FROM DISCLOSURE TO EXPLOITATION

Date

2025

Publisher

Saudi Digital Library

Abstract

The rapid growth of Internet-of-Things (IoT) devices, such as smart cameras, home routers, and smart thermostats, has transformed the digital landscape while also introducing new cybersecurity risks. IoT systems are often targeted by attackers due to outdated software, long device lifespans, and fragmented security practices. Although many IoT vulnerabilities are discovered and disclosed, only a small fraction are actually exploited in the wild. This raises important questions about which vulnerabilities are targeted, why attackers choose them, and how long they remain in use. This dissertation investigates how IoT vulnerabilities are selected for exploitation in practice, with a particular focus on attacker behavior, exploit development, and vulnerability characteristics. It systematically examines the interplay between these factors to understand how they collectively shape exploitation trends in IoT ecosystems. To answer the central research question, "What factors shape the exploitation in IoT vulnerabilities, from target selection to exploit development and prediction?", this dissertation presents four peer-reviewed studies. Chapter 2 provides a longitudinal analysis of over 17,000 IoT malware samples, revealing that only a handful of IoT vulnerabilities are targeted and often exploited for years after their disclosure. The average time-to-exploit a vulnerability after disclosure was found to be 29 months, far longer than in traditional IT systems. This temporal persistence highlights the enduring value of certain vulnerabilities within the attacker ecosystem. Chapter 3 examines factors influencing exploitation frequency in IoT vulnerabilities. It finds that attackers prefer vulnerabilities that are easy to exploit, affect widely deployed devices, and are difficult to patch. Technical severity scores, like CVSS, were less predictive than contextual factors such as device type and patch complexity.
Chapter 4 addresses the limitations of existing prediction systems, such as the Exploit Prediction Scoring System (EPSS), in assessing IoT-specific risk. By incorporating attacker community discussions from underground forums into a new predictive model, the study significantly improves accuracy and highlights the importance of behavioral and vendor-related features in anticipating exploitation for IoT devices. Finally, Chapter 5 shifts focus to the human element through interviews with 16 Proof-of-Concept (PoC) exploit developers. It finds that disclosure decisions are shaped by individual motivations, ethical considerations, and vendor interactions. PoC developers play a key role in making vulnerabilities exploitable and often act as gatekeepers in the vulnerability ecosystem. This qualitative study examines the socio-technical dynamics influencing PoC developers’ decisions to publish exploits, and how these choices can shape target selection and enable the weaponization of vulnerabilities. Collectively, these findings show that targeting in IoT is not random but follows strategic patterns driven by cost, opportunity, and long-term exploit value. The dissertation argues that current governance mechanisms (market incentives, disclosure systems, and risk models) are misaligned with real-world exploitation practices and therefore fall short in addressing the distinct dynamics of IoT security. To address these gaps, it proposes a hybrid governance model that combines regulatory oversight, community collaboration, and market-based tools to more effectively manage the lifecycle of IoT vulnerability and exploitation.

Keywords

Cybersecurity, Internet of Things, Vulnerability, Exploits, Malware, Static Analysis and Dynamic Analysis, Cybercrime, Underground forums

Copyright owned by the Saudi Digital Library (SDL) © 2026