Large-Scale Security Analysis of Real-World Backend Deployments Speaking IoT-Focused Protocols

PDF Paper Library link to paper


Carlotta Tagliaro, Martina Komsic, Andrea Continella, Kevin Borgolte, Martina Lindorfer


Preprint, May 2024


Internet-of-Things devices, ranging from smart home assistants to health devices, are pervasive: Forecasts estimate their number to reach 29 billion by 2030. Understanding the security of their machine-to-machine communication is crucial. Prior work focused on identifying devices’ vulnerabilities or proposed protocol-specific solutions. Instead, in this paper, we investigate the security of backends speaking Internet-of-Things (IoT) protocols at scale, that is, the backbone of the entire IoT ecosystem.

We focus on three real-world protocols used by IoT for our large-scale analysis: MQTT, CoAP, and XMPP. We gather a dataset of over 337,000 backends, augment it with geographical and provider data, and perform non-invasive active measurements to investigate three major security threats: information leakage, weak authentication, and denial of service. Our results provide quantitative evidence of a problematic immaturity in the IoT security ecosystem. Among other issues, we find that 9.44% backends expose information, 30.38% CoAP-speaking backends are vulnerable to denial of service attacks, and 99.84% of MQTT-speaking and XMPP-speaking backends use insecure transport protocols (only 0.16% adopt TLS, of which 70.93% adopt a vulnerable version).


  title       = {{Large-Scale Security Analysis of Real-World Backend Deployments Speaking IoT-Focused Protocols}},
  author      = {Tagliaro, Carlotta and Komsic, Martina and Continella, Andrea and Borgolte, Kevin and Lindorfer, Martina},
  date        = {2024-05-15},
  eprint      = {2405.09662},
  eprintclass = {cs.CY},
  eprinttype  = {arxiv},
  url         = {}