著者

Asuka NAKAJIMA Takuya WATANABE Eitaro SHIOJI Mitsuaki AKIYAMA Maverick WOO

出版者

The Institute of Electronics, Information and Communication Engineers

雑誌

IEICE Transactions on Information and Systems (ISSN:09168532)

巻号頁・発行日

vol.E103.D, no.7, pp.1524-1540, 2020-07-01 (Released:2020-07-01)

参考文献数

40

---

With our ever increasing dependence on computers, many governments around the world have started to investigate strengthening the regulations on vulnerabilities and their lifecycle management. Although many previous works have studied this problem space for mainstream software packages and web applications, relatively few have studied this for consumer IoT devices. As our first step towards filling this void, this paper presents a pilot study on the vulnerability disclosures and patch releases of three prominent consumer IoT vendors in Japan and three in the United States. Our goals include (i) characterizing the trends and risks in the vulnerability lifecycle management of consumer IoT devices using accurate long-term data, and (ii) identifying problems, challenges, and potential approaches for future studies of this problem space. To this end, we collected all published vulnerabilities and patches related to the consumer IoT products by the included vendors between 2006 and 2017; then, we analyzed our dataset from multiple perspectives, such as the severity of the included vulnerabilities and the timing of the included patch releases with respect to the corresponding disclosures and exploits. Our work has uncovered several important findings that may inform future studies. These findings include (i) a stark contrast between how the vulnerabilities in our dataset were disclosed in the two markets, (ii) three alarming practices by the included vendors that may significantly increase the risk of 1-day exploits for customers, and (iii) challenges in data collection including crawling automation and long-term data availability. For each finding, we also provide discussions on its consequences and/or potential migrations or suggestions.

著者

Ayako Akiyama Hasegawa Takuya Watanabe Eitaro Shioji Mitsuaki Akiyama Tatsuya Mori

出版者

Information Processing Society of Japan

雑誌

Journal of Information Processing (ISSN:18826652)

巻号頁・発行日

vol.28, pp.1030-1046, 2020 (Released:2020-12-15)

参考文献数

42

---

Online service providers exert tremendous effort to protect users' accounts against sensitive data breaches. Although threats from complete outsiders, such as account hijacking for monetization, still occur, recent studies have shed light on threats to privacy from insiders. In this study, we focus on these latter threats. Specifically, we present the first comprehensive study of an attack from insiders that identifies the existence of a target's account by using the target's email address and the insecure login-related messages that are displayed. Such a threat may violate intimates' or acquaintances' privacy because the kinds of service accounts a user has implies his/her personal preferences or situation. We conducted surveys regarding user expectations and behaviors on online services and an extensive measurement study of login-related messages on online services that are considered sensitive. We found that over 80% of participants answered that they have sensitive services and that almost all services were vulnerable to our attack. Moreover, about half the participants who have sensitive services were insecurely registered on them, thus could be potential victims. Finally, we recommend ways for online service providers to improve login-related messages and for users to take appropriate defensive actions. We also report our responsible disclosure process.

著者

Kazuki Nomoto Takuya Watanabe Eitaro Shioji Mitsuaki Akiyama Tatsuya Mori

出版者

Information Processing Society of Japan

雑誌

Journal of Information Processing (ISSN:18826652)

巻号頁・発行日

vol.31, pp.620-642, 2023 (Released:2023-09-15)

参考文献数

80

---

Modern Web services provide advanced features by utilizing hardware resources on the user's device. Web browsers implement a user consent-based permission model to protect user privacy. In this study, we developed PERMIUM, a web browser analysis framework that automatically analyzes the behavior of permission mechanisms implemented by various browsers. We systematically studied the behavior of permission mechanisms for 22 major browser implementations running on five different operating systems. We found fragmented implementations. Implementations between browsers running on different operating systems are not always identical. We determined that implementation inconsistencies could lead to privacy risks. We identified gaps between browser permission implementations and user perceptions from the user study corresponding to the analyses using PERMIUM. Based on the implementation inconsistencies, we developed two proof-of-concept attacks and evaluated their feasibility. The first attack uses permission information to secretly track the user. The second attack aims to create a situation in which the user cannot correctly determine the origin of the permission request and the user mistakenly grants permission. Finally, we clarify the technical issues that must be standardized in privacy mechanisms and provide recommendations to OS/browser vendors to mitigate the threats identified in this study.