The End of Anarchy? Understanding the Life of HTTP Exploits Used in IoT Malware Infections

Conference Paper (2026)
Author(s)

Ryu Kuki (Yokohama National University)

Takayuki Sasaki (Yokohama National University)

Arwa Al Alsadi (TU Delft - Technology, Policy and Management)

Carlos Gañán (TU Delft - Technology, Policy and Management, Yokohama National University)

Katsunari Yoshioka (Yokohama National University)

Research Group
Organisation & Governance
DOI related publication
https://doi.org/10.1145/3779208.3785282 Final published version
More Info
expand_more
Publication Year
2026
Language
English
Research Group
Organisation & Governance
Pages (from-to)
128-143
Publisher
ACM
ISBN (electronic)
9798400723568
Event
21st ACM Asia Conference on Computer and Communications Security, AsiaCCS 2026 (2026-06-01 - 2026-06-05), Bangalore, India
Downloads counter
2
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

In recent years, while the threat of cyber attacks and malware targeting the vulnerabilities of the Internet of Things (IoT) has become more serious, various efforts have been made to mitigate the spread of these threats and the damage they cause. This study aims to understand the mechanisms behind the increase and decrease in HTTP-based exploits targeting IoT devices, and to verify the effectiveness of current prevention and mitigation measures. By integrating attack analysis observed in honeypots, collecting malware samples, and publicly available vulnerability information, we visualize the temporal changes in the number of attacks over the lifetime of vulnerabilities, and identify the impact of life events such as the release of the proof-of-concept (PoC) or the weaponization into malware on changes in attack trends. Comparing attack volumes for vulnerabilities discovered from 2008 to 2024, we discover differences in attack trends depending on the age of the device and vulnerability. Our results show that attacks targeting new devices with adequate security measures tend to decrease relatively quickly, while attacks targeting older devices with inadequate measures often persist until the end of the device's life, by being weaponized in malware. These findings confirm that existing security measures are effective to a limited extent, but at the same time, they also show that continuous improvement and proactive measures are necessary to prevent the exploitation of vulnerabilities from continuing for long periods of time.