The Internet of Things (IoT) ecosystem is characterized by a wide range of devices, many of which are designed with a primary focus on low cost and functionality rather than robust security. Consequently, they suffer from multiple, well-documented vulnerabilities. These include a lack of strong authentication and access control, often shipping with default or hardcoded credentials. Furthermore, to conserve processing power and reduce costs, many devices employ weak or non-existent encryption for data in transit and at rest. Finally, since IoT devices are often deployed in physically accessible locations, they frequently lack sufficient physical hardening, making them vulnerable to tampering, side-channel attacks, or direct memory extraction. Therefore, all the listed options represent common and critical vulnerabilities.

B. While a valid vulnerability, this answer is incomplete as weak encryption and insufficient physical security are also common and critical IoT security flaws.

C. While a valid vulnerability, this answer is incomplete as poor access controls and insufficient physical security are also prevalent issues in IoT devices.

D. While a valid vulnerability, this answer is incomplete as weak authentication and a lack of strong encryption are also widespread problems in the IoT landscape.

1. National Institute of Standards and Technology (NIST). (2020). Foundational Cybersecurity Activities for IoT Device Manufacturers (NISTIR 8259).

Section 3.1, "Device Identification": Discusses the problem of non-unique or default device credentials, directly supporting the vulnerability of "Lack of user access controls and authentication mechanisms."

Section 3.3, "Data Protection": States that "IoT devices should use encryption to protect the data they store and transmit," highlighting that its absence or weakness is a key vulnerability, supporting "Weak encryption protocols."

Section 3.6, "Physical Security": Mentions the need for "a degree of physical access resistance," confirming that "Insufficient physical security measures" is a recognized concern.

2. Cisco. (2019). IoT Security Grand Challenges. Cisco White Paper.

Page 4, "Authentication and Identity": "Many IoT devices have weak or no authentication mechanisms, making them easy targets for unauthorized access." This supports option B.

Page 5, "Confidentiality and Encryption": "Data transmitted from IoT devices is often unencrypted... This lack of encryption exposes sensitive information to eavesdropping." This supports option C.

3. Hassija, V., Chamola, V., Saxena, V., Jain, D., Goyal, P., & Sikdar, B. (2019). A Survey on IoT Security: Application Areas, Security Threats, and Solution Architectures. IEEE Access, 7, 82721-82743.

Section IV.A, "Physical Attacks": "These attacks require the attacker to be in close physical proximity to the IoT nodes... An attacker can damage the node, tamper with it, or replace it with a malicious node." This directly supports option D.

DOI: https://doi.org/10.1109/ACCESS.2019.2924045