Abstract
The unprecedented surge in Internet of Things (IoT) device deployment has brought forth significant security challenges, primarily arising from vulnerabilities within firmware that facilitate unauthorized access, data exfiltration, and network exploitation. This study undertakes a comprehensive static analysis of 1,520 IoT firmware samples using the Firmware Analysis and Comparison Tool (FACT) alongside metadata from the WikiDevi archive to systematically identify inherent security flaws. Among the key vulnerabilities discovered are improper handling of format strings (CWE-134, 10.07%), memory mismanagement issues (CWE-416, 10.06%; CWE-415, 10.03%), and the presence of exposed debugging interfaces (CWE-782, 10.07%). These results highlight enduring risks in critical domains such as healthcare and industrial IoT, often magnified by insecure coding practices and reliance on outdated software components. To address these systemic shortcomings, this study proposes the Risk Mitigation Modeling for IoT Development Lifecycle (RMMIDL), a secure-by-design framework that embeds proactive security measures throughout each phase of IoT development. RMMIDL offers a systematic and well-defined framework for addressing pervasive risks, enhancing the resilience of IoT ecosystems, and promoting the implementation of robust security measures. Furthermore, this study outlines prospective research directions, emphasizing the potential of integrating large language models (LLMs), broadening the scope of firmware datasets, and fostering industry-wide collaboration to drive advancements in IoT security.
Original language | English |
---|---|
Title of host publication | ICSE 2025, 47th International Conference on Software Engineering: proceedings |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Publication status | Accepted - 10 Dec 2024 |
Event | 6th Engineering and Cybersecurity of Critical Systems (EnCyCriS) - Rogers Center, Ottawa, Canada Duration: 27 Apr 2025 → 03 May 2025 https://conf.researchr.org/home/icse-2025/encycris-2025 |
Publication series
Name | International Conference on Software Engineering (ICSE): Proceedings |
---|---|
ISSN (Print) | 0270-5257 |
ISSN (Electronic) | 1558-1225 |
Conference
Conference | 6th Engineering and Cybersecurity of Critical Systems (EnCyCriS) |
---|---|
Abbreviated title | EnCyCriS |
Country/Territory | Canada |
City | Ottawa |
Period | 27/04/2025 → 03/05/2025 |
Internet address |