The exponential growth of the Internet of Things (IoT) has integrated connected devices into various sectors such as smart cities, digital health, and Industry 4.0, generating vast amounts of real-time data to support intelligent decision-making. However, this widespread adoption is fundamentally challenged by significant security risks, primarily due to the inherent computational limitations of devices, lack of standardization, and an expanding attack surface. Given that security is paramount to ensuring trust in these environments, this paper presents a comprehensive survey and a multi-dimensional analysis of the IoT threat landscape. It describes 28 common attacks, ranging from traditional threats, such as Man-in-the-Middle, to specialized IoT exploits, including node replication and skimming. To provide a structured understanding of these risks, we employ the STRIDE model for functional threat classification alongside the CVSS framework for quantitative criticality assessment. Furthermore, the research establishes a robust mapping between these threats and five foundational vulnerability classes (Process, Code, Communication, Operation, and Device), uncovering the specific technical entry points exploited by adversaries. Beyond threat identification, the survey presents state-of-the-art mitigation techniques and discusses emerging paradigms and research gaps, serving as a roadmap for future investigation and providing a consolidated technical foundation for both researchers and practitioners aiming to build resilient and secure IoT ecosystems.