The Internet of Things (IoT) market is rapidly growing and is expected to double from 2020 to 2025. The increasing use of IoT devices, particularly in smart homes, raises crucial concerns about user privacy and security, as these devices often handle sensitive and critical information. Inadequate security designs and implementations by IoT vendors can lead to significant vulnerabilities. To address these IoT device vulnerabilities, institutions and organizations have published IoT security best practices (BPs) to guide manufacturers in ensuring the security of their products. However, there is currently no standardized approach for evaluating the effectiveness of individual BP recommendations. This leads to manufacturers investing effort in implementing less effective BPs while potentially neglecting measures with greater impact. In this paper, we propose a methodology for evaluating the security impact of IoT BPs and ranking them based on their effectiveness in protecting against security threats. Our approach involves translating identified BPs into concrete test cases that can be applied to real-world IoT devices to assess their effectiveness in mitigating vulnerabilities. We applied this methodology to nine commodity IoT products to evaluate the security impact of the BPs, discovering 18 vulnerabilities. By empirically assessing the actual impact of BPs on device security, IoT designers and implementers can prioritize their security investments more effectively, improving security outcomes and optimizing limited security budgets.