
Internet of Things Top Ten 2014-OWASP

This document discusses the OWASP Internet of Things Top Ten Project, which aims to provide a comprehensive review of security risks across all aspects of Internet of Things systems. It outlines 10 common categories of vulnerabilities, including insecure web interfaces, insufficient authentication, insecure network services, lack of transport encryption, privacy concerns, insecure cloud/mobile interfaces, insufficient security configurability, insecure software/firmware, and poor physical security. For each category, it describes ways to test for associated issues and provides recommendations for making systems more secure. The goal of the project is to evaluate security across entire IoT devices and systems, rather than focusing on single components.


Internet of Things Top Ten

Agenda
- Introduction
- Misconception
- Considerations
- The OWASP Internet of Things Top 10 Project
- The Top 10 Walkthrough

26 Billion by 2020

- 30 fold increase from 2009 in Internet of Things install base
- Revenue exceeding $300 billion in 2020
- $1.9 trillion in global economic impact

*Gartner Internet of Things Report 2013

Misconception | It's all about the device

- It's not just about the device, or the network, or the clients
- There are MANY surface areas involved
- Each of these needs to be evaluated

Considerations | A holistic approach is required

All elements need to be considered:
- The Internet of Things Device
- The Cloud
- The Mobile Application
- The Network Interfaces
- The Software
- Use of Encryption
- Use of Authentication
- Physical Security
- USB ports

Enter the OWASP Internet of Things Top Ten Project

Internet of Things Top Ten Project | A complete IoT Review

- Review all aspects of Internet of Things
- Top Ten Categories
- Covers the entire device
- Without comprehensive coverage like this it would be like getting your physical but only checking one arm
- We must cover all surface area to get a good assessment of overall security

I1 | Insecure Web Interface

I1 | Insecure Web Interface | Testing

- Account Enumeration
- Weak Default Credentials
- Credentials Exposed in Network Traffic
- Cross-site Scripting (XSS)
- SQL-Injection
- Session Management
- Account Lockout

I1 | Insecure Web Interface | Make It Secure

I2 | Insufficient Authentication/Authorization

I2 | Insufficient Authentication/Authorization | Testing

- Lack of Password Complexity
- Poorly Protected Credentials
- Lack of Two Factor Authentication
- Insecure Password Recovery
- Privilege Escalation
- Lack of Role Based Access Control

I2 | Insufficient Authentication/Authorization | Make It Secure

I3 | Insecure Network Services

I3 | Insecure Network Services | Testing

- Vulnerable Services
- Buffer Overflow
- Open Ports via UPnP
- Exploitable UDP Services
- Denial-of-Service
- DoS via Network Device Fuzzing

I3 | Insecure Network Services | Make It Secure

I4 | Lack of Transport Encryption

I4 | Lack of Transport Encryption | Testing

- Unencrypted Services via the Internet
- Unencrypted Services via the Local Network
- Poorly Implemented SSL/TLS
- Misconfigured SSL/TLS

I4 | Lack of Transport Encryption | Make It Secure

I5 | Privacy Concerns

I5 | Privacy Concerns | Testing

- Collection of Unnecessary Personal Information

I5 | Privacy Concerns | Make It Secure

I6 | Insecure Cloud Interface

I6 | Insecure Cloud Interface | Testing

- Account Enumeration
- No Account Lockout
- Credentials Exposed in Network Traffic

I6 | Insecure Cloud Interface | Make It Secure

I7 | Insecure Mobile Interface

I7 | Insecure Mobile Interface | Testing

- Account Enumeration
- No Account Lockout
- Credentials Exposed in Network Traffic

I7 | Insecure Mobile Interface | Make It Secure

I8 | Insufficient Security Configurability

I8 | Insufficient Security Configurability | Testing

- Lack of Granular Permission Model
- Lack of Password Security Options
- No Security Monitoring
- No Security Logging

I8 | Insufficient Security Configurability | Make It Secure

I9 | Insecure Software/Firmware

I9 | Insecure Software/Firmware | Testing

- Encryption Not Used to Fetch Updates
- Update File not Encrypted
- Update Not Verified before Upload
- Firmware Contains Sensitive Information
- No Obvious Update Functionality
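A device-side update gate that covers the first three I9 test items above (update fetched over TLS, manifest signed by the vendor, image digest matching the signed manifest), as an added Go example that is not part of the OWASP deck. The vendor key pair, the update URL and the firmware bytes are constructed for the demonstration; a real device would pin the vendor public key in firmware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest describes one update: download URL, version, expected SHA-256 of
// the image, and the vendor's Ed25519 signature over those three fields.
type Manifest struct {
	URL, Version, SHA256Hex string
	Signature               []byte
}

// signedPayload is the exact byte string the vendor signs.
func signedPayload(m Manifest) []byte {
	return []byte(m.URL + "\n" + m.Version + "\n" + m.SHA256Hex)
}

// SignManifest is the vendor-side step (build server, never the device).
func SignManifest(priv ed25519.PrivateKey, m Manifest) Manifest {
	m.Signature = ed25519.Sign(priv, signedPayload(m))
	return m
}

// VerifyUpdate is the device-side gate: TLS download URL, valid signature from
// the pinned vendor key, and image digest matching the signed manifest.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, image []byte) error {
	if !strings.HasPrefix(m.URL, "https://") {
		return errors.New("update must be fetched over TLS")
	}
	if !ed25519.Verify(pub, signedPayload(m), m.Signature) {
		return errors.New("manifest signature invalid or manifest altered")
	}
	if sum := sha256.Sum256(image); hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return errors.New("image digest does not match signed manifest")
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	image := []byte("constructed firmware image bytes")
	sum := sha256.Sum256(image)
	m := SignManifest(priv, Manifest{URL: "https://updates.example/fw.bin", Version: "1.2.0", SHA256Hex: hex.EncodeToString(sum[:])})
	fmt.Println("good:", VerifyUpdate(pub, m, image), "tampered:", VerifyUpdate(pub, m, image[:len(image)-1]))
}
```

Any failing check returns an error before the image is written to flash; the remaining I9 items (sensitive data inside the firmware image, discoverable update functionality) are review findings rather than runtime checks.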

I9 | Insecure Software/Firmware | Make It Secure

I10 | Poor Physical Security

I10 | Poor Physical Security | Testing

- Access to Software via USB Ports
- Removal of Storage Media

I10 | Poor Physical Security | Make It Secure

Resources

OWASP Internet of Things Top Ten

Email List
