A Survey of Security Vulnerability Analysis,
Discovery, Detection, and Mitigation on IoT Devices
Miao Yu 1, Jianwei Zhuge 1,2,*, Ming Cao 3, Zhiwei Shi 3 and Lin Jiang 4
1 Institute of Network Science and Cyberspace, Tsinghua University, Beijing 100091, China
2 Beijing National Research Center for Information Science and Technology, Beijing 100000, China
3 China Information Technology Security Evaluation Center, Beijing 100085, China
4 China Luoyang Electronic Equipment Test Center, Luoyang 471000, China; JL13sky@163.com
Received: 24 December 2019; Accepted: 28 January 2020; Published: 6 February 2020
With the prosperity of the Internet of Things (IoT) industry environment, the variety and
quantity of IoT devices have grown rapidly. IoT devices have been widely used in smart homes,
smart wear, smart manufacturing, smart cars, smart medical care, and many other life-related ﬁelds.
With it, security vulnerabilities of IoT devices are emerging endlessly. The proliferation of security
vulnerabilities will bring severe risks to users’ privacy and property. This paper ﬁrst describes the
research background, including IoT architecture, device components, and attack surfaces. We review
state-of-the-art research on IoT device vulnerability discovery, detection, mitigation, and other related
works. Then, we point out the current challenges and opportunities by evaluation. Finally, we forecast
and discuss the research directions on vulnerability analysis techniques of IoT devices.
Keywords: internet of things (IoT); vulnerability discovery; vulnerability detection;
Internet of Things (IoT) is becoming the most popular and practical online platform. It connects
various sensors and controllers to the Internet and helps to achieve seamless communication between
people and things. It tends to be the crucial future of the Internet. Especially in recent years, with
the prosperity of the IoT industry, the variety and quantity of devices have grown rapidly. Globally,
the total number of current active IoT devices has reached 7 billion [ ]. They have been widely used
in smart homes, smart wear, smart manufacturing, smart car, smart medical care, and many other
life-related ﬁelds. We believe that it will greatly improve the quality of our lives.
At the same time, security vulnerabilities of IoT devices occur frequently, and they are very difficult to eliminate. HP's report showed that 70% of IoT products contain security vulnerabilities, and, on average, there are 25 vulnerabilities per device [ ]. Attackers engage in various illegal activities by maliciously exploiting vulnerabilities and controlling devices. The most well-known case is from 2016: the Mirai virus controlled hundreds of thousands of IoT devices and built botnets by manipulating the controlled devices. It launched Tbps-level denial-of-service (DoS) attacks on targets, including the DNS service provider Dyn, causing severe problems such as partial Internet paralysis in the United States. In conclusion, with the universal usage of IoT devices, the proliferation of security vulnerabilities will bring severe risks to the security and privacy of users and even the safety of human lives and
Future Internet 2020, 12, 27; doi:10.3390/fi12020027 www.mdpi.com/journal/futureinternet
Facing frequent attack risks, IoT security research has become increasingly popular. After the concept of "Internet of Things" was first proposed by American Auto-ID in 1999 [ ], security researchers have also contributed to IoT by working on standards of security architecture and [ ]. Subsequently, there was a lot of discussion about IoT security issues [ ]. Zhang et al. [ ] and Mahmoud et al. [ ] pointed out the challenges and research directions. Therefore, researchers began to use traditional security research methods in the field of IoT Security [
]. With the development of artificial intelligence (AI), surveys of machine and deep learning methods for IoT security have also emerged [ ]. Alrawi et al. [ ] systematically summarized IoT vulnerabilities across the device, mobile application, cloud endpoint, and communication in smart homes. For the summary of vulnerability analysis, Xie et al. [ ] summed up techniques for detecting IoT vulnerabilities. Recently, Zheng et al. [ ] published a survey of IoT vulnerability discovery techniques. In the two papers above, the boundaries between vulnerability discovery and vulnerability detection technologies are blurred. In this paper, vulnerability discovery technology mines unknown vulnerabilities, and vulnerability detection technology detects the existence of known vulnerabilities. Through the above investigations, we find that current studies focus on IoT security issues and lack a summary of analysis techniques. Secondly, in this kind of vulnerability analysis, they mainly focus on vulnerability discovery and detection and pay little attention to techniques of vulnerability mitigation. The problem is that the technical summary of IoT security is not comprehensive enough.
In order to overcome the above problem, we make contributions in three aspects:
First, we shift our focus from IoT architecture to IoT devices. Second, the classification of IoT device security technologies has been refined. In addition, we summarize the current research, considered from the basic framework of vulnerability analysis, discovering unknown vulnerabilities, detecting known vulnerabilities, and mitigating vulnerabilities.
We evaluate the current research on vulnerability analysis of IoT devices. In addition, we analyze in depth the reasons that hinder the development of security technologies and point out the challenges and opportunities.
We review the technological development context and point out future research directions for
This paper is organized as below: Section 2 describes the IoT security background. It introduces the IoT architecture, the device components, and the attack surfaces. Section 3 reviews current research works related to IoT device security, including vulnerability analysis, discovery, detection, and mitigation. Section 4 summarizes the challenges and opportunities based on the evaluation of vulnerability analysis technology. Section 5 points out the hot-spot directions of future research. Finally, Section 6 gives the conclusions.
2.1. IoT Architecture
With the rapid development of the Internet, more and more household and industrial devices are
connected to the Internet, which offers us diversiﬁed lives. IoT architecture is mainly developed in
two directions: consumer-level and industry-level.
On the consumer-level, we have several device types like industrial manufacturing, smart home, smart medical, and smart cars if they are divided by application scenarios. Among them, the development of smart home is relatively mature. The Internet giants—Samsung, Google, Apple, and XiaoMi have a large share of the market. In addition, IoT platforms like SmartThings [ ], Google Weave [ ], Apple HomeKit [ ], HomeAssistant [ ], and XiaoMi IoT [ ] have been released.
By investigating these platforms, we find that most IoT adopts the "Device <-> Cloud <-> User" architecture, as Figure 1 shows. The smart devices are generally deployed at homes. They communicate with cloud servers, and directly or indirectly access the network through WiFi [ ], ZigBee [ ], or other protocols. They upload the data collected by the sensor and receive the control command, which is issued to the actuator. The IoT architecture relies not only on the cloud from the vendor, but also on the cloud from a third party. They support each other and offer diverse services for various functions. Users can connect to the cloud to view status attributes and download data by their mobile phone or PC. For some simple scenarios such as wearable devices, the "Device <-> User" architecture is more practical.
Figure 1. Internet of Things (IoT) architecture on the consumer-level.
On the industry-level, the IoT architecture continues the Information Technology (IT) approach of centrally managing the interaction between users and devices through servers, as Figure 2 shows. The difference is that the apparatus must first communicate with the Programmable Logic Controller (PLC) through operational technology (OT). Thus, the devices in industry are equivalent to the PLC plus "sensors + actuators." Security research focuses on the PLC. The "Device <-> User" architecture also exists in industrial scenarios: administrators use configuration software to control devices. Although user-oriented industrial terminals such as smart meters have also tried the cloud model, there is no large-scale promotion due to security considerations.
Figure 2. IoT architecture on the industry-level.
2.2. Device Composition
Whether a big and complex machine for car manufacturing or a small smart bracelet for wearing, IoT devices contain relatively fixed components such as chips, flash, firmware, and so on. Their composition mainly includes hardware and software parts.
(1) Hardware parts:
•Logic chip. For complex devices, it has an operating system, so it needs multiple logic chips or a CPU. Simple embedded devices may only use a single microprocessor to run programs.
•Memory. Provides the storage space for the system and for program running, ranging from a few KB to
•Flash. The location where the IoT device firmware is stored. Part of the device's bootloader is also stored in the flash.
•Network module. The difference between IoT devices and traditional embedded devices is that they connect to the Internet. They generally adopt wireless technology to connect to the Internet through a hub, such as access points (APs).
•Serial debug interface. The IoT device often requires a means of communicating with the external world for debugging. The serial debug interface can be used to send and receive commands to and from the vendor's developers. One of the most commonly used interfaces is the universal asynchronous receiver/transmitter (UART).
(2) Software parts:
•Bootloader. It is a small program. Before the IoT device system runs, it initializes the hardware and loads the firmware into the boot device. Thus, it brings the system's software and hardware environment to a suitable state.
•Firmware. The firmware includes the operating system, file system, and service programs. Security research on IoT devices generally starts with firmware analysis.
2.3. Attack Surface
IoT devices not only have attack surfaces in the field of traditional software security but also introduce new attack surfaces due to their special structure and requirements. According to the IoT architecture and device composition, attack surfaces can be divided into three layers, as Figure 3 shows.
Figure 3. Attack surface of IoT device.
2.3.1. Attack Surface on the Hardware Layer
The attack surface on the hardware layer is different from the traditional security field. It mainly includes three aspects: unsafe debugging interface, unprotected flash chip, and leakage of sensitive hardware information.
1. Unsafe debugging interface. When the IoT device is manufactured, a debug interface such as UART is left on the circuit board to facilitate repair. If it has no authentication or weak authentication, attackers can obtain a high-privilege shell through the interface to modify or replace the firmware. The unsafe debugging interface is the first item on an IoT security check-list.
2. Unprotected flash chip. Because the flash chip is often used to store firmware, it has become the focus of attention. If the chip is not read-write protected, security researchers can read the firmware for analysis or write modified firmware to bypass the authentication of interface access.
3. Leakage of sensitive hardware information. The hardware circuit layout is not well sealed. Leakage of hardware information such as sounds and power consumption enables side-channel attacks [28–31], through which attackers can acquire important information such as encryption keys.
2.3.2. Attack Surface on the Software Layer
The attack surface on the software layer corresponds to the software parts of the bootloader and firmware in the device composition. It mainly includes the following five aspects: unsafe bootloader, unsafe operating system, leakage of sensitive information in firmware, unsafe application service, and incorrect configuration strategy:
1. Unsafe bootloader. This point of attack is easy to ignore because the bootloader is a piece of code that is loaded from the chip once the device starts running. Its function is to initialize the device and load the firmware. Thus, it carries a high risk when problems arise. For example, checkm8 [ ], the Boot ROM exploit, has widely been proclaimed as the most important single exploit ever released for iPhone, iPad, Apple TV, and Apple Watch devices.
2. Unsafe operating system. Due to the short development cycle and lightweight requirements of IoT devices, the kernel of the operating system is tailored, and the version is usually not up-to-date, which causes various problems such as buffer overflow and privilege escalation. In addition, devices use various sensors and communication modules, which bring a large number of drivers into the kernel. For example, multiple vulnerabilities such as CVE-2019-14901, CVE-2019-14897, and CVE-2019-14896 [ ] were found in the Marvell WiFi chip driver. They cause stack-based or heap-based buffer overflows in the kernel. This is also an important part of the attack surface.
3. Leakage of sensitive information in firmware. Local storage on IoT devices generally uses a lightweight storage solution. Developers often ignore security and store data in plain text or with simple encryption, which can easily lead to the leakage of sensitive information.
4. Unsafe application service. Application service development lacks security standards. Simple and unsafe application code is compiled and used directly to speed up product development. Therefore, it is easy to introduce unknown vulnerabilities. IoT security researchers have discovered a large number of vulnerabilities in applications developed by manufacturers, including backdoors left for unknown reasons.
5. Incorrect configuration strategy. Services such as ssh and telnet are enabled for easy management of IoT products, and configuration problems follow. Weak authentication policies are configured by default, which allows attackers to easily obtain a shell on the device. For example, Telestar Digital GmbH IoT radio devices could be exploited by remote attackers to hijack devices through telnet servers without authentication [ ]. The vulnerabilities have been tracked as CVE-2019-13473 [ ] and CVE-2019-13474.
2.3.3. Attack Surface on the Protocol Interface Layer
The attack surface on the protocol interface layer represents communication and application programming interfaces (APIs). It involves the device directly controlled by the user side, the device indirectly controlled through the cloud, and the information protection issues of these two types of communication process. Security at the protocol level itself is not covered. For example, the abuse of IoT communication protocols and the AR-DDoS [ ] attack is performed through the IoT communication protocols Constrained Application Protocol (CoAP) [ ], SSDP [ ], and SNMP. Its target is not the flaws of IoT devices. However, it is also an important research direction of IoT security. The attack surface on the protocol interface layer mainly includes the following three aspects: unsafe interface of remote management, leakage of sensitive information in transmission, and weak authentication.
1. Unsafe interface of remote management. For portable management, IoT devices use remote management interfaces such as HTTP services, which bring multiple vulnerabilities such as SQL injection, Cross-site Scripting (XSS), and remote code execution.
2. Leakage of sensitive information in transmission. The IoT communication protocol may use weak encryption algorithms or even no encryption, which leads to the leakage of sensitive information. For example, in Passwords in the Air [ ], the WiFi password is transmitted in plain text when the IoT device is connected to the network.
3. Weak authentication. Due to security requirements, the management of IoT devices requires authentication binding. However, a new attack surface has emerged. Attackers can bypass authentication, duplicate the binding, and obtain other users' information. The Phantom Device Attack [ ] found four specific attack methods on this attack surface.
3. Vulnerability Analysis, Discovery, Detection, and Mitigation
At this stage, there is no precise classification of IoT security. In addition, the core of security research is vulnerability. Therefore, we focus on the device's vulnerabilities. Around their life cycle, the research process is divided into three stages: discovery, detection, and mitigation. Because of the particularity of IoT security, there are no standard interfaces to support analysis. Thus, research on the basic analytical framework of IoT is also valuable research content. To comprehensively review IoT security technologies, we summarize the following four aspects: (1) Research on the basic framework of vulnerability analysis, which performs firmware simulation to help analyze IoT security issues. (2) Research on vulnerability discovery technology, which studies methods to discover unknown vulnerabilities in IoT devices. (3) Research on vulnerability detection, which studies methods to detect known vulnerabilities based on the features and signatures of existing vulnerabilities. (4) Research on vulnerability mitigation, which studies methods to automatically fix vulnerabilities or access control methods to limit malicious behavior. In addition, this section mainly summarizes IoT vulnerability analysis technologies, which require a series of pre-conditions, such as firmware extraction. Thus, we mark the technical requirements, but do not sum them up.
3.1. Research on the Basic Framework of Vulnerability Analysis
To address the growing concerns about the security of IoT systems, it is vital to perform an accurate analysis of firmware binaries, even when the source code or the hardware documentation is not available [ ]. However, vulnerability analysis in the IoT security field is obstructed by the lack of a dedicated basic framework. For example, dynamic analysis relies on the ability to execute software in a controlled environment, often an instrumented emulator [ ]. Thus, the basic framework mainly provides the features of dynamic debugging by semi-simulation and full simulation methods. It can perform complex dynamic analyses to support IoT security research.
Technical requirements: The ability to fetch firmware of the IoT device.
For the lack of specialized analysis tools for firmware, especially dynamic analysis tools, the authors of Avatar [ ] proposed a framework to analyze firmware combining both a simulated execution mode on simulators and an actual execution mode on real devices. When the firmware is running in simulation mode, Avatar forwards the operation to the actual device in the case of input/output (I/O) access. The real device returns the results to the simulator after dealing with the operation so that the simulator can continue the execution. It effectively solves the problem of specific peripheral components without source code and documentation. Then, Prospect [ ] and Surrogate [ ] proposed similar dynamic analysis frameworks. Four years later, the team behind Avatar re-developed Avatar2 [ ], which allows security researchers to inter-operate between different dynamic analysis frameworks, debuggers, simulators, and real devices. In addition, the authors also show how to use Avatar2 to record the execution flow of the device. Chen et al. [ ] proposed Firmadyne, focusing on Linux-based devices. They first use software for system-wide simulation, then adopt dynamic analysis methods such as scanning and probing to discover vulnerabilities. The simulation features of the above frameworks are based on QEMU [ ]. For sensor operations that are not easy to simulate, semi-simulation frameworks [ ] guide I/O operations to the physical hardware by software-agent methods when executing firmware instructions, as Table 1 summarizes.
Table 1. Summary of the basic framework of vulnerability analysis. Semi-simulation = the framework needs to rely on the real-world device to receive forwarded I/O.

Ref.         Architecture Support      Simulation Type
             ARM    MIPS    x86
Firmadyne    √      √               Full simulation
3.2. Research on Vulnerability Discovery
With the increase in the number of vulnerabilities in IoT devices and the rise of attack trends, security researchers pay more and more attention to vulnerability mining on devices. This section describes the technology of vulnerability discovery, including dynamic analysis and static analysis. By studying traditional program security analysis, we find that dynamic analysis involves fuzzing [ ] and taint checking [ ], while static analysis involves symbolic execution [ ], taint analysis, and data-flow analysis.
3.2.1. Dynamic Analysis Method
The dynamic analysis method needs tools to simulate firmware for dynamic debugging or performs on-chip debugging on a physical device to obtain feedback information. It mainly adopts fuzz testing to find the trigger point of the vulnerability.
Technical requirements: The ability to dynamically debug on an IoT device.
In card security research, Alimi et al. [ ] used a universal algorithm to generate test samples and fuzz mobile phone cards or bank cards. For some modern smart cards containing web servers, Kamel et al. [ ] found some bugs by fuzzing these web servers with a generation method based on the HTTP protocol. In terms of car safety, Koscher [ ] and Lee [ ] can change the state of the car by mutating the packets sent to the Controller Area Network (CAN) bus [ ] to fuzz the car's smart system. Due to the difficulty of extracting firmware from the IoT device, IoTFuzzer [ ] captures crash information from the user side to avoid this problem. Firstly, it inserts a stub into the interaction protocol code of the mobile application. Secondly, the authors of IoTFuzzer mutate the data captured from the stub and send them to the device. Finally, they judge the effect of fuzzing by heartbeat packets and responses. Because devices are difficult to debug directly, researchers have begun to combine simulation technology to find vulnerabilities. Costin et al. [ ] implement a fully automated framework that applies dynamic firmware analysis techniques to achieve automated vulnerability discovery of web interfaces within embedded firmware images. Recently, the targets of Srivastava et al. [ ] are no longer limited to web interfaces. They present FirmFuzz [ ], an automated device-independent emulation and dynamic analysis framework for Linux-based firmware images (camera and router). Zheng et al. [ ] proposed Firm-AFL, the first high-throughput greybox fuzzer for IoT firmware. In addition, they extended AFL [ ], the currently popular fuzzer, to the field of IoT. For research on fuzzing, Muench et al. [ ] analyzed the universality of traditional anomaly state detection methods for IoT devices, and they implemented a system based on Avatar [ ] and Panda [ ]. In addition, they compare the throughput of a blackbox fuzzer under different configurations, including native execution (directly sending inputs to the hardware), partial emulation (redirecting only hardware requests to the hardware), and full emulation [ ]. This is a performance evaluation of vulnerability analysis techniques. In conclusion, the types of vulnerabilities discovered by the aforementioned dynamic analysis techniques are diverse, as Table 2 shows. They are mainly memory issues such as buffer overflow (BO) and null pointer dereference (NPD). There are also some web server vulnerabilities such as XSS and SQL injection because of the study of the web interface.
3.2.2. Static Analysis Method
The static analysis method can discover vulnerabilities in IoT devices without executing firmware. The process builds an understanding of the program code to find bugs. Thus, it is generally
Technical requirements: The ability to fetch firmware of IoT devices.
The typical static analysis process is as follows: (1) Extract the firmware. (2) Reverse the binary program in the firmware. (3) Find the security problem by manual audit. In academia, researchers mainly explore automated static analysis methods to find vulnerabilities. In Table 2, we summarize static analysis, including research targets, subdivided technology, and the types of vulnerabilities found. Costin et al. [ ] first analyzed the firmware of embedded devices on a large scale and automatically. They automatically decompress and process firmware and use fuzzy hashes to match weak keys in firmware. FIE [ ], based on KLEE [ ], constructs a symbolic execution engine for embedded devices. It formulates a memory specification, interrupt specification, and chip specification to find violations of custom security specifications in firmware. Firmalice [ ] is also based on the symbolic execution method; it finds authentication bypass vulnerabilities through the input determinism of the backdoor. For the taint analysis method, SainT [ ] and DTaint [ ] adopt static methods to discover vulnerabilities on the basis of the APP or the binary code of devices, respectively.
Table 2. Summary of IoT device vulnerability discovery technology. BO = Buffer Overflow. NPD = Null Pointer Dereference. CI = Command Injection. CSRF = Cross-site Request Forgery.

Category   Ref.         Target        Technology               Types of Vulnerabilities Found
Dynamic    Alimi        Smart Card    Fuzzing                  Logic Vulnerability
Dynamic    Kamel        Smart Card    Fuzzing                  Logic Vulnerability
Dynamic    Koscher      Smart Car     Fuzzing                  Weak Access Control
Dynamic    Lee          Smart Car     Fuzzing                  Weak Access Control
Dynamic    IoTFuzzer    Smart Home    Fuzzing                  BO, NPD
Dynamic    Costin       Router        Fuzzing                  CI, XSS, CSRF, SQL Injection
Dynamic    FirmFuzz     Smart Home    Fuzzing                  BO, NPD, CI, XSS
Dynamic    Firm-AFL     Smart Home    Fuzzing                  BO, NPD
Static     Costin2014   Binary code   Fuzzy hash               Weak Authentication, Backdoor
Static     FIE          Binary code   Symbolic execution       BO
Static     Firmalice    Binary code   Symbolic execution       Backdoor
Static     SainT        APP           Static Taint analysis    Data Leakage
Static     DTaint       Binary code   Static Taint analysis    BO, CI
3.3. Research on Vulnerability Detection
The dynamic and static analysis techniques from the previous section can also be applied to detect known vulnerabilities. In large-scale detection scenarios, however, dynamic analysis relies on architecture-specific tools to execute, and static analysis detects known vulnerabilities the same way it mines zero-days, which increases the performance cost and time consumption. At present, researchers mainly adopt the following two methods: network scanning and code similarity detection.
3.3.1. Network Scanning Method
The network scanning method detects known vulnerabilities by sending probe packets with a payload to the services of online IoT devices. It is widely used in the security field. With the development of IoT security, special network scanning topics for IoT devices emerge.
Technical requirements: The ability to know vulnerability information such as Proof of Concept (PoC).
Cui et al. [ ] scanned existing embedded devices on the Internet to discover a list of devices with weak passwords and other types of vulnerabilities. After 2013, search engines such as Shodan [ ], and Zoomeye [ ] emerged, which identify and detect weak passwords, backdoors, and known vulnerabilities. However, it is difficult to find most security vulnerabilities only by external scanning. In addition, there are ethical issues with unauthorized analysis of devices on the Internet. Thus, vulnerability scanning is typically performed in laboratories and intranets. The advantage of this method is that detection from the service layer does not need to consider the structure of the device. It is fast, effective, and suitable for large-scale testing. Current commercial vulnerability detection systems are mainly based on this method.
3.3.2. Similarity Detection Method
Security researchers have introduced software code similarity detection methods to detect known vulnerabilities because of the large number of unpatched known vulnerabilities in IoT devices. At this stage, research on similarity detection is mainly aimed at the traditional software security field and gradually supports IoT devices across architectures. There is no research paper specifically for IoT firmware similarity detection. As Figure 4 shows, the basic idea of the similarity detection method is to extract the original features from the code, such as strings, instruction sequences, basic blocks, syntax trees, function call graphs, and so on. Then, the similarity of these features is measured by an algorithm. Finally, it is determined whether there is a vulnerability in the corresponding code fragment. This section is divided into the following two points: similarity detection on source code and similarity detection on binary code.
Figure 4. Similarity detection architecture.
Technical requirements: The ability to fetch ﬁrmware of IoT devices.
(1) Similarity Detection on Source Code
In terms of detecting known vulnerabilities based on source code, CP-Miner [ ] adopts a token-based method that uses a lexer to generate a token sequence and searches for repeated token sequences to measure similarity. ReDeBug [ ] proposed a scalable method that combines patch code to determine the features of the vulnerable code before it was repaired, and it detects unpatched code clones. However, the above source-code-based approach does not apply to IoT. In most cases, security researchers cannot obtain the source code of firmware.
(2) Similarity Detection on Binary Code
In terms of detecting known vulnerabilities based on binary code, researchers mainly face the problem that it is difficult to detect code similarity due to different compiler code generation algorithms, different compiler optimization options, and different instruction sets. N-Grams [ ] and N-Perms [ ] are early means of vulnerability search [ ]. Karim et al. [ ] use binary sequences or code in memory for matching algorithms without any understanding of code semantics. Thus, these kinds of methods struggle with the opcode reordering problem caused by different compilation options. To improve the matching accuracy, the Tracelet-based [ ] approach reconstructs the code into an execution sequence and uses a solver to handle its constraints and data constraints. Thus, it solves the problem of operation code disorder. Furthermore, TEDEM [ ] adopts symbols to simplify binary programs and judges the similarity of basic blocks by tree edit distance. It can even find vulnerabilities on different operating systems.
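As an added illustration of the n-gram/n-perm discussion above and of the cross-architecture problem this section raises (this script is not from the paper or from any of the cited tools), the Python code below computes multiset-Jaccard similarity over mnemonic n-grams and order-insensitive n-perms for constructed assembly listings: one function as two compiler schedules, an unrelated function, and a hand-written ARM rendering of the same function. The coarse instruction-class table is an assumed stand-in for lifting to an intermediate representation, and every listing is constructed for the example.

```python
"""Mnemonic n-gram vs. n-perm similarity for binary function matching.

Constructed example: the x86-64 and ARM listings below are hand-written
stand-ins for disassembled functions; the class table is an assumption.
"""
from collections import Counter
from typing import List

# Same function body as a compiler might schedule it at two optimization
# levels: independent instructions (the mov/lea pair, the xor/add pair)
# appear in a different order. Constructed listings.
X86_SCHED_A = [
    "push rbp", "mov rbp, rsp", "mov eax, [rdi]", "lea rdx, [rsi+8]",
    "xor ecx, ecx", "add eax, [rdx]", "inc ecx", "cmp eax, 0x40",
    "jg .fail", "mov [rdi], eax", "pop rbp", "ret",
]
X86_SCHED_B = [
    "push rbp", "mov rbp, rsp", "lea rdx, [rsi+8]", "mov eax, [rdi]",
    "add eax, [rdx]", "xor ecx, ecx", "inc ecx", "cmp eax, 0x40",
    "jg .fail", "mov [rdi], eax", "pop rbp", "ret",
]
# An unrelated function, to check that the score stays low for it.
X86_UNRELATED = [
    "push rbp", "mov rbp, rsp", "xor eax, eax", "call puts", "pop rbp", "ret",
]
# The same logic as X86_SCHED_A rendered by hand for ARM (constructed).
ARM_SCHED_A = [
    "push {fp, lr}", "add fp, sp, #4", "ldr r2, [r0]", "add r3, r1, #8",
    "mov ip, #0", "ldr r3, [r3]", "add r2, r2, r3", "add ip, ip, #1",
    "cmp r2, #64", "bgt .fail", "str r2, [r0]", "pop {fp, pc}",
]

# Coarse instruction classes: a crude, assumed stand-in for lifting both
# architectures to a common intermediate representation.
CLASSES = {
    "push": "STACK", "pop": "STACK", "ret": "RET", "lea": "ADDR",
    "xor": "ARITH", "add": "ARITH", "sub": "ARITH", "inc": "ARITH",
    "cmp": "CMP", "jg": "BRANCH", "bgt": "BRANCH", "call": "CALL",
    "bl": "CALL", "ldr": "LOAD", "str": "STORE",
}


def mnemonics(listing: List[str]) -> List[str]:
    """Raw mnemonic sequence: the view a plain n-gram feature has."""
    return [ins.split()[0] for ins in listing]


def classes(listing: List[str]) -> List[str]:
    """Architecture-neutral class sequence. x86 'mov' is split into
    LOAD/STORE/MOV by looking for a memory operand in source or destination."""
    out = []
    for ins in listing:
        mnem = ins.split()[0]
        if mnem == "mov" and "," in ins:
            dst, src = ins[len(mnem):].split(",", 1)
            cls = "STORE" if "[" in dst else ("LOAD" if "[" in src else "MOV")
        else:
            cls = CLASSES.get(mnem, "OTHER")
        out.append(cls)
    return out


def profile(listing, n=2, perm=False, normalize=False) -> Counter:
    """Multiset of length-n windows. perm=True sorts each window, giving the
    order-insensitive n-perm feature; normalize=True works on classes."""
    seq = classes(listing) if normalize else mnemonics(listing)
    windows = (tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))
    return Counter(tuple(sorted(w)) if perm else w for w in windows)


def jaccard(a: Counter, b: Counter) -> float:
    """Multiset Jaccard index: |a and b| / |a or b| using min/max counts."""
    union = sum((a | b).values())
    return sum((a & b).values()) / union if union else 0.0


def similarity(x, y, **kw) -> float:
    return jaccard(profile(x, **kw), profile(y, **kw))


def report() -> dict:
    """Bigram similarity scores for the constructed pairs."""
    return {
        "reordered/ngram": similarity(X86_SCHED_A, X86_SCHED_B),
        "reordered/nperm": similarity(X86_SCHED_A, X86_SCHED_B, perm=True),
        "unrelated/ngram": similarity(X86_SCHED_A, X86_UNRELATED),
        "unrelated/nperm": similarity(X86_SCHED_A, X86_UNRELATED, perm=True),
        "cross-arch/raw": similarity(X86_SCHED_A, ARM_SCHED_A),
        "cross-arch/classes": similarity(X86_SCHED_A, ARM_SCHED_A, normalize=True),
    }


if __name__ == "__main__":
    for name, score in report().items():
        print(f"{name:20s} {score:.3f}")
```

With bigrams, the reordered schedule scores 7/15 under n-grams but 4/7 under n-perms while the unrelated function stays at 1/7 under both, so the order-insensitive feature absorbs the reordering without inflating unrelated matches. The x86/ARM pair scores 0 on raw mnemonics and only 0.375 after class normalization, which is why the cross-architecture work discussed next relies on semantic rather than syntactic features.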
Because basic blocks share common syntactic features, basic-block features have difficulty expressing the similarity between binary files. Researchers began to consider adopting the program's Control Flow Graph (CFG) [ ] to describe the behavior of the program, so that the similarity comparison can be performed on the graph. BinDiff [ ] and BinSlayer [ ] check the similarity between two binaries based on the similarity measure of CFG isomorphism, but they are not specifically designed for vulnerability detection. It is difficult to find cross-platform vulnerable code fragments by comparing the CFGs of two completely different binaries. Egele et al. [ ] proposed Blanket Execution and point out that research on establishing the semantic similarity of binaries based on static analysis is easily affected by the compilation chain and compilation optimization level. Therefore, they suggested extracting the dynamic run-time features of the program to counter the changes in the CFG caused by the above reasons. [ ] and iBinHunt [ ] use symbolic execution and theorem proving techniques to examine the semantic equivalence between basic blocks and find out which semantics are different.
However, the ﬁrmware of IoT devices is highly heterogeneous, including multiple architectures
such as MIPS, ARM, PPC, x86, and so on. Their opcodes, register names, and memory addressing
methods are different. Thus, the above methods are hard to apply to large-scale cross-architecture
vulnerability detection. Only in the last two or three years did researchers begin to study
the issues of cross-architecture similarity detection based on binary code [
]. Multi-MH [
] is the
first binary-based cross-architecture similarity detection method. First, the binary code is lifted to an
intermediate representation. Then, the method executes basic blocks on specific inputs and captures
their semantics from the observed I/O behavior. Finally, it uses the captured CFG to detect
vulnerabilities. However, its performance overhead is too high for a large set of
functions. DiscovRE [
] checks whether the CFG of a set of function pairs is similar through the graph
matching algorithm and accelerates CFG matching by pre-filtering. However, its pre-filtering is
unreliable and leads to many missed vulnerabilities (false negatives). BinGo [
] captures complete
functional semantics by introducing selective inline related library functions and user-deﬁned functions
for cross-platform code search. However, it is not designed specifically for IoT devices. Genius [
uses traditional machine learning to learn high-level feature representations from the CFG.
In addition, it encodes graph embedding [
] as a high-dimensional numerical feature vector. Then,
the graph matching algorithm is used to measure the similarity between the objective function and a
set of function binaries, which can effectively improve the performance and scalability. Xu et al. [
were the first to adopt deep learning for cross-platform binary code similarity detection, using
graph embedding based on a neural network model. In cross-version code similarity
] has taken an important step. It extracts three semantic features, including function,
inter-function, and inter-module features, to detect based on the Deep Neural Networks (DNN) model.
Gao et al. also proposed VulSeeker [
] and VulSeeker-Pro [
], vulnerability search methods that combine a deep learning model to improve the accuracy of
vulnerability detection. Both were shown to be more accurate than existing methods such as Gemini.
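The pre-filter caveat above is easiest to see on a small instance. The following added example (not the code of DiscovRE or any other tool mentioned here) searches a two-function corpus for a query function using a coarse numeric pre-filter and then greedy basic-block matching with a Jaccard score over CFG edges. The per-block feature tuples and the three functions are constructed; the copy of the query compiled for MIPS is given two extra error-handling blocks so that its block and edge counts drift beyond the pre-filter's tolerance, which is the kind of compiler-induced variation the text describes:

```python
"""Toy cross-architecture function search: a numeric pre-filter followed by
basic-block graph matching. Added illustration, not DiscovRE's or any cited
tool's code. The per-block features and the three functions are constructed."""
from dataclasses import dataclass

# Assumed architecture-independent per-block features:
# (instructions, call instructions, arithmetic instructions, transfer instructions)


@dataclass
class Function:
    name: str
    blocks: dict   # block id -> feature tuple
    edges: set     # (src block id, dst block id)


def numeric_features(f):
    """Coarse whole-function numbers used by the pre-filter."""
    return (len(f.blocks), len(f.edges),
            sum(b[0] for b in f.blocks.values()),
            sum(b[1] for b in f.blocks.values()))


def rel_diff(a, b):
    return abs(a - b) / max(a, b, 1)


def passes_prefilter(query, cand, tolerance=0.25):
    """Cheap filter: every coarse feature must lie within `tolerance` of the query's."""
    return all(rel_diff(x, y) <= tolerance
               for x, y in zip(numeric_features(query), numeric_features(cand)))


def block_distance(a, b):
    """Normalised L1 distance between two feature tuples (0 = identical)."""
    return sum(abs(x - y) for x, y in zip(a, b)) / max(1, sum(max(x, y) for x, y in zip(a, b)))


def match_blocks(query, cand):
    """Greedy one-to-one assignment of query blocks to the closest candidate blocks."""
    free, mapping = set(cand.blocks), {}
    for qid, qfeat in query.blocks.items():
        if not free:
            break
        best = min(free, key=lambda cid: block_distance(qfeat, cand.blocks[cid]))
        mapping[qid] = best
        free.remove(best)
    return mapping


def graph_similarity(query, cand):
    """Jaccard over CFG edges after mapping query blocks onto candidate blocks."""
    m = match_blocks(query, cand)
    preserved = sum(1 for s, d in query.edges
                    if s in m and d in m and (m[s], m[d]) in cand.edges)
    return preserved / (len(query.edges) + len(cand.edges) - preserved)


def search(query, corpus, use_prefilter=True, threshold=0.5):
    """Names of corpus functions judged similar enough to the query."""
    hits = []
    for cand in corpus:
        if use_prefilter and not passes_prefilter(query, cand):
            continue
        if graph_similarity(query, cand) >= threshold:
            hits.append(cand.name)
    return hits


# Constructed: a known-vulnerable function as compiled for ARM (the query) ...
QUERY = Function("parse_cmd@arm",
                 {"entry": (6, 1, 2, 1), "loop": (8, 0, 4, 1),
                  "copy": (5, 1, 1, 1), "exit": (3, 0, 0, 1)},
                 {("entry", "loop"), ("loop", "copy"), ("copy", "loop"), ("loop", "exit")})

# ... the same source compiled for MIPS, where the compiler emitted two extra
# error-handling blocks, so the coarse block/edge counts drift by a third ...
SAME_FUNC_MIPS = Function("parse_cmd@mips",
                          {"entry": (7, 1, 2, 1), "loop": (9, 0, 4, 1), "copy": (6, 1, 1, 1),
                           "err": (2, 0, 0, 1), "unwind": (3, 1, 0, 0), "exit": (4, 0, 0, 1)},
                          {("entry", "loop"), ("loop", "copy"), ("copy", "loop"), ("loop", "exit"),
                           ("loop", "err"), ("err", "unwind"), ("unwind", "exit")})

# ... and an unrelated MIPS function whose coarse numbers happen to look alike.
UNRELATED_MIPS = Function("fmt_reply@mips",
                          {"a": (7, 1, 3, 1), "b": (4, 0, 2, 1), "c": (5, 1, 1, 1), "d": (3, 0, 0, 1)},
                          {("a", "b"), ("a", "c"), ("b", "d"), ("c", "d")})

CORPUS = [SAME_FUNC_MIPS, UNRELATED_MIPS]

if __name__ == "__main__":
    print("with pre-filter   :", search(QUERY, CORPUS))
    print("without pre-filter:", search(QUERY, CORPUS, use_prefilter=False))
```

With the pre-filter enabled, the true cross-architecture match is discarded before graph matching ever sees it, which is exactly the under-reporting the text attributes to DiscovRE's pre-filter; the unrelated function passes the pre-filter but is then rejected by the graph score. Without the pre-filter, the graph score finds the match and still rejects the unrelated function, at the cost of running the expensive matching on every candidate.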
Future Internet 2020,12, 27 11 of 23
3.4. Research on Vulnerability Mitigation
Building on vulnerability discovery and detection, mitigation is also a research topic of concern to
industry. According to the published literature, the main research hot-spots are automated patch
generation and access control. The former aims to fix vulnerabilities, while the latter limits
malicious behavior.
3.4.1. Automated Patch Generation
The technology of automated patch generation in this section is not speciﬁcally targeted at the IoT
ﬁeld but an extension of the traditional security ﬁeld. The vulnerability repair work is usually done at
the source level by the vendor development team. After obtaining the external vulnerability report,
they eliminate the vulnerability by reproducing the vulnerability trigger condition and analyzing
the vulnerability mechanism. Automatic patch generation holds out the promise of automatically
correcting software defects without the need for developers to diagnose, understand, and correct these
defects manually.
Technical requirements: The ability to fetch and update IoT device ﬁrmware.
The researchers in the ﬁeld of software engineering proposed to automatically generate the patch
by learning the correct code in the C language [
], Java language [
], and other source code levels,
which achieved the initial feasible effect. Another idea is to change the form of the program without
changing its function. GenProg [
] uses an extended form of genetic programming to evolve a
program variant that retains required functionality but is not susceptible to a given defect. However, it
can generate nonsensical patches due to the randomness of its mutation operations. Thus, Kim et al.
proposed Pattern-based Automatic program Repair (PAR) to address this problem. On the Android
platform, Zhang et al. [
] proposed AdaptKpatch, an adaptive kernel hotfix framework, and LuaKpatch, which inserts a
type-safe dynamic language engine into the kernel to execute patches. These solutions address the
Android platform's overly long patch chain, its fragmented and mismatched ecosystem, and its
untimely fixes. However, they do not consider automatic generation of hotfixes across CPU
architectures; hotfixes still have to be written manually from domain knowledge and
experience. The Cyber Grand Challenge (CGC) [
] of DARPA drives researchers
to work on automated defense methods at the binary code level. However, these methods mainly
adopted generalized defense mechanisms such as binary code hardening [
], boundary checking,
and pointer patching.
3.4.2. Access Control Method
Access control methods manage IoT device permissions on the user side or the platform side in
order to restrict or stop malicious behavior by attackers.
Technical requirements: Scalability for the user side or the cloud side.
Fernandes et al.’s [
] first in-depth study of IoT security focused on platforms such as
SmartThings. They found that the great majority of applications are overprivileged because the
capabilities are too coarse-grained, and that devices communicate asynchronously with applications via
events, which do not sufficiently protect events that carry sensitive information such as lock codes [
Many smart-home devices have excessive permissions and ambiguous permission management,
which leads to attacks on IoT devices and disclosure of private data. Researchers at the University of Michigan
have come up with a series of solutions to solve these problems. In 2016, they proposed
a system based on data ﬂow to protect privacy leakage. The application is divided into two components:
(1) A set of Quarantined Modules that operate on sensitive data in sandboxes, and (2) Code that does
not operate on sensitive data but orchestrates execution by chaining Quarantined Modules together
via taint-tracked opaque handles—references to data that can only be dereferenced inside sandboxes.
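An added toy model of that split (not FlowFence's code; the taint labels, the sink policy and the lock data are constructed) shows how orchestrating code can chain Quarantined Modules through opaque handles without ever reading sensitive data, and how a sink is refused when the data it would receive carries a taint the policy does not permit:

```python
"""Toy model of the FlowFence-style split between Quarantined Modules (QMs),
which compute on sensitive data inside a sandbox, and orchestrating code that
only handles taint-tracked opaque handles. Added illustration, not FlowFence's
implementation; labels, policy and lock data are constructed."""
from dataclasses import dataclass


class PolicyViolation(Exception):
    """Raised when a sink would receive data whose taint the policy does not permit."""


@dataclass(frozen=True)
class OpaqueHandle:
    """What the orchestrator sees: a reference id plus taint labels, never the value."""
    ref: int
    taints: frozenset


class Sandbox:
    """Holds the real values. Only QMs dereference handles, and a sink may export
    a value only if every taint on it is permitted for that sink."""

    def __init__(self, policy):
        self._policy = policy   # sink name -> set of taint labels it may receive
        self._store = {}        # ref -> real value, never handed to the orchestrator
        self._next_ref = 0

    def _wrap(self, value, taints):
        self._next_ref += 1
        self._store[self._next_ref] = value
        return OpaqueHandle(self._next_ref, frozenset(taints))

    def source(self, label, value):
        """Admit sensitive data from a device, tagged with the label of its source."""
        return self._wrap(value, {label})

    def run_qm(self, qm, *handles):
        """Run a Quarantined Module on dereferenced inputs; the output inherits
        the union of the input taints (taint propagation)."""
        values = [self._store[h.ref] for h in handles]
        taints = set().union(*(h.taints for h in handles))
        return self._wrap(qm(*values), taints)

    def sink(self, name, handle):
        """Declassify a handle into a sink if the policy allows all of its taints."""
        allowed = self._policy.get(name, set())
        if not handle.taints <= allowed:
            raise PolicyViolation(
                f"sink {name!r} may not receive data tainted by {sorted(handle.taints)}")
        return self._store[handle.ref]


# Quarantined Modules: plain functions that only ever run inside run_qm.
def door_is_unlocked(lock_state):
    return lock_state["state"] == "unlocked"


def build_status_message(lock_state, lock_code):
    # A careless QM whose output would leak the code if it reached an untrusted sink.
    return f"door {lock_state['state']} (code {lock_code})"


# Constructed policy: the user-notification sink may see lock state only;
# a third-party cloud log may receive nothing derived from the lock.
POLICY = {"notify_user": {"lock.state"}, "cloud_log": set()}


def orchestrate():
    """Untrusted app code: chains QMs through handles; returns what the policy decided."""
    sb = Sandbox(POLICY)
    state = sb.source("lock.state", {"state": "unlocked"})   # constructed device data
    code = sb.source("lock.code", "2468")                     # constructed lock code
    result = {}

    unlocked = sb.run_qm(door_is_unlocked, state)                   # taint: lock.state
    result["notify_allowed"] = sb.sink("notify_user", unlocked)

    msg = sb.run_qm(build_status_message, state, code)              # taint: lock.state + lock.code
    result["message_taints"] = sorted(msg.taints)
    try:
        sb.sink("cloud_log", msg)
        result["leak_blocked"] = False
    except PolicyViolation:
        result["leak_blocked"] = True

    # The orchestrator holds handles but has no attribute through which to read the value.
    result["orchestrator_sees_value"] = hasattr(msg, "value")
    return result


if __name__ == "__main__":
    print(orchestrate())
```

The point of the design is that the policy check happens at the sink, on labels the sandbox attached and propagated, so the orchestrating code never has to be trusted with the lock code: it can compose modules freely, but anything derived from the code is blocked at every sink not explicitly cleared for it.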
Then, in 2017, they implemented ContexIoT based on context information, which helps users
implement effective access control that prevents attackers from performing dangerous operations, by
identifying the context of sensitive operations and ensuring context integrity at runtime. Finally,
] was proposed in 2018 as a risk-based permission model for smart homes that addresses excessive
access permissions by building Access Control Capability Lists (ACCLs) at the source-code level.
Smartauth [
] and FACT [
] are also based on ACCLs, but they build
the ACCLs in different ways: Smartauth builds them from documents identified by natural language
processing (NLP) and app source code, while FACT builds during the phase of device
In the previous section, we investigated in depth the current state of IoT vulnerability analysis
technologies. In this section, we first evaluate these technologies. Second, we point out the
challenges of current research on the basis of that evaluation. Finally, we propose technological
opportunities to address these challenges.
In Table 3, we evaluate techniques from five aspects: attack surface, technical requirement,
architecture support, operating system support, and combination with AI. During vulnerability analysis,
researchers rely on supporting technologies such as emulation, the debugging interface, network traffic,
firmware, and the APP (the companion mobile app). These technical requirements define the methodology
and purpose of a study. For example, IoTFuzzer [
] analyzes the peripheral system by shifting the
target to the APP. The advantage of this method is its better generality, since it avoids the complexity
of the device architecture. Its disadvantage is that the coarse-grained crash information hinders further
analysis of the vulnerability. Assessing these aspects makes it easy to analyze the technical challenges
and future development trends.
Table 3. Evaluation of vulnerability analysis techniques. √ = Yes. S = attack surface on the software layer. P = attack surface on the protocol interface layer.
Technical Requirement Architecture Support OS Support
Avatar, 2014  S √ √ √ √ √
Prospect, 2014  S √ √ √ √
Surrogate, 2015  S √ √ √ √ √
Avatar2, 2018  S √ √ √ √ √
Firmadyne, 2016  S, P1 √ √ √ √ √
Alimi, 2014  P1 √ √
Kamel, 2013  P1 √ √
Koscher, 2010  S √ √
Lee, 2015  S √ √
IoTFuzzer, 2018  S, P1 √ √ √ √ √ √ √ √ √
Costin, 2016  P1 √ √ √ √ √
FirmFuzz, 2019  S, P1 √ √ √ √ √
FIRM-AFL, 2019  S, P1 √ √ √ √ √
Costin, 2014  S, P1 √ √ √ √ √
FIE, 2013  S √ √
Firmalice, 2015  S √ √ √ √
SainT, 2018  S, P1 √ √ √ √ √ √ √ √ √
DTaint, 2018  S √ √ √ √
Cui, 2010  S, P √ √ √ √ √ √ √ √ √
Shodan  S, P √ √ √ √ √ √ √ √ √
Censys, 2015  S, P √ √ √ √ √ √ √ √ √
Zoomeye  S, P √ √ √ √ √ √ √ √ √
Table 3. Cont.
Technical Requirement Architecture Support OS Support
CP-Miner, 2004  S √ √ √
ReDeBug, 2012  S √ √ √
Rendezvous, 2013  S √ √ √
Karim, 2005  S √ √ √
Tracelet-based, 2014  S √ √ √
TEDEM, 2014  S √ √ √ √
BinDiff, 2005  S √ √ √ √ √ √
Binslayer, 2013  S √ √ √
Egele, 2014  S √ √ √
BinHunt, 2008  S √ √ √
iBinHunt, 2012  S √ √ √
Multi-MH, 2015  S √ √ √ √ √
DiscovRE, 2016  S √ √ √ √ √ √ √
BinGo, 2016  S √ √ √ √ √ √
Genius, 2016  S √ √ √ √ √ √
Xu, 2017  S √ √ √ √ √ √
αDiff, 2018  S √ √ √ √ √ √
VulSeeker, 2018  S √ √ √ √ √ √
VulSeeker-Pro, 2018  S √ √ √ √ √ √
Automated Patch Generation
Long, 2015  S √ √
Long, 2016  S √ √
Long, 2017  S √ √
GenProg, 2011  S √ √
Kim, 2013  S √ √
AdaptKpatch, 2016  S √ √ √
Shoshitaishvili, 2017  S √ √ √
Shoshitaishvili, 2018  S √ √ √
Xandra, 2018  S √ √ √
Flowfence, 2016  P √ √ √ √ √ √ √ √ √
ContexIoT, 2017  P √ √ √ √ √ √ √ √ √
Tyche, 2018 [108,110] P √ √ √ √ √ √ √ √ √
Flowfence, 2016  P √ √ √ √ √ √ √ √ √
SmartAuth, 2017  P √ √ √ √ √ √ √ √ √ √
FACT, 2017  P √ √ √ √ √ √ √ √ √
The above evaluation reveals the challenges of current research of vulnerability analysis on IoT
devices. As shown in Table 4, the impact on various technical ﬁelds is different. For IoT device
vulnerability analysis technology, the challenges are as follows:
Table 4. Summary of the impact scope of challenges and opportunities. The scope of influence covers
four kinds of technology: the basic framework of vulnerability analysis (T1), vulnerability
discovery (T2), vulnerability detection (T3), and vulnerability mitigation (T4).
√ = the challenge or opportunity affects this field of technology.
Category Name T1 T2 T3 T4
Complexity and heterogeneity of device √ √ √ √
Limitations of device resources √√√
Closed-source measures √ √ √ √
Application of AI technology √ √ √
Dependency of third-party and open source code √ √ √
Development of peripheral systems √ √
(1) Complexity and Heterogeneity of Device
This issue has always been the biggest challenge for IoT device vulnerability analysis technology.
IoT devices are more heterogeneous than PCs and mobile devices. They use many CPU architectures such as
ARM, MIPS, and x86, and different operating system platforms such as Linux, Windows, and
Android. Firmware and memory layout are usually customized. This makes it difficult to directly apply
the industry's automated vulnerability detection and discovery to the IoT field. The complexity of
IoT devices aggravates the difficulty of static and dynamic analysis techniques. We find that, at this
stage, ARM-based Linux devices such as routers are mostly selected as research targets. The research
on similarity detection expands cross-architecture scenarios [
]; others do not challenge
(2) Limitations of device resources
Because products must be lightweight, IoT devices generally run a reduced operating system or even a
single program on a microcontroller, which leaves them with limited resources. For IoT device
security testing, it is therefore not easy to deploy analysis modules on the target to monitor the
running program from the outside. Security researchers cannot use traditional security analysis
methods and tools directly; they need to rebuild the analysis platform. In addition, dynamic analysis
performance suffers because the computing power of the device hardware is limited. In recent years,
researchers have built emulation systems to address this challenge in the fields of basic framework [
vulnerability discovery [
]. However, it has not been solved well, and this is still a long-term
(3) Closed-Source Measures
For general software, we can mine or detect vulnerabilities in source code or binary programs. For IoT
devices, this is often not possible because of manufacturers' closed-source strategy. Source code
analysis, such as the similarity detection on source code in Section 3.3.2, is no longer applicable to
IoT vulnerability analysis. Manufacturers even encrypt the firmware and strengthen authentication on
the serial debugging interface, believing this makes the device safer. For example, the latest firmware
of the D-Link DIR-882 (867, 878) and 360 clear robots is all encrypted. Thus, vulnerability analysis
based on source code, firmware, and the debugging interface is becoming increasingly difficult.
Through the previous evaluation, we find that vulnerability discovery and detection technology have
avoided relying on these requirements, such as the debugging interface [
], and ﬁrmware [
] in the past two years. However, there are new problems
such as incomplete information.
The characteristics of IoT not only bring challenges to vulnerability analysis, but also new
(1) Application of AI Technology
In recent years, two technological waves of AI and IoT have emerged and integrated, promoting
society into the era of AIoT (AI + IoT). The development of AI technology has also brought new
solutions and methods to the security of IoT. At present, there are related studies using AI technology
for access control [
] and similarity detection [
]. With the development of IoT and
AI, new vulnerability discovery, detection, and mitigation technologies will inevitably appear. When AI
technology is applied to IoT devices, it also opens a new opportunity for AI adversarial attack and defense.
For example, an attacker may poison the training set of a smart speaker and induce it to reply to a
question with negative content (abusive words). Security researchers prevent such problems
by modifying the AI algorithms.
(2) The Dependency of Third-Party and Open-Source Code
IoT ﬁrmware development relies heavily on third-party and open-source code. The manufacturers
usually take new features, high performance, and low power consumption as the main targets of their
products and shorten the development cycle as much as possible to enhance market competitiveness.
Therefore, they adopt the agile development model. Many IoT manufacturers directly reuse open
source code, refer to public code implementation, cross-compile PC platform code and rely on
third-party libraries. Cui et al. [
] found that 80.4% of printer ﬁrmware contained multiple known
vulnerabilities at the time of release, and many of the latest released ﬁrmware updates still contained
third-party library vulnerabilities that were announced eight years ago. Although this exposes
a large number of security issues, it has also led to unique vulnerability discovery techniques:
homologous vulnerabilities can be mined through similarity at different levels of information, and
similarity detection will find wider application in the IoT field.
(3) Development of Peripheral Systems
IoT devices are becoming more interactive, which in turn promotes the development of IoT peripheral
systems. By their nature, IoT devices usually interact with terminals (mobile and PC), cloud endpoints,
and other systems. This not only adds new attack surfaces but also drives the development of
peripheral analysis techniques that sidestep the difficulty of acquiring and analyzing firmware.
For example, current research on IoTFuzzer [
] and access control
frameworks [108–112] all perform automated analysis and protection through peripheral systems.
5. Research Directions
In the previous sections, we introduced challenges and opportunities. We find that IoT
vulnerability discovery, detection, and mitigation technologies continue the trajectory of traditional
security research but also have their own distinct research directions.
• AI-based vulnerability discovery and detection technology. Whether in function or in security, IoT
and AI technologies are rapidly converging. The current AI technology is successfully used in
vulnerability detection. As research progresses, it will expand to other vulnerability analysis
techniques. For example, Generative Adversarial Networks (GANs) [
] have been applied
in abnormal detection of IoT system behavior [
]. In the future, GANs may have a potential
application in IoT vulnerability discovery because they may learn different attack scenarios to
generate samples similar to a zero-day attack and provide algorithms with a set of samples beyond
the existing attacks.
• Large-scale vulnerability analysis techniques. The complexity and heterogeneity of IoT devices
hinder automated and large-scale analysis, as discussed in Section 4.2. However, this demand has
become urgent in the IoT security industry. Security researchers need a cross-platform approach to
overcome this problem, which is a long-term research direction.
• Automated vulnerability exploitation. To exploit vulnerabilities in IoT devices and protect the
devices from intrusion, we need to generate PoCs in an automated way. This helps to better understand
the hazards and causes of vulnerabilities. As the IoT field develops, automated attack and defense
will also become a hotspot.
• Vulnerability analysis based on a peripheral system. The above challenges show that it is
increasingly difficult to analyze devices directly by static and dynamic methods. IoT devices are
becoming more interactive. Not only will there be more and more vulnerabilities involving
peripheral systems, but also the study of peripheral system analysis methods will
• Automatic multi-platform patch generation on binary code. Because of some IoT vendors'
closed-source policies and security inaction, device firmware cannot be patched in time. To this
end, we need an automated repair method for cross-platform binary code vulnerabilities. Automated
patch generation at the binary code level requires a full understanding of how a vulnerability arises
and of the conditions that eliminate it. Relying entirely on expert domain knowledge would require
thousands of vulnerability templates, so it is difficult to achieve a scalable and feasible solution.
At the same time, the variety of operating systems and hardware architectures brings technical
challenges. Solving the automatic generation of multi-platform binary code patches is a long-term
goal for the whole security field.
With the rapid development of the IoT, the protection of users' security and privacy faces significant
impact and challenges. Although research on the security of IoT devices has gradually risen,
it is still in its start-up stage within the information security field. Thus, a comprehensive summary
of current research is needed to guide the development of IoT security. This paper analyzes IoT
architecture and attack surfaces at the consumer level and the industry level, revealing the background
of current research. We first refined the classification into four aspects: analysis tools, vulnerability
discovery, vulnerability detection, and vulnerability mitigation. Based on these aspects, we review
vulnerability analysis technologies and summarize their targets, features, and research directions. We
then evaluate vulnerability analysis techniques and find that current research has long faced
challenges, including the complexity and heterogeneity of devices, the limitations of device resources,
and closed-source measures. Opportunities also accompany these challenges. Technologies involving AI
and peripheral system analysis will appear widely in the field of IoT security. In the future, more and
more technologies will be combined with new fields to implement automated, large-scale, and
cross-architecture vulnerability analysis.
Conceptualization, J.Z.; Funding acquisition, J.Z. and Z.S.; Investigation, M.Y.; Project
administration, J.Z. and Z.S.; Writing—original draft, M.Y.; Writing—review and editing, J.Z. and Z.S.; M.C.
and L.J. All authors have read and agreed to the published version of the manuscript.
Conﬂicts of Interest: The authors declare no conﬂict of interest.
Lueth, K.L. State of the IoT 2018: Number of IoT Devices Now at 7B—Market Accelerating. Available online:
on 6 December 2019).
Rawlinson, K. Internet of Things Research Study. Available online: https://www8.hp.com/us/en/hp-
news/press-release.html?id=1744676 (accessed on 6 December 2019).
Wikipedia. Mirai(malware). Available online: https://en.wikipedia.org/wiki/Mirai_(malware) (accessed
on 6 December 2019).
Trevor, H. Internet of Things (IoT) History. Available online: https://www.postscapes.com/iot-history/
(accessed on 6 December 2019).
Gan, G.; Lu, Z.; Jiang, J. Internet of things security analysis. In Proceedings of the International Conference
on Internet Technology and Applications, Wuhan, China, 16–18 August 2011.
Suo, H.; Wan, J.; Zou, C.; Liu, J. Security in the internet of things: A review. In Proceeding of the International
Conference on Computer Science and Electronics Engineering, Hangzhou, China, 23–25 March 2012.
Zhao, K.; Ge, L. A survey on the internet of things security. In Proceedings of the 2013 Ninth International
Conference on Computational Intelligence and Security, Leshan, China, 14–15 December 2013.
Pescatore, J.; Shpantzer, G. Securing the Internet of Things Survey; SANS Institute: Bethesda, MD, USA, 2014;
Balte, A.; Kashid, A.; Patil, B. Security issues in Internet of things (IoT): A survey. Int. J. Adv. Res. Comput.
Sci. Softw. Eng. 2018,5, 450–455.
Ngu, A.H.; Gutierrez, M.; Metsis, V.; Nepal, S.; Sheng, Q.Z. IoT middleware: A survey on issues and enabling
technologies. IEEE Int. Things J. 2016,4, 1–20, doi:10.1109/JIOT.2016.2615180.
Yang, Y.; Wu, L.; Yin, G.; Li, L.; Zhao, H. A survey on security and privacy issues in Internet-of-Things. IEEE
Int. Things J. 2017,4, 1250–1258, doi:10.1109/JIOT.2017.2694844.
Alaba, F.A.; Othman, M.; Hashem, I.A.T.; Alotaibi, F. Internet of Things security: A survey. J. Net. Comput.
Appl. 2017,88, 10–28, doi:10.1016/j.jnca.2017.04.002.
Zhang, Z.K.; Cho, M.C.Y.; Wang, C.W.; Hsu, C.W.; Chen, C.K.; Shieh, S. IoT security: ongoing challenges
and research opportunities. In Proceedings of the 7th IEEE International Conference on Service-Oriented
Computing and Applications, Matsue, Japan, 17–19 November 2014.
Mahmoud, R.; Yousuf, T.; Aloul, F.; Zualkernan, I. Internet of things (IoT) security: Current status, challenges
and prospective measures. In Proceedings of the 10th International Conference for Internet Technology and
Secured Transactions (ICITST), London, UK, 14–16 December 2015.
Fernandes, E.; Rahmati, A.; Eykholt, K.; Prakash, A. Internet of things security research: A rehash of old
ideas or new intellectual challenges. IEEE Secur. Priv. 2017,15, 79–84, doi:10.1109/MSP.2017.3151346.
Al-Garadi, M.A.; Mohamed, A.; Al-Ali, A.; Du, X.; Guizani, M. A survey of machine and deep learning
methods for internet of things (IoT) security. arXiv, arXiv:1807.11023. Available online:
https://arxiv.org/abs/1807.11023 (accessed on 6 December 2019).
Alrawi, O.; Lever, C.; Antonakakis, M.; Monrose, F. Sok: Security evaluation of home-based iot deployments.
In Proceedings of the IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 19–23
Xie, W.; Jiang, Y.; Tang, Y.; Ding, N.; Gao, Y. Vulnerability detection in iot ﬁrmware: A survey. In Proceedings
of the IEEE 23rd International Conference on Parallel and Distributed Systems (ICPADS), Shenzhen, China,
15–17 December 2017.
Zheng, Y.; Wen, H.; Cheng, K.; Song, Z.W.; Zhu, H.S.; Sun, L.M. A Survey of IoT Device Vulnerability Mining
Techniques. J. Cyber Secur. 2019,4, 61–75, doi:10.19363/J.cnki.cn10-1380/tn.2019.09.06.
Samsung. Samsung SmartThings. Available online: https://www.smartthings.com/ (accessed on 6
Google. Google Weave Project. Available online: https://developers.google.com/weave/ (accessed on 6
Apple Inc. Apple HomeKit. Available online: http://www.apple.com/ios/home/ (accessed on 6
Home, A. Home Assistant. Available online: https://www.home-assistant.io (accessed on 6 December 2019).
24. Mi Inc. IoT Developer Platform. Available online: https://iot.mi.com/ (accessed on 6 December 2019).
25. WiFi, A. WiFi. Available online: https://www.wi-ﬁ.org/ (accessed on 6 December 2019).
26. Zigbee, A. Zigbee. Available online: https://zigbee.org/ (accessed on 6 December 2019).
Bluetooth Technology Website. Available online: https://www.bluetooth.com/ (accessed on 6
Liu, X.; Zhou, Z.; Diao, W.; Li, Z.; Zhang, K. When good becomes evil: Keystroke inference with smartwatch.
In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver,
CO, USA, 12–16 October 2015.
Das, A.; Borisov, N.; Caesar, M. Do you hear what i hear?: Fingerprinting smart devices through embedded
acoustic components. In Proceedings of the ACM SIGSAC Conference on Computer and Communications
Security, Scottsdale, AZ, USA, 3–7 November 2014.
Vasyltsov, I.; Lee, S. Entropy extraction from bio-signals in healthcare IoT. In Proceedings of the 1st ACM
Workshop on IoT Privacy, Trust, and Security, Singapore, 14 April 2015.
McCann, D.; Eder, K.; Oswald, E. Characterising and comparing the energy consumption of side channel
attack countermeasures and lightweight cryptography on embedded device. In Proceedings of the
International Workshop on Secure Internet of Things (SIoT), Vienna, Austria, 21–25 September 2015.
Stokes, P., SentinelOne. Checkm8: 5 Things You Should Know about the New iOS Boot ROM Exploit.
Available online: https://www.sentinelone.com/blog/checkm8-5-things- you-should-know-new-ios-boot-
rom-exploit/ (accessed on 6 December 2019).
MITRE Corp. Marvell WiFi. Available online: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=
+Marvell+WiFi (accessed on 6 December 2019).
Paganini, P. Million of Telestar Digital GmbH IoT Radio Devices Can Be Remotely Hacked. Available online:
https://securityaffairs.co/wordpress/91069/hacking/telestar-iot-radio-devices-hack.html (accessed on 6
MITRE Corp. CVE-2019-13473. Available online: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-
2019-13473 (accessed on 6 December 2019).
MITRE Corp. CVE-2019-13474. Available online: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-
2019-13474 (accessed on 6 December 2019).
Costa Gondim, J.J.; de Oliveira Albuquerque, R.; Clayton Alves Nascimento, A.; García Villalba, L.J.;
A methodological approach for assessing ampliﬁed reﬂection distributed denial of service on the
internet of things. Sensors 2016,16, 1855, doi:10.3390/s16111855.
Wikipedia. Constrained Application Protocol. Available online: https://en.wikipedia.org/wiki/
Constrained_Application_Protocol (accessed on 6 December 2019).
UPnP Corp. UPnP Device Architecture 1.0. Available online: http://www.upnp.org/specs/arch/UPnP-
arch-DeviceArchitecture-v1.0-20080424.pdf (accessed on 6 December 2019).
Li, C.; Cai, Q.; Li, J.; Liu, H.; Zhang, Y.; Gu, D.; Yu, Y. Passwords in the Air: Harvesting Wi-Fi Credentials
from SmartCfg Provisioning. In Proceedings of the 11th ACM Conference on Security & Privacy in Wireless
and Mobile Networks, Stockholm, Sweden, 18–20 June 2018.
Zhou, W.; Jia, Y.; Yao, Y.; Zhu, L.; Guan, L.; Mao, Y.; Zhang, Y. Phantom Device Attack: Uncovering
the Security Implications of the Interactions among Devices, IoT Cloud, and Mobile Apps. arXiv
Vasile, S.; Oswald, D.; Chothia, T. Breaking All the Things—A Systematic Survey of Firmware Extraction
Techniques for IoT Devices. In Proceedings of the International Conference on Smart Card Research and
Advanced Applications, Montpellier, France, 12–14 November 2018.
Zaddach, J.; Bruno, L.; Francillon, A.; Balzarotti, D. AVATAR: A Framework to Support Dynamic Security
Analysis of Embedded Systems’ Firmwares. In Proceedings of the Network and Distributed System Security
(NDSS) Symposium, San Diego, CA, USA, 23–26 February 2014.
Kammerstetter, M.; Platzer, C.; Kastner, W. Prospect: peripheral proxying supported embedded code testing.
In Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, Kyoto,
Japan, 3–6 June 2014.
Koscher, K.; Kohno, T.; Molnar, D. SURROGATES: Enabling Near-Real-Time Dynamic Analyses of Embedded
Systems. In Proceedings of the 9th USENIX Workshop on Offensive Technologies (WOOT 15), Washington,
DC, USA, 10–11 August 2015.
Muench, M.; Nisi, D.; Francillon, A.; Balzarotti, D. Avatar 2: A Multi-target Orchestration Platform.
In Proceedings of the Workshop on Binary Analysis Research (colocated with NDSS Symposium), San Diego,
CA, USA, 18 February 2018.
Chen, D.D.; Woo, M.; Brumley, D.; Egele, M. Towards Automated Dynamic Analysis for Linux-based
Embedded Firmware. In Proceedings of the Network and Distributed System Security (NDSS) Symposium,
San Diego, CA, USA, 21–24 February 2016.
Bellard, F. QEMU, a fast and portable dynamic translator. In Proceedings of the USENIX Annual Technical
Conference, Anaheim, CA, USA, 10–15 April 2005.
Wikipedia. Fuzzing. Available online: https://en.wikipedia.org/wiki/Fuzzing (accessed on 6
Wikipedia. Taint Checking. Available online: https://en.wikipedia.org/wiki/Taint_checking (accessed on 6
51. King, J.C. Symbolic execution and program testing. Commun. ACM 1976,19; 385–394.
Alimi, V.; Vernois, S.; Rosenberger, C. Analysis of embedded applications by evolutionary fuzzing.
In Proceedings of the 2014 International Conference on High Performance Computing & Simulation (HPCS),
Bologna, Italy, 21–25 July 2014.
Kamel, N.; Lanet, J.L. Analysis of HTTP protocol implementation in smart card embedded web server. Int. J.
Inf. Netw. Security (IJINS) 2013,2, 417.
Koscher, K.; Czeskis, A.; Roesner, F.; Patel, S.; Kohno, T.; Checkoway, S.; McCoy, D.; Kantor, B.; Anderson, D.;
Shacham, H.; et al. Experimental security analysis of a modern automobile. In Proceedings of the IEEE
Symposium on Security and Privacy (SP), Berkeley, CA, USA, 16–19 May 2010.
Lee, H.; Choi, K.; Chung, K.; Kim, J.; Yim, K. Fuzzing can packets into automobiles. In Proceedings of the
29th International Conference on Advanced Information Networking and Applications, Gwangiu, Korea,
24–27 March 2015.
Wikipedia. CAN bus. Available online: https://en.wikipedia.org/wiki/CAN_bus (accessed on 6
Chen, J.; Diao, W.; Zhao, Q.; Zuo, C.; Lin, Z.; Wang, X.; Lau, W.C.; Sun, M.; Yang, R.; Zhang, K. Iotfuzzer:
Discovering Memory Corruptions in Iot through App-Based Fuzzing. In Proceedings of the Network and
Distributed System Security (NDSS) Symposium, San Diego, CA, USA, 18–21 February 2018.
Costin, A.; Zarras, A.; Francillon, A. Automated dynamic ﬁrmware analysis at scale: A case study
on embedded web interfaces. In Proceedings of the 11th ACM on Asia Conference on Computer and
Communications Security, Xi’an, China, 30 May–3 June 2016.
Srivastava, P.; Peng, H.; Li, J.; Okhravi, H.; Shrobe, H.; Payer, M. FirmFuzz: Automated IoT Firmware
Introspection and Analysis. In Proceedings of the 2nd International ACM Workshop on Security and Privacy
for the Internet-of-Things, London, UK, 15 November 2019.
Zheng, Y.; Davanian, A.; Yin, H.; Song, C.; Zhu, H.; Sun, L. FIRM-AFL: high-throughput greybox fuzzing of
iot ﬁrmware via augmented process emulation. In Proceedings of the 28th USENIX Security Symposium
(USENIX Security 19), Santa Clara, CA, USA, 14–16 August 2019.
Zalewski, M. American Fuzzy Lop. Available online: http://lcamtuf.coredump.cx/aﬂ (accessed on 6
Muench, M.; Stijohann, J.; Kargl, F.; Francillon, A.; Balzarotti, D. What You Corrupt Is Not What You Crash:
Challenges in Fuzzing Embedded Devices. In Proceedings of the Network and Distributed System Security
(NDSS) Symposium, San Diego, CA, USA, 18–21 February 2018.
Dolan-Gavitt, B.; Hodosh, J.; Hulin, P.; Leek, T.; Whelan, R. Repeatable reverse engineering with PANDA.
In Proceedings of the 5th Program Protection and Reverse Engineering Workshop, Los Angeles, CA, USA,
15 December 2015.
Costin, A.; Zaddach, J.; Francillon, A.; Balzarotti, D. A large-scale analysis of the security of embedded
ﬁrmwares. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security 14), San Diego, CA,
USA, 20–22 August 2014.
Davidson, D.; Moench, B.; Ristenpart, T.; Jha, S. FIE on Firmware: Finding Vulnerabilities in Embedded
Systems Using Symbolic Execution. In Proceedings of the 22nd USENIX Security Symposium (USENIX
Security 13), Washington, DC, USA, 14–16 August 2013.
Celik, Z.B.; Babun, L.; Sikder, A.K.; Aksu, H.; Tan, G.; McDaniel, P.; Uluagac, A.S. KLEE: Unassisted and
Automatic Generation of High-Coverage Tests for Complex Systems Programs. In Proceedings of the 8th
USENIX Symposium on Operating Systems Design and Implementation(OSDI 2008), San Diego, CA, USA,
8–10 December 2008.
Shoshitaishvili, Y.; Wang, R.; Hauser, C.; Kruegel, C.; Vigna, G. Firmalice-Automatic Detection of
Authentication Bypass Vulnerabilities in Binary Firmware. In Proceedings of the Network and Distributed
System Security (NDSS) Symposium, San Diego, CA, USA, 8–11 February 2015.
Celik, Z.B.; Babun, L.; Sikder, A.K.; Aksu, H.; Tan, G.; McDaniel, P.; Uluagac, A.S. Sensitive information
tracking in commodity IoT. In Proceedings of the 27th USENIX Security Symposium (USENIX Security 18),
Baltimore, MD, USA, 15–17 August 2018.
69. Cheng, K.; Li, Q.; Wang, L.; Chen, Q.; Zheng, Y.; Sun, L.; Liang, Z. DTaint: Detecting the taint-style vulnerability in embedded device firmware. In Proceedings of the 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Luxembourg, 25–28 June 2018.
70. Cui, A.; Stolfo, S.J. A quantitative analysis of the insecurity of embedded network devices: Results of a wide-area scan. In Proceedings of the 26th Annual Computer Security Applications Conference, Austin, TX, USA, 6–10 December 2010.
71. Al-Alami, H.; Ali, H.; Hussein, A.B. Vulnerability scanning of IoT devices in Jordan using Shodan. In Proceedings of the 2nd International Conference on the Applications of Information Technology in Developing Renewable Energy Processes & Systems (IT-DREPS), Amman, Jordan, 6–7 December 2017.
72. Durumeric, Z.; Adrian, D.; Mirian, A.; Bailey, M.; Halderman, J.A. A search engine backed by Internet-wide scanning. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015.
73. Knownsec, Inc. ZoomEye. Available online: https://www.zoomeye.org/ (accessed on 6 December 2019).
74. Li, Z.; Lu, S.; Myagmar, S.; Zhou, Y. CP-Miner: A Tool for Finding Copy-paste and Related Bugs in Operating System Code. In Proceedings of the 6th Symposium on Operating System Design and Implementation (OSDI 2004), San Francisco, CA, USA, 6–8 December 2004.
75. Jang, J.; Agrawal, A.; Brumley, D. ReDeBug: Finding unpatched code clones in entire OS distributions. In Proceedings of the IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 20–23
76. Wikipedia. N-gram. Available online: https://en.wikipedia.org/wiki/N-gram (accessed on 6
77. Myles, G.; Collberg, C. K-gram based software birthmarks. In Proceedings of the 2005 ACM Symposium on Applied Computing, Santa Fe, NM, USA, 13–17 March 2005.
78. Khoo, W.M.; Mycroft, A.; Anderson, R. Rendezvous: A search engine for binary code. In Proceedings of the 10th Working Conference on Mining Software Repositories, San Francisco, CA, USA, 18–19 May 2013.
79. Karim, M.E.; Walenstein, A.; Lakhotia, A.; Parida, L. Malware phylogeny generation using permutations of code. J. Comput. Virol. 2005, 1, 13–23, doi:10.1007/s11416-005-0002-9.
80. David, Y.; Yahav, E. Tracelet-based code search in executables. ACM SIGPLAN Notices
81. Pewny, J.; Schuster, F.; Bernhard, L.; Holz, T.; Rossow, C. Leveraging semantic signatures for bug search in binary programs. In Proceedings of the 30th Annual Computer Security Applications Conference, New Orleans, LA, USA, 8–12 December 2014.
82. Allen, F.E. Control flow analysis. ACM SIGPLAN Notices 1970, 5, 1–19, doi:10.1145/390013.808479.
83. Dullien, T.; Rolles, R. Graph-based comparison of executable objects. In Proceedings of SSTIC'05, Rennes, France, 1–3 July 2005.
84. Bourquin, M.; King, A.; Robbins, E. BinSlayer: Accurate comparison of binary executables. In Proceedings of the 2nd ACM SIGPLAN Program Protection and Reverse Engineering Workshop, Rome, Italy, 26
85. Egele, M.; Woo, M.; Chapman, P.; Brumley, D. Blanket execution: Dynamic similarity testing for program binaries and components. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security 14), San Diego, CA, USA, 20–22 August 2014.
86. Gao, D.; Reiter, M.K.; Song, D. BinHunt: Automatically finding semantic differences in binary programs. In Proceedings of the International Conference on Information and Communications Security, Birmingham, UK, 20–22 October 2008.
87. Ming, J.; Pan, M.; Gao, D. iBinHunt: Binary hunting with inter-procedural control flow. In Proceedings of the International Conference on Information Security and Cryptology, Seoul, Korea, 28–30 November 2012.
88. Pewny, J.; Garmany, B.; Gawlik, R.; Rossow, C.; Holz, T. Cross-architecture bug search in binary executables. In Proceedings of the IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 17–21 May 2015.
89. Eschweiler, S.; Yakdan, K.; Gerhards-Padilla, E. discovRE: Efficient Cross-Architecture Identification of Bugs in Binary Code. In Proceedings of the Network and Distributed System Security (NDSS) Symposium, San Diego, CA, USA, 21–24 February 2016.
90. Chandramohan, M.; Xue, Y.; Xu, Z.; Liu, Y.; Cho, C.Y.; Tan, H.B.K. BinGo: Cross-architecture cross-OS binary search. In Proceedings of the 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering, Seattle, WA, USA, 13–18 November 2016.
91. Feng, Q.; Zhou, R.; Xu, C.; Cheng, Y.; Testa, B.; Yin, H. Scalable graph-based bug search for firmware images. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016.
92. Yan, S.; Xu, D.; Zhang, B.; Zhang, H.J.; Yang, Q.; Lin, S. Graph embedding and extensions: A general framework for dimensionality reduction. IEEE Trans. Pattern Anal. Mach. Intell.
93. Xu, X.; Liu, C.; Feng, Q.; Yin, H.; Song, L.; Song, D. Neural network-based graph embedding for cross-platform binary code similarity detection. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA, 30 October–3 November 2017.
94. Liu, B.; Huo, W.; Zhang, C.; Li, W.; Li, F.; Piao, A.; Zou, W. αDiff: Cross-version binary code similarity detection with DNN. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, Montpellier, France, 3–7 September 2018.
95. Gao, J.; Yang, X.; Fu, Y.; Jiang, Y.; Sun, J. VulSeeker: A semantic learning based vulnerability seeker for cross-platform binary. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, Montpellier, France, 3–7 September 2018.
96. Gao, J.; Yang, X.; Fu, Y.; Jiang, Y.; Shi, H.; Sun, J. VulSeeker-Pro: Enhanced semantic learning based binary vulnerability seeker with emulation. In Proceedings of the 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, Tallinn, Estonia, 26–30 August 2019.
97. Long, F.; Rinard, M. Prophet: Automatic Patch Generation via Learning from Successful Patches. Available online: https://core.ac.uk/download/pdf/78062945.pdf (accessed on 6 December 2019).
98. Long, F.; Rinard, M. Automatic patch generation by learning correct code. In Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, St. Petersburg, FL, USA, 20–22 January 2016.
99. Long, F.; Amidon, P.; Rinard, M. Automatic inference of code transforms for patch generation. In Proceedings of the 11th Joint Meeting on Foundations of Software Engineering, Paderborn, Germany, 4–8 September 2017.
100. Le Goues, C.; Nguyen, T.; Forrest, S.; Weimer, W. GenProg: A generic method for automatic software repair. IEEE Trans. Softw. Eng. 2011, 38, 54–72, doi:10.1109/TSE.2011.104.
101. Kim, D.; Nam, J.; Song, J.; Kim, S. Automatic patch generation learned from human-written patches. In Proceedings of the International Conference on Software Engineering, San Francisco, CA, USA, 18–26
102. Zhang, Y.; Chen, Y.; Bao, C.; Xia, L.; Zhen, L.; Lu, Y.; Wei, T. Adaptive kernel live patching: An open collaborative effort to ameliorate Android N-day root exploits. In Proceedings of Black Hat USA, Las Vegas, NV, USA, 30 July–4 August 2016.
103. DARPA. Cyber Grand Challenge. Available online: https://www.darpa.mil/program/cyber-grand-challenge (accessed on 6 December 2019).
104. Shoshitaishvili, Y.; Bianchi, A.; Borgolte, K.; Cama, A.; Corbetta, J.; Disperati, F.; Dutcher, A.; Grosen, J.; Grosen, P.; Machiry, A.; et al. Mechanical Phish: Resilient autonomous hacking. IEEE Secur. Priv.
105. Shoshitaishvili, Y.; Weissbacher, M.; Dresel, L.; Salls, C.; Wang, R.; Kruegel, C.; Vigna, G. Rise of the HaCRS: Augmenting autonomous cyber reasoning systems with human assistance. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA, 30 October–3
106. Nguyen-Tuong, A.; Melski, D.; Davidson, J.W.; Co, M.; Hawkins, W.; Hiser, J.D.; Morris, D.; Nguyen, D.; Rizzi, E. Xandra: An Autonomous Cyber Battle System for the Cyber Grand Challenge. IEEE Secur. Priv. 2018, 16, 42–51, doi:10.1109/MSP.2018.1870876.
107. Fernandes, E.; Jung, J.; Prakash, A. Security analysis of emerging smart home applications. In Proceedings of the IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 22–26 May 2016.
108. Fernandes, E.; Paupore, J.; Rahmati, A.; Simionato, D.; Conti, M.; Prakash, A. FlowFence: Practical data protection for emerging IoT application frameworks. In Proceedings of the 25th USENIX Security Symposium (USENIX Security 16), Austin, TX, USA, 10–12 August 2016.
109. Jia, Y.J.; Chen, Q.A.; Wang, S.; Rahmati, A.; Fernandes, E.; Mao, Z.M.; Prakash, A. ContexIoT: Towards Providing Contextual Integrity to Appified IoT Platforms. In Proceedings of the Network and Distributed System Security (NDSS) Symposium, San Diego, CA, USA, 26 February–1 March 2017.
110. Rahmati, A.; Fernandes, E.; Eykholt, K.; Prakash, A. Tyche: A risk-based permission model for smart homes. In Proceedings of the IEEE Cybersecurity Development (SecDev), Cambridge, MA, USA, 30 September–2
111. Tian, Y.; Zhang, N.; Lin, Y.H.; Wang, X.; Ur, B.; Guo, X.; Tague, P. SmartAuth: User-centered authorization for the Internet of Things. In Proceedings of the 26th USENIX Security Symposium (USENIX Security 17), Vancouver, BC, Canada, 16–18 August 2017.
112. Lee, S.; Choi, J.; Kim, J.; Cho, B.; Lee, S.; Kim, H.; Kim, J. FACT: Functionality-centric access control system for IoT programming frameworks. In Proceedings of the 22nd ACM Symposium on Access Control Models and Technologies, Indianapolis, IN, USA, 21–23 June 2017.
113. Cui, A.; Costello, M.; Stolfo, S. When firmware modifications attack: A case study of embedded exploitation. In Proceedings of the Network and Distributed System Security (NDSS) Symposium, San Diego, CA, USA, 24–27 February 2013.
114. Goodfellow, I.; Pouget-Abadie, J.; Mirza, M.; Xu, B.; Warde-Farley, D.; Ozair, S.; Courville, A.; Bengio, Y. Generative adversarial nets. In Proceedings of the Advances in Neural Information Processing Systems 27 (NIPS 2014), Montreal, QC, Canada, 8–13 December 2014.
115. Hiromoto, R.E.; Haney, M.; Vakanski, A. A secure architecture for IoT with supply chain risk management. In Proceedings of the 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), Bucharest, Romania, 21–23 September 2017.
© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).