An open measurement problem in IoT security is whether scan-observable network configurations encode population-level exposure risk beyond individual devices. This paper analyzes internet-exposed IoT endpoints using a controlled multi-country sample from Shodan Search and Shodan InternetDB, selecting 100 hosts identified via TCP port 7547 (TR-069/CWMP) and evenly distributed across the ten most represented countries. Hosts are enriched with scan-derived metadata and analyzed using feature-relevance assessment, cross-country comparisons of open and risky port exposure, and supervised classification of higher-risk exposure profiles. The analysis reveals consistent cross-country differences in exposure structure, with mean risky-port counts ranging from 0.4 to 1.0 per host, and achieves a balanced accuracy of approximately 0.61 when classifying higher-risk exposure profiles.