Nakanishi Aki
   Department Undergraduate School, School of Business Administration
   Position Professor
Language English
Publication Date 2016/03
Type International Conference
Peer Review Peer reviewed
Title Firmware Update Trend in the Internet of Things-An Empirical Survey of Japanese HGW Vendors-
(Full Paper)
Contribution Type Co-authored (other than first author)
Journal Proceedings of The International Conference on Computing Technology, Information Security and Risk Management (CTISRM2016)
Journal Type Another Country
Publisher SDIWC Digital Library (CD-ROM)
Author and coauthor ◎Ichiro Mizukoshi, Aki Nakanishi, Atsuhiro Goto
Details Firmware vulnerability is a serious concern in the Internet of Things (IoT) environment. Home Gateway (HGW) is a small router that connects the home network to the Internet. Malicious hackers attack HGW utilizing its vulnerability. HGW can be considered as a standard example of IoT as it is always connected to the Internet and many HGWs exist. In Japan, there are more than 40 million units. In this paper, we first report the current situation regarding vulnerability management by the HGW vendors in Japan. There are two types of business models. The first one is called "SELL", and the other is "SUBSCRIPTION" (hereafter SUB). The SELL model is simple. The vendor sells HGWs to the end user and the vendor cannot access the HGWs without the end user's permission. The SUB model is slightly complicated. HGWs are leased to the end user from the vendor and the vendor also acts as a service operator providing Internet connectivity to the user. The vendor is required to maintain the functioning of the HGWs. Next, we describe our findings as follows: 1) Aggressiveness with regard to the security update varies for each vendor. 2) SELL vendors have an average of 4.5 times of updates during the lifetime and the final update is provided 46.7 days before the end of sales. 3) SUB has 16.45 times of updates and the final update is provided 1069.7 days after the end of sales. Finally, we discuss some issues as follows: The devices that are not updated against vulnerability become dangerous debris and the mass of debris will become a serious risk. There are several ways to regulate them. Based on Lessig's code, we classified them into four categories: Law, Norms, Market, and Architecture. Our classification is as follows: Law - Product Liability act, Norms - Open source, Market - Subscription, and Architecture - programmed to die.