Smart home IoT devices are known to be breeding grounds for security and privacy vulnerabilities. Although some IoT vendors deploy updates, the update process is mostly opaque to researchers. It is unclear what software components are on devices, whether and when these components are updated, and how vulnerabilities change alongside the updates. This opaqueness makes it difficult to understand the security of software supply chains of IoT devices. To understand the software update practices on IoT devices, we leverage IoT Inspector's dataset of network traffic from real-world IoT devices. We analyze the User Agent strings from plain-text HTTP connections. We focus on four software components included in User Agents: cURL, Wget, OkHttp, and python-requests. By keeping track of what kinds of devices have which of these components at what versions, we find that many IoT devices potentially used outdated and vulnerable versions of these components - based on the User Agents - even though less vulnerable, more updated versions were available; and that the rollout of updates tends to be slow for some IoT devices.
翻译:智能家用 IoT 设备已知是安全和隐私脆弱性的滋生地。 虽然一些 IoT 供应商部署更新, 但更新过程对研究人员来说大多是不透明的。 不清楚设备上有哪些软件组件, 这些组件是否更新, 何时更新, 以及这些组件是如何变化的。 这种不透明使得难以理解IoT 设备软件供应链的安全性。 要了解IoT 设备上软件更新的做法, 我们使用IoT 检查员关于真实世界 IoT 设备网络流量的数据集。 我们从普通文本 HTTP 连接中分析用户代理字符串。 我们侧重于用户代理器中包含的四个软件组件: cURL、 Wget、 OkHttp 和 python 请求。 通过跟踪这些组件中哪些版本的哪些类型的设备, 我们发现许多 IoT 设备可能使用这些组件的过时和脆弱版本 — 以用户代理器为基础 — 尽管不那么脆弱, 更更新版本是可用的; 更新的版本的推出过程对于某些 IoT 设备来说往往很慢。