Table 1: Relations between event categories, vulnerability categories and attack surfaces on IoT ecosystems.

IoT Vulnerabilities Event CategoriesIoT Attack Surfaces
E0E1E2E3E4E5E6E7E8E9E10S0S1S2S3S4S5S6S7S8

Lack of controls to avoid username enumeration

Lack of two-factor auth for critical functions

Lack of control against DoS attacks

IoT service contains Insecure 3r party components

Use of weak password

Lack of an account lockout after multiple failed attempts

Unencrypted network services allowing eavesdropping

Lack of controls against manipulation of the code execution flow

Storage location for updates files is writable

Lack of control for device console access

Update sent without encryption

Storage Media is physically unprotected

Possible Firmware and data extraction

Fail in the implementation of encryption mechanisms

Remote update is done without security controls

Lack of controls to avoid command injection

Acronym and event categories: E0, request exceptions; E1, authentication exceptions; E2, input exceptions; E3, access control exceptions; E4, session exceptions; E5, ecosystem member exceptions; E6, Device Access Events; E7, admin mode events; E8, honey trap exceptions; E9, command injection exceptions; E10, reputation exceptions. acronym and IoT attack surfaces: S0, mobile application; S1, cloud web interface; S2, device web interface; S3, admin interface; S4, local data storage; S5, Device firmware; S6, device network services; S7, update mechanism; S8, device physical interfaces.