to be updated over time as vulnerabilities are found in them by security researchers.

Four factors of update

Now we have discussed why updates are important, let’s talk about what factors play an important role in updating software components.

One way to define the security of a device is how vulnerable it is to attacks; the less vulnerability a host has, the more secure it likely is. From the software update perspective, there are four factors that decide the vulnerable state of a host: 1) how quickly users install the updates; 2) how quickly vendors deploy the patch; 3) Using what mechanism vendors deploy the patch; 4) how frequently vulnerabilities are found. These combined together inform about update practice. Of the four factors, the fourth factor is common for all kinds of devices so we will focus on the first three factors to answer the question we posed in this post.

Method

As mentioned earlier, we tried to answer the IoT update practices question by looking at the different versions of HTTP User Agent used by IoT devices in plain HTTP traffic. Let’s look into how we get our hands on this kind of data, how diverse it is, and how it could answer the question.

To understand software update practices on real-world IoT devices, we use IoT Inspector’s dataset of network traffic, crowdsourced from smart homes around the world. The dataset includes names and manufacturers of devices, along with the User Agent strings extracted from plain-text HTTP connections, and the time when the HTTP traffic was seen. The User Agent string likely informs us what software component is used by the IoT device. It also tells us the version of the used software component.

In our study, we looked at the usage of four different popular software components — cURL, Wget, OkHttp, and Python Requests — used by HTTP clients on IoT devices and non-IoT devices. Besides collecting HTTP data from these devices, for each of the four software components, we also mapped their different versions to when the version was released and how many vulnerabilities it had at the time of our study, from publicly available data sources.

Combining these two datasets helped us in inferring update practices using the metrics we defined. These metrics are the following:

1. Number of avoidable vulnerabilities by updating the software component to the latest available version when it’s used. Vulnerabilities directly contribute to the vulnerable state of a host adversely.
2. The number of versions behind. How many versions behind a used software component are from the latest available version when it’s used?
3. Number of days behind (directly correlated with the number of versions behind),

Metrics 2 and 3 both show how quickly hosts are updated which involves both user promptness in installing updates and vendors deploying updates.

To understand more about our data and how we calculated these metrics please read our paper published in the CCS ’22 SCORED workshop.

Findings

Our data and metrics are able to characterize the update practice

The plot of those metrics, along with the number of months per release, is shown in the figure below. We can see that the updated practices of software components are different. Looking at these plots all together gives us a complete idea of the dynamics of update practice for these software components, which individual plots don’t show. If we only associate outdatedness with a vulnerable state, the order of software components from least secure to most secure would be cURL, Wget, OkHttp, and Requests.

Distribution of different metrics for all software components in our data.

If we only associate the number of versions behind with vulnerable states, the order of vulnerable states would be cURL, OkHttp, Requests, and Wget — although this is not true, because Wget releases new versions less frequently than all of the other software components. The more frequently a software component releases new versions, the more likely that versions behind the used software components are going to be high in the wild. Hence we can’t use only outdatedness by month or versions. The number of avoidable vulnerabilities shows a more accurate measure of how vulnerable a software component is.

Using that for our data, the performance of four software components from least secure to most secure is: cURL, Wget, Python requests, and OkHTTP.

IoT vs Non-IoT

Okay, so far we can say that our collected data and metric can tell us about the update practice of software components. To answer the question “Are update practices of IoT devices different from non-IoT devices?” we categorized the devices available in our data into six categories: “IoT platforms”, “IoT non-platforms”, “Computing”, “Storage and Printers”, “Networking”, and “Others”. We distinguish between “IoT platforms” and “IoT non-platforms” as if an IoT device allows third-party applications to be installed on them, we call them “IoT Platform”, else “non-platform”. The “Computing” category includes general-purpose computing devices, e.g., computers, mobile phones, tablets, etc.

We plotted out our three metrics for each category for each software component we studied.

Distribution of the number of avoidable vulnerabilities, number of versions behind, and number of months behind for all categories of IoT devices using cURL

Distribution of the number of avoidable vulnerabilities, number of versions behind, and number of months behind for all categories of IoT devices using Wget.

We see that update practices of IoT devices (including IoT platforms and non-platforms) are not just different from computing devices; it’s worse. Comparing IoT platforms and non-platforms, platforms do even worse than IoT non-platforms. This is likely because multiple applications running on IoT platforms use different versions of software components with poor update hygiene.

More findings

In our study, we also found that when vendors do deploy updates they don’t update to the latest available version leaving IoT devices vulnerable to easily avoidable vulnerabilities.

For a full analysis of updated practice, please read our paper accepted at ACM CCS ’22 Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED) workshop. A pre-published version of this study is available here.

Written by:

• Vijay Prakash, PhD researcher at New York University
• Danny Y. Huang, Assistant Professor at New York University

About All Things Inspected: We are a group of academic researchers who are passionate about security and privacy issues that affect daily lives. For more details, view this post.