ナカニシ アキ
Nakanishi Aki
中西 晶 | Affiliation: Meiji University, School of Business Administration | Position: Professor |
Language | English |
Date of publication/presentation | 2016/03 |
Type | International conference proceedings |
Peer review | Peer-reviewed |
Title | Firmware Update Trend in the Internet of Things-An Empirical Survey of Japanese HGW Vendors- (Full Paper) |
Authorship | Co-authored (not first author) |
Published in | Proceedings of The International Conference on Computing Technology, Information Security and Risk Management (CTISRM2016) |
Publication region | Outside Japan |
Publisher | SDIWC Digital Library (CD ROM) |
Authors / co-authors | ◎Ichiro Mizukoshi, Aki Nakanishi, Atsuhiro Goto |
Abstract | Firmware vulnerability is a serious concern in the Internet of Things (IoT) environment. Home Gateway (HGW) is a small router that connects the home network to the Internet. Malicious hackers attack HGW utilizing its vulnerability. HGW can be considered as a standard example of IoT as it is always connected to the Internet and many HGWs exist. In Japan, there are more than 40 million units. In this paper, we first report the current situation regarding vulnerability management by the HGW vendors in Japan. There are two types of business models. The first one is called "SELL", and the other is "SUBSCRIPTION" (hereafter SUB). The SELL model is simple. The vendor sells HGWs to the end user and the vendor cannot access the HGWs without the end user's permission. The SUB model is slightly complicated. HGWs are leased to the end user from the vendor and the vendor also acts as a service operator providing Internet connectivity to the user. The vendor is required to maintain the functioning of the HGWs. Next, we describe our findings as follows: 1) Aggressiveness with regard to the security update varies for each vendor. 2) SELL vendors have an average of 4.5 times of updates during the lifetime and the final update is provided 46.7 days before the end of sales. 3) SUB has 16.45 times of updates and the final update is provided 1069.7 days after the end of sales. Finally, we discuss some issues as follows: The devices that are not updated against vulnerability become dangerous debris and the mass of debris will become a serious risk. There are several ways to regulate them. Based on Lessig's code, we classified them into four categories: Law, Norms, Market, and Architecture. Our classification is as follows: Law - Product Liability act, Norms - Open source, Market - Subscription, and Architecture - programmed to die. |