Hee-Hyun Kim and Jinho Yoo*
Analysis of Security Vulnerabilities for IoT Devices
Abstract: Recently, the number of Internet of Things (IoT) devices has been increasing exponentially. These IoT devices are directly connected to the internet to exchange information. IoT devices are becoming smaller and lighter. However, security measures lag behind the security vulnerabilities of IoT devices. This is often because security patches are not adequately applied or because the device has no patch function. Thus, security vulnerabilities continue to exist, and security incidents continue to increase. In this study, we classified and analyzed the most common security vulnerabilities for IoT devices and identified the essential vulnerabilities that should be considered for security when producing IoT devices. This paper will contribute to reducing the occurrence of security vulnerabilities in companies that produce IoT devices. Additionally, companies can identify vulnerabilities that frequently occur in IoT devices and take preemptive measures.
Keywords: CVE Vulnerability, CVSS, IoT Device, Security Vulnerabilities
1. Introduction
The term Internet of Things (IoT) was first coined in 1999 by Kevin Ashton of the Massachusetts Institute of Technology (MIT) when he predicted that “in the future, IoT will be built on things that use and utilize RFID and other sensors in daily life.” The International Telecommunication Union (ITU) defined IoT as a technology that connects anything, anytime, and anywhere. Currently, each institution and organization defines IoT slightly differently, and the scope of IoT applications has been expanded [1,2].
According to IDC Korea (https://www.idc.com/kr), the size of the domestic IoT platform market in 2019 reached KRW 754 billion, an increase of 19.5% from the previous year, and the market will show an average annual growth rate of 16.1% until 2023, to KRW 1.33 trillion. Additionally, the size of the global market is expected to reach USD 1.12 trillion in 2023, 1.8 times higher than in 2018 (USD 620.3 billion).
New security vulnerabilities are expected to emerge due to various environments, such as the openness of the IoT platform, various heterogeneous terminals/sensors, and interworking between wired and wireless networks. Therefore, to activate IoT services, it is necessary to solve security problems that may occur in various environments.
As the number of IoT devices increases significantly in the future, it is expected that security vulnerabilities will naturally increase. It goes without saying that more vulnerabilities will lead to more attacks and damage in smart homes and highly secure governments and enterprises. Additionally, IoT will not be the only target for attacks. In this regard, Panda Lab predicted that attacks on networks, such as IoT devices, routers and network equipment, and Wi-Fi, will increase.
Therefore, in this study, we classified and analyzed the vulnerabilities of the IoT devices based on the CVE (Common Vulnerabilities and Exposures) vulnerability data. By analyzing the vulnerabilities of IoT devices, we tried to prevent hacking and industrial accidents in advance by securing the safety of the IoT device system. The results of this study can be used to examine the vulnerabilities of IoT device systems and evaluate IoT system security.
The remainder of this document is organized as follows. Section 2 presents the motivation for this study through previous studies. Section 3 provides a research method to classify IoT vulnerabilities based on the CVE website. Section 4 analyzes the type, frequency, and risk score of vulnerabilities of IoT devices. Finally, Section 5 presents the conclusion.
2. Related Research
2.1 Prior Research
Park and Park examined the challenges, opportunities, and solutions of IoT, 5G mobile networks, and artificial intelligence (AI). They addressed clustering, Hyperledger Fabric, data, security, machine vision, convolutional neural network, IoT technology, and resource management of 5G mobile networks. Blinowski and Piotrowski analyzed and presented the scope of IoT by dividing it into IoT architecture, IoT application, and security issues with IoT systems. Jeong and Park introduced 18 novel and enhanced research studies from different countries in the world. They presented different paradigms to subjects that tackle diverse kinds of research areas, such as IoT and smart city.
Kim et al. classified various threats, solutions, and cyber physical system (CPS) security projects related to the problems and threats faced by CPS, one of the core technologies for implementing IoT. Additionally, they proposed solutions for each threat. Sicato et al. provided a comprehensive overview of existing intrusion detection systems for the IoT environment, cyber-security threat challenges, and transparent problems. They proposed software-defined IDS-based distributed cloud architecture that provides a secure IoT environment.
Kim et al. suggested security threats for each IoT component with terminals, wired/wireless networks, and applications. Hong et al. proposed a checklist for home IoT, including categories of applications, hardware, systems, web interfaces, and networks. Yang et al. explained the security vulnerabilities of IoT smart home networks. Lee and Park divided the IoT-based smart home into sensors, network sections, and smart terminals to deduce security threats and establish protection measures. Jung and Cha presented security requirements by classifying the IoT device platform layer (device, gateway, and service) and classification according to the function of the IoT device (data-carrying device, data-capturing device, sensing and actuating device, general device, and grade device). Hong and Sin analyzed vulnerabilities through scenarios by dividing them into the terminal, network, and service layers.
Wang et al. proposed a method of balancing three aspects (user privacy, data integrity in edge-assisted IoT devices, and computational cost) to ensure the privacy of IoT users and maintain the integrity of the collected data. Meng et al. proposed a security-based hybrid collaboration recommendation method that can more scalably and safely handle large-scale IoT services that can be accessed by the cloud. Qi et al. proposed a new privacy-aware data fusion and prediction approach for the smart city industrial environment based on the classic locality-sensitive hashing (LSH) technology.
2.2 Research Issues and Challenges
Many organizations, corporations, and manufacturers do not independently identify vulnerabilities of IoT devices or manage action guides. The reality is that institutions and enterprises do not separate and manage IoT device assets, nor do they know how many IoT devices exist inside.
Although hacking accidents through IoT devices (configuration of large-scale botnets, such as Mirai Botnet) are major social issues, analysis of vulnerabilities of IoT devices has not been actively conducted. A representative Mirai Botnet incident occurred on October 21, 2016, when DNS service provider Dyn was hit by a large-scale distributed denial of service (DDoS) attack, and many websites, such as Netflix and Twitter, were paralyzed or experienced service delays. The analysis results confirmed that many IoT devices with weak passwords (devices operating with default ID/PW set) were infected with Mirai malware and caused a large-scale DDoS attack.
“OWASP IoT Top 10”, a list of IoT vulnerabilities selected by OWASP, presents vulnerabilities as guidelines for safe IoT usage rather than as actual hacking techniques. As mentioned above, the existing studies mainly focus on overall vulnerabilities, such as IoT areas, components, and threat scenarios, rather than on the vulnerabilities themselves caused by IoT devices.
Therefore, in this study, instead of the general analysis mentioned above, we focus on the vulnerabilities that IoT devices actually generate and the ratio of IoT vulnerabilities within each type of vulnerability. We analyze the enterprise, SCADA, home, mobile, and PC categories, which have the most vulnerabilities. Our analyses will contribute to deriving the vulnerability items to be aware of in IoT devices, preventing the recurrence of IoT vulnerabilities.
3. Research Method
In this study, we classified and analyzed the vulnerability of IoT based on the vulnerabilities in the CVE website (http://www.cvedetails.com) [21-23]. The classified vulnerabilities are expressed in 13 types, such as DoS, code execution, XSS, and SQL injection (Fig. 1). Among the data from 1999 to 2019, only 2019 data were used to prepare basic data for analysis.
The research proceeded as follows. First, we excluded vulnerabilities occurring by themselves in mobile apps and operating systems (OS) (e.g., Windows and Linux) from the basic data. As the first step on the basic data, we examined whether each vulnerability was a vulnerability of an IoT device or not. In the second step, we analyzed whether it corresponds to a vulnerability related to hardware, such as the IoT devices’ own OS, or a vulnerability related to software running in the IoT devices. Among software-related vulnerabilities, vulnerabilities occurring in mobile apps (Android, iOS) were excluded to validate the analysis, and only the vulnerability data of the mobile device were included.
Additionally, vulnerabilities of the IoT devices were divided into six categories, and these processes were manually classified and analyzed (Table 1, Fig. 2). The six categories are home (H), SCADA (S), enterprise (E), mobile (M), PC (P), and other (A). The vulnerabilities of IoT devices were classified based on where they occur the most.
4. Analysis Result
Vulnerabilities occurring in IoT devices were manually classified by reading the description of each vulnerability rather than an automatic method, such as keyword search. The results are summarized in Fig. 3.
In 2019, the total number of vulnerabilities was 12,174, and the number of vulnerabilities classified into 13 types was 8,988. Among them, there are 1,342 IoT device vulnerabilities, 11% of the total vulnerabilities, and 14.9% of the 13 types of vulnerabilities.
Among the 919 DoS vulnerabilities, 198 were found in IoT devices. Among the 2,277 code execution vulnerabilities, 349 were identified in IoT devices. Fig. 4 shows the number of each vulnerability. We can see that among the 13 types of vulnerabilities, code execution (349), overflow (256), DoS (198), gain information (103), memory corruption (97), XSS (96), and bypass something (82) had the most vulnerabilities, in that order.
As shown in ① of Fig. 3, IoT device vulnerabilities accounted for 32.8% (97/296) of the memory corruption vulnerabilities discovered in 2019. IoT device vulnerabilities also accounted for 25% (1/4) of HTTP response splitting vulnerabilities, 23.3% of gain privileges vulnerabilities, 21.5% of DoS vulnerabilities, and 20.5% of overflow vulnerabilities. As shown in ② of Fig. 3, among the total vulnerabilities of discovered IoT devices, code execution, overflow, DoS, gain information, and memory corruption vulnerabilities were 26% (349/1,342), 19.1% (256/1,342), 14.8%, 7.7%, and 7.2%, respectively.
Combining the two analyses, the percentage of each type's vulnerabilities found in IoT devices and the ratio of each type to the total IoT vulnerabilities, we find that the vulnerabilities ranking high in both are DoS, overflow, and memory corruption (Table 2, Fig. 5). These are the vulnerabilities that require the most care.
When analyzing the proportion of hardware-related and software-related vulnerabilities among IoT devices, hardware and software are 84.8% and 15.2%, respectively. Thus, the nature of the IoT device is hardware-dependent, and there are many vulnerabilities related to it.
In detail, hardware vulnerabilities account for a large percentage of most vulnerabilities, such as DoS and code execution vulnerabilities. In contrast, HTTP response splitting and gain privileges vulnerabilities have a high proportion of software vulnerabilities.
As a result of classifying and analyzing into six categories, we found that the most vulnerabilities occurred in the order of E, S, H, M, A, and P. That is, vulnerabilities are found most often in enterprise and industrial IoT devices. However, as the use of H and M IoT devices increases, this area needs careful consideration and attention in the future.
As shown in Fig. 6, in the case of DoS vulnerabilities, a total of 198 (100%) vulnerabilities emerged, of which 104 (53%) in E-class equipment and 37 (19%) in S-class were ranked 1st and 2nd, respectively. Among the 349 vulnerabilities in code execution, 148 (42%) in E-class equipment and 101 (29%) in S-class equipment were ranked 1st and 2nd, respectively.
DoS vulnerability occurred most frequently in E-class, and S-class equipment occurred the second most frequently. In other words, the devices that have the most DoS, code execution, XSS, gain information, gain privilege, and file inclusion vulnerabilities are E-class and S-class devices. For each of the 13 vulnerabilities, it can be seen that vulnerabilities occur evenly in S-class and E-class devices, followed by H-class and M-class devices. As the use of H-class and M-class IoT devices increases, vulnerabilities in that field will also increase.
As shown in Fig. 7, for the H-class device, 71 (32%), 34 (15.2%), and 33 (14.8%) of code execution, overflow, and DoS vulnerabilities, respectively, were detected among the 223 vulnerabilities. In the H-class and S-class devices, code execution, overflow, and DoS vulnerabilities took the 1st, 2nd, and 3rd places, respectively. The E-class and A-class devices appear to have only the ranking of code execution, overflow, and DoS vulnerabilities changed. Additionally, memory corruption and gain information vulnerabilities were included in some of the top three.
Commonly found vulnerabilities for each class are code execution, overflow, and DoS. They can be seen as vulnerabilities that must be considered when producing and developing IoT devices.
Table 3 shows a distribution of vulnerabilities by common vulnerability scoring system (CVSS) [24,25] score section. CVSS is used to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (e.g., low, medium, and high) to help organizations properly assess and prioritize their vulnerability management processes. Table 3 also shows the percentage of the total number of vulnerabilities from 1999 to 2019, the percentage of the number of vulnerabilities in 2019, and the percentage of the number of vulnerabilities in IoT devices in 2019.
In this study, we analyzed the CVSS vulnerability range by dividing it into low (0–4), medium (4–7), and high (7–10). The distributions of vulnerabilities that occurred from 1999 to 2019 were 8.95%, 55.32%, and 35.73% in the low, medium, and high sections, respectively.
The vulnerabilities that occurred in 2019 were 13.46%, 60.90%, and 25.64% in the low, medium, and high sections, respectively. In contrast, the vulnerabilities of IoT devices that occurred in 2019 were 12.52%, 45.68%, and 41.80% in the low, medium, and high sections, respectively.
As the vulnerability distribution percentage score for IoT devices is relatively high in the high and medium sections, it can be determined that the risk of vulnerability for IoT devices is high. Therefore, it is necessary to quickly prepare security measures for IoT devices.
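The two calculations used in this section, as an added example (not code from the paper): the two views of Fig. 3 with their top-k overlap, computed from the counts the text quotes, and the split into CVSS sections. Function names and the sample scores are constructed; assigning 4.0 to medium and 7.0 to high is an assumption (the NVD CVSS v2 convention), because the sections are written as 0–4, 4–7, and 7–10 without saying which one owns the boundary.

```python
from collections import Counter

# 2019 counts quoted in the text: type -> (IoT device vulns, all vulns of that type).
# Only the four types for which the text gives both numbers are listed.
PAGE_COUNTS = {
    "memory corruption": (97, 296),
    "dos": (198, 919),
    "code execution": (349, 2277),
    "http response splitting": (1, 4),
}
IOT_TOTAL = 1342  # all IoT device vulnerabilities in 2019, per the text

# Constructed CVSS base scores for illustration only (not data from the paper).
SAMPLE_SCORES = [3.9, 4.0, 5.0, 6.9, 7.0, 7.5, 9.3, 10.0]


def share_within_type(counts):
    """View 1 of Fig. 3: percent of each type's vulnerabilities found in IoT devices."""
    return {t: round(100 * iot / total, 1) for t, (iot, total) in counts.items()}


def share_of_iot(counts, iot_total):
    """View 2 of Fig. 3: percent of all IoT device vulnerabilities that are of each type."""
    return {t: round(100 * iot / iot_total, 1) for t, (iot, _) in counts.items()}


def top_k(shares, k):
    """The k types with the largest share."""
    return set(sorted(shares, key=shares.get, reverse=True)[:k])


def overlapping_types(counts, iot_total, k):
    """Types that rank in the top k under both views."""
    return top_k(share_within_type(counts), k) & top_k(share_of_iot(counts, iot_total), k)


def cvss_band(score):
    """Assumed boundaries: low 0.0-3.9, medium 4.0-6.9, high 7.0-10.0."""
    if not 0.0 <= score <= 10.0:  # also rejects NaN
        raise ValueError(f"CVSS base score out of range: {score}")
    if score < 4.0:
        return "low"
    return "medium" if score < 7.0 else "high"


def band_distribution(scores):
    """Percent of scores in each section, in the layout of Table 3."""
    if not scores:
        raise ValueError("no scores to classify")
    counts = Counter(cvss_band(s) for s in scores)
    return {b: round(100 * counts[b] / len(scores), 2) for b in ("low", "medium", "high")}


if __name__ == "__main__":
    print(share_within_type(PAGE_COUNTS))
    print(share_of_iot(PAGE_COUNTS, IOT_TOTAL))
    print(sorted(overlapping_types(PAGE_COUNTS, IOT_TOTAL, k=3)))
    print(band_distribution(SAMPLE_SCORES))
```

Overflow is left out of `PAGE_COUNTS` because the text gives its IoT count and percentage but not the total for the type.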
Fig. 8 presents the results of analyzing the CVSS risk level of IoT devices using 13 types of vulnerabilities. The low section showed the highest percentage of file inclusion vulnerabilities, and the medium section showed XSS, HTTP response splitting, and CSRF vulnerabilities. In the high section, code execution, overflow, and privilege gain vulnerabilities were high. Code execution, overflow, and gain privileges vulnerabilities have a high degree of risk; thus, they can be viewed as vulnerabilities with a large impact when hacking occurs. Therefore, it is essential to take countermeasures against the vulnerability.
5. Conclusion
In this study, the vulnerabilities of IoT devices were specifically selected and analyzed using the CVE vulnerability database. We performed the CVSS risk analysis for IoT devices. Based on the data classified by each stage, we found that memory corruption, overflow, DoS, and bypass something vulnerabilities occur the most among the vulnerabilities that occur in IoT devices. Most vulnerabilities occur in the following order: E, S, H, M, A, and P. We found that the current E-class and S-class IoT devices have the most vulnerabilities. However, due to the growing trend of using IoT devices in H-class and M-class devices, this area needs attention and review.
As a result of analyzing the CVSS risk of IoT devices, we found that the risk was relatively higher than the existing vulnerabilities. The risk of security vulnerabilities in IoT devices is high, and special attention must be paid to prevent memory corruption, overflow, DoS, and code execution vulnerabilities from occurring as much as possible.
Due to the nature of IoT devices, when a security vulnerability occurs, there are many cases where a device or environment cannot perform security updates. When a new product is developed in the future, building in an essential security update function will be a good way to remove or mitigate vulnerabilities, because it makes it possible to respond flexibly to future security incidents.
The results of this paper can be used to study various devices and software vulnerabilities in the future since it investigated the vulnerabilities of IoT devices based on the CVE vulnerability. Additionally, by securing the safety of the IoT device system, hacking and industrial accidents are prevented in advance, and IoT device system developers, operators, and security managers can use this result for future development, production, and construction. Finally, it is expected to contribute to preventing the recurrence of vulnerabilities in IoT devices and be used as basic data to analyze vulnerabilities and prepare security measures for IoT devices. This study has a limitation in that the number of samples is small by classifying the vulnerabilities of IoT devices using only 2019 data. In future studies, we will conduct analysis with multi-year data.
He received his Bachelor’s degree in Computer Science from Korea National Open University in 2011. He is also completing the master’s and doctoral courses at Sangmyung University. He has been with POSCO ICT since March 2007. His current research interests are computer security and information protection, IoT, control systems, and vulnerability analysis.
He is a Professor at Sangmyung University. He received his B.S. degree in Mathematics and M.S. in Statistics and Ph.D. degrees in Information Management and Security at Korea University. Prior to joining Sangmyung University, he worked as a director of the Korea Internet and Security Agency (KISA), as a managing consultant of CRM and data mining at IBM, and as a researcher of R&D planning at the Electronics and Telecommunications Research Institute (ETRI). His research interests include issues related to information security and privacy, big data analytics, blockchain, and data mining.