Title: Firmware Update Trend in the Internet of Things -An Empirical Survey of Japanese HGW Vendors-

Year of Publication: March - 2016
Page Numbers: 19-29
Authors: Ichiro Mizukoshi, Aki Nakanishi and Atsuhiro Goto
Conference Name: The International Conference on Computing Technology, Information Security and Risk Management (CTISRM2016)
- United Arab Emirates


Firmware vulnerability is a serious concern in the Internet of Things (IoT) environment. A Home Gateway (HGW) is a small router that connects the home network to the Internet. Malicious hackers attack HGWs by exploiting their vulnerabilities. The HGW can be considered a standard example of IoT, as it is always connected to the Internet and many HGWs exist. In Japan, there are more than 40 million units. In this paper, we first report the current situation regarding vulnerability management by the HGW vendors in Japan. There are two types of business models. The first is called “SELL,” and the other is “SUBSCRIPTION” (hereafter SUB). The SELL model is simple: the vendor sells HGWs to the end user, and the vendor cannot access the HGWs without the end user’s permission. The SUB model is slightly more complicated: HGWs are leased to the end user by the vendor, and the vendor also acts as a service operator providing Internet connectivity to the user. The vendor is required to maintain the functioning of the HGWs. Next, we describe our findings as follows: 1) Aggressiveness with regard to security updates varies from vendor to vendor. 2) SELL vendors provide an average of 4.5 updates during the product lifetime, and the final update is provided 46.7 days before the end of sales. 3) SUB vendors provide 16.45 updates, and the final update is provided 1069.7 days after the end of sales. Finally, we discuss some issues as follows: Devices that are not updated against vulnerabilities become dangerous debris, and the mass of debris will become a serious risk. There are several ways to regulate them. Based on Lessig’s code, we classified them into four categories: Law, Norms, Market, and Architecture. Our classification is as follows: Law - Product Liability Act, Norms - Open source, Market - Subscription, and Architecture - programmed to die.