Weaknesses and risks of the Consumer Internet of Things
KTH, School of Electrical Engineering and Computer Science (EECS).
2019 (English)
Independent thesis Basic level (degree of Bachelor), 10 credits / 15 HE credits
Student thesis
Alternative title
Svagheter och risker inom Consumer Internet of Things (Swedish)
Abstract [en]

The Consumer Internet of Things (CIoT) is a term describing everyday items connected to the internet. The number of CIoT devices is growing rapidly, and with it come a number of security problems. One way to tackle these security issues is to learn from mistakes and to be aware of the risks at hand at both production and consumer level.

This report examines vulnerabilities from the years 2008-2018 in the National Vulnerability Database (NVD). With the Common Vulnerability Scoring System (CVSS) and the Common Weakness Enumeration (CWE) the following questions are answered: Which are the most common types of vulnerabilities in CIoT products, what risks do they pose and is there evidence of a connection between type of product and type of vulnerability?

The study found that the most common weaknesses were CWE-119, CWE-200, CWE-20 and CWE-264. However, the vulnerabilities of type CWE-119 turned out to be highly concentrated in Apple products and do not reflect the overall trends. The aforementioned weaknesses pose risks to users' confidentiality, integrity and the availability of the software (CIA). The CWEs with the greatest risk of exploitation were CWE-264, with the highest percentage of complete impact on the CIA attributes, and CWE-119, with a lower percentage of complete impact but far more occurrences. The study found no conclusive answer as to whether there is a connection between products and weaknesses, but did find an indication of a relation between certain CWEs and the company Apple. Further intensive and recurring studies should be conducted in the field.

Abstract [sv] (translated from Swedish)

Consumer Internet of Things (CIoT) is a term for everyday products with a connection to the internet. The number of CIoT devices is increasing quickly, which has brought a number of different security challenges. One way to deal with such security problems is to learn from earlier mistakes and to be aware of the risks involved at both the production and the consumer level.

This report examines vulnerabilities from the years 2008-2018 in the National Vulnerability Database (NVD). Using the Common Vulnerability Scoring System (CVSS) and the Common Weakness Enumeration (CWE), the following questions have been answered: Which are the most common types of vulnerabilities in CIoT, what risks do they entail, and is there evidence of a connection between type of product and type of vulnerability?

The study found that the most common weaknesses were CWE-119, CWE-200, CWE-20 and CWE-264. The vulnerabilities of type CWE-119, however, turned out to be unusually concentrated in Apple products and did not represent the distribution in general. The above-mentioned weaknesses pose risks to users' confidentiality, integrity and the availability of the software (CIA). The CWEs that pose the greatest risk are CWE-264, which with the highest probability showed total impact on the CIA aspects, and CWE-119, which despite a lower probability of total impact was the most frequently occurring. The study found no definitive answer as to whether a connection exists between products and weaknesses, but rather an indication of a connection between particular weaknesses and the company Apple. More thorough and periodic studies of the field as a whole are needed.

Place, publisher, year, edition, pages
2019, p. 27
Series
TRITA-EECS-EX ; 2019:390
National Category
Computer and Information Sciences
Identifiers
URN: urn:nbn:se:kth:diva-259296
OAI: oai:DiVA.org:kth-259296
DiVA, id: diva2:1350873
Available from: 2019-09-16
Created: 2019-09-12
Last updated: 2019-09-16
Bibliographically approved

Open Access in DiVA

fulltext (556 kB), 9 downloads
File information
File name: FULLTEXT01.pdf
File size: 556 kB
Checksum (SHA-512): 807423a12a5e6169d1cc35aee45415445e7220c44c4c1c6a58ceba2fb7fc4e34657565454f831fb5ecf7a8d0feec56a38e9e212963ccafd980ce29b9856850db
Type: fulltext
Mimetype: application/pdf
