← Ahmad B. Usman
SUITE

Security of Update-related IoT Traffic Evaluation

A network-level analysis of IoT software update traffic — combining entropy characterization, cipher-suite evaluation, and vulnerability assessment across heterogeneous smart home devices.

10 IoT Devices 34,586 Experiments (Retrospective) 92 CVEs Identified 3 Entropy Metrics Artifact

Abstract

Software updates are essential for maintaining the security and functionality of smart home Internet of Things (IoT) devices. However, the mechanisms and security of these updates introduce new attack surfaces, and the behavior by which updates are applied remains underexplored in the literature.

In this paper, we present a network-level analysis of IoT device update behavior. We investigate the frequency and patterns of updates, statistically examine the encryption mechanisms employed using entropy-based characterization, and assess their strength using cipher-suite-based evaluation. We evaluate our approach using both controlled experiments and retrospective analysis. The controlled evaluation involves ten heterogeneous smart IoT devices deployed in a laboratory environment, where network traffic generated during software update processes was captured and analyzed. The retrospective study analyzes previously collected real-world datasets to assess generalizability across software update scenarios.

Our analysis reveals heterogeneity in update behaviors across device categories, identifiable patterns in update-related traffic, and varying levels of encryption quality. Furthermore, our results show that the confidentiality of update-related traffic is highly compromised, with the severity increasing over the past five years.

Keywords: Software Update · Traffic Analysis · IoT · Entropy · Cipher-suites · Vulnerability

Key Findings at a Glance

92
CVEs linked to weak/insecure cipher-suites
6.1
Average CVSS base score (rising trend)
~38%
Update flows in cleartext (retrospective)
14
Countries contacted for updates
3
Entropy metrics (Shannon, Rényi, Tsallis)
Weak
Cipher-suites dominate TLS usage

1. Introduction

The rapid adoption of IoT devices in smart homes and industrial settings has raised significant security and privacy challenges. To address these issues, IoT devices rely on software or firmware updates, which can be applied when a vulnerability is discovered, either manually by the user or automatically. However, update mechanisms introduce a new attack surface, and the process for firmware and software updates in IoT is non-trivial.

Neglecting the importance of secure software updates can lead to severe consequences, such as the CrowdStrike outage and SolarWinds hack due to faulty updates in 2024 and 2020, respectively. Furthermore, studies show that despite the importance of software updates, several vendors are not adhering to the best security practices. Additionally, certificate deployments across vendors are often inconsistent, with mixed key sizes, long validity windows, and legacy cryptography still present in the traffic.

This research aims to explore the update practices in smart home IoT devices by: (i) identifying update-related patterns, (ii) statistically performing entropy-based characterization, and (iii) evaluating the cryptographic properties of the cipher-suites used.

In this paper, we employ traffic analysis to study update-related IoT communication. Traffic analysis is a group of techniques used to infer details about encrypted traffic by analyzing network-level patterns such as packet directions, timing, and sizes. Unlike deep packet inspection, it does not require decrypting the payload, making it particularly suitable for studying IoT updates where encrypted channels are common.

Contributions

3. Methodology

This section outlines the research questions, traffic analysis framework, and analytical methods. The evaluation combines controlled experiments on ten IoT devices capturing update traffic with retrospective dataset analysis, supporting both internal and external validity.

Research Questions

RQ1: What are the patterns with which modern household IoT devices retrieve software or firmware updates?
RQ2: How trustworthy is the encryption applied to update-related network traffic, statistically and cryptographically, across different IoT devices?
RQ3: What are the potential security implications when IoT vendors fail to adhere to best practices in cryptographic implementation?

3.1 Controlled Experiments

We conducted controlled experiments using ten heterogeneous smart IoT devices. For each device, software update processes were initiated under controlled laboratory conditions. During these update procedures, network traffic was captured using Wireshark and tcpdump to capture all update traffic communication.

The devices were selected to represent diverse IoT categories:

The controlled experiment setup consists of three main steps: (i) update initialization, (ii) acquisition and installation, and (iii) data collection. First, the user agent triggers the update via mobile apps or a computer. Then the software update is checked, downloaded and installed on the dedicated smart IoT device. During steps one and two, the traffic is recorded using a Raspberry Pi 4 configured as a bridged wireless access point.

3.2 Retrospective Experiments

In addition to controlled experiments, retrospective analysis was conducted using previously collected network traffic datasets containing IoT communication traffic. The dataset was generated from the Mon(IoT)r Testbed, a large-scale IoT experimentation platform comprising 81 IoT devices (26 unique models) deployed in the US and the UK, from which 34,586 manually controlled and automated experiments were conducted.

To identify update patterns from the retrospective experiments, we used keywords: software, firmware, update, and download.

3.3 System Model

We develop a system model for network traffic analysis consisting of three main phases: (i) data preprocessing, (ii) metadata extraction, and (iii) parallel execution.

Encrypted traffic is identified by extracting HTTPS protocol sessions that include the TLS handshake, while unencrypted traffic is identified by extracting HTTP protocol sessions. This process involves using and modifying PyShark to disassemble the client and server hello for the TLS handshake.

3.4 Entropy Analysis

To quantify the uncertainty or randomness in encrypted traffic payloads, we compute three types of entropy: Shannon, Rényi, and Tsallis. These measures provide different perspectives on the distribution of byte-level frequencies.

Shannon Entropy:
HShannon(X) = − Σ pi · logb(pi)

Rényi Entropy (α > 0, α ≠ 1):
HRényi(α)(X) = (1/(1−α)) · logb(Σ piα)

Tsallis Entropy (q > 0, q ≠ 1):
HTsallis(q)(X) = (1/(q−1)) · (1 − Σ piq)

Where pi is the probability of the i-th byte value in the packet payload, and b = 256 to match the byte range. We use α = 2 for Rényi entropy.

3.5 Certificate Analysis

We performed a multi-stage analysis of X.509 certificates across the selected IoT devices. Each X.509 certificate was parsed to extract cryptographic and lifecycle metadata (public key algorithm, key size, validity interval) following PKIX/X.509 specifications. Certificates were mapped to security-strength categories using NIST key-size-to-security-bit guidance.

3.6 Cipher-suite Identification

Each cipher-suite was represented in its raw 16-bit hexadecimal identifier as it appears in the handshake. These values were then normalized using the IANA TLS cipher-suite registry. For example: 0xC05CTLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256.

3.7 Vulnerability Analysis

To investigate the vulnerability implications of insecure and weak update-related traffic, we queried the CVE List database using results derived from insecure and weak cryptographic algorithm implementations. We searched for the keywords insecure and weak cipher-suites, following the methods used in prior work on update-related vulnerabilities.

4. Results

4.1 Update-related Traffic Patterns (RQ1)

Controlled Experiments — Devices Used

#DeviceCurrentUpdatedPacketsIP Address
1Apple TVv18.6v26.21,405,56610.42.0.25
2D-Link Camv1.05v1.05 (up to date)3,57410.42.0.152
3Eufy Camv2.1.0.2v2.3.1.633,54010.42.0.160
4Fire TVv7.7.0.8v7.7.0.8 (up to date)7,16310.42.0.23
5HomePodv18.6v26.2767,19610.42.0.79
6Riolink Camv3.0.0v3.1.071,56810.42.0.170
7Sony TVv3.10.79v3.10.79 (up to date)5110.42.0.157
8Tapo C100v1.0.11v1.4.35,92210.42.0.135
9Tapo C200v1.0.10v1.3.1670,52610.42.0.173
10Xiaomi Camv3.5.1v4.0.912,88510.42.0.207

All experiments were conducted within the same local wireless network (10.42.0.0/24). Firmware updates were manually triggered using an iPhone 13 via the wlan0 interface. Apple TV (1,405,566 packets) and HomePod (767,196 packets) generated significantly higher traffic volumes, while Sony TV (up to date) produced only 51 packets.

Contacted Countries

DeviceAUCNDEFRIEITJPNLNZSESGTWUKUS
Apple TV
D-Link Cam
Eufy Cam
Fire TV
HomePod
Riolink Cam
Sony TV
Tapo C100
Tapo C200
Xiaomi Cam

Update Service Providers

ProviderApple TVD-LinkEufyFire TVHomePodRiolinkSony TVTapo C1Tapo C2Xiaomi
Amazon
Apple
Akamai
Alibaba (Aliyun)
Cloudflare
Google
Microsoft
NIST
Netflix
A100 ROW

Update retrieval frequently involves third-party cloud and CDN platforms (Amazon, Akamai, Cloudflare, Microsoft, Google), suggesting that IoT vendors rely on external infrastructure for distributing firmware binaries and update metadata.

Protocols Used

LayerProtocolApple TVD-LinkEufyFire TVHomePodRiolinkSony TVTapo C1Tapo C2Xiaomi
ApplicationHTTP
HTTPS (TLS)
TLS 1.2
TLS 1.3
DNS / DHCP / mDNS / NTP
TransportTCP
QUIC
MPTCP

Retrospective Experiments

Across the 34,586 experiments, we identified 6,315 update-related traffic flows. Of these, 106 were observed in encrypted channels, 2,415 were observed in cleartext, and 3,794 had undetermined encryption status.

Encrypted (106 flows)

  • 71 occurrences of update
  • 32 of software
  • 3 of download

Top devices: apple-tv (11), echo-plus (11), invoke (10), fire-tv (8), samsung-tv (8)

Unencrypted (2,415 flows)

  • 1,569 occurrences of update
  • 735 of firmware
  • 89 of software
  • 22 of download

Top: wemo-plug (1,205), philips-hub (509), samsung-tv (250), roku-tv (80)

4.2 Entropy Analysis (RQ2a)

Controlled Experiments

Mean entropy (H) for the ten devices: 0.77 (Shannon), 0.74 (Rényi), 0.95 (Tsallis).

CategoryShannon RangeDevicesInterpretation
High Entropy> 0.85Apple TV, HomePod, Xiaomi Cam, Tapo C100Predominantly encrypted / unpredictable traffic
Moderate0.75 – 0.85Tapo C200, Fire TV, Eufy CamMixed encrypted and plaintext patterns
Low Entropy< 0.75D-Link Cam, Sony TV, Riolink CamWeaker encryption or significant plaintext

Retrospective Experiments

Mean entropy: 0.70 (Shannon), 0.65 (Rényi), 0.92 (Tsallis). Update-related traffic is comparatively less secure than overall traffic, since the average entropy did not exceed 80% for Shannon in both experiments.

Certificate Analysis

DeviceTotal CertsUniqueBrokenWeakStrongSelf-SignedAvg Validity (yr)Avg Security
Apple TV12316010239.9786.0
D-Link000000
Eufy3013030116.47112.0
Fire TV34445038214.85100.3
HomePod000000
Riolink000000
Sony TV7705109.9398.3
Tapo C100296130114.5169.3
Tapo C20067312291416.43108.0
Xiaomi60505008.12112.0

4.3 Cipher-suite Evaluation (RQ2b)

We extracted cipher-suites from our experiments, categorized into four security levels: secure, recommended, weak, and insecure.

  • Weak (dominant): Particularly eufy-cam, xiaomi-cam, tapo-c200, and sony-tv in controlled experiments. Echo-plus, LG TV, Roku TV, Philips TV, and Samsung TV in retrospective experiments.
  • Secure: Fire TV (13 suites) is most secure, followed by eufy-cam, tapo-c200, and xiaomi-cam. In retrospective: philips-hub (10), apple-tv (9), samsung-tv (8).
  • Recommended: Small but consistent count (~6) across devices in both experiments.
  • Insecure: Low or zero for most devices. Apple TV and HomePod have zero insecure suites, but non-zero values exist for other devices.

We also found Unknown cipher-suites — these are GREASE (Generate Random Extensions And Sustain Extensibility) values, which intentionally use invalid codes to prevent ossification. In retrospective TLS data, negotiated sessions are predominantly TLS 1.2, with no observed TLS 1.3 negotiation.

4.4 Vulnerability Implications (RQ3)

CVE Analysis

Our results show a total of 92 vulnerabilities associated with insecure and weak cipher-suites. Confidentiality is the most highly affected property, and most attack vectors are carried out over the network.

43
High confidentiality impact
22
High integrity impact
6.1
Average CVSS base score

CVSS base scores range from 2.6 to 9.8, with an upward trend in severity over the past five years — suggesting that vulnerabilities linked to weak and insecure cipher usage are becoming increasingly critical.

Top CWE Weaknesses

CWE-IDDescriptionExample CVEs
CWE-327Use of a Broken or Risky Cryptographic AlgorithmCVE-2025-3200, CVE-2020-36363, CVE-2024-10405, CVE-2022-34757
CWE-310Cryptographic IssuesCVE-2022-45453, CVE-2014-8531, CVE-2013-6169, CVE-2021-32496
CWE-326Inadequate Encryption StrengthCVE-2024-42177, CVE-2024-41681, CVE-2023-28021, CVE-2022-48193
CWE-295Improper Certificate ValidationCVE-2023-31486, CVE-2019-1590, CVE-2025-33142
CWE-757Selection of Less-Secure Algorithm During NegotiationCVE-2024-23656, CVE-2017-9267, CVE-2023-2974, CVE-2019-14887

These weaknesses enable attackers to: manipulate and intercept encrypted communications, execute arbitrary code, steal sensitive information, perform man-in-the-middle attacks, conduct brute-force attacks, and ultimately gain full control over system components.

5. Discussion, Limitations & Future Work

Discussion

Our network-level study shows clear heterogeneity in how smart IoT devices handle software and firmware updates. Entropy analysis (Shannon, Rényi, Tsallis) demonstrates that per-device entropy profiles are informative: Tsallis routinely produces the highest values and appears most robust as a discriminator of high-randomness (likely encrypted) payloads, while Shannon and Rényi provide complementary sensitivity.

A non-trivial fraction of update-related sessions are carried over plain-text channels, and many TLS sessions observe weak or legacy cipher-suites. The insecure and weak cipher-suites may not automatically grant an attacker arbitrary code execution, however negotiation through insecure and weak cipher-suites indicates that the underlying firmware does not use independent integrity checks (like RSA/EDDSA signatures on the binary itself).

By mapping weak/insecure cryptographic configurations to public vulnerability records, we identified 92 CVEs tied to weak cipher usage and an average CVSS base score of 6.1, with a rising trend in severity during the last five years.

Structural Visibility Gap

Our results indicate a structural visibility gap in IoT update ecosystems: update-related network exchanges frequently reveal device update behavior and potentially version state to passive network observers. In the retrospective experiments, 2,415 update-related flows are cleartext (~38.2%), while 3,794 (~60.1%) remain unclassified due to protocol/traffic ambiguity, leaving only a small fraction confidently encrypted.

A passive observer (transit adversary, on-path Wi-Fi attacker, or compromised gateway) can monitor update-check timing, endpoints, URIs, and metadata patterns to infer device model and likely firmware state. This enables pre-exploitation prioritization: attackers can identify devices likely lagging on patches and target known vulnerabilities before mitigation is applied.

Importantly, signed firmware does not eliminate this risk. Signature verification protects update integrity, but it does not protect confidentiality of updates. If update checks and version negotiation are observable, attackers gain actionable reconnaissance without needing to tamper with binaries.

Given that many affected devices are surveillance-oriented IoT systems, the persistence of cleartext or weakly protected update signaling in 2026 should be treated as a systemic supply-chain security failure rather than isolated vendor misconfiguration.

Two Practical Implications

  1. Entropy-based monitoring (using multiple metrics and device baselines) can be a low-cost, passive signal to flag sessions that merit further inspection, but it must be applied carefully because absolute thresholds vary by device and payload type.
  2. Transport security alone, especially when configured using legacy ciphers, cannot be relied upon as the sole guarantor of update integrity or confidentiality; analysis of the firmware can be leveraged to ensure higher security.

Limitations

Future Work

6. Conclusion

This paper presented a network-level analysis of update-related traffic of smart IoT devices, focusing on patterns, entropy characterization, and cipher-suite evaluation. By capturing and analyzing network traffic generated during controlled software update processes across ten IoT devices, and complementing this with retrospective dataset analysis, we provide both experimentally grounded and real-world validation of the proposed approach.

Our results show that update traffic is highly heterogeneous across devices. Entropy values were consistently lower than expected for robustly encrypted traffic, and cipher-suite analysis revealed that weak suites dominate TLS usage, while secure and recommended suites appear only rarely.

By linking these weaknesses to known vulnerability records, we identified 92 CVEs, with confidentiality being the most severely impacted, and attack vectors primarily occurring over the network. The severity of these vulnerabilities has increased in recent years, underscoring the risks posed by vendors' failure to follow best security practices to supply secure software updates for smart home IoT devices.

Appendix: Figures from the Experiments

This appendix contains additional figures from the controlled experiments showing the update processes of individual IoT devices.

A.1 Tapo C100 Update Process

The Tapo C100 update process involved three stages: device information display, firmware downloading/updating, and installation confirmation. The device updated from v1.0.11 to v1.4.3.

A.2 Tapo C200 Update Process

The Tapo C200 followed a similar three-stage update process, updating from v1.0.10 to v1.3.16. This device contacted the most countries (9) during the update process, and communicated with the most diverse set of service providers.

A.3 Xiaomi Camera Update Process

The Xiaomi camera update involved downloading the firmware, installing the update, and confirming successful installation. Updated from v3.5.1 to v4.0.9.

A.4 Eufy Camera Update Process

The Eufy camera attempted to update from v2.1.0.2 to v2.3.1.6. Notably, the update process experienced a failure during our experiments (approximately 3 minutes into the downloading phase), requiring investigation of the resulting network traffic patterns.

A.5 Apple TV Update

Apple TV generated the highest traffic volume (1,405,566 packets) during its update from v18.6 to v26.2. The update process included checking for updates and downloading the firmware through Apple's and Akamai's CDN infrastructure, contacting servers in DE, NZ, SE, and US.

A.6 Riolink Camera Update Process

The Riolink camera update process included firmware uploading, software updating, and completion confirmation. Updated from v3.0.0 to v3.1.0, generating 71,568 packets during the process.

A.7 HomePod Mini

The HomePod Mini updated from v18.6 to v26.2, generating 767,196 packets — the second-highest traffic volume. It contacted servers only in SE and US, using Apple and Akamai as service providers.

A.8 Certificate Issuers (Controlled Dataset)

Certificate Issuer (Verified by)Devices
Amazon Root CA 1 / RSA 2048 M01–M04Fire TV, Sony TV
Apple Public Server RSA CA 11 / Root CA / Server Auth CAApple TV
DigiCert Global CA G2 / Root CA / Root G2Fire TV, Tapo C100, Tapo C200
Go Daddy Root/Secure Certificate Authority G2Eufy, Xiaomi
GTS Root R1Fire TV, Sony TV
TP-Link / TP-Link Cloud Root CA / tp-link-CATapo C100, Tapo C200
COMODO ECC / USERTrust RSAApple TV
VeriSign Class 3 Public Primary CA G5Fire TV, Tapo C100
GlobalSign Root CAFire TV, Sony TV

References

  1. M. Nordahl et al., "Software Component Update for IoT Systems," IOTSMS, 2024.
  2. V. Prakash et al., "Inferring Software Update Practices on Smart Home IoT Devices Through User Agent Analysis," SCORED'22, ACM, 2022.
  3. C. Bradley and D. Barrera, "Towards Characterizing IoT Software Update Practices," FPS, Springer, 2023.
  4. L. Seitz et al., "Secure Software Updates for IoT Based on Industry Requirements," ICISSP, 2023.
  5. R. Tollefsen and O. Anshus, "Detecting the Arrival of an Update at Mostly Sleeping Cyber-Physical IoT Nodes," DCOSS, 2022.
  6. Y. Wu et al., "Your Firmware Has Arrived: A Study of Firmware Update Vulnerabilities," USENIX Security 24, 2024.
  7. A. B. Usman and M. Asplund, "Update at Your Own Risk: Analysis and Recommendations for Update-Related Vulnerabilities," IFIP SEC, Springer, 2025.
  8. J. Ren et al., "Information Exposure From Consumer IoT Devices," IMC '19, ACM, 2019.
  9. J. Bauwens et al., "Over-the-Air Software Updates in the IoT: An Overview of Key Principles," IEEE Commun. Mag., 2020.
  10. F. Bianchi et al., "Generalized Encrypted Traffic Classification Using Inter-flow Signals," ARES, Springer, 2025.
  11. H. Yu et al., "Renyi entropy-driven network traffic anomaly detection," Cybersecurity, 7(1), 2024.
  12. F. Lemos Lima et al., "A comparative study of use of Shannon, Rényi and Tsallis entropy for attribute selecting in network intrusion detection," IEEE M&N, 2011.
  13. N. Dejon et al., "Automated Security Analysis of IoT Software Updates," WISTP, Springer, 2020.
  14. R. E. Alsowaigh, "CrowdStrike Causes Global Microsoft Outage: A Case Study," JISCR, 8(1), 2025.
  15. S. Kapoor et al., "Predicting Video QoE from Encrypted Traffic," IFIP Networking, 2025.
  16. E. Barker, "Recommendation for Key Management: Part 1," NIST SP 800-57 Part 1 Rev. 5, 2020.
  17. D. Benjamin, "Applying GREASE to TLS Extensibility," IETF Internet-Draft, 2018.
  18. C. Wang et al., "Cybersecurity in Ophthalmology Practices," IOVS, 66(8), 2025.