{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T10:04:48Z","timestamp":1767261888816,"version":"3.41.0"},"reference-count":50,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2025,1,20]],"date-time":"2025-01-20T00:00:00Z","timestamp":1737331200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2025,2,28]]},"abstract":"<jats:p>Internet of Things (IoT) is defined as the connection between places and physical objects (i.e., things) over the internet\/network via smart computing devices. IoT is a rapidly emerging paradigm that now encompasses almost every aspect of our modern life. As these devices differ from traditional computing, it is important to understand the challenges IoT developers face while implementing proper security measures in their IoT devices. We observed that IoT software developers share solutions to programming questions as code examples on three Stack Exchange Q &amp; A sites: Stack Overflow (SO), Arduino, and Raspberry Pi. Previous research studies found vulnerabilities\/weaknesses in C\/C++ code examples shared in SO. However, the studies did not investigate C\/C++ code examples related to IoT. The studies investigated SO code examples only. In this article, we conduct a large-scale empirical study of all IoT C\/C++ code examples shared in the three Stack Exchange sites, i.e., SO, Arduino, and Raspberry Pi. From the 11,329 obtained code snippets from the three sites, we identify 29 distinct Common Weakness Enumeration (CWE) types in 609 snippets. 
These CWE types can be categorized into eight general weakness categories, and we observe that evaluation, memory, and initialization-related weaknesses are the most common to be introduced by users when posting programming solutions. Furthermore, we find that 39.58% of the vulnerable code snippets contain instances of CWE types that can be mapped to real-world occurrences of those CWE types (i.e., CVE instances). The largest number of vulnerable IoT code examples was found in Arduino, followed by SO and Raspberry Pi. Memory-type vulnerabilities are on the rise in the sites. For example, from the 3,595 mapped CVE instances, we find that 28.99% result in Denial of Service (DoS) errors, which is particularly harmful for network-reliant IoT devices such as smart cars. Our study results can guide various IoT stakeholders to be aware of such vulnerable IoT code examples and can inform IoT researchers during their development of tools that help prevent developers from sharing such vulnerable code examples in the sites.<\/jats:p>","DOI":"10.1145\/3691628","type":"journal-article","created":{"date-parts":[[2024,9,4]],"date-time":"2024-09-04T18:23:09Z","timestamp":1725474189000},"page":"1-40","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":7,"title":["A Large-Scale Study of IoT Security Weaknesses and Vulnerabilities in the Wild"],"prefix":"10.1145","volume":"34","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9179-7902","authenticated-orcid":false,"given":"Madhu","family":"Selvaraj","sequence":"first","affiliation":[{"name":"DISA Lab, University of Calgary, Alberta, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1376-095X","authenticated-orcid":false,"given":"Gias","family":"Uddin","sequence":"additional","affiliation":[{"name":"DISA Lab, University of Calgary, Alberta, 
Canada"}]}],"member":"320","published-online":{"date-parts":[[2025,1,20]]},"reference":[{"key":"e_1_3_1_2_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2017.04.005"},{"key":"e_1_3_1_3_2","doi-asserted-by":"publisher","DOI":"10.1145\/3379597.3387472"},{"key":"e_1_3_1_4_2","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2015.2444095"},{"key":"e_1_3_1_5_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2017.7884629"},{"key":"e_1_3_1_6_2","unstructured":"Archive.org. 2021. Stack Exchange Data Dump. Retrieved from https:\/\/archive.org\/details\/stackexchange\/"},{"key":"e_1_3_1_7_2","unstructured":"Arduino. 2019. Announcing the Arduino IoT Cloud Public Beta. Retrieved 14 November 2021 from https:\/\/blog.arduino.cc\/2019\/02\/06\/announcing-the-arduino-iot-cloud-public-beta\/"},{"key":"e_1_3_1_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/SYNASC.2017.00035"},{"key":"e_1_3_1_9_2","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338939"},{"key":"e_1_3_1_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196430"},{"key":"e_1_3_1_11_2","first-page":"147","volume-title":"Proceedings of the USENIX Conference on Usenix Annual Technical Conference","author":"Celik Z. Berkay","year":"2018","unstructured":"Z. Berkay Celik, Patrick Drew McDaniel, and Gang Tan. 2018. SOTERIA: Automated IoT Safety and Security Analysis. In Proceedings of the USENIX Conference on Usenix Annual Technical Conference, 147\u2013158."},{"key":"e_1_3_1_12_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23326"},{"key":"e_1_3_1_13_2","doi-asserted-by":"crossref","first-page":"21","DOI":"10.1109\/CTS.2012.6261022","volume-title":"Proceedings of the International Conference on Collaboration Technologies and Systems (CTS \u201912)","author":"Chaqfeh Moumena A.","year":"2012","unstructured":"Moumena A. Chaqfeh and Nader Mohamed. 2012. Challenges in Middleware Solutions for the Internet of Things. 
In Proceedings of the International Conference on Collaboration Technologies and Systems (CTS \u201912), 21\u201326."},{"key":"e_1_3_1_14_2","first-page":"411","volume-title":"Proceedings of the 50th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks","author":"Chi Haotian","year":"2020","unstructured":"Haotian Chi, Qiang Zeng, Xiaojiang Du, and Jiaping Yu. 2020. Cross-App Interference Threats in Smart Homes: Categorization, Detection and Handling. In Proceedings of the 50th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks, 411\u2013423."},{"key":"e_1_3_1_15_2","unstructured":"TIOBE Company. 2019. TIOBE Index for January 2019. Retrieved 19 January 2019 from https:\/\/www.tiobe.com\/tiobe-index\/"},{"key":"e_1_3_1_16_2","unstructured":"Cppcheck. 2024. Cppcheck. Retrieved from https:\/\/cppcheck.sourceforge.io\/"},{"key":"e_1_3_1_17_2","doi-asserted-by":"crossref","unstructured":"Jide Edu Jose Such and Guillermo Suarez-Tangil. 2019. Smart Home Personal Assistants: A Security and Privacy Review. 53 6 (Mar. 2019) 7\u201312.","DOI":"10.1145\/3412383"},{"key":"e_1_3_1_18_2","volume-title":"Cyber Security and Resilience of Smart Cars","author":"ENISA","year":"2016","unstructured":"ENISA. 2016. Cyber Security and Resilience of Smart Cars. Technical Report. ENISA."},{"key":"e_1_3_1_19_2","doi-asserted-by":"crossref","first-page":"121","DOI":"10.1109\/SP.2017.31","volume-title":"Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP \u201917)","author":"Fischer Felix","year":"2017","unstructured":"Felix Fischer, Konstantin B\u00f6ttinger, Huang Xiao, Christian Stransky, Yasemin Acar, Michael Backes, and Sascha Fahl. 2017. Stack Overflow Considered Harmful? The Impact of Copy & Paste on Android Application Security. In Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP \u201917). 
IEEE, 121\u2013136."},{"key":"e_1_3_1_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2017.2767291"},{"key":"e_1_3_1_21_2","unstructured":"David Fullerton. 2019. State of the Stack 2019: A Year in Review. Retrieved 21 December 2021 from https:\/\/stackoverflow.blog\/2019\/01\/18\/state-of-the-stack-2019-a-year-in-review\/"},{"key":"e_1_3_1_22_2","first-page":"2212","volume-title":"Proceedings of the 37th International Conference on Distributed Computing Systems","author":"Gong Neil Zhenqiang","year":"2017","unstructured":"Neil Zhenqiang Gong, Altay Ozen, Yu Wu, Xiaoyu Cao, Richard Shin, Dawn Song, Hongxia Jin, and Xuan Bao. 2017. PIANO: Proximity-Based User Authentication on Voice-Powered Internet-of-Things Devices. In Proceedings of the 37th International Conference on Distributed Computing Systems, 2212\u20132219."},{"key":"e_1_3_1_23_2","unstructured":"GuessLang. 2024. Guesslang Documentation. Retrieved 23 November 2021 from https:\/\/guesslang.readthedocs.io\/en\/latest\/#::text=Guesslang%20detects%20the%20programming%20language a%20million%20source%20code%20files"},{"key":"e_1_3_1_24_2","unstructured":"Fraser Hall Leandros Maglaras Theodoros Aivaliotis Loukas Xagoraris and Ioanna Kantzavelou. 2020. Smart Homes: Security Challenges and Privacy Concerns. (Oct. 2020) 1\u20133."},{"key":"e_1_3_1_25_2","doi-asserted-by":"publisher","DOI":"10.5555\/3277203.3277223"},{"key":"e_1_3_1_26_2","doi-asserted-by":"publisher","DOI":"10.14569\/IJACSA.2019.0100611"},{"key":"e_1_3_1_27_2","doi-asserted-by":"publisher","unstructured":"Iman Keivanloo Juergen Rilling and Ying Zou. 2014. Spotting Working Code Examples. (May 2014) 7. 
DOI: 10.1145\/2568225.2568292","DOI":"10.1145\/2568225.2568292"},{"key":"e_1_3_1_28_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2017.11.022"},{"issue":"1","key":"e_1_3_1_29_2","first-page":"5247","article-title":"Big IoT Data Analytics: Architecture, Opportunities, and Open Research Challenges","volume":"5","author":"Marjani Mohsen","year":"2017","unstructured":"Mohsen Marjani, Fariza Nasaruddin, Abdullah Gani, Ahmad Karim, Ibrahim Abaker Targio Hashem, Aisha Siddiqa, and Ibrar Yaqoob. 2017. Big IoT Data Analytics: Architecture, Opportunities, and Open Research Challenges. IEEE Access 5, 1 (2017), 5247\u20135261.","journal-title":"IEEE Access"},{"key":"e_1_3_1_30_2","unstructured":"Ron Miller. [n.d.]. Google\u2019s New IoT Core Service Helps Businesses Manage Their IoT Data and Devices. Retrieved 14 November 2021 from https:\/\/techcrunch.com\/2017\/05\/16\/google-launches-cloud-service-to-manage-internet-of-things-data\/?guccounter=1"},{"key":"e_1_3_1_31_2","doi-asserted-by":"publisher","DOI":"10.1109\/CHASE.2017.53"},{"key":"e_1_3_1_32_2","unstructured":"MITRE. 2024. About CWE. Retrieved 18 October 2021 from https:\/\/cwe.mitre.org\/about\/index.html"},{"key":"e_1_3_1_33_2","unstructured":"MITRE. 2024. CWE List Version 4.6. Retrieved 2 November 2021 from https:\/\/cwe.mitre.org\/data\/"},{"key":"e_1_3_1_34_2","unstructured":"MITRE. 2021. CVE \u2192 CWE Mapping Guidance. Retrieved 8 November 2021 from https:\/\/cwe.mitre.org\/documents\/cwe_usage\/guidance.html"},{"key":"e_1_3_1_35_2","unstructured":"MITRE. 2021. CWE VIEW: Weaknesses in Software Written in C. Retrieved 10 November 2021 from https:\/\/cwe.mitre.org\/data\/definitions\/658.html"},{"key":"e_1_3_1_36_2","unstructured":"MITRE. 2021. CWE VIEW: Weaknesses in Software Written in C++. Retrieved 10 November 2021 from https:\/\/cwe.mitre.org\/data\/definitions\/659.html"},{"key":"e_1_3_1_37_2","unstructured":"NVD. 2024. Vulnerability Metrics. 
Retrieved 8 November 2021 from https:\/\/nvd.nist.gov\/vuln-metrics\/cvss"},{"key":"e_1_3_1_38_2","unstructured":"Ben Popper. 2020. How the Pandemic Changed Traffic Trends from 400M Visitors across 172 Stack Exchange Sites. Retrieved 21 October 2021 from https:\/\/stackoverflow.blog\/2020\/04\/20\/pandemic-changed-traffic-trends-stack-exchange-sites\/"},{"key":"e_1_3_1_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2019.00040"},{"key":"e_1_3_1_40_2","first-page":"195","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy","author":"Ronen Eyal","year":"2017","unstructured":"Eyal Ronen, Adi Shamir, Achi-Or Weingarten, and Colin O\u2019Flynn. 2017. IoT Goes Nuclear: Creating a ZigBee Chain Reaction. In Proceedings of the IEEE Symposium on Security and Privacy, 195\u2013212."},{"key":"e_1_3_1_41_2","unstructured":"Satyajit Sinha. 2021. State of IoT 2021: Number of Connected IoT Devices Growing 9% to 12.3 Billion Globally Cellular IoT Now Surpassing 2 Billion. Retrieved from https:\/\/iot-analytics.com\/number-connected-iot-devices\/"},{"key":"e_1_3_1_42_2","doi-asserted-by":"publisher","DOI":"10.3390\/app10124102"},{"key":"e_1_3_1_43_2","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2019.2953549"},{"key":"e_1_3_1_44_2","doi-asserted-by":"publisher","DOI":"10.5555\/3155562.3155585"},{"key":"e_1_3_1_45_2","doi-asserted-by":"publisher","DOI":"10.1109\/SERP4IoT52556.2021.00013"},{"issue":"121","key":"e_1_3_1_46_2","first-page":"45","article-title":"An Empirical Study of IoT Topics in IoT Developer Discussions on Stack Overflow","volume":"26","author":"Uddin Gias","year":"2021","unstructured":"Gias Uddin, Fatima Sabir, Yann-Ga\u00ebl Gu\u00e9h\u00e9neuc, Omar Alam, and Foutse Khomh. 2021. An Empirical Study of IoT Topics in IoT Developer Discussions on Stack Overflow. 
Empirical Software Engineering 26, 121 (2021), 45.","journal-title":"Empirical Software Engineering"},{"key":"e_1_3_1_47_2","doi-asserted-by":"publisher","unstructured":"Morteza Verdi Ashkan Sami Jafar Akhondali Foutse Khomh Gias Uddin and Alireza Karami Motlagh. 2019. An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code Examples. arXiv:1910.01321. DOI: 10.48550\/ARXIV.1910.01321","DOI":"10.48550\/ARXIV.1910.01321"},{"key":"e_1_3_1_48_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-018-9634-5"},{"key":"e_1_3_1_49_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2954319"},{"key":"e_1_3_1_50_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2021.3058985"},{"key":"e_1_3_1_51_2","doi-asserted-by":"publisher","DOI":"10.1109\/SOCA.2014.58"}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3691628","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3691628","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:09:40Z","timestamp":1750295380000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3691628"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,1,20]]},"references-count":50,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2025,2,28]]}},"alternative-id":["10.1145\/3691628"],"URL":"https:\/\/doi.org\/10.1145\/3691628","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"type":"print","value":"1049-331X"},{"type":"electronic","value":"1557-7392"}],"subject":[],"published":{"date-parts":[[2025,1,20]]},"assertion":[{"value":"2021-12-24","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication 
History"}},{"value":"2024-08-05","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-01-20","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}