Security Vulnerabilities in IoT Protocols: A Survey and Classification

Abstract

The proliferation of Internet of Things (IoT) devices across homes, industries, and cities introduces
unprecedented connectivity and data insights—but also significant security risks. Many IoT communication
protocols, such as MQTT, CoAP, and ZigBee, were not originally designed with strong security in mind. This
paper surveys and classifies the vulnerabilities present in widely adopted IoT protocols based on threat vectors
such as message interception, spoofing, replay attacks, and denial-of-service. We analyze protocol
specifications, vendor implementations, and reported CVEs to identify common weaknesses. For instance,
MQTT’s lack of default encryption and authentication mechanisms exposes it to man-in-the-middle attacks,
while CoAP’s use of UDP can lead to amplification attacks without proper rate limiting. ZigBee networks often
suffer from weak key exchange schemes that allow attackers to impersonate devices. The paper categorizes
these flaws into design-level and implementation-level vulnerabilities and discusses their impact on
confidentiality, integrity, and availability. Finally, we recommend best practices including TLS tunneling,
device authentication, and firmware update mechanisms. This survey serves as a foundational reference for
researchers and practitioners aiming to build or secure IoT systems, especially in critical sectors like
healthcare, manufacturing, and smart cities.