VARIoT – IoT vulnerabilities and exploits databases
The information about vulnerabilities and exploits found over the Internet by the VARIoT project is now publicly available on the dedicated website: https://www.variotdbs.pl/. The website is displayed in English and Polish languages, which can be changed at the bottom of the page.
Data is organised in three independent sections:
- Vulnerabilities, which shows vulnerabilities that affect IoT devices,
- Exploits, with publicly available exploits that target IoT devices,
- News, an automatically generated news feed with the latest information about IoT vulnerabilities.
The feeds are generated using data obtained from publicly available sources. The vulnerability and exploit databases use curated lists of primary sources, while the news feed uses multiple Internet search engines to find relevant data over the Internet. Vulnerability and News feeds use ML/NLP techniques to enhance the obtained results: combine data from multiple sources for vulnerability descriptions, assign vulnerability types, affected products and trust values for News feed.
The Vulnerability section shows vulnerabilities affecting IoT devices. We are using a broad definition of IoT for the sake of selecting IoT related entries: “IoT device – an item (except a phone, PC, tablet and data center hardware) equipped with network connectivity and the ability to collect and exchange data”. The vulnerability section lets you browse latest IoT vulnerabilities and search them. Each entry consists of data about a given vulnerability found in different sources. The entries format is described in detail in vulnerability entry ontology: https://www.variotdbs.pl/ref/variotentry/.
Similarly, Exploit section is intended to show exploits that can threaten IoT devices. It is currently in a proof-of-concept state: the exploit list is not comprehensive, it is not filtered to show only IoT related exploits and the search functionality is not added yet. Some data fields may also be missing. When this section is finished, it will work in a similar fashion as the Vulnerability section. The exploit entry ontology will also be available on the website.
News section lists recent articles about IoT vulnerabilities, found automatically using search engines. An NLP mechanism helps assigning trust values and vulnerability types to each news item. Related IDs from external vulnerability and exploit databases are listed with each entry. If there is a VARIoT database entry related to the same vulnerability or exploit, its ID will also be displayed on the list.
Vulnerabilities and Exploits are additionally accessible using an API. The data may be received in a regular JSON format or as JSON-LD. Our data published in the latter will be also soon available on the data.europa.eu portal. We encourage you to register on our website and try our API out. Access instructions can be found on https://www.variotdbs.pl/api/.
Please note that the databases are still in development and their contents may receive significant changes without prior notice, including reassigning IDs for vulnerabilities and exploits. We will make a further announcement when the databases will be considered finished.
If you do have any questions or comments, please send them through our contact form on the variotdbs.pl website. We are open to your feedback and suggestions for improvements.