A Large-scale Empirical Study on the Vulnerability of Deployed IoT Devices

Abstract The Internet of Things (IoT) has become ubiquitous and greatly affected peoples' daily lives. With the increasing development of IoT devices, the corresponding security issues are becoming more and more challenging. Such a severe security situation raises the following questions that need urgent attention: What are the primary security threats that IoT devices face currently? How do vendors and users deal with these threats? In this paper, we aim to answer these critical questions through a large-scale systematic study. Specifically, we perform a ten-month-long empirical study on the vulnerability of 1, 362, 906 IoT devices varying from six types. The results show sufficient evidence that N-days vulnerability is seriously endangering the IoT devices: 385, 060 (28.25%) devices suffer from at least one N-days vulnerability. Moreover, 2, 669 of these vulnerable devices may have been compromised by botnets. We further reveal the massive differences among five popular IoT search engines: Shodan [1], Censys [2], [3], Zoomeye [4], Fofa [5] and NTI [6]. To study whether vendors and users adopt defenses against the threats, we measure the security of MQTT [7] servers, and identify that 12, 740 (88%) MQTT servers have no password protection. Our analysis can serve as an important guideline for investigating the security of IoT devices, as well as advancing the development of a more secure environment for IoT systems.
  • Binbin Zhao
  • Shouling Ji
  • Wei-Han Lee
  • Changting Lin
  • Haiqing Weng
  • Jingzheng Wu
  • Pan Zhou
  • Liming Fang
  • Raheem Beyah
Date Nov-2020
Venue IEEE Transactions on Dependable and Secure Computing (2020) [link]