OWASP - User contributions [en]

OWASP Internet of Things Project

2018-12-19T23:58:19Z

Daniel Miessler: Updated contributors

= Main =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |
== OWASP Internet of Things (IoT) Project ==
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

==Updated!==

The OWASP IoT Project for 2018 has just been released!

[[File:2018 IoT Top10.png|center|thumb|1290x1290px]]

== Philosophy ==
The OWASP Internet of Things Project was started in 2014 as a way help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.

This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.

The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.

The result is the 2018 OWASP IoT Top 10.

== Methodology ==
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.

The project was conducted in the following phases:
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security,] and others.
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.
# '''Release:''' release of the project to the public in December 2018.

== The Future of the OWASP IoT Top 10 ==
The team has a number of activities planned to continue improving on the project going forward.

Some of the items being discussed include:
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.
* Expanding the project into other aspects of IoT—including embedded security, ICS/ SCADA,etc.
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.

Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the the #iot-security room of the OWASP Slack Channel.

'''''The OWASP IoT Security Team, 2018'''''

==Licensing==
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the OWASP Internet of Things Project? ==

The OWASP Internet of Things Project provides information on:

* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]
* IoT Vulnerabilities
* Firmware Analysis
* ICS/SCADA Software Weaknesses
* Community Information
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]
* Developer, Consumer and Manufacturer Guidance
* Design Principles

== Project Leaders ==

* Daniel Miessler
* Craig Smith
* Vishruta Rudresh
* Aaron Guzman

== Contributors ==
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]
* Saša Zdjelar

== IoT Top 2018 Contributors ==
* Vijayamurugan Pushpanathan
* Alexander Lafrenz
* Masahiro Murashima
* Charlie Worrell
* José A. Rivas (jarv)
* Pablo Endres
* Ade Yoseman
* Cédric Levy-Bencheotn
* Jason Andress
* Amélie Didion - Designer

== Related Projects ==

* [[OWASP_Project|OWASP Project Repository]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]

| style="padding-left:25px;width:200px;" valign="top" |

== Collaboration ==
[https://owasp.slack.com The OWASP Slack Channel]

Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.

== Quick Download ==
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]

[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]

[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]

[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]

[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]

[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]

[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]

[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]

[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]

[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]

== News and Events ==
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]
* Added a [https://owasp-iot-security.slack.com/ Slack channel]
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]
* Migrating the IoT Top Ten to be under the IoT Project
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= IoT Top 10 =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

== Internet of Things (IoT) Top 10 2018 ==
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.
* I1 Weak Guessable, or Hardcoded Passwords

* I2 Insecure Network Services

* I3 Insecure Ecosystem Interfaces

* I4 Lack of Secure Update Mechanism

* I5 Use of Insecure or Outdated Components

* I6 Insufficient Privacy Protection

* I7 Insecure Data Transfer and Storage

* I8 Lack of Device Management

* I9 Insecure Default Settings

* I10 Lack of Physical Hardening
== Internet of Things (IoT) Top 10 2014 ==
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]

= IoT Attack Surface Areas =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Attack Surface Areas Project ==

The OWASP IoT Attack Surface Areas (DRAFT) are as follows:

{| class="wikitable" style="text-align: left" border="1"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
** UART (Serial)
** JTAG / SWD
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
** Verify for old sw versions and possible attacks (Heartbleed, Shellshock, old PHP versions etc)
* Security related function API exposure
* Firmware downgrade possibility
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Firmware loaded over insecure channel (no TLS)
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Check for insecure direct object references
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|

* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Privacy'''
|
* User data disclosure
* User/device location disclosure
* Differential privacy
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damage (Physicall)

|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the IoT Attack Surface Areas Project? ==

The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://owasp.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Vulnerabilities Project ==

{| class="wikitable" style="text-align: left" border="1"
! Vulnerability
! Attack Surface
! Summary
|-
| '''Username Enumeration'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to collect a set of valid usernames by interacting with the authentication mechanism
|-
| '''Weak Passwords'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to set account passwords to '1234' or '123456' for example.
* Usage of pre-programmed default passwords
|-
| '''Account Lockout'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts
|-
| '''Unencrypted Services'''
|
* Device Network Services
|
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers
|-
| '''Two-factor Authentication'''
|
* Administrative Interface
* Cloud Web Interface
* Mobile Application
|
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
|-
| '''Poorly Implemented Encryption'''
|
* Device Network Services
|
* Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
|-
| '''Update Sent Without Encryption'''
|
* Update Mechanism
|
* Updates are transmitted over the network without using TLS or encrypting the update file itself
|-
| '''Update Location Writable'''
|
* Update Mechanism
|
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
|-
| '''Denial of Service'''
|
* Device Network Services
|
* Service can be attacked in a way that denies service to that service or the entire device
|-
| '''Removal of Storage Media'''
|
* Device Physical Interfaces
|
* Ability to physically remove the storage media from the device
|-
| '''No Manual Update Mechanism'''
|
* Update Mechanism
|
* No ability to manually force an update check for the device
|-
| '''Missing Update Mechanism'''
|
* Update Mechanism
|
* No ability to update device
|-
| '''Firmware Version Display and/or Last Update Date'''
|
* Device Firmware
|
* Current firmware version is not displayed and/or the last update date is not displayed
|-
| '''Firmware and storage extraction'''
|
* JTAG / SWD interface
* [https://www.flashrom.org/Flashrom In-Situ dumping]
* Intercepting a OTA update
* Downloading from the manufacturers web page
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]
* Unsoldering the SPI Flash / eMMC chip and reading it in a adapter
|
* Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc.
|-
| '''Manipulating the code execution flow of the device'''
|
* JTAG / SWD interface
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]
|
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device
|-
| '''Obtaining console access'''
|
* Serial interfaces (SPI / UART)
|
* By connecting to a serial interface, we will obtain full console access to a device
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.
|-
| '''Insecure 3rd party components'''
|
* Software
|
* Out of date versions of busybox, openssl, ssh, web servers, etc.
|-

|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the IoT Vulnerabilities Project? ==

The IoT Vulnerabilities Project provides:

* Information on the top IoT vulnerabilities
* The attack surface associated with the vulnerability
* A summary of the vulnerability

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Medical Devices =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Medical Device Testing ==

The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.

{| class="wikitable" style="text-align: left" border="1"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''HL7'''
|
* XML Parsing
** XSS
* Information Disclosure
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Data Flow'''
|
* What data is being captured?
* How does it move within the ecosystem?
* How is it protected in transit?
* How is it protected at rest?
* Who is that data shared with?
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)
* Failure state analysis
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the Medical Attack Surfaces project? ==

The Medical Attack Surfaces project provides:

* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment
* Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.

|}

= Firmware Analysis =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Firmware Analysis Project ==

The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":

{| class="wikitable" style="text-align: left" border="1"
! Section
!
|-
|
Device Firmware Vulnerabilities
|
* Out-of-date core components
* Unsupported core components
* Expired and/or self-signed certificates
* Same certificate used on multiple devices
* Admin web interface concerns
* Hardcoded or easy to guess credentials
* Sensitive information disclosure
* Sensitive URL disclosure
* Encryption key exposure
* Backdoor accounts
* Vulnerable services (web, ssh, tftp, etc.)
|-
|
Manufacturer Recommendations
|
* Ensure that supported and up-to-date software is used by developers
* Ensure that robust update mechanisms are in place for devices
* Ensure that certificates are not duplicated across devices and product lines.
* Ensure supported and up-to-date software is used by developers
* Develop a mechanism to ensure a new certificate is installed when old ones expire
* Disable deprecated SSL versions
* Ensure developers do not code in easy to guess or common admin passwords
* Ensure services such as SSH have a secure password created
* Develop a mechanism that requires the user to create a secure admin password during initial device setup
* Ensure developers do not hard code passwords or hashes
* Have source code reviewed by a third party before releasing device to production
* Ensure industry standard encryption or strong hashing is used
|-
|
Device Firmware Guidance and Instruction
|
* Firmware file analysis
* Firmware extraction
* Dynamic binary analysis
* Static binary analysis
* Static code analysis
* Firmware emulation
* File system analysis
|-
|
Device Firmware Tools
|
* [https://github.com/craigz28/firmwalker Firmwalker]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://github.com/angr/angr Angr binary analysis framework]
* [http://binwalk.org/ Binwalk firmware analysis tool]
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]
* [https://github.com/firmadyne/firmadyne Firmadyne]
|-
|
Vulnerable Firmware
|
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the Firmware Analysis Project? ==

The Firmware Analysis Project provides:

* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface
* Steps for extracting file systems from various firmware files
* Guidance on searching a file systems for sensitive of interesting data
* Information on static analysis of firmware contents
* Information on dynamic analysis of emulated services (e.g. web admin interface)
* Testing tool links
* A site for pulling together existing information on firmware analysis

== Project Leaders ==

* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Coming Soon

|}

= IoT Event Logging Project=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Logging Events==

This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.

{| class="wikitable" style="text-align: left" border="1"
! Event Category
! Events
|-
| '''Request Exceptions'''
|
* Attempt to Invoke Unsupported HTTP Method
* Unexpected Quantity of Characters in Parameter
* Unexpected Type of Characters in Parameter
|-
| '''Authentication Exceptions'''
|
* Multiple Failed Passwords
* High Rate of Login Attempts
* Additional POST Variable
* Deviation from Normal GEO Location
|-
| '''Session Exceptions'''
|
* Modifying the Existing Cookie
* Substituting Another User's Valid SessionID or Cookie
* Source Location Changes During Session
|-
| '''Access Control Exceptions'''
|
* Modifying URL Argument Within a GET for Direct Object Access Attempt
* Modifying Parameter Within a POST for Direct Object Access Attempt
* Forced Browsing Attempt
|-
| '''Ecosystem Membership Exceptions'''
|
* Traffic Seen from Disenrolled System
* Traffic Seen from Unenrolled System
* Failed Attempt to Enroll in Ecosystem
* Multiple Attempts to Enroll in Ecosystem
|-
| '''Device Access Events'''
|
* Device Case Tampering Detected
* Device Logic Board Tampering Detected
|-
| '''Administrative Mode Events'''
|
* Device Entered Administrative Mode
* Device Accessed Using Default Administrative Credentials
|-
| '''Input Exceptions'''
|
* Double Encoded Character
* Unexpected Encoding Used
|-
| '''Command Injection Exceptions'''
|
* Blacklist Inspection for Common SQL Injection Values
* Abnormal Quantity of Returned Records
|-
| '''Honey Trap Exceptions'''
|
* Honey Trap Resource Requested
* Honey Trap Data Used
|-
| '''Reputation Exceptions'''
|
* Suspicious or Disallowed User Source Location

|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |

== What is the IoT Security Logging Project? ==

The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= ICS/SCADA =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== ICS/SCADA Project ==

The OWASP ICS/SCADA Top 10 software weaknesses are as follows:

{| class="wikitable" style="text-align: left" border="1"
! Rank and ID
! Title
|-
| '''1 - CWE-119'''
|
* Improper Restriction of Operations within the Bounds of a Memory Buffer
|-
| '''2 - CWE-20'''
|
* Improper Input Validation
|-
| '''3 - CWE-22'''
|
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|-
| '''4 - CWE-264'''
|
* Permissions, Privileges, and Access Controls
|-
| '''5 - CWE-200'''
|
* Information Exposure
|-
| '''6 - CWE-255'''
|
* Credentials Management
|-
| '''7 - CWE-287'''
|
* Improper Authentication
|-
| '''8 - CWE-399'''
|
* Resource Management Errors
|-
| '''9 - CWE-79'''
|
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
|-
| '''10 - CWE-189'''
|
* Numeric Errors
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the ICS/SCADA Project? ==

The ICS/SCADA Project provides:

* A list of the Top 10 most dangerous software weaknesses

== Project Leaders ==

* NJ Ouchn

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure

[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/iot-this-week/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Internet of Things Project

2018-12-19T23:57:55Z

Daniel Miessler: Updated project leaders

= Main =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |
== OWASP Internet of Things (IoT) Project ==
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

==Updated!==

The OWASP IoT Project for 2018 has just been released!

[[File:2018 IoT Top10.png|center|thumb|1290x1290px]]

== Philosophy ==
The OWASP Internet of Things Project was started in 2014 as a way help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.

This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.

The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.

The result is the 2018 OWASP IoT Top 10.

== Methodology ==
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.

The project was conducted in the following phases:
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security,] and others.
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.
# '''Release:''' release of the project to the public in December 2018.

== The Future of the OWASP IoT Top 10 ==
The team has a number of activities planned to continue improving on the project going forward.

Some of the items being discussed include:
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.
* Expanding the project into other aspects of IoT—including embedded security, ICS/ SCADA,etc.
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.

Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the the #iot-security room of the OWASP Slack Channel.

'''''The OWASP IoT Security Team, 2018'''''

==Licensing==
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the OWASP Internet of Things Project? ==

The OWASP Internet of Things Project provides information on:

* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]
* IoT Vulnerabilities
* Firmware Analysis
* ICS/SCADA Software Weaknesses
* Community Information
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]
* Developer, Consumer and Manufacturer Guidance
* Design Principles

== Project Leaders ==

* Daniel Miessler
* Craig Smith
* Vishruta Rudresh
* Aaron Guzman

== Contributors ==
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]
* Saša Zdjelar

== IoT Top 2018 Contributors ==
* Vishruta Rudresh
* Vijayamurugan Pushpanathan
* Aaron Guzman
* Alexander Lafrenz
* Masahiro Murashima
* Charlie Worrell
* José A. Rivas (jarv)
* Pablo Endres
* Ade Yoseman
* Cédric Levy-Bencheotn
* Jason Andress
* Amélie Didion - Designer

== Related Projects ==

* [[OWASP_Project|OWASP Project Repository]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]

| style="padding-left:25px;width:200px;" valign="top" |

== Collaboration ==
[https://owasp.slack.com The OWASP Slack Channel]

Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.

== Quick Download ==
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]

[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]

[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]

[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]

[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]

[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]

[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]

[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]

[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]

[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]

== News and Events ==
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]
* Added a [https://owasp-iot-security.slack.com/ Slack channel]
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]
* Migrating the IoT Top Ten to be under the IoT Project
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= IoT Top 10 =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

== Internet of Things (IoT) Top 10 2018 ==
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.
* I1 Weak Guessable, or Hardcoded Passwords

* I2 Insecure Network Services

* I3 Insecure Ecosystem Interfaces

* I4 Lack of Secure Update Mechanism

* I5 Use of Insecure or Outdated Components

* I6 Insufficient Privacy Protection

* I7 Insecure Data Transfer and Storage

* I8 Lack of Device Management

* I9 Insecure Default Settings

* I10 Lack of Physical Hardening
== Internet of Things (IoT) Top 10 2014 ==
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]

= IoT Attack Surface Areas =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Attack Surface Areas Project ==

The OWASP IoT Attack Surface Areas (DRAFT) are as follows:

{| class="wikitable" style="text-align: left" border="1"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
** UART (Serial)
** JTAG / SWD
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
** Verify for old sw versions and possible attacks (Heartbleed, Shellshock, old PHP versions etc)
* Security related function API exposure
* Firmware downgrade possibility
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Firmware loaded over insecure channel (no TLS)
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Check for insecure direct object references
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|

* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Privacy'''
|
* User data disclosure
* User/device location disclosure
* Differential privacy
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damage (Physicall)

|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the IoT Attack Surface Areas Project? ==

The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://owasp.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Vulnerabilities Project ==

{| class="wikitable" style="text-align: left" border="1"
! Vulnerability
! Attack Surface
! Summary
|-
| '''Username Enumeration'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to collect a set of valid usernames by interacting with the authentication mechanism
|-
| '''Weak Passwords'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to set account passwords to '1234' or '123456' for example.
* Usage of pre-programmed default passwords
|-
| '''Account Lockout'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts
|-
| '''Unencrypted Services'''
|
* Device Network Services
|
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers
|-
| '''Two-factor Authentication'''
|
* Administrative Interface
* Cloud Web Interface
* Mobile Application
|
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
|-
| '''Poorly Implemented Encryption'''
|
* Device Network Services
|
* Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
|-
| '''Update Sent Without Encryption'''
|
* Update Mechanism
|
* Updates are transmitted over the network without using TLS or encrypting the update file itself
|-
| '''Update Location Writable'''
|
* Update Mechanism
|
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
|-
| '''Denial of Service'''
|
* Device Network Services
|
* Service can be attacked in a way that denies service to that service or the entire device
|-
| '''Removal of Storage Media'''
|
* Device Physical Interfaces
|
* Ability to physically remove the storage media from the device
|-
| '''No Manual Update Mechanism'''
|
* Update Mechanism
|
* No ability to manually force an update check for the device
|-
| '''Missing Update Mechanism'''
|
* Update Mechanism
|
* No ability to update device
|-
| '''Firmware Version Display and/or Last Update Date'''
|
* Device Firmware
|
* Current firmware version is not displayed and/or the last update date is not displayed
|-
| '''Firmware and storage extraction'''
|
* JTAG / SWD interface
* [https://www.flashrom.org/Flashrom In-Situ dumping]
* Intercepting a OTA update
* Downloading from the manufacturers web page
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]
* Unsoldering the SPI Flash / eMMC chip and reading it in a adapter
|
* Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc.
|-
| '''Manipulating the code execution flow of the device'''
|
* JTAG / SWD interface
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]
|
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device
|-
| '''Obtaining console access'''
|
* Serial interfaces (SPI / UART)
|
* By connecting to a serial interface, we will obtain full console access to a device
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.
|-
| '''Insecure 3rd party components'''
|
* Software
|
* Out of date versions of busybox, openssl, ssh, web servers, etc.
|-

|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the IoT Vulnerabilities Project? ==

The IoT Vulnerabilities Project provides:

* Information on the top IoT vulnerabilities
* The attack surface associated with the vulnerability
* A summary of the vulnerability

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Medical Devices =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Medical Device Testing ==

The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.

{| class="wikitable" style="text-align: left" border="1"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''HL7'''
|
* XML Parsing
** XSS
* Information Disclosure
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Data Flow'''
|
* What data is being captured?
* How does it move within the ecosystem?
* How is it protected in transit?
* How is it protected at rest?
* Who is that data shared with?
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)
* Failure state analysis
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the Medical Attack Surfaces project? ==

The Medical Attack Surfaces project provides:

* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment
* Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.

|}

= Firmware Analysis =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Firmware Analysis Project ==

The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":

{| class="wikitable" style="text-align: left" border="1"
! Section
!
|-
|
Device Firmware Vulnerabilities
|
* Out-of-date core components
* Unsupported core components
* Expired and/or self-signed certificates
* Same certificate used on multiple devices
* Admin web interface concerns
* Hardcoded or easy to guess credentials
* Sensitive information disclosure
* Sensitive URL disclosure
* Encryption key exposure
* Backdoor accounts
* Vulnerable services (web, ssh, tftp, etc.)
|-
|
Manufacturer Recommendations
|
* Ensure that supported and up-to-date software is used by developers
* Ensure that robust update mechanisms are in place for devices
* Ensure that certificates are not duplicated across devices and product lines.
* Ensure supported and up-to-date software is used by developers
* Develop a mechanism to ensure a new certificate is installed when old ones expire
* Disable deprecated SSL versions
* Ensure developers do not code in easy to guess or common admin passwords
* Ensure services such as SSH have a secure password created
* Develop a mechanism that requires the user to create a secure admin password during initial device setup
* Ensure developers do not hard code passwords or hashes
* Have source code reviewed by a third party before releasing device to production
* Ensure industry standard encryption or strong hashing is used
|-
|
Device Firmware Guidance and Instruction
|
* Firmware file analysis
* Firmware extraction
* Dynamic binary analysis
* Static binary analysis
* Static code analysis
* Firmware emulation
* File system analysis
|-
|
Device Firmware Tools
|
* [https://github.com/craigz28/firmwalker Firmwalker]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://github.com/angr/angr Angr binary analysis framework]
* [http://binwalk.org/ Binwalk firmware analysis tool]
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]
* [https://github.com/firmadyne/firmadyne Firmadyne]
|-
|
Vulnerable Firmware
|
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the Firmware Analysis Project? ==

The Firmware Analysis Project provides:

* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface
* Steps for extracting file systems from various firmware files
* Guidance on searching a file systems for sensitive of interesting data
* Information on static analysis of firmware contents
* Information on dynamic analysis of emulated services (e.g. web admin interface)
* Testing tool links
* A site for pulling together existing information on firmware analysis

== Project Leaders ==

* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Coming Soon

|}

= IoT Event Logging Project=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Logging Events==

This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.

{| class="wikitable" style="text-align: left" border="1"
! Event Category
! Events
|-
| '''Request Exceptions'''
|
* Attempt to Invoke Unsupported HTTP Method
* Unexpected Quantity of Characters in Parameter
* Unexpected Type of Characters in Parameter
|-
| '''Authentication Exceptions'''
|
* Multiple Failed Passwords
* High Rate of Login Attempts
* Additional POST Variable
* Deviation from Normal GEO Location
|-
| '''Session Exceptions'''
|
* Modifying the Existing Cookie
* Substituting Another User's Valid SessionID or Cookie
* Source Location Changes During Session
|-
| '''Access Control Exceptions'''
|
* Modifying URL Argument Within a GET for Direct Object Access Attempt
* Modifying Parameter Within a POST for Direct Object Access Attempt
* Forced Browsing Attempt
|-
| '''Ecosystem Membership Exceptions'''
|
* Traffic Seen from Disenrolled System
* Traffic Seen from Unenrolled System
* Failed Attempt to Enroll in Ecosystem
* Multiple Attempts to Enroll in Ecosystem
|-
| '''Device Access Events'''
|
* Device Case Tampering Detected
* Device Logic Board Tampering Detected
|-
| '''Administrative Mode Events'''
|
* Device Entered Administrative Mode
* Device Accessed Using Default Administrative Credentials
|-
| '''Input Exceptions'''
|
* Double Encoded Character
* Unexpected Encoding Used
|-
| '''Command Injection Exceptions'''
|
* Blacklist Inspection for Common SQL Injection Values
* Abnormal Quantity of Returned Records
|-
| '''Honey Trap Exceptions'''
|
* Honey Trap Resource Requested
* Honey Trap Data Used
|-
| '''Reputation Exceptions'''
|
* Suspicious or Disallowed User Source Location

|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |

== What is the IoT Security Logging Project? ==

The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= ICS/SCADA =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== ICS/SCADA Project ==

The OWASP ICS/SCADA Top 10 software weaknesses are as follows:

{| class="wikitable" style="text-align: left" border="1"
! Rank and ID
! Title
|-
| '''1 - CWE-119'''
|
* Improper Restriction of Operations within the Bounds of a Memory Buffer
|-
| '''2 - CWE-20'''
|
* Improper Input Validation
|-
| '''3 - CWE-22'''
|
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|-
| '''4 - CWE-264'''
|
* Permissions, Privileges, and Access Controls
|-
| '''5 - CWE-200'''
|
* Information Exposure
|-
| '''6 - CWE-255'''
|
* Credentials Management
|-
| '''7 - CWE-287'''
|
* Improper Authentication
|-
| '''8 - CWE-399'''
|
* Resource Management Errors
|-
| '''9 - CWE-79'''
|
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
|-
| '''10 - CWE-189'''
|
* Numeric Errors
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the ICS/SCADA Project? ==

The ICS/SCADA Project provides:

* A list of the Top 10 most dangerous software weaknesses

== Project Leaders ==

* NJ Ouchn

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure

[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/iot-this-week/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Internet of Things Project

2018-12-19T23:14:08Z

Daniel Miessler: Updated!

= Main =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==Updated!==

The OWASP IoT Project for 2018 has just been released!.

==OWASP Internet of Things (IoT) Project==

Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

==Licensing==
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the OWASP Internet of Things Project? ==

The OWASP Internet of Things Project provides information on:

* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]
* IoT Vulnerabilities
* Firmware Analysis
* ICS/SCADA Software Weaknesses
* Community Information
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]
* Developer, Consumer and Manufacturer Guidance
* Design Principles

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Contributors ==
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]
* Saša Zdjelar

== Related Projects ==

* [[OWASP_Project|OWASP Project Repository]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]

| style="padding-left:25px;width:200px;" valign="top" |

== Collaboration ==
[https://owasp.slack.com The OWASP Slack Channel]

Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.

== Quick Download ==
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]

[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]

[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]

[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]

[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]

[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]

[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]

[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]

[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]

== News and Events ==
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]
* Added a [https://owasp-iot-security.slack.com/ Slack channel]
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]
* Migrating the IoT Top Ten to be under the IoT Project
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= IoT Top 10 =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

== Internet of Things (IoT) Top 10 2018 ==
The OWASP IoT Project is currently reviewing the Top Ten list for 2018. The official launch date is December 2018. Provide your insight and expertise by joining the #iot-security channel meetups on Slack.
* I1 Weak Guessable, or Hardcoded Passwords

* I2 Insecure Network Services

* I3 Insecure Ecosystem Interfaces

* I4 Lack of Secure Update Mechanism

* I5 Use of Insecure or Outdated Components

* I6 Insufficient Privacy Protection

* I7 Insecure Data Transfer and Storage

* I8 Lack of Device Management

* I9 Insecure Default Settings

* I10 Lack of Physical Hardening
== Internet of Things (IoT) Top 10 2014 ==
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]

= IoT Attack Surface Areas =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Attack Surface Areas Project ==

The OWASP IoT Attack Surface Areas (DRAFT) are as follows:

{| class="wikitable" style="text-align: left" border="1"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
** UART (Serial)
** JTAG / SWD
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
** Verify for old sw versions and possible attacks (Heartbleed, Shellshock, old PHP versions etc)
* Security related function API exposure
* Firmware downgrade possibility
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Firmware loaded over insecure channel (no TLS)
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Check for insecure direct object references
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|

* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Privacy'''
|
* User data disclosure
* User/device location disclosure
* Differential privacy
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damage (Physicall)

|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the IoT Attack Surface Areas Project? ==

The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://owasp.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Vulnerabilities Project ==

{| class="wikitable" style="text-align: left" border="1"
! Vulnerability
! Attack Surface
! Summary
|-
| '''Username Enumeration'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to collect a set of valid usernames by interacting with the authentication mechanism
|-
| '''Weak Passwords'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to set account passwords to '1234' or '123456' for example.
* Usage of pre-programmed default passwords
|-
| '''Account Lockout'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts
|-
| '''Unencrypted Services'''
|
* Device Network Services
|
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers
|-
| '''Two-factor Authentication'''
|
* Administrative Interface
* Cloud Web Interface
* Mobile Application
|
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
|-
| '''Poorly Implemented Encryption'''
|
* Device Network Services
|
* Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
|-
| '''Update Sent Without Encryption'''
|
* Update Mechanism
|
* Updates are transmitted over the network without using TLS or encrypting the update file itself
|-
| '''Update Location Writable'''
|
* Update Mechanism
|
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
|-
| '''Denial of Service'''
|
* Device Network Services
|
* Service can be attacked in a way that denies service to that service or the entire device
|-
| '''Removal of Storage Media'''
|
* Device Physical Interfaces
|
* Ability to physically remove the storage media from the device
|-
| '''No Manual Update Mechanism'''
|
* Update Mechanism
|
* No ability to manually force an update check for the device
|-
| '''Missing Update Mechanism'''
|
* Update Mechanism
|
* No ability to update device
|-
| '''Firmware Version Display and/or Last Update Date'''
|
* Device Firmware
|
* Current firmware version is not displayed and/or the last update date is not displayed
|-
| '''Firmware and storage extraction'''
|
* JTAG / SWD interface
* [https://www.flashrom.org/Flashrom In-Situ dumping]
* Intercepting a OTA update
* Downloading from the manufacturers web page
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]
* Unsoldering the SPI Flash / eMMC chip and reading it in a adapter
|
* Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc.
|-
| '''Manipulating the code execution flow of the device'''
|
* JTAG / SWD interface
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]
|
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device
|-
| '''Obtaining console access'''
|
* Serial interfaces (SPI / UART)
|
* By connecting to a serial interface, we will obtain full console access to a device
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.
|-
| '''Insecure 3rd party components'''
|
* Software
|
* Out of date versions of busybox, openssl, ssh, web servers, etc.
|-

|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the IoT Vulnerabilities Project? ==

The IoT Vulnerabilities Project provides:

* Information on the top IoT vulnerabilities
* The attack surface associated with the vulnerability
* A summary of the vulnerability

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Medical Devices =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Medical Device Testing ==

The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.

{| class="wikitable" style="text-align: left" border="1"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''HL7'''
|
* XML Parsing
** XSS
* Information Disclosure
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Data Flow'''
|
* What data is being captured?
* How does it move within the ecosystem?
* How is it protected in transit?
* How is it protected at rest?
* Who is that data shared with?
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)
* Failure state analysis
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the Medical Attack Surfaces project? ==

The Medical Attack Surfaces project provides:

* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment
* Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.

|}

= Firmware Analysis =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Firmware Analysis Project ==

The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":

{| class="wikitable" style="text-align: left" border="1"
! Section
!
|-
|
Device Firmware Vulnerabilities
|
* Out-of-date core components
* Unsupported core components
* Expired and/or self-signed certificates
* Same certificate used on multiple devices
* Admin web interface concerns
* Hardcoded or easy to guess credentials
* Sensitive information disclosure
* Sensitive URL disclosure
* Encryption key exposure
* Backdoor accounts
* Vulnerable services (web, ssh, tftp, etc.)
|-
|
Manufacturer Recommendations
|
* Ensure that supported and up-to-date software is used by developers
* Ensure that robust update mechanisms are in place for devices
* Ensure that certificates are not duplicated across devices and product lines.
* Ensure supported and up-to-date software is used by developers
* Develop a mechanism to ensure a new certificate is installed when old ones expire
* Disable deprecated SSL versions
* Ensure developers do not code in easy to guess or common admin passwords
* Ensure services such as SSH have a secure password created
* Develop a mechanism that requires the user to create a secure admin password during initial device setup
* Ensure developers do not hard code passwords or hashes
* Have source code reviewed by a third party before releasing device to production
* Ensure industry standard encryption or strong hashing is used
|-
|
Device Firmware Guidance and Instruction
|
* Firmware file analysis
* Firmware extraction
* Dynamic binary analysis
* Static binary analysis
* Static code analysis
* Firmware emulation
* File system analysis
|-
|
Device Firmware Tools
|
* [https://github.com/craigz28/firmwalker Firmwalker]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://github.com/angr/angr Angr binary analysis framework]
* [http://binwalk.org/ Binwalk firmware analysis tool]
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]
* [https://github.com/firmadyne/firmadyne Firmadyne]
|-
|
Vulnerable Firmware
|
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the Firmware Analysis Project? ==

The Firmware Analysis Project provides:

* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface
* Steps for extracting file systems from various firmware files
* Guidance on searching a file systems for sensitive of interesting data
* Information on static analysis of firmware contents
* Information on dynamic analysis of emulated services (e.g. web admin interface)
* Testing tool links
* A site for pulling together existing information on firmware analysis

== Project Leaders ==

* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Coming Soon

|}

= IoT Event Logging Project=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Logging Events==

This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.

{| class="wikitable" style="text-align: left" border="1"
! Event Category
! Events
|-
| '''Request Exceptions'''
|
* Attempt to Invoke Unsupported HTTP Method
* Unexpected Quantity of Characters in Parameter
* Unexpected Type of Characters in Parameter
|-
| '''Authentication Exceptions'''
|
* Multiple Failed Passwords
* High Rate of Login Attempts
* Additional POST Variable
* Deviation from Normal GEO Location
|-
| '''Session Exceptions'''
|
* Modifying the Existing Cookie
* Substituting Another User's Valid SessionID or Cookie
* Source Location Changes During Session
|-
| '''Access Control Exceptions'''
|
* Modifying URL Argument Within a GET for Direct Object Access Attempt
* Modifying Parameter Within a POST for Direct Object Access Attempt
* Forced Browsing Attempt
|-
| '''Ecosystem Membership Exceptions'''
|
* Traffic Seen from Disenrolled System
* Traffic Seen from Unenrolled System
* Failed Attempt to Enroll in Ecosystem
* Multiple Attempts to Enroll in Ecosystem
|-
| '''Device Access Events'''
|
* Device Case Tampering Detected
* Device Logic Board Tampering Detected
|-
| '''Administrative Mode Events'''
|
* Device Entered Administrative Mode
* Device Accessed Using Default Administrative Credentials
|-
| '''Input Exceptions'''
|
* Double Encoded Character
* Unexpected Encoding Used
|-
| '''Command Injection Exceptions'''
|
* Blacklist Inspection for Common SQL Injection Values
* Abnormal Quantity of Returned Records
|-
| '''Honey Trap Exceptions'''
|
* Honey Trap Resource Requested
* Honey Trap Data Used
|-
| '''Reputation Exceptions'''
|
* Suspicious or Disallowed User Source Location

|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |

== What is the IoT Security Logging Project? ==

The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= ICS/SCADA =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== ICS/SCADA Project ==

The OWASP ICS/SCADA Top 10 software weaknesses are as follows:

{| class="wikitable" style="text-align: left" border="1"
! Rank and ID
! Title
|-
| '''1 - CWE-119'''
|
* Improper Restriction of Operations within the Bounds of a Memory Buffer
|-
| '''2 - CWE-20'''
|
* Improper Input Validation
|-
| '''3 - CWE-22'''
|
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|-
| '''4 - CWE-264'''
|
* Permissions, Privileges, and Access Controls
|-
| '''5 - CWE-200'''
|
* Information Exposure
|-
| '''6 - CWE-255'''
|
* Credentials Management
|-
| '''7 - CWE-287'''
|
* Improper Authentication
|-
| '''8 - CWE-399'''
|
* Resource Management Errors
|-
| '''9 - CWE-79'''
|
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
|-
| '''10 - CWE-189'''
|
* Numeric Errors
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the ICS/SCADA Project? ==

The ICS/SCADA Project provides:

* A list of the Top 10 most dangerous software weaknesses

== Project Leaders ==

* NJ Ouchn

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure

[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/iot-this-week/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Internet of Things Project

2018-12-19T23:12:14Z

Daniel Miessler: /* Related Projects */ Fixed slack link

= Main =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==Get Involved!==

The OWASP IoT Project is currently reviewing the Top Ten list for 2018. Provide your insight and expertise by joining the #iot-security channel meetups on Slack.

==OWASP Internet of Things (IoT) Project==

Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

==Licensing==
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the OWASP Internet of Things Project? ==

The OWASP Internet of Things Project provides information on:

* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]
* IoT Vulnerabilities
* Firmware Analysis
* ICS/SCADA Software Weaknesses
* Community Information
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]
* Developer, Consumer and Manufacturer Guidance
* Design Principles

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Contributors ==
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]
* Saša Zdjelar

== Related Projects ==

* [[OWASP_Project|OWASP Project Repository]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]

| style="padding-left:25px;width:200px;" valign="top" |

== Collaboration ==
[https://owasp.slack.com The OWASP Slack Channel]

Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.

== Quick Download ==
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]

[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]

[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]

[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]

[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]

[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]

[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]

[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]

[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]

== News and Events ==
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]
* Added a [https://owasp-iot-security.slack.com/ Slack channel]
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]
* Migrating the IoT Top Ten to be under the IoT Project
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= IoT Top 10 =
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

== Internet of Things (IoT) Top 10 2018 ==
The OWASP IoT Project is currently reviewing the Top Ten list for 2018. The official launch date is December 2018. Provide your insight and expertise by joining the #iot-security channel meetups on Slack.
* I1 Weak Guessable, or Hardcoded Passwords

* I2 Insecure Network Services

* I3 Insecure Ecosystem Interfaces

* I4 Lack of Secure Update Mechanism

* I5 Use of Insecure or Outdated Components

* I6 Insufficient Privacy Protection

* I7 Insecure Data Transfer and Storage

* I8 Lack of Device Management

* I9 Insecure Default Settings

* I10 Lack of Physical Hardening
== Internet of Things (IoT) Top 10 2014 ==
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]

= IoT Attack Surface Areas =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Attack Surface Areas Project ==

The OWASP IoT Attack Surface Areas (DRAFT) are as follows:

{| class="wikitable" style="text-align: left" border="1"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
** UART (Serial)
** JTAG / SWD
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
** Verify for old sw versions and possible attacks (Heartbleed, Shellshock, old PHP versions etc)
* Security related function API exposure
* Firmware downgrade possibility
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Firmware loaded over insecure channel (no TLS)
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Check for insecure direct object references
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|

* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Privacy'''
|
* User data disclosure
* User/device location disclosure
* Differential privacy
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damage (Physicall)

|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the IoT Attack Surface Areas Project? ==

The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://owasp.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Vulnerabilities Project ==

{| class="wikitable" style="text-align: left" border="1"
! Vulnerability
! Attack Surface
! Summary
|-
| '''Username Enumeration'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to collect a set of valid usernames by interacting with the authentication mechanism
|-
| '''Weak Passwords'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to set account passwords to '1234' or '123456' for example.
* Usage of pre-programmed default passwords
|-
| '''Account Lockout'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts
|-
| '''Unencrypted Services'''
|
* Device Network Services
|
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers
|-
| '''Two-factor Authentication'''
|
* Administrative Interface
* Cloud Web Interface
* Mobile Application
|
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
|-
| '''Poorly Implemented Encryption'''
|
* Device Network Services
|
* Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
|-
| '''Update Sent Without Encryption'''
|
* Update Mechanism
|
* Updates are transmitted over the network without using TLS or encrypting the update file itself
|-
| '''Update Location Writable'''
|
* Update Mechanism
|
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
|-
| '''Denial of Service'''
|
* Device Network Services
|
* Service can be attacked in a way that denies service to that service or the entire device
|-
| '''Removal of Storage Media'''
|
* Device Physical Interfaces
|
* Ability to physically remove the storage media from the device
|-
| '''No Manual Update Mechanism'''
|
* Update Mechanism
|
* No ability to manually force an update check for the device
|-
| '''Missing Update Mechanism'''
|
* Update Mechanism
|
* No ability to update device
|-
| '''Firmware Version Display and/or Last Update Date'''
|
* Device Firmware
|
* Current firmware version is not displayed and/or the last update date is not displayed
|-
| '''Firmware and storage extraction'''
|
* JTAG / SWD interface
* [https://www.flashrom.org/Flashrom In-Situ dumping]
* Intercepting a OTA update
* Downloading from the manufacturers web page
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]
* Unsoldering the SPI Flash / eMMC chip and reading it in a adapter
|
* Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc.
|-
| '''Manipulating the code execution flow of the device'''
|
* JTAG / SWD interface
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]
|
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device
|-
| '''Obtaining console access'''
|
* Serial interfaces (SPI / UART)
|
* By connecting to a serial interface, we will obtain full console access to a device
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.
|-
| '''Insecure 3rd party components'''
|
* Software
|
* Out of date versions of busybox, openssl, ssh, web servers, etc.
|-

|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the IoT Vulnerabilities Project? ==

The IoT Vulnerabilities Project provides:

* Information on the top IoT vulnerabilities
* The attack surface associated with the vulnerability
* A summary of the vulnerability

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Medical Devices =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Medical Device Testing ==

The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.

{| class="wikitable" style="text-align: left" border="1"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''HL7'''
|
* XML Parsing
** XSS
* Information Disclosure
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Data Flow'''
|
* What data is being captured?
* How does it move within the ecosystem?
* How is it protected in transit?
* How is it protected at rest?
* Who is that data shared with?
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)
* Failure state analysis
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the Medical Attack Surfaces project? ==

The Medical Attack Surfaces project provides:

* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment
* Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.

|}

= Firmware Analysis =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Firmware Analysis Project ==

The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":

{| class="wikitable" style="text-align: left" border="1"
! Section
!
|-
|
Device Firmware Vulnerabilities
|
* Out-of-date core components
* Unsupported core components
* Expired and/or self-signed certificates
* Same certificate used on multiple devices
* Admin web interface concerns
* Hardcoded or easy to guess credentials
* Sensitive information disclosure
* Sensitive URL disclosure
* Encryption key exposure
* Backdoor accounts
* Vulnerable services (web, ssh, tftp, etc.)
|-
|
Manufacturer Recommendations
|
* Ensure that supported and up-to-date software is used by developers
* Ensure that robust update mechanisms are in place for devices
* Ensure that certificates are not duplicated across devices and product lines.
* Ensure supported and up-to-date software is used by developers
* Develop a mechanism to ensure a new certificate is installed when old ones expire
* Disable deprecated SSL versions
* Ensure developers do not code in easy to guess or common admin passwords
* Ensure services such as SSH have a secure password created
* Develop a mechanism that requires the user to create a secure admin password during initial device setup
* Ensure developers do not hard code passwords or hashes
* Have source code reviewed by a third party before releasing device to production
* Ensure industry standard encryption or strong hashing is used
|-
|
Device Firmware Guidance and Instruction
|
* Firmware file analysis
* Firmware extraction
* Dynamic binary analysis
* Static binary analysis
* Static code analysis
* Firmware emulation
* File system analysis
|-
|
Device Firmware Tools
|
* [https://github.com/craigz28/firmwalker Firmwalker]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://github.com/angr/angr Angr binary analysis framework]
* [http://binwalk.org/ Binwalk firmware analysis tool]
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]
* [https://github.com/firmadyne/firmadyne Firmadyne]
|-
|
Vulnerable Firmware
|
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the Firmware Analysis Project? ==

The Firmware Analysis Project provides:

* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface
* Steps for extracting file systems from various firmware files
* Guidance on searching a file systems for sensitive of interesting data
* Information on static analysis of firmware contents
* Information on dynamic analysis of emulated services (e.g. web admin interface)
* Testing tool links
* A site for pulling together existing information on firmware analysis

== Project Leaders ==

* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Coming Soon

|}

= IoT Event Logging Project=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Logging Events==

This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.

{| class="wikitable" style="text-align: left" border="1"
! Event Category
! Events
|-
| '''Request Exceptions'''
|
* Attempt to Invoke Unsupported HTTP Method
* Unexpected Quantity of Characters in Parameter
* Unexpected Type of Characters in Parameter
|-
| '''Authentication Exceptions'''
|
* Multiple Failed Passwords
* High Rate of Login Attempts
* Additional POST Variable
* Deviation from Normal GEO Location
|-
| '''Session Exceptions'''
|
* Modifying the Existing Cookie
* Substituting Another User's Valid SessionID or Cookie
* Source Location Changes During Session
|-
| '''Access Control Exceptions'''
|
* Modifying URL Argument Within a GET for Direct Object Access Attempt
* Modifying Parameter Within a POST for Direct Object Access Attempt
* Forced Browsing Attempt
|-
| '''Ecosystem Membership Exceptions'''
|
* Traffic Seen from Disenrolled System
* Traffic Seen from Unenrolled System
* Failed Attempt to Enroll in Ecosystem
* Multiple Attempts to Enroll in Ecosystem
|-
| '''Device Access Events'''
|
* Device Case Tampering Detected
* Device Logic Board Tampering Detected
|-
| '''Administrative Mode Events'''
|
* Device Entered Administrative Mode
* Device Accessed Using Default Administrative Credentials
|-
| '''Input Exceptions'''
|
* Double Encoded Character
* Unexpected Encoding Used
|-
| '''Command Injection Exceptions'''
|
* Blacklist Inspection for Common SQL Injection Values
* Abnormal Quantity of Returned Records
|-
| '''Honey Trap Exceptions'''
|
* Honey Trap Resource Requested
* Honey Trap Data Used
|-
| '''Reputation Exceptions'''
|
* Suspicious or Disallowed User Source Location

|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |

== What is the IoT Security Logging Project? ==

The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= ICS/SCADA =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== ICS/SCADA Project ==

The OWASP ICS/SCADA Top 10 software weaknesses are as follows:

{| class="wikitable" style="text-align: left" border="1"
! Rank and ID
! Title
|-
| '''1 - CWE-119'''
|
* Improper Restriction of Operations within the Bounds of a Memory Buffer
|-
| '''2 - CWE-20'''
|
* Improper Input Validation
|-
| '''3 - CWE-22'''
|
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|-
| '''4 - CWE-264'''
|
* Permissions, Privileges, and Access Controls
|-
| '''5 - CWE-200'''
|
* Information Exposure
|-
| '''6 - CWE-255'''
|
* Credentials Management
|-
| '''7 - CWE-287'''
|
* Improper Authentication
|-
| '''8 - CWE-399'''
|
* Resource Management Errors
|-
| '''9 - CWE-79'''
|
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
|-
| '''10 - CWE-189'''
|
* Numeric Errors
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the ICS/SCADA Project? ==

The ICS/SCADA Project provides:

* A list of the Top 10 most dangerous software weaknesses

== Project Leaders ==

* NJ Ouchn

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure

[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/iot-this-week/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP SecLists Project

2018-06-13T11:39:20Z

Daniel Miessler: /* Main */

=Main=
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

=OWASP SecLists=

==About==
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

[https://github.com/danielmiessler/SecLists SecLists GitHub Repository]

==Licensing==
This project is licensed under the MIT license.

==Quick Download==
[https://github.com/danielmiessler/SecLists/archive/master.zip Download SecLists]

==Change Log==
* [https://github.com/danielmiessler/SecLists/releases SecLists (Releases)]
* [https://github.com/danielmiessler/SecLists/commits SecLists (Commits)]

==Code Repo==
* [https://github.com/danielmiessler/SecLists SecLists]

==Email List/Feedback/Log issues==
Questions? Problem? Please ask on the [https://github.com/danielmiessler/SecLists/issues GitHub Issue page]

==Feature Requests/Development==
* Have an idea of something to include? Please create a new requests (as enhancement) here: https://github.com/danielmiessler/SecLists/issues
* ...Better yet, open up a new pull request here: https://github.com/danielmiessler/SecLists/pulls (Note: We highly encourage you to include the source)

==Project Leaders==
Daniel Miessler ([https://twitter.com/danielmiessler @DanielMiessler]) and Jason Haddix ([https://twitter.com/Jhaddix @Jhaddix])

=Project About=
{{:Projects/OWASP_SecLists_Project}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Breakers]]
[[Category:OWASP_Document]]

OWASP Internet of Things Project

2018-03-09T16:27:17Z

Daniel Miessler: Updated slack information.

= Main =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==OWASP Internet of Things (IoT) Project==

Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

[[File:iot-project.png|400px|thumb|center]]

==Licensing==
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the OWASP Internet of Things Project? ==

The OWASP Internet of Things Project provides information on:

* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]
* IoT Vulnerabilities
* Firmware Analysis
* ICS/SCADA Software Weaknesses
* Community Information
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]
* Developer, Consumer and Manufacturer Guidance
* Design Principles

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Contributors ==
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]
* Saša Zdjelar

== Related Projects ==

* [[OWASP_Project|OWASP Project Repository]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_.NET_Project|OWASP .NET]]
* [[Java|OWASP Java and JVM]]
* [[C/C++|OWASP C/C++]]

| style="padding-left:25px;width:200px;" valign="top" |

== Collaboration ==
[https://owasp-iot-security.slack.com The OWASP Slack Channel]

Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.

== Quick Download ==
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]

[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]

[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]

[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]

[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]

[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]

[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]

[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]

== News and Events ==
* Added a [https://owasp-iot-security.slack.com/ Slack channel]
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]
* Migrating the IoT Top Ten to be under the IoT Project
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= IoT Attack Surface Areas =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Attack Surface Areas Project ==

The OWASP IoT Attack Surface Areas (DRAFT) are as follows:

{| class="wikitable" style="text-align: left" border="1"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
** UART (Serial)
** JTAG / SWD
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
** Verify for old sw versions and possible attacks (Heartbleed, Shellshock, old PHP versions etc)
* Security related function API exposure
* Firmware downgrade possibility
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Firmware loaded over insecure channel (no TLS)
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Check for insecure direct object references
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|

* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Privacy'''
|
* User data disclosure
* User/device location disclosure
* Differential privacy
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damage (Physicall)

|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the IoT Attack Surface Areas Project? ==

The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://owasp.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Vulnerabilities Project ==

{| class="wikitable" style="text-align: left" border="1"
! Vulnerability
! Attack Surface
! Summary
|-
| '''Username Enumeration'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to collect a set of valid usernames by interacting with the authentication mechanism
|-
| '''Weak Passwords'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to set account passwords to '1234' or '123456' for example.
* Usage of pre-programmed default passwords
|-
| '''Account Lockout'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts
|-
| '''Unencrypted Services'''
|
* Device Network Services
|
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers
|-
| '''Two-factor Authentication'''
|
* Administrative Interface
* Cloud Web Interface
* Mobile Application
|
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
|-
| '''Poorly Implemented Encryption'''
|
* Device Network Services
|
* Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
|-
| '''Update Sent Without Encryption'''
|
* Update Mechanism
|
* Updates are transmitted over the network without using TLS or encrypting the update file itself
|-
| '''Update Location Writable'''
|
* Update Mechanism
|
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
|-
| '''Denial of Service'''
|
* Device Network Services
|
* Service can be attacked in a way that denies service to that service or the entire device
|-
| '''Removal of Storage Media'''
|
* Device Physical Interfaces
|
* Ability to physically remove the storage media from the device
|-
| '''No Manual Update Mechanism'''
|
* Update Mechanism
|
* No ability to manually force an update check for the device
|-
| '''Missing Update Mechanism'''
|
* Update Mechanism
|
* No ability to update device
|-
| '''Firmware Version Display and/or Last Update Date'''
|
* Device Firmware
|
* Current firmware version is not displayed and/or the last update date is not displayed
|-
| '''Firmware and storage extraction'''
|
* JTAG / SWD interface
* [https://www.flashrom.org/Flashrom In-Situ dumping]
* Intercepting a OTA update
* Downloading from the manufacturers web page
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]
* Unsoldering the SPI Flash / eMMC chip and reading it in a adapter
|
* Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc.
|-
| '''Manipulating the code execution flow of the device'''
|
* JTAG / SWD interface
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]
|
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device
|-
| '''Obtaining console access'''
|
* Serial interfaces (SPI / UART)
|
* By connecting to a serial interface, we will obtain full console access to a device
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.
|-
| '''Insecure 3rd party components'''
|
* Software
|
* Out of date versions of busybox, openssl, ssh, web servers, etc.
|-

|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the IoT Vulnerabilities Project? ==

The IoT Vulnerabilities Project provides:

* Information on the top IoT vulnerabilities
* The attack surface associated with the vulnerability
* A summary of the vulnerability

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Medical Devices =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Medical Device Testing ==

The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.

{| class="wikitable" style="text-align: left" border="1"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''HL7'''
|
* XML Parsing
** XSS
* Information Disclosure
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Data Flow'''
|
* What data is being captured?
* How does it move within the ecosystem?
* How is it protected in transit?
* How is it protected at rest?
* Who is that data shared with?
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)
* Failure state analysis
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the Medical Attack Surfaces project? ==

The Medical Attack Surfaces project provides:

* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment
* Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.

|}

= Firmware Analysis =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Firmware Analysis Project ==

The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":

{| class="wikitable" style="text-align: left" border="1"
! Section
!
|-
|
Device Firmware Vulnerabilities
|
* Out-of-date core components
* Unsupported core components
* Expired and/or self-signed certificates
* Same certificate used on multiple devices
* Admin web interface concerns
* Hardcoded or easy to guess credentials
* Sensitive information disclosure
* Sensitive URL disclosure
* Encryption key exposure
* Backdoor accounts
* Vulnerable services (web, ssh, tftp, etc.)
|-
|
Manufacturer Recommendations
|
* Ensure that supported and up-to-date software is used by developers
* Ensure that robust update mechanisms are in place for devices
* Ensure that certificates are not duplicated across devices and product lines.
* Ensure supported and up-to-date software is used by developers
* Develop a mechanism to ensure a new certificate is installed when old ones expire
* Disable deprecated SSL versions
* Ensure developers do not code in easy to guess or common admin passwords
* Ensure services such as SSH have a secure password created
* Develop a mechanism that requires the user to create a secure admin password during initial device setup
* Ensure developers do not hard code passwords or hashes
* Have source code reviewed by a third party before releasing device to production
* Ensure industry standard encryption or strong hashing is used
|-
|
Device Firmware Guidance and Instruction
|
* Firmware file analysis
* Firmware extraction
* Dynamic binary analysis
* Static binary analysis
* Static code analysis
* Firmware emulation
* File system analysis
|-
|
Device Firmware Tools
|
* [https://github.com/craigz28/firmwalker Firmwalker]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://github.com/angr/angr Angr binary analysis framework]
* [http://binwalk.org/ Binwalk firmware analysis tool]
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]
* [https://github.com/firmadyne/firmadyne Firmadyne]
|-
|
Vulnerable Firmware
|
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the Firmware Analysis Project? ==

The Firmware Analysis Project provides:

* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface
* Steps for extracting file systems from various firmware files
* Guidance on searching a file systems for sensitive of interesting data
* Information on static analysis of firmware contents
* Information on dynamic analysis of emulated services (e.g. web admin interface)
* Testing tool links
* A site for pulling together existing information on firmware analysis

== Project Leaders ==

* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Coming Soon

|}

= IoT Event Logging Project=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Logging Events==

This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.

{| class="wikitable" style="text-align: left" border="1"
! Event Category
! Events
|-
| '''Request Exceptions'''
|
* Attempt to Invoke Unsupported HTTP Method
* Unexpected Quantity of Characters in Parameter
* Unexpected Type of Characters in Parameter
|-
| '''Authentication Exceptions'''
|
* Multiple Failed Passwords
* High Rate of Login Attempts
* Additional POST Variable
* Deviation from Normal GEO Location
|-
| '''Session Exceptions'''
|
* Modifying the Existing Cookie
* Substituting Another User's Valid SessionID or Cookie
* Source Location Changes During Session
|-
| '''Access Control Exceptions'''
|
* Modifying URL Argument Within a GET for Direct Object Access Attempt
* Modifying Parameter Within a POST for Direct Object Access Attempt
* Forced Browsing Attempt
|-
| '''Ecosystem Membership Exceptions'''
|
* Traffic Seen from Disenrolled System
* Traffic Seen from Unenrolled System
* Failed Attempt to Enroll in Ecosystem
* Multiple Attempts to Enroll in Ecosystem
|-
| '''Device Access Events'''
|
* Device Case Tampering Detected
* Device Logic Board Tampering Detected
|-
| '''Administrative Mode Events'''
|
* Device Entered Administrative Mode
* Device Accessed Using Default Administrative Credentials
|-
| '''Input Exceptions'''
|
* Double Encoded Character
* Unexpected Encoding Used
|-
| '''Command Injection Exceptions'''
|
* Blacklist Inspection for Common SQL Injection Values
* Abnormal Quantity of Returned Records
|-
| '''Honey Trap Exceptions'''
|
* Honey Trap Resource Requested
* Honey Trap Data Used
|-
| '''Reputation Exceptions'''
|
* Suspicious or Disallowed User Source Location

|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |

== What is the IoT Security Logging Project? ==

The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= ICS/SCADA =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== ICS/SCADA Project ==

The OWASP ICS/SCADA Top 10 software weaknesses are as follows:

{| class="wikitable" style="text-align: left" border="1"
! Rank and ID
! Title
|-
| '''1 - CWE-119'''
|
* Improper Restriction of Operations within the Bounds of a Memory Buffer
|-
| '''2 - CWE-20'''
|
* Improper Input Validation
|-
| '''3 - CWE-22'''
|
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|-
| '''4 - CWE-264'''
|
* Permissions, Privileges, and Access Controls
|-
| '''5 - CWE-200'''
|
* Information Exposure
|-
| '''6 - CWE-255'''
|
* Credentials Management
|-
| '''7 - CWE-287'''
|
* Improper Authentication
|-
| '''8 - CWE-399'''
|
* Resource Management Errors
|-
| '''9 - CWE-79'''
|
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
|-
| '''10 - CWE-189'''
|
* Numeric Errors
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the ICS/SCADA Project? ==

The ICS/SCADA Project provides:

* A list of the Top 10 most dangerous software weaknesses

== Project Leaders ==

* NJ Ouchn

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Security Policy Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Security Policy Project ==

The OWASP IoT Security Policy Project provides:

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the IoT Security Policies Project? ==

The IoT Security Policy Project provides:

== Project Leaders ==

* Saša Zdjelar

== Related Projects ==

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure

[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/iot-this-week/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Internet of Things Project

2018-03-09T16:25:48Z

Daniel Miessler: /* Related Projects */

= Main =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

==OWASP Internet of Things (IoT) Project==

Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

[[File:iot-project.png|400px|thumb|center]]

==Licensing==
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the OWASP Internet of Things Project? ==

The OWASP Internet of Things Project provides information on:

* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]
* IoT Vulnerabilities
* Firmware Analysis
* ICS/SCADA Software Weaknesses
* Community Information
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]
* Developer, Consumer and Manufacturer Guidance
* Design Principles

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Contributors ==
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]
* Saša Zdjelar

== Related Projects ==

* [[OWASP_Project|OWASP Project Repository]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_.NET_Project|OWASP .NET]]
* [[Java|OWASP Java and JVM]]
* [[C/C++|OWASP C/C++]]

| style="padding-left:25px;width:200px;" valign="top" |

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.


== Quick Download ==
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]

[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]

[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]

[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]

[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]

[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]

[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]

[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]

== News and Events ==
* Added a [https://owasp-iot-security.slack.com/ Slack channel]
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]
* Migrating the IoT Top Ten to be under the IoT Project
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]]
|-
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= IoT Attack Surface Areas =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Attack Surface Areas Project ==

The OWASP IoT Attack Surface Areas (DRAFT) are as follows:

{| class="wikitable" style="text-align: left" border="1"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
** UART (Serial)
** JTAG / SWD
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
** Verify for old sw versions and possible attacks (Heartbleed, Shellshock, old PHP versions etc)
* Security related function API exposure
* Firmware downgrade possibility
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Firmware loaded over insecure channel (no TLS)
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Check for insecure direct object references
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|

* Standard set of web application vulnerabilities, see:
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
** [[:Category:OWASP Testing Project|OWASP Testing guide]]
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Privacy'''
|
* User data disclosure
* User/device location disclosure
* Differential privacy
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damage (Physicall)

|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the IoT Attack Surface Areas Project? ==

The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://owasp.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Vulnerabilities Project ==

{| class="wikitable" style="text-align: left" border="1"
! Vulnerability
! Attack Surface
! Summary
|-
| '''Username Enumeration'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to collect a set of valid usernames by interacting with the authentication mechanism
|-
| '''Weak Passwords'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to set account passwords to '1234' or '123456' for example.
* Usage of pre-programmed default passwords
|-
| '''Account Lockout'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts
|-
| '''Unencrypted Services'''
|
* Device Network Services
|
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers
|-
| '''Two-factor Authentication'''
|
* Administrative Interface
* Cloud Web Interface
* Mobile Application
|
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
|-
| '''Poorly Implemented Encryption'''
|
* Device Network Services
|
* Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
|-
| '''Update Sent Without Encryption'''
|
* Update Mechanism
|
* Updates are transmitted over the network without using TLS or encrypting the update file itself
|-
| '''Update Location Writable'''
|
* Update Mechanism
|
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
|-
| '''Denial of Service'''
|
* Device Network Services
|
* Service can be attacked in a way that denies service to that service or the entire device
|-
| '''Removal of Storage Media'''
|
* Device Physical Interfaces
|
* Ability to physically remove the storage media from the device
|-
| '''No Manual Update Mechanism'''
|
* Update Mechanism
|
* No ability to manually force an update check for the device
|-
| '''Missing Update Mechanism'''
|
* Update Mechanism
|
* No ability to update device
|-
| '''Firmware Version Display and/or Last Update Date'''
|
* Device Firmware
|
* Current firmware version is not displayed and/or the last update date is not displayed
|-
| '''Firmware and storage extraction'''
|
* JTAG / SWD interface
* [https://www.flashrom.org/Flashrom In-Situ dumping]
* Intercepting a OTA update
* Downloading from the manufacturers web page
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]
* Unsoldering the SPI Flash / eMMC chip and reading it in a adapter
|
* Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc.
|-
| '''Manipulating the code execution flow of the device'''
|
* JTAG / SWD interface
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]
|
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device
|-
| '''Obtaining console access'''
|
* Serial interfaces (SPI / UART)
|
* By connecting to a serial interface, we will obtain full console access to a device
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.
|-
| '''Insecure 3rd party components'''
|
* Software
|
* Out of date versions of busybox, openssl, ssh, web servers, etc.
|-

|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the IoT Vulnerabilities Project? ==

The IoT Vulnerabilities Project provides:

* Information on the top IoT vulnerabilities
* The attack surface associated with the vulnerability
* A summary of the vulnerability

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Medical Devices =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Medical Device Testing ==

The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.

{| class="wikitable" style="text-align: left" border="1"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''HL7'''
|
* XML Parsing
** XSS
* Information Disclosure
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Data Flow'''
|
* What data is being captured?
* How does it move within the ecosystem?
* How is it protected in transit?
* How is it protected at rest?
* Who is that data shared with?
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)
* Failure state analysis
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the Medical Attack Surfaces project? ==

The Medical Attack Surfaces project provides:

* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment
* Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.

|}

= Firmware Analysis =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== Firmware Analysis Project ==

The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":

{| class="wikitable" style="text-align: left" border="1"
! Section
!
|-
|
Device Firmware Vulnerabilities
|
* Out-of-date core components
* Unsupported core components
* Expired and/or self-signed certificates
* Same certificate used on multiple devices
* Admin web interface concerns
* Hardcoded or easy to guess credentials
* Sensitive information disclosure
* Sensitive URL disclosure
* Encryption key exposure
* Backdoor accounts
* Vulnerable services (web, ssh, tftp, etc.)
|-
|
Manufacturer Recommendations
|
* Ensure that supported and up-to-date software is used by developers
* Ensure that robust update mechanisms are in place for devices
* Ensure that certificates are not duplicated across devices and product lines.
* Ensure supported and up-to-date software is used by developers
* Develop a mechanism to ensure a new certificate is installed when old ones expire
* Disable deprecated SSL versions
* Ensure developers do not code in easy to guess or common admin passwords
* Ensure services such as SSH have a secure password created
* Develop a mechanism that requires the user to create a secure admin password during initial device setup
* Ensure developers do not hard code passwords or hashes
* Have source code reviewed by a third party before releasing device to production
* Ensure industry standard encryption or strong hashing is used
|-
|
Device Firmware Guidance and Instruction
|
* Firmware file analysis
* Firmware extraction
* Dynamic binary analysis
* Static binary analysis
* Static code analysis
* Firmware emulation
* File system analysis
|-
|
Device Firmware Tools
|
* [https://github.com/craigz28/firmwalker Firmwalker]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://github.com/angr/angr Angr binary analysis framework]
* [http://binwalk.org/ Binwalk firmware analysis tool]
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]
* [https://github.com/firmadyne/firmadyne Firmadyne]
|-
|
Vulnerable Firmware
|
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the Firmware Analysis Project? ==

The Firmware Analysis Project provides:

* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface
* Steps for extracting file systems from various firmware files
* Guidance on searching a file systems for sensitive of interesting data
* Information on static analysis of firmware contents
* Information on dynamic analysis of emulated services (e.g. web admin interface)
* Testing tool links
* A site for pulling together existing information on firmware analysis

== Project Leaders ==

* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Coming Soon

|}

= IoT Event Logging Project=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Logging Events==

This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.

{| class="wikitable" style="text-align: left" border="1"
! Event Category
! Events
|-
| '''Request Exceptions'''
|
* Attempt to Invoke Unsupported HTTP Method
* Unexpected Quantity of Characters in Parameter
* Unexpected Type of Characters in Parameter
|-
| '''Authentication Exceptions'''
|
* Multiple Failed Passwords
* High Rate of Login Attempts
* Additional POST Variable
* Deviation from Normal GEO Location
|-
| '''Session Exceptions'''
|
* Modifying the Existing Cookie
* Substituting Another User's Valid SessionID or Cookie
* Source Location Changes During Session
|-
| '''Access Control Exceptions'''
|
* Modifying URL Argument Within a GET for Direct Object Access Attempt
* Modifying Parameter Within a POST for Direct Object Access Attempt
* Forced Browsing Attempt
|-
| '''Ecosystem Membership Exceptions'''
|
* Traffic Seen from Disenrolled System
* Traffic Seen from Unenrolled System
* Failed Attempt to Enroll in Ecosystem
* Multiple Attempts to Enroll in Ecosystem
|-
| '''Device Access Events'''
|
* Device Case Tampering Detected
* Device Logic Board Tampering Detected
|-
| '''Administrative Mode Events'''
|
* Device Entered Administrative Mode
* Device Accessed Using Default Administrative Credentials
|-
| '''Input Exceptions'''
|
* Double Encoded Character
* Unexpected Encoding Used
|-
| '''Command Injection Exceptions'''
|
* Blacklist Inspection for Common SQL Injection Values
* Abnormal Quantity of Returned Records
|-
| '''Honey Trap Exceptions'''
|
* Honey Trap Resource Requested
* Honey Trap Data Used
|-
| '''Reputation Exceptions'''
|
* Suspicious or Disallowed User Source Location

|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |

== What is the IoT Security Logging Project? ==

The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= ICS/SCADA =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== ICS/SCADA Project ==

The OWASP ICS/SCADA Top 10 software weaknesses are as follows:

{| class="wikitable" style="text-align: left" border="1"
! Rank and ID
! Title
|-
| '''1 - CWE-119'''
|
* Improper Restriction of Operations within the Bounds of a Memory Buffer
|-
| '''2 - CWE-20'''
|
* Improper Input Validation
|-
| '''3 - CWE-22'''
|
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|-
| '''4 - CWE-264'''
|
* Permissions, Privileges, and Access Controls
|-
| '''5 - CWE-200'''
|
* Information Exposure
|-
| '''6 - CWE-255'''
|
* Credentials Management
|-
| '''7 - CWE-287'''
|
* Improper Authentication
|-
| '''8 - CWE-399'''
|
* Resource Management Errors
|-
| '''9 - CWE-79'''
|
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
|-
| '''10 - CWE-189'''
|
* Numeric Errors
|-
|}

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the ICS/SCADA Project? ==

The ICS/SCADA Project provides:

* A list of the Top 10 most dangerous software weaknesses

== Project Leaders ==

* NJ Ouchn

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Security Policy Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== IoT Security Policy Project ==

The OWASP IoT Security Policy Project provides:

{{Social Media Links}}

| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |

== What is the IoT Security Policies Project? ==

The IoT Security Policy Project provides:

== Project Leaders ==

* Saša Zdjelar

== Related Projects ==

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure

[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/iot-this-week/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

User:DanielMiessler

2017-07-14T13:25:09Z

Daniel Miessler:

User:DanielMiessler

2017-07-14T13:24:04Z

Daniel Miessler: /* Online Presence */

[[File:Daniel Miessler 2016.png|thumb]]

= Daniel Miessler =
Daniel is the Director of Advisory Services at IOActive, and is the leader of the [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project OWASP IoT Security Project] and a leader on the [https://www.owasp.org/index.php/OWASP_Game_Security_Framework_Project OWASP Game Security Framework Project].

=== OWASP Work ===
* Involved in OWASP for over 7 years
* Have lead multiple projects, including the OWASP Mobile Security Project, the Internet of Things Security Project, and the Game Security Project
* Regularly speak on Application Security at various conferences, including AppSec Cali in Santa Monica, CA

=== Writing ===
* Writing at [https://danielmiessler.com/ danielmiessler.com] about information security, with particular focus on application security, since 1999.
* Featured in hundreds of articles, including for the BBC, Wall Street Journal, Forbes, Information Week, CSO, Fortune, Dark Reading, Threatpost, CNet, and many more.
* Recently authored [https://www.amazon.com/Real-Internet-Things-Daniel-Miessler-ebook/dp/B01NCLUA5T/ref=asap_bc?ie=UTF8 The Real Internet of Things], published in January of 2017.

=== Podcast ===
* Produces the [https://danielmiessler.com/podcast/ Unsupervised Learning] podcast and newsletter, which has been voted one of the top three security podcasts multiple times.

=== Professional Profile ===
Daniel Miessler is the Director of Advisory Services at IOActive and has 17 years of experience in information security. His background is in technical security testing and enterprise defense, including network, web, application, mobile, IoT testing, and adversary-based risk management.

=== Online Presence ===
* [https://www.linkedin.com/in/danielmiessler/ Linkedin]
* [https://www.slideshare.net/danielmiessler/ Slideshare]
* [https://twitter.com/danielmiessler Twitter]
* [https://github.com/danielmiessler Github]

User:DanielMiessler

2017-07-14T13:23:26Z

Daniel Miessler:

[[File:Daniel Miessler 2016.png|thumb]]

= Daniel Miessler =
Daniel is the Director of Advisory Services at IOActive, and is the leader of the [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project OWASP IoT Security Project] and a leader on the [https://www.owasp.org/index.php/OWASP_Game_Security_Framework_Project OWASP Game Security Framework Project].

=== OWASP Work ===
* Involved in OWASP for over 7 years
* Have lead multiple projects, including the OWASP Mobile Security Project, the Internet of Things Security Project, and the Game Security Project
* Regularly speak on Application Security at various conferences, including AppSec Cali in Santa Monica, CA

=== Writing ===
* Writing at [https://danielmiessler.com/ danielmiessler.com] about information security, with particular focus on application security, since 1999.
* Featured in hundreds of articles, including for the BBC, Wall Street Journal, Forbes, Information Week, CSO, Fortune, Dark Reading, Threatpost, CNet, and many more.
* Recently authored [https://www.amazon.com/Real-Internet-Things-Daniel-Miessler-ebook/dp/B01NCLUA5T/ref=asap_bc?ie=UTF8 The Real Internet of Things], published in January of 2017.

=== Podcast ===
* Produces the [https://danielmiessler.com/podcast/ Unsupervised Learning] podcast and newsletter, which has been voted one of the top three security podcasts multiple times.

=== Professional Profile ===
Daniel Miessler is the Director of Advisory Services at IOActive and has 17 years of experience in information security. His background is in technical security testing and enterprise defense, including network, web, application, mobile, IoT testing, and adversary-based risk management.

=== Online Presence ===
* [http://linkd.in/danielmiessler Linkedin]
* [https://www.slideshare.net/danielmiessler/ Slideshare]
* [https://twitter.com/danielmiessler Twitter]
* [https://github.com/danielmiessler Github]

WASPY Awards 2017

2017-07-14T13:09:13Z

Daniel Miessler:

[[File:WASPY 2017 Banner.jpg]]

==Purpose of the Awards==

Each year there are many individuals who do amazing work, dedicating countless hours to share, improve, and strengthen the OWASP mission. Some of these individuals are well known to the community while others are not.

'''The purpose of these awards is to bring recognition to those who "FLY UNDER THE RADAR". These are the individuals who are passionate about OWASP, who contribute hours of their own free time to the organization to help improve the cyber-security world, yet seem to go unrecognized.'''

==Timeline==
Call for Nominees Opens June 7, 2017

Call for Nominees Closes June 30, 2017 - CLOSED

Announcement of Nominees per Category July 5, 2017 - DONE

Deadline for Nominee Profile Picture and Bio to be created and added to the Nominees section July 10, 2017

Voting for Board & Staff Members Opens July 17, 2017

Voting for Board & Staff Members Closes July 24, 2017

Winners are Notified July 25, 2017

Announcement of Winners to the Community July 25, 2017

Award Ceremony at AppSecUSA 2017 in Orlando, FL September 21-22, 2017

==Categories==
The WASPYs celebrate the actors in our community who grow OWASP and drive innovation to the safety and security of the world’s software. This year we are excited to offer three categories.
<br>

'''Best Community Supporter''' - The WASPY for COMMUNITY honors members who create dynamic INTERACTION and LEARNING opportunities for the OWASP Community. Nominees to the Community WASPY Award create collaborative and inclusive environments and grow the OWASP Community. WASPYs focus on the unsung heros of the OWASP community. Chapter Leaders and Community Members should especially consider leaders and volunteers who bring something extra to the environment, help the chapter reach out to new attendees, or carry out the tedious and repetitive tasks that make growing an OWASP Chapter possible.
<br>

'''Best Mission Outreach''' - The WASPY for Mission Outreach honors community members who help the community GROW. Growth can happen inside the larger OWASP community or outside it in the broader AppSec and development communities. Leaders and Members should especially consider volunteers who pushed the boundaries of the audience and reach of OWASP to provide new exposure for OWASP’s projects and chapters. New leaders and volunteers who help bring more people to your chapter, project, or actively represent OWASP at non-OWASP events, gatherings, and activities to build an active OWASP community are ideal candidates for the Mission Outreach WASPY award.
<br>

'''Best Innovator''' - The WASPY for Innovation is given to a community member who has contributed to the TECHNICAL advancement of OWASP in the past year. This advancement is usually through an [[:Category:OWASP Project|OWASP Project]] and can be in the form of code, an application, or anything that materially makes the AppSec community better in a unique way. WASPYs focus on the unsung heros of the OWASP community who quietly go about making the world a bit better for their work. Project Leaders and Community Members should especially consider nominating new projects, projects that have recently graduated, and project contributors for this WASPY.

==Rules==
'''Remember the purpose of these awards is to recognize the UNSUNG HEROS out there, that are barely recognized for their contributions to the OWASP Foundation.'''

1. [https://www.owasp.org/index.php/About_OWASP#2015_Global_Board_Members Board members] may not be nominated

2. [https://www.owasp.org/index.php/About_OWASP#Employees_and_Contractors_of_the_OWASP_Foundation Employees & Contractors] may not be nominated

3. All nominees will remain anonymous until July 3, 2017

4. Anyone can nominate an "unsung hero" who has contributed in some way to OWASP who they feel best fits each category

5. You may only nominate one person per category

=='''And the Nominees Are...'''==
{| cellpadding="2" border="1"
! width="150" align="center" scope="col" |Name
! width="800" align="center" scope="col" |Category & Citation
|-
| align="center" |Aatral Arasu
|'''''Best Community Supporter'''''
"A great leader always there to help responds to emails quickly loves his work works very hard every day very supportive never loses focus strong willed very technical and willing to do things himself to get the job done when asked for something he will get it to you ASAP constant learner open to suggestions and ideas on how to be better respectful honest caring and I am certain HRC will make it big very soon :)"
|-
|Sean Auriti
|'''''Best Community Supporter'''''
"Sean has not only worked as a volunteer in the local chapter building community, his code projects are useful to the mission and his outreach efforts have included funding requests for OWASP Foundation to grow its mission. Sean is a great example of a community member."
|-
|Nicole Becher
|<nowiki/>'''''Best Community Supporter'''''

"Nicole has been an amazing chapter leader. She brings knowledge and experience teaching cybersecurity to the Mentor Initiative, WIA Committee, and projects."
|-
|Ken Belva
|<nowiki/>'''''Best Community Supporter'''''

"Ken is a long time chapter leader of the NYC chapter and a former chapter leader of the Brooklyn Chapter. Ken is always willing to step in and volunteer to help with OWASP initiatives and is a frequent participant in OWASP events as both a volunteer and speaker. Ken has spoken at AppSec USA on XSS techniques (<nowiki>https://www.youtube.com/watch?v=G539NwvpL3I</nowiki>) and is the project lead for the Basic Expression and Lexicon Variation Algorithms project (<nowiki>https://www.owasp.org/index.php/OWASP_Basic_Expression_%26_Lexicon_Variation_Algorithms_(BELVA)_Project)</nowiki>."
|-
|Tony Clarke
|<nowiki/>'''''Best Community Supporter'''''
"Tony has selflessly brought the OWASP dublin chapter to great nights. He has nurtured the chapter to be inclusive and open whilst growing the average attendee count to hundreds. He has spread the word across both security industry and developer industry and has also managed to get various organisations to work together such as ISACA, IISF, ISSA and ISC2. He is a great leader and despite detractors has built the chapter and awareness of software security issues in a strong vendor neutral manner to a great place. Tony is a great example of OWASP and industry leadership."
|-
|Dinis Cruz
|<nowiki/>'''''Best Community Supporter'''''
"Diniz is a fantastic innovator and motivator. As the mastermind and organizer behind the OWASP Summit he has managed to re-energize the OWASP community - many interesting projects would not have happened (or at least, not been that successful) without his passionate work. Besides organizing the event, he also consistently supported project leaders with his experience and ideas."

'''2nd Citation:''' Dinis put ridiculous effort (<nowiki>https://github.com/OWASP/owasp-summit-2017/commits?author=DinisCruz</nowiki>) into the OWASP Summit 2017 and didn't tire promoting this event!
|-
|[[User:Dune73|Christian Folini]]
|'''''Best Community Supporter'''''

"Christian Folini is very active in the Core Rule Set project community. He responds to a ton of questions submitted by newcomers when they are stuck and he answers expert level questions with stunning detail. He joined Chaim and Walter when they revived the project in 2016 and I heard he had the idea for the famous CRS3 release poster <nowiki>https://modsecurity.org/crs/poster</nowiki> that was shared all over the net. I think it's people like him that give OWASP a human face."
|-
|[[User:Fuentes.joaquin|Joaquin Fuentes]]
|'''''Best Community Supporter'''''
"In 2015, Joaquin took it upon himself to revive the OWASP Phoenix Chapter. He created a meet-up group to gain broader visibility. Since 2015, the meeting attendance has grown from an average of 15 attendees to over 60! Joaquin dedicates a lot of time and effort into scheduling an impressive variety of presentation topics including safe hacking, vulnerability scanner deep dives, hands on web exploitation CTF, video game hacking and more. I learn something new and cool at every event.

More importantly, Joaquin works hard to foster a friendly, inclusive environment. During our hands-on web exploitation session, Joaquin recruited co-works to assist participants with the Security Shephard challenges so no one felt overwhelmed or impossibly stuck. He always takes the time meet and welcome new members. For example, my 17-year-old son attends meetings with me. He looks up to Joaquin as a mentor for a future information security career because Joaquin encourages his learning and offers career guidance.

I highly recommend Joaquin for a WASPY award!! He is a kind, soft spoken person with a passion for sharing information security and helping others!"

'''2nd Citation:''' "He resurrected the Phoenix chapter and has kept it going with great content."

'''3rd Citation:''' "For all he has done to build up the Phoenix OWASP community. Prior to Joaquin taking point the community in Phoenix was dead. Meetings weren't happening on a regular basis. The prior leaders had done a great job but I think they had burnt out. Joaquin started the community back up and got corporate support from his employer to facilitate not only regular meetings but great meetings with great content. He also implemented MeetUp. I'm not a consistent attendee because of my work/life schedule but I always know when the meetings are happening and what the subject matter will be because of Joaquin utilizing MeetUp."

'''4th Citation:''' "Put simply, due to the efforts of Joaquin Fuentes, the Phoenix chapter has risen from the ashes (some pun intended). Before Joaquin took over the chapter there were consistently between 5-10 persons in attendance, Joaquin himself being one of them, and the chapter only met about every 3 months or so. Since Joaquin took over the chapter, we have had fantastic presenters each month, paid for dinners, along with a collaborative, comfortable, and engaging environment to meet in. Even more impressive the attendance has grown to 60+ consistently. Joaquin isn't even done yet! He is more great ideas and plans for the chapter that will undoubtedly contribute to the continued growth and over all quality of this once fallen chapter. When he speaks of where this chapter has come from and his plans for the future, it is undeniable to all that he does so with the passion that a leader must possess to accomplish that which Joaquin has."

'''5th Citation:''' "I am sure someone else will write in with Joaquin's email, but I felt the need to second his name on the list. The events he puts together are top notch, have excellent speakers, always have things to eat, and are generally excellent. I almost never miss them. He is actually so gracious about the entire chapter that I am sure he does not get the credit he deserves... the whole show is put on by just him, I think. Yay Joaquin!"

'''6th Citation:''' "A few years ago, the Phoenix (AZ) OWASP group was basically defunct. As the leader of the Phoenix OWASP group, not only has Joaquin helped to resurrect the group, but we've had great presentations on reverse engineering, secure coding, a hands-on CTF contest with Security Shepherd, etc. Joaquin is a very visible member of the security community being an employee at Early Warning, which not only hosts the OWASP meetings, but also is a sponsor and makes a strong showing at CactusCon every year, the biggest security conference in Arizona.

Our local OWASP group is not strong, going from being non-existent a few years ago to now getting a regular attendance of 40-80 people. I've gotten to know Joaquin through OWASP meetings and other security events in the area I have crossed paths with him, and he is a fine representative and evangelist for the OWASP organization."

'''7th Citation:''' "Joaquin is the Phoenix OWASP Chapter leader and regularly plans amazing talks with great speakers for the Phoenix Community. Frequently, the Phoenix OWASP talks will have over 50 attendees which Joaquin manages without a problem! Joaquin also pushes for candidates he is interviewing to be familiar with OWASP before their interview."

'''8th Citation:''' "Joaquin is the leader for the Phoenix OWASP, and it is clear that through his leadership the Phoenix OWASP thrives. Joaquin organizes all the meetings, and is constantly working with folks to create an excellent sense of community in the Phoenix area."

'''9th Citation:''' "Joaquin has taken the Phoenix OWASP chapter that had not been managed for years and brought it back to life. We consistently see 50+ members coming to our Meetups to talk about AppSec related topics. Joaquin is well connected to the InfoSec groups and has had great success in pulling in new speakers, we have already had a few speakers who are prepping their BlackHat and DefCon talks by giving their presentations to our local chapter. Finally Joaquin does a great job by reaching out to the local colleges and supporting CTF activities to garner interest in pen-testing and the OWASP community. He is a true community supporter and fully deserves a WASPY for his efforts..."

'''10th Citation:''' "Joaquin has been leading the OWASP Phoenix chapter and due to his initiative, has placed Phoenix on the map as a hub for application security. I would like to nominate him because he is always bringing in new and interesting speakers that provide great content. The most recent OWASP chapter meeting had over 60 attendees!"

'''11th Citation:''' "As a leader of Phoenix OWASP chapter, Joaquin strives to organize talks and trainings to make people in the valley learn InfoSec and AppSec from experienced individuals. He has always gone a step ahead to conduct OWASP meetings that are informative and hands on. Right from giving Arizona State University (ASU) students an overview of basic InfoSec and career opportunities to organizing a hands on hacking workshop for people in the community, Joaquin has always demonstrated passion and determination to take Phoenix to a better place in the field of Cyber Security."

'''12th Citation:''' "I've attended and participated in three OWASP meetings lead by Joaquin. They are always well organized, offer a great learning experience and considerably contribute to the community. His continuous interest and dedication to the Phoenix chapter do not go unnoticed and are appreciated by all who attend."

'''13th Citation:''' "Joaquin restarted the OWASP chapter in Phoenix/Scottsdale. Chapter meetings have grown significantly to where there were about 65 attendees at the most recent meeting with hundreds more on the mailing list (I was at the meeting, but I've only heard about the mailing list). As someone who works with him, I know how dedicated he is to the work of IT security and he's been able to attract top-notch speakers for OWASP meetings.'

'''14th Citation:''' "Joaquin had successfully revived the Phoenix OWASP Chapter. Since, the chapter has excelled from zero to filled audience bringing security talent from all around to speak and educate to security professionals on the many facets of security domains.

Additionally, this has provided a great forum to network with the many security professionals around the community and share their knowledge and strengthen the security community.

Joaquin has provided his unselfish time as an OWASP Chapter leader, and has breathed new life into the Chapter."

'''15th Citation:''' "Joaquin does a bang up job of running the Phoenix OWASP chapter. He does a great job of raising awareness and bringing folks from the infosec community into the fold."

'''16th Citation:''' "Joaquin Fuentes has had a big impact in raising attendance at the Phoenix meetings to more than 100 people monthly. The quality has gotten significantly better under his leadership. He has organized many speakers, including recruiting speakers from out of the area that have significantly developed the knowledge base of the community. Joaquin is a pen testing manager at Early Warning and he shares his professional knowledge to help us all become better in the practice of information security."

'''17th Citation:''' No citation was submitted
|-
|[https://www.owasp.org/index.php/User:Brianglas Brian Glas]
|'''''Best Community Supporter'''''
"Brian has been paramount in 2 very strategic initiatives for OWASP. He is not only a Project Leader for the OWASP SAMM project but he has been instrumental in revamping the call for data and reorganizing the flagship OWASP Top Ten. Brian continues to support and speak about the benefits of supporting OWASP especially projects and participating in the Summit. Please consider Brian Glas as the Best Community Supporter for this year."
|-
|Brendan Gormley
|'''''Best Community Supporter'''''
"Throughout the Brendan has not only assisted in making the dublin chapter events happen but taken a lead role. Brendan has organised venues and speakers for these events often going above and beyond to ensure success. Brendan has also been involved in some of the outreach programs the Dublin chapter had been involved in. No task is too big or too small for Brendan and without him I don't believe the Dublin chapter would be what it is."
|-
|[https://www.owasp.org/index.php/User:Tanyajanca Tanya Janca]
|'''''Best Community Supporter'''''
"Tanya Janca has been performing “outreach” and “recruitment of women” as her main chapter leader responsibilities for the Ottawa chapter since 2015. The chapter has not only grown by over 500% in that time, but female membership has grown from 2 female members to over 70 (the chapter has grown for many reasons, some of which are her promotional efforts). Activities include starting a mentoring program that matches senior AppSec members of the community with juniors or people who are hoping to get into Application Security; attending all sorts of technology meetups (but especially female-centric ones) to talk about OWASP and personally invite them to attend; bringing OWASP products, concepts and resources to the Canadian Government (and is currently attempting to sway policy to be more application security focused as we speak); as well as performing over 40 public speaking engagements that describe OWASP as “Your new BFF” as part of the application security lesson she has taught. She has also begun speaking at conferences semi-regularly, singing OWASP’s praises as part of every presentation. She also forms female groups to attend events together, to make them more accessible, such as her all-female team for the Ottawa iHack CTP and “Learn by Breaking things” event in June 2017 and her all female CTF team for OWASP Ottawa’s first CTF in 2015. Her claim of being an “application security evangelist” certainly seems fitting."
|-
|[https://www.owasp.org/index.php/Jeremy_Long Jeremy Long]
|'''''Best Community Supporter'''''
"Jeremy is a dedicated security engineer who contributes to the community as a developer, mentor, contributor and leader. He's one of the smartest people I know - and one of the few who has patience with "the rest of us". He is generous with his time and knowledge, helping not only to contribute apps and resources, but to build up the community itself."
|-
|[[User:Makash|Akash Mahajan]]
|'''''Best Community Supporter'''''
"Akash has been backbone of OWASP bangalore chapter he has done lot of work for evangelizing OWASP. For more than 7 years now he has been working with the chapter and mentored lot of folks. No wonder he is called "the web app security guy"."
|-
|[https://www.owasp.org/index.php/Dhiraj_Mishra Dhiraj Mishra]
|'''''Best Community Supporter'''''
"Dhiraj Mishra - has been contributed and volunteered to, OWASP Mumbai Student chapter and Mumbai local chapter.

He has endorse students to be part of multiple open community, however been an Sudent Chapter leader for OWASP he has discussed and shared multiple Information Security topics start from the scratch and spreading the idea's and awareness via chapter Meets, he has taken multiple session in NULL as well which runs with OWASP local chapter Mumbai, recently he invited Mozilla Club Mumbai to student chapter so that students can go to their area of interest, he always pushup/boost women in infosec. Apart from this he has taken various sessions in different colleges and have shared knowledge about Cyber Security."
|-
|Denise Murtagh-Dunne
|'''''Best Community Supporter'''''
"Denise has been a hugely active member of the Dublin chapter and has been involved in all chapter meeting throughout the year and is ever keen to role up her sleeves and get stuck into work that others shy away from. This includes everything from setting up the meeting tools, organising venues, working with sponsors, getting speakers and assisting speakers in the run up and during events. She's been a very positively influence on the community and chapter and has encouraged other people to get involved. She's constantly updating and posting content on our social media accounts and making sure our members get relevant and interesting content. While in full time employment, Denise gives up family time to contribute to the chapter and ensure OWASP Dublin remains a vibrant and relevant group that engages the developer and security community locally."
|-
|[[User:Owen_Pendlebury|Owen Pendlebury]]
|'''''Best Community Supporter'''''
"Owen Pendlebury has been a key local OWASP volunteer over the last number of years. From being on the local Dublin chapter board to leading the Dublin chapter he regularly hosted and spoke at numerous collaborative and insightful security meetups.

He has also been involved in organising AppSec EU in Rome and more recently co-organised the Belfast conference which was the biggest ever EU conference. As part of organising the conference in Belfast he negotiated that all chapters within Ireland would benefit financially getting a percentage of the conference profits to allow the chapters to bring bigger, better and more collaborative meetings to the Irish OWASP community and grow the communities across the country.

I don’t know where he has found the time but has also been part of the Women in AppSec committee mentoring a number of individuals throughout the year. He took part in the Women in AppSec events in Belfast giving some insightful opinions into how improve attendees career. Owen is an asset that helps to improve Ireland's security community’s capabilities with a real can-do attitude."
|-
|Mick Ryan
|'''''Best Community Supporter'''''
"Mick always assists with chapter meetings and works to ensure we give the community good quality sessions. Mick assists will all areas including reaching out to potential speakers, getting info and bios from them, arranging dates and venues, posting on social media and the logistics of the meetings and ensuring speakers have the right cables, meetings run to time, that speakers are happy with everything, taking photos to promote the chapter on social media, encouraging people to speak, printing the chapter and getting people to events! Thanks Mick for your contribution in 2017!"
|-
|[https://www.owasp.org/index.php/Sriram Sriram]
|'''''Best Community Supporter'''''
"[https://www.owasp.org/index.php/Sriram Sriram] has been conducting awareness program to the college students. Sriram has created awareness among 12000 Students without the support of anyone. Sriram has been tremendously supporting the OWASP Chapter by giving trainings to various college student, corporates and various chapters.."
|-
|Michelle Simpson
|'''''Best Community Supporter'''''
"Michelle has done an amazing job with the Belfast chapter and works tirelessly to improve the OWASP community and advocate strong app sec practices. This is very evident from the people attending the chapter events, organisations participating and the very successful AppSecEU conference that was held in Belfast in 2017. Michelle put a huge amount of work and effort into planning and preparation for AppSecEU to ensure the conference was of a high calibre. This was a sustained commitment over the majority of 2017 on top of local chapter commitments. I'd like to nominate Michelle for all the hard work and effort she puts into the chapter. Thanks Michelle!"
|-
|Steve Springett
|'''''Best Community Supporter'''''

"Steve has been a tremendous supporter of the OWASP dependency-check project and leader on the related dependency-track platform. He is quick to respond to community question, answering with insightful and accurate responses assisting the community in their use of the dependency-check suite of tools."
|-
|[https://www.owasp.org/index.php/John_Vargas John Vargas]
|'''''Best Community Supporter'''''

"During the last 9 years John, together with a very small group of volunteers, has been making efforts to keep the chapter of Lima, Peru. Performing activities such as monthly meetings, internal trainings and participating actively in the OWASP Latam Tour. For the chapters in Latin America to keep afloat these activities with few resources is something very complicated and deserves recognition."
|-
|Tara Williams
|'''''Best Community Supporter'''''

"Tara cares about integrity, inclusion and transparency, she is passionate about making OWASP a better place for all members of the community. With her talents in communications, she is getting the word out about OWASP's benefits to community members and attracting new members to chapter meetings, especially identifying successful pathways to transition meetup members to full members."
|-
|Aatral Arasu
|'''''Best Mission Outreach'''''
'''"'''A great leader always there to help responds to emails quickly loves his work works very hard every day very supportive never loses focus strong willed very technical and willing to do things himself to get the job done when asked for something he will get it to you ASAP constant learner open to suggestions and ideas on how to be better respectful honest caring and I am certain HRC will make it big very soon :)"
|-
|Sean Auriti
|'''''Best Mission Outreach'''''
"Sean mentors, is a speaker, leads projects, is an active chapter leader and chapter Treasurer, participating in meetup events and a great representative at global, regional and external events."
|-
|Tony Clarke
|'''''Best Mission Outreach'''''
"Tony has grown the chapter over the last year to a point where hundreds of people are attending meetings. The meetings are organised in advance now and have a theme. There were some really interesting people speaking at the chapter meetings including Simon Singh, James Lyne, Brian Honan and Jane Franklin. He has also engaged support from local companies with a lot more attending and sponsoring the chapter. There is a real buzz at chapter meetings and they're not just death by PowerPoint which they had been in the past."
|-
|[[User:cfrenz|Christopher Frenz]]
|'''''Best Mission Outreach'''''

'''"'''Christopher Frenz should be nominated for the Best Mission Outreach WASPY for his work as the Project Lead for the OWASP Anti-Ransomware Guide Project and the OWASP Secure Medical Device Deployment Standard Project. In the wake of WannaCry, anti-ransomware guidance has become more pertinent than ever and the project is regularly updated to keep abreast of the latest ransomware adaptations. Chris regularly shares his anti-ransomware knowledge with the security and healthcare communities and is an advocate for organizations conducting mock ransomware incidents. Chris has shared his knowledge of ransomware protections and of pertinent OWASP resources in numerous venues including articles (<nowiki>https://iapp.org/news/a/why-the-wannacry-outbreak-should-be-a-wake-up-call/</nowiki>) and conference presentations at both the local and international level (<nowiki>https://iapp.org/conference/iapp-canada-privacy-symposium/sessions/?id=a191a000000zrqPAAQ</nowiki>). A Spanish version of the guidance is also available. In addition, he has worked to call attention to the need for healthcare facilities to improve the security of their medical device implementations and is responsible for authoring version 1 of the OWASP Secure Medical Device Deployment Standard. The project has really worked to raise awareness of these issues and has been covered by CSO magazine (<nowiki>http://www.csoonline.com/article/3188230/security/how-to-securely-deploy-medical-devices.html</nowiki>) and other news sources. Chris has given interviews on medical device security for the Cloud Security Alliance and others and will be speaking on medical device security at the Defcon BioHacking Village. Chris is always willing to share his knowledge with all who ask and is an active member of the NYC and Brooklyn OWASP chapters."
|-
|[[User:Fuentes.joaquin|Joaquin Fuentes]]
|'''''Best Mission Outreach'''''
"For all he has done to build up the Phoenix OWASP community. Prior to Joaquin taking point the community in Phoenix was dead. Meetings weren't happening on a regular basis. The prior leaders had done a great job but I think they had burnt out. Joaquin started the community back up and got corporate support from his employer to facilitate not only regular meetings but great meetings with great content. He also implemented MeetUp. I'm not a consistent attendee because of my work/life schedule but I always know when the meetings are happening and what the subject matter will be because of Joaquin utilizing MeetUp."

'''2nd Citation:''' "Joaquin has been leading the OWASP Phoenix chapter and due to his initiative, has placed Phoenix on the map as a hub for application security. I would like to nominate him because he is always bringing in new and interesting speakers that provide great content. The most recent OWASP chapter meeting had over 60 attendees!"

'''3rd Citation''': "Joaquin Fuentes has had a big impact in raising attendance at the Phoenix meetings to more than 100 people monthly. The quality has gotten significantly better under his leadership. He has organized many speakers, including recruiting speakers from out of the area that have significantly developed the knowledge base of the community. Joaquin is a pen testing manager at Early Warning and he shares his professional knowledge to help us all become better in the practice of information security."

'''4th Citation''': "My job takes me to many different OWASP Chapters, along with ISSA, CSA, ISACA, etc.
The Phoenix OWASP Chapter was DEAD before Joaquin volunteered to lead the Chapter a few years ago.
It is now consistently one of the BEST ITSec community gatherings, and I go out of my way to be in Phoenix for their meetings.
To put it a different way, at my first Phoenix OWASP meeting there were less than 12 attendees, including myself and the speaker. Last week it was standing room only (75+) *and* there would have been more if Interstate 17 hadn't been closed in both directions at the start of rush-hour.
Part of the reason Joaquin deserves this award is that he is EXTREMELY knowledgeable about AppSec and many other aspects of data security and he is ALWAYS friendly and willing to share. His day-job is no picnic, but he finds the time to put together great meetings and do it in a way that everybody has a good time."
|-
|[https://www.owasp.org/index.php/User:Tanyajanca Tanya Janca]
|'''''Best Mission Outreach'''''
"Tanya has been instrumental in outreach in the Ottawa Ontario Canada region building membership and participation in the local OWASP chapter, as well as building bridges with other local organizations (Python user group, Ruby Rails user group, WIA, etc.). Tanya has also been a driver in getting a mentoring program setup via the Ottawa chapter. She has also encouraged participation in local CTF events, presented at local conferences (BSides, etc). Tanya's enthusiasm, support, and interaction is often contagious (in a good way :) ). Lastly, Tanya is a strong advocate or evangelist for OWASP projects, promoting such as appropriate per audience/presentation (including, but not limited to: ZAP, Top 10, SKF)."

'''2nd Citation:''' "Tanya Janca is an excellent ambassador for OWASP. Since her entry into the lead team of the OWASP Ottawa chapter, she has doubled the size of the chapter and developed the chapter into a meeting place for dozens of women interested in Application Security.
Tanya Janca is an energetic speaker who held a fantastic presentation at AppSecEU in Belfast. <nowiki>https://www.youtube.com/watch?v=mPTmuaC2lOI</nowiki> She was subsequently invited to the Swiss Cyberstorm Conference where her addition to the rooster was explained in an admiring blogpost <nowiki>https://swisscyberstorm.com/2017/05/23/Introducing_Tany_Janca.html</nowiki>
Tanya Janca has the ability to talk security to techies and management alike. She is pushing for the adoption of OWASP practices and project by the government of Canada her employer. Having been nominated for the Government of Canada’s CIO Award for “Excellent in Security” in 2016 she refused to move into the private sector, but continues to support the security community inside the public sector, where her excellent know-how is very important."

'''3rd Citation:''' "Tanya Janca has been performing “outreach” and “recruitment of women” as her main chapter leader responsibilities for the Ottawa chapter since 2015. The chapter has not only grown by over 500% in that time, but female membership has grown from 2 female members to over 70 (the chapter has grown for many reasons, some of which are her promotional efforts). Activities include starting a mentoring program that matches senior AppSec members of the community with juniors or people who are hoping to get into Application Security; attending all sorts of technology meetups (but especially female-centric ones) to talk about OWASP and personally invite them to attend; bringing OWASP products, concepts and resources to the Canadian Government (and is currently attempting to sway policy to be more application security focused as we speak); as well as performing over 40 public speaking engagements that describe OWASP as “Your new BFF” as part of the application security lesson she has taught. She has also begun speaking at conferences semi-regularly, singing OWASP’s praises as part of every presentation. She also forms female groups to attend events together, to make them more accessible, such as her all-female team for the Ottawa iHack CTP and “Learn by Breaking things” event in June 2017 and her all female CTF team for OWASP Ottawa’s first CTF in 2015. Her claim of being an “application security evangelist” certainly seems fitting."
|-
|Kitisak Jirawannakool
|'''''Best Mission Outreach'''''

"Web security is notoriously bad in Thailand, so an actives security community is sorely needed. Kitisak is a central figure in that community. He has worked on establishing the OWASP Bangkok chapter for the past six years, organizing meetups, community outreach and engaging with security experts internationally. His work has played a pivotal role in creating IT security awareness in the fast-growing South-East-Asian country."
|-
|James Manico
|'''''Best Mission Outreach'''''
"Jim's influence on OWASP materials (and therefore on application security) is amazing - he's cited on nearly every cheat sheet on OWASP Top 10 document. His name is synonymous with application security."

'''2nd Citation: "'''While Jim may not be the "unsung hero" - he is the first and foremost cheerleader/champion of OWASP. His efforts and contributions are innumerable. As anyone who knows Jim - he is not a reserved individual when touting the resources available via OWASP. He has likely done more then anyone else working with OWASP to bring together, motivate, and get individuals to contribute to OWASP. From the immensely popular checklists to motivating individuals to contribute. OWASP would not be nearly as successful as it has been without Jim."
|-
|Mateo Martinez
|'''''Best Mission Outreach'''''
"Mateo is one of the leaders in Latin America more recognized, during the last years his efforts to join the chapters chapter along with other leaders of Latam made that the community grew and that today the Latam Tour 2017 has more than 15 participating countries. He also managed to spread the spirit of owasp and help establish new chapters in the region.
The effort to maintain more communication between OWASP GLobal and local communities is reflected in each activity that encourages other leaders to ensure that they strive every day to spread Owasp projects and to grow the community."
|-
|Mark Miller
|'''''Best Mission Outreach'''''

"The OWASP Podcast is a effort that is in line with the mission of OWASP raising visability for software security. This is a VERY powerful voice in the community globally and Mark Miller should be applauded for his efforts on this
<nowiki>https://www.owasp.org/index.php/OWASP_Podcast</nowiki>"
|-
|[https://www.owasp.org/index.php/Dhiraj_Mishra Dhiraj Mishra]
|'''''Best Mission Outreach'''''

"Dhiraj was nominated for WASPY 2016, his contribution to the community is from past one 'n half year in various areas, start from the projects, local volunteering and what not, he was also listed in OWASP Hall Of Fame."
|-
|[[User:Owen_Pendlebury|Owen Pendlebury]]
|'''''Best Mission Outreach'''''
"Owen is an active participator in OWASP meetings and has been a great inspiration to me.
He has shown himself to be a great leader and OWASP advocate.
Owen has recommended other AppSec communities in which I have become involved in since moving to Dublin. He is an evangelist for women in technology and I have witnessed this first hand.
I don't hesitate to recommend Owen for this award."

'''2nd Citation:''' "Owen has introduced me to the OWASP Community in Ireland and EU. Help me to get involve with Women in AppSec and participate in the AppSec EU event in Belfast. He is a great leader, who enjoys talking about OWASP and the great community behind it.
I've moved to Ireland a couple of months ago, and getting to know Owen and the OWASP community has completely changed my life, both professionally and personally.
So, yes, I would like to nominate Owen Pendlebury because he the proof that Women in AppSec is not just a women matter. :)"
|-
|[https://www.owasp.org/index.php/Sriram Sriram Shyam]
|'''''Best Mission Outreach'''''
"Sriram has been conducting awareness program to the college students. Sriram has created awareness among 12000 Students without the support of anyone."
|-
|[[User:Nwhysel|Noreen Whysel]]
|'''''Best Mission Outreach'''''

"Noreen is helping each day to improve OWASP members' experiences bringing her expertise and knowledge as a mentor and projects as a Chapter Leader, one member at a time. She understands what members want, how to improve member benefits and is applying that knowledge to improving local and global member experiences from the ground up. Her efforts are multiplied by her sharing of knowledge and grassroots approach creating a membership groundswell."
|-
|Aatral Arasu
|'''''Best Innovator'''''
"A great leader always there to help responds to emails quickly loves his work works very hard every day very supportive never loses focus strong willed very technical and willing to do things himself to get the job done when asked for something he will get it to you ASAP constant learner open to suggestions and ideas on how to be better respectful honest caring and I am certain HRC will make it big very soon :)"
|-
|Sean Auriti
|'''''Best Innovator'''''
"Sean leads the BLT Project and is a Team Leader for the Learning Gateway project. He has helped improve the quality of web experiences, including OWASP.org ."
|-
|Glenn & Riccardo ten Cate
|'''''Best Innovator'''''
"I am hereby nominating the brothers Glenn & Riccardo ten Cate from the Netherlands for the WASPY award in this category. They are known for their work on the open-source project SKF (Security Knowledge Framework). These are two guys who are dedicated to spreading security knowledge trough the means OWASP has to offer. You might have encountered them talking at seminars, promoting their project and OWASP, or different companies where they teach development teams how to integrate the OWASP core principles in their workflow using their project. Not only professional development teams but also students of security can only be amazed at the sheer knowledge they gathered and contribute to the global OWASP community trough open source. The sheer effort they put in this project teaches, guides, structures and shows by example how to test and write secure applications by design. There is no other software out there that does this. And that is why they deserve this nomination for best innovator 2017."
|-
|Mark Deenihan
|'''''Best Innovator'''''
"Mark for his constant devotion and work on the OWASP security shepherd project and continuing to develop it and teach people globally about app sec."
|-
|Seba Deleersnyder
|'''''Best Innovator'''''
"One of the main projects to date is SAMM. Seba with the support of project colliders has made this a flagship project of OWASP. The level of maturity and the number of improvements obtained indicates that this project is one of the most mature and a great projection to the future."
|-
|[[User:cfrenz|Christopher Frenz]]
|'''''Best Innovator'''''
"Chris' projects are opening doors for OWASP in the standards development and getting the word out about important IoT with his Medical Device Deployment Standard: <nowiki>https://www.owasp.org/index.php/OWASP_Secure_Medical_Device_Deployment_Standard</nowiki> which already has a Turkish translation and attracted attention from the Turkish public health department. He has delivered presentations at meetups, and presenting to the IDESG, www.idesg.org in July. He has a "soup label" tool that gives simple guidance for the implementation of the OSMDDS. This is not Chris' first project but it is surely one of the best OWASP innovations of the year."
|-
|[[User:Fuentes.joaquin|Joaquin Fuentes]]
|'''''Best Innovator'''''
"Joaquin has been leading the OWASP Phoenix chapter and due to his initiative, has placed Phoenix on the map as a hub for application security. I would like to nominate him because he is always bringing in new and interesting speakers that provide great content. The most recent OWASP chapter meeting had over 60 attendees!"

'''2nd Citation:''' "Joaquin Fuentes has had a big impact in raising attendance at the Phoenix meetings to more than 100 people monthly. The quality has gotten significantly better under his leadership. He has organized many speakers, including recruiting speakers from out of the area that have significantly developed the knowledge base of the community. Joaquin is a pen testing manager at Early Warning and he shares his professional knowledge to help us all become better in the practice of information security."
|-
|Evin Hernandez
|'''''Best Innovator'''''
"Evins focus on the core of the information security platform with Virtual Village has provided the global community with a place to experiment and leverage for testing... <nowiki>https://www.owasp.org/index.php/OWASP_Virtual_Village_Project</nowiki>"
|-
|[https://www.owasp.org/index.php/Jeremy_Long Jeremy Long]
|'''''Best Innovator'''''
"Considering how often projects have a great start and plateau, we should recognize the ongoing effort and dedication given to one of the Flagship projects in our community.
Jeremy Long has continued to not only maintain the Dependency Check project but develop and improve it each year.
This year he added Improvements in the core dependency-check platform in terms of code quality, achieved 100% for the CII Best Practices for dependency-check, continued to develop the ODC community with several contributors submitting PRs, and over the last several months he's been working on platform maturity and will be releasing 2.0.0 in the first half of July 2017.
After 2.0 is released he has planned work on Python support and expanding the tool by integrating additional data-sources such as Artifactory, Redhat Victim's, OSS-Index, etc."

'''2nd Citation:''' "Jeremy has been an avid contributor/leader for the OWASP dependency-check project. Under his leadership the project has garnered substantial community support in terms of pull requests, improved code quality via Sonarcloud, Coverity, Codacy, and CII Best Practices. While the last six months have been primarily around code quality and bug fixes; these improvements are setting the dependency-check project up for major enhancements over the coming months!"
|-
|[[User:DanielMiessler|Daniel Miessler]]
|'''''Best Innovator'''''
"Daniel seems to be everywhere at once - despite have a full-time job, he is leading or co-leading several OWASP projects, has created ideas for groups out of thin air, and has performed work in much needed areas.
This year, Daniel has lead or co-lead the Internet of Things security project, completed an IoT: Medical Devices attack surface overview, and created the Game Security project."
|-
|[https://www.owasp.org/index.php/Dhiraj_Mishra Dhiraj Mishra]
|'''''Best Innovator'''''

"Dhiraj is one of the top contributor in OWASP Cheat Sheet Project, which have security guidance in an easy read format, his contribution for SQL Injection WAF Bypass and XSS Evasion - OWASP, was mostly recommended and used by Cyber Security professional, dhiraj has contributed to Benchmark project by contributing SQLi/XSS fuzz vectors as initial contribution towards adding support for WAF/RASP scoring and many such projects."
|-
|Bernhard Mueller
|'''''Best Innovator'''''
"During the last 18 months Bernhard has been spearheading the OWASP Mobile Testing Guide Project. He has invested several man-months of writing, editing, reviewing, rallying authors, and pushing the project into new directions. This also resulted in the novel agile book writing process and book production pipeline which enables OWASP to produce a professional tech book. The project has produced a security standard and early-release ebook, and is on track become one of OWASP's main flagship projects."
|-
|Steve Springett
|'''''Best Innovator'''''
"Steve's work on dependency-track is fantastic - he's moved forward to address the next round of issues, with an innovative solution all companies can leverage."
|-
|thc202
|'''''Best Innovator'''''
"Simon Bennets "wingman" in the ZAP project, by now even the top committer in the project! (<nowiki>https://github.com/zaproxy/zaproxy/graphs/contributors</nowiki>) So "unsung of" that I do not even know his real name!"
|}

==Results==
Coming July 25, 2017

==Sponsorship Opportunities==
The support from our sponsors, is what makes these awards truly successful!

Sponsorships coming soon!

==Communication==
# June 7, 2017 Email to the Leaders & Community list. Posted to the OWASP [https://owasp.blogspot.com/2017/06/nominations-are-now-being-accepted-for.html Blog]
# June 30, 2017 Email to the Leaders & Community list.
# July 5, 2017 Email to the Nominees
# July 5, 2017 Email to the Leaders & Community list, and Blog post announcing the nominees have been announced.

=='''Past WASPY Awards'''==
[https://www.owasp.org/index.php/WASPY_Awards_2016 2016]<br>
[https://www.owasp.org/index.php/WASPY_Awards_2015 2015] <br>
[https://www.owasp.org/index.php/WASPY_Awards_2014 2014] <br>
[https://www.owasp.org/index.php/WASPY_Awards_2013 2013] <br>
[https://www.owasp.org/index.php/WASPY_Awards_2012 2012] <br>

User:DanielMiessler

2017-07-14T13:08:44Z

Daniel Miessler:

[[File:Daniel Miessler 2016.png|thumb]]

= Daniel Miessler =
Daniel is the Director of Advisory Services at IOActive, and is the leader of the [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project OWASP IoT Security Project] and a leader on the [https://www.owasp.org/index.php/OWASP_Game_Security_Framework_Project OWASP Game Security Framework Project].

=== OWASP Bangalore Work ===
* Chapter lead for [[Bangalore|OWASP Bangalore]] since 2012
* Since then OWASP Bangalore has conducted a meet at least once a month with average attendance of 60-70 people
* Multiple special meets, hands-on sessions, collaboration with groups like [https://infosecgirls.in/ InfosecGirls] to further increase outreach and spread awareness

=== Talks and Evangelism for OWASP Bangalore ===
Gave talks at many technology companies around Application Security talking about OWASP Top 10, OWASP ASVS and other projects like
* Application Security in the time of Docker Containers at
** c0c0n 2016 Police Conference
** DevOpsDays Bangalore 2016
* Security Hardening with Ansible (Focus on A5 Security Misconfiguration) at
** All Day Dev Ops 2016
* How Attackers Work at
** Thoughtworks 2016
** SAP India 2015
** Phillips Innovation Campus 2015
* Building and Operating Secure Applications in The Cloud (Web and Mobile) at
** UNICOM
** Microsoft Accelerator
** ISACA
* OWASP ZAP Automation using Python APIs at
** Open Source Conference 2016
* Communities Need Participation at
** OWASP Kerala (Through Video)
** Infosec Girls Meet-up

=== Book Author - Burp Suite Essentials ===
Published by PacktPub November 2014, Listed as a reference by the creators of Burp Suite

=== Professional Profile ===
An accomplished security professional with over a decade’s experience of providing specialist application and infrastructure consulting services at the highest levels to companies, governments, and organisations around the world. Deep experience of working with clients to provide innovative security insight that truly reflects the commercial and operational needs of the organisation from strategic advice to testing and analysis to incident response and recovery. An active participant in the international security community and conference speaker both individually, as chapter lead of the Bangalore chapter of OWASP the global organisation responsible for defining the standards for web application security and as a co-founder of null India’s largest open security community.

== Online ==
* [http://linkd.in/webappsecguy Linkedin Profile]
* [http://www.slideshare.net/akashm/presentations Presentations on Slideshare]
* [https://twitter.com/makash @makash on Twitter]

User:DanielMiessler

2017-07-14T13:08:02Z

Daniel Miessler:

[[File:Akash-Mahajan.png|alt=Akash Mahajan - OWASP Bangalore Chapter Lead|thumb|275x275px|[[File:Daniel Miessler 2016.png|thumb]]]]

= Daniel Miessler =
Daniel is the Director of Advisory Services at IOActive, and is the leader of the [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project OWASP IoT Security Project] and a leader on the [https://www.owasp.org/index.php/OWASP_Game_Security_Framework_Project OWASP Game Security Framework Project].

=== OWASP Bangalore Work ===
* Chapter lead for [[Bangalore|OWASP Bangalore]] since 2012
* Since then OWASP Bangalore has conducted a meet at least once a month with average attendance of 60-70 people
* Multiple special meets, hands-on sessions, collaboration with groups like [https://infosecgirls.in/ InfosecGirls] to further increase outreach and spread awareness

=== Talks and Evangelism for OWASP Bangalore ===
Gave talks at many technology companies around Application Security talking about OWASP Top 10, OWASP ASVS and other projects like
* Application Security in the time of Docker Containers at
** c0c0n 2016 Police Conference
** DevOpsDays Bangalore 2016
* Security Hardening with Ansible (Focus on A5 Security Misconfiguration) at
** All Day Dev Ops 2016
* How Attackers Work at
** Thoughtworks 2016
** SAP India 2015
** Phillips Innovation Campus 2015
* Building and Operating Secure Applications in The Cloud (Web and Mobile) at
** UNICOM
** Microsoft Accelerator
** ISACA
* OWASP ZAP Automation using Python APIs at
** Open Source Conference 2016
* Communities Need Participation at
** OWASP Kerala (Through Video)
** Infosec Girls Meet-up

=== Book Author - Burp Suite Essentials ===
Published by PacktPub November 2014, Listed as a reference by the creators of Burp Suite

=== Professional Profile ===
An accomplished security professional with over a decade’s experience of providing specialist application and infrastructure consulting services at the highest levels to companies, governments, and organisations around the world. Deep experience of working with clients to provide innovative security insight that truly reflects the commercial and operational needs of the organisation from strategic advice to testing and analysis to incident response and recovery. An active participant in the international security community and conference speaker both individually, as chapter lead of the Bangalore chapter of OWASP the global organisation responsible for defining the standards for web application security and as a co-founder of null India’s largest open security community.

== Online ==
* [http://linkd.in/webappsecguy Linkedin Profile]
* [http://www.slideshare.net/akashm/presentations Presentations on Slideshare]
* [https://twitter.com/makash @makash on Twitter]

File:Daniel Miessler 2016.png

2017-07-14T13:06:26Z

Daniel Miessler:

Daniel Miessler 2016

User:DanielMiessler

2017-07-14T13:01:57Z

Daniel Miessler: Base of page.

[[File:Akash-Mahajan.png|alt=Akash Mahajan - OWASP Bangalore Chapter Lead|thumb|275x275px|Akash Mahajan - OWASP Bangalore Chapter Lead]]

= Akash Mahajan =
Akash is the founder and community Manager at ''null – The Open Security Group'' and ''Chapter Lead'' at [https://www.owasp.org/index.php/Bangalore OWASP Bangalore] while founding Appsecco a specialist application security company.

=== OWASP Bangalore Work ===
* Chapter lead for [[Bangalore|OWASP Bangalore]] since 2012
* Since then OWASP Bangalore has conducted a meet at least once a month with average attendance of 60-70 people
* Multiple special meets, hands-on sessions, collaboration with groups like [https://infosecgirls.in/ InfosecGirls] to further increase outreach and spread awareness

=== Talks and Evangelism for OWASP Bangalore ===
Gave talks at many technology companies around Application Security talking about OWASP Top 10, OWASP ASVS and other projects like
* Application Security in the time of Docker Containers at
** c0c0n 2016 Police Conference
** DevOpsDays Bangalore 2016
* Security Hardening with Ansible (Focus on A5 Security Misconfiguration) at
** All Day Dev Ops 2016
* How Attackers Work at
** Thoughtworks 2016
** SAP India 2015
** Phillips Innovation Campus 2015
* Building and Operating Secure Applications in The Cloud (Web and Mobile) at
** UNICOM
** Microsoft Accelerator
** ISACA
* OWASP ZAP Automation using Python APIs at
** Open Source Conference 2016
* Communities Need Participation at
** OWASP Kerala (Through Video)
** Infosec Girls Meet-up

=== Book Author - Burp Suite Essentials ===
Published by PacktPub November 2014, Listed as a reference by the creators of Burp Suite

=== Professional Profile ===
An accomplished security professional with over a decade’s experience of providing specialist application and infrastructure consulting services at the highest levels to companies, governments, and organisations around the world. Deep experience of working with clients to provide innovative security insight that truly reflects the commercial and operational needs of the organisation from strategic advice to testing and analysis to incident response and recovery. An active participant in the international security community and conference speaker both individually, as chapter lead of the Bangalore chapter of OWASP the global organisation responsible for defining the standards for web application security and as a co-founder of null India’s largest open security community.

== Online ==
* [http://linkd.in/webappsecguy Linkedin Profile]
* [http://www.slideshare.net/akashm/presentations Presentations on Slideshare]
* [https://twitter.com/makash @makash on Twitter]

OWASP Game Security Framework Project

2017-03-23T17:46:36Z

Daniel Miessler: /* Collaboration */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> , which could have been prevented by <code>DEFENSE.</code>”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|The economic system that exists within the game.
|-
|'''Game Mechanics'''
|The physics engine, logic, and other environmental components within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Exploits =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Exploits ==

This list refers to what a given attacker might use to take advantage of a given bug within the game.

{| class="wikitable" border="1" style="text-align: left"
! Exploit
! Description
|-
| '''DDoS'''
|Force a player to DC, or attack the game itself so that it cannot serve customers.
|-
| '''Client Modification'''
|Modify the client in a way that gives advantage.
|-
| '''Malicious Macros'''
|Implementation of macros that perform unwanted actions.
|-
| '''Social Engineering'''
|Getting a player, mod, or game staff member to perform an action that helps the attacker.
|-
| '''Use Physics Bug'''
|Interact with the world in a way that makes the physics engine do what the attacker wants.
|-
|'''Malform Network Traffic'''
|Send modified network traffic that tricks or disrupts an opposing player or the game itself.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== The Exploits Project ==

The Exploits provides information on what types of tools and techniques an attacker might use to accomplish his/her goal.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attacker Goals ==

This list refers to what a given attacker might be trying to accomplish within the game by performing a given attack. This could relate very closely (or not) with the technical impact or business impact cause by the behavior.

{| class="wikitable" border="1" style="text-align: left"
! Attacker Goal
! Description
|-
| '''Avoid Damage'''
|Allows the player to avoid being killed by other players or NPCs.
|-
| '''Gain Gear'''
|Improve the amount or quality of gear the player has.
|-
| '''Gain In-game Currency'''
|Gain more currency than would normally be allowed.
|-
| '''Enhance Gear'''
|Give weapons or other gear powers that they wouldn't normally have.
|-
| '''Take Opponent Offline'''
|Take a player out of the game so that the attacker's position is improved.
|-
|'''Skip Content'''
|Allows player to skip content resuting in a faster completion or objective time
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attacker Goals Project ==

The Attacker Goals Project provides information on what types of outcomes attackers might try to achieve within or outside of the game they're attacking.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Negative Outcomes ==

The following is a list of possible negative outcomes that can occur as the result of someone successfully attacking a given game.

{| class="wikitable" border="1" style="text-align: left"
! Outcomes
! Description
|-
| '''Currency Magnification'''
|A player ends up with more currency than they were supposed to have.
|-
| '''Player Anger'''
|Players become extremely agitated by one or more bugs.
|-
| '''Players Stop Playing the Game'''
|Players become so frustrated with the bugs and exploits that they stop playing and/or paying for the game.
|-
| '''Invulnerable Positions'''
|Locations on the map make bases or players unassailable and therefore invulnerable.
|-
| '''Item Multiplication'''
|Items are duplicated, multiplied, or otherwise increased in an unintended way.
|-
|'''Unfair Ladder Victory'''
|A victory is scored in favor of a player or team when they should not have won.
|-
|'''Unauthorized Admin Command Use'''
|Regular users are somehow able to execute administrative commands.
|-
|'''Lost Revenue'''
|The game company loses revenue due to bugs, hacks, and player anger.
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Negative Outcomes Project? ==

The Negative Outcomes Project provides information on what types of situations could manifest within the game if bugs or exploits are not successfully addressed.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Defenses ==
These are some of the common defenses that can be used to counter attacks against various components of a game.
{| class="wikitable" border="1" style="text-align: left"
! Outcomes
! Description
|-
| '''Cryptographic Validation of Client'''
|Ensure that the client will not run if it has been modified.
|-
| '''Enterprise-level DDoS Protection'''
|Implement protection against low to mid-tier DDoS attacks against the core gaming infrastructure.
|-
| '''Basic Application Security Defenses'''
|Code-based protections against common application security flaws, such as SQLi, XSS, CSRF, LFI/RFI, etc.
|-
|'''Authentication Lockouts'''
|Lock out a user's account after a certain number of failed attempts.
|-
|'''Two-factor Authentication'''
|Require use of 2FA on a given player's account.
|-
|'''Better Code'''
|Any fixes that can be done in code that aren't covered by other defenses. Could include net code, physics engine, logic fixes, etc.
|-
|'''Server-side Validation'''
|Ensure that validations are performed on the server and not (only) the client.
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Working Data Collection Spreadsheet:''

https://docs.google.com/spreadsheets/d/1Og08wyHsqtODBDkU_M2zHAvdxc63GSu-OmT8NjCc9Ak/edit#gid=0

:

{{Social Media Links}}

= Community =

We are actively looking for people to help in the following areas:
* Improving the framework schema, e.g., vulns, attack surfaces, technical impacts, business impacts, defenses, etc.
* Adding content to any of the various sections
* Input from avid gamers on how useful this is to them
* Input from app security experts
* Input from security types working at gaming companies
* Input from game company business types
If you have interest in helping, reach out to us and we'll make you a contributor.

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-23T17:40:17Z

Daniel Miessler:

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> , which could have been prevented by <code>DEFENSE.</code>”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|The economic system that exists within the game.
|-
|'''Game Mechanics'''
|The physics engine, logic, and other environmental components within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attacker Goals ==

This list refers to what a given attacker might be trying to accomplish within the game by performing a given attack. This could relate very closely (or not) with the technical impact or business impact cause by the behavior.

{| class="wikitable" border="1" style="text-align: left"
! Attacker Goal
! Description
|-
| '''Avoid Damage'''
|Allows the player to avoid being killed by other players or NPCs.
|-
| '''Gain Gear'''
|Improve the amount or quality of gear the player has.
|-
| '''Gain In-game Currency'''
|Gain more currency than would normally be allowed.
|-
| '''Enhance Gear'''
|Give weapons or other gear powers that they wouldn't normally have.
|-
| '''Take Opponent Offline'''
|Take a player out of the game so that the attacker's position is improved.
|-
|'''Skip Content'''
|Allows player to skip content resuting in a faster completion or objective time
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attacker Goals Project ==

The Attacker Goals Project provides information on what types of outcomes attackers might try to achieve within or outside of the game they're attacking.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attacker Goals ==

This list refers to what a given attacker might be trying to accomplish within the game by performing a given attack. This could relate very closely (or not) with the technical impact or business impact cause by the behavior.

{| class="wikitable" border="1" style="text-align: left"
! Attacker Goal
! Description
|-
| '''Avoid Damage'''
|Allows the player to avoid being killed by other players or NPCs.
|-
| '''Gain Gear'''
|Improve the amount or quality of gear the player has.
|-
| '''Gain In-game Currency'''
|Gain more currency than would normally be allowed.
|-
| '''Enhance Gear'''
|Give weapons or other gear powers that they wouldn't normally have.
|-
| '''Take Opponent Offline'''
|Take a player out of the game so that the attacker's position is improved.
|-
|'''Skip Content'''
|Allows player to skip content resuting in a faster completion or objective time
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attacker Goals Project ==

The Attacker Goals Project provides information on what types of outcomes attackers might try to achieve within or outside of the game they're attacking.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Negative Outcomes ==

The following is a list of possible negative outcomes that can occur as the result of someone successfully attacking a given game.

{| class="wikitable" border="1" style="text-align: left"
! Outcomes
! Description
|-
| '''Currency Magnification'''
|A player ends up with more currency than they were supposed to have.
|-
| '''Player Anger'''
|Players become extremely agitated by one or more bugs.
|-
| '''Players Stop Playing the Game'''
|Players become so frustrated with the bugs and exploits that they stop playing and/or paying for the game.
|-
| '''Invulnerable Positions'''
|Locations on the map make bases or players unassailable and therefore invulnerable.
|-
| '''Item Multiplication'''
|Items are duplicated, multiplied, or otherwise increased in an unintended way.
|-
|'''Unfair Ladder Victory'''
|A victory is scored in favor of a player or team when they should not have won.
|-
|'''Unauthorized Admin Command Use'''
|Regular users are somehow able to execute administrative commands.
|-
|'''Lost Revenue'''
|The game company loses revenue due to bugs, hacks, and player anger.
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Negative Outcomes Project? ==

The Negative Outcomes Project provides information on what types of situations could manifest within the game if bugs or exploits are not successfully addressed.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Defenses ==
These are some of the common defenses that can be used to counter attacks against various components of a game.
{| class="wikitable" border="1" style="text-align: left"
! Outcomes
! Description
|-
| '''Cryptographic Validation of Client'''
|Ensure that the client will not run if it has been modified.
|-
| '''Enterprise-level DDoS Protection'''
|Implement protection against low to mid-tier DDoS attacks against the core gaming infrastructure.
|-
| '''Basic Application Security Defenses'''
|Code-based protections against common application security flaws, such as SQLi, XSS, CSRF, LFI/RFI, etc.
|-
|'''Authentication Lockouts'''
|Lock out a user's account after a certain number of failed attempts.
|-
|'''Two-factor Authentication'''
|Require use of 2FA on a given player's account.
|-
|'''Better Code'''
|Any fixes that can be done in code that aren't covered by other defenses. Could include net code, physics engine, logic fixes, etc.
|-
|'''Server-side Validation'''
|Ensure that validations are performed on the server and not (only) the client.
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Working Data Collection Spreadsheet:''

https://docs.google.com/spreadsheets/d/1Og08wyHsqtODBDkU_M2zHAvdxc63GSu-OmT8NjCc9Ak/edit#gid=0

:

{{Social Media Links}}

= Community =

We are actively looking for people to help in the following areas:
* Improving the framework schema, e.g., vulns, attack surfaces, technical impacts, business impacts, defenses, etc.
* Adding content to any of the various sections
* Input from avid gamers on how useful this is to them
* Input from app security experts
* Input from security types working at gaming companies
* Input from game company business types
If you have interest in helping, reach out to us and we'll make you a contributor.

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-23T17:02:40Z

Daniel Miessler: /* Project Leader */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> , which could have been prevented by <code>DEFENSE.</code>”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|The economic system that exists within the game.
|-
|'''Game Mechanics'''
|The physics engine, logic, and other environmental components within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attacker Goals ==

This list refers to what a given attacker might be trying to accomplish within the game by performing a given attack. This could relate very closely (or not) with the technical impact or business impact cause by the behavior.

{| class="wikitable" border="1" style="text-align: left"
! Attacker Goal
! Description
|-
| '''Avoid Damage'''
|Allows the player to avoid being killed by other players or NPCs.
|-
| '''Gain Gear'''
|Improve the amount or quality of gear the player has.
|-
| '''Gain In-game Currency'''
|Gain more currency than would normally be allowed.
|-
| '''Enhance Gear'''
|Give weapons or other gear powers that they wouldn't normally have.
|-
| '''Take Opponent Offline'''
|Take a player out of the game so that the attacker's position is improved.
|-
|'''Skip Content'''
|Allows player to skip content resuting in a faster completion or objective time
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attacker Goals Project ==

The Attacker Goals Project provides information on what types of outcomes attackers might try to achieve within or outside of the game they're attacking.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Negative Outcomes ==

The following is a list of possible negative outcomes that can occur as the result of someone successfully attacking a given game.

{| class="wikitable" border="1" style="text-align: left"
! Outcomes
! Description
|-
| '''Currency Magnification'''
|A player ends up with more currency than they were supposed to have.
|-
| '''Player Anger'''
|Players become extremely agitated by one or more bugs.
|-
| '''Players Stop Playing the Game'''
|Players become so frustrated with the bugs and exploits that they stop playing and/or paying for the game.
|-
| '''Invulnerable Positions'''
|Locations on the map make bases or players unassailable and therefore invulnerable.
|-
| '''Item Multiplication'''
|Items are duplicated, multiplied, or otherwise increased in an unintended way.
|-
|'''Unfair Ladder Victory'''
|A victory is scored in favor of a player or team when they should not have won.
|-
|'''Unauthorized Admin Command Use'''
|Regular users are somehow able to execute administrative commands.
|-
|'''Lost Revenue'''
|The game company loses revenue due to bugs, hacks, and player anger.
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Negative Outcomes Project? ==

The Negative Outcomes Project provides information on what types of situations could manifest within the game if bugs or exploits are not successfully addressed.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Defenses ==
These are some of the common defenses that can be used to counter attacks against various components of a game.
{| class="wikitable" border="1" style="text-align: left"
! Outcomes
! Description
|-
| '''Cryptographic Validation of Client'''
|Ensure that the client will not run if it has been modified.
|-
| '''Enterprise-level DDoS Protection'''
|Implement protection against low to mid-tier DDoS attacks against the core gaming infrastructure.
|-
| '''Basic Application Security Defenses'''
|Code-based protections against common application security flaws, such as SQLi, XSS, CSRF, LFI/RFI, etc.
|-
|'''Authentication Lockouts'''
|Lock out a user's account after a certain number of failed attempts.
|-
|'''Two-factor Authentication'''
|Require use of 2FA on a given player's account.
|-
|'''Better Code'''
|Any fixes that can be done in code that aren't covered by other defenses. Could include net code, physics engine, logic fixes, etc.
|-
|'''Server-side Validation'''
|Ensure that validations are performed on the server and not (only) the client.
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Working Data Collection Spreadsheet:''

https://docs.google.com/spreadsheets/d/1Og08wyHsqtODBDkU_M2zHAvdxc63GSu-OmT8NjCc9Ak/edit#gid=0

:

{{Social Media Links}}

= Community =

We are actively looking for people to help in the following areas:
* Improving the framework schema, e.g., vulns, attack surfaces, technical impacts, business impacts, defenses, etc.
* Adding content to any of the various sections
* Input from avid gamers on how useful this is to them
* Input from app security experts
* Input from security types working at gaming companies
* Input from game company business types
If you have interest in helping, reach out to us and we'll make you a contributor.

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-23T15:04:36Z

Daniel Miessler: /* Common Game Security Defenses */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> , which could have been prevented by <code>DEFENSE.</code>”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|The economic system that exists within the game.
|-
|'''Game Mechanics'''
|The physics engine, logic, and other environmental components within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attacker Goals ==

This list refers to what a given attacker might be trying to accomplish within the game by performing a given attack. This could relate very closely (or not) with the technical impact or business impact cause by the behavior.

{| class="wikitable" border="1" style="text-align: left"
! Attacker Goal
! Description
|-
| '''Avoid Damage'''
|Allows the player to avoid being killed by other players or NPCs.
|-
| '''Gain Gear'''
|Improve the amount or quality of gear the player has.
|-
| '''Gain In-game Currency'''
|Gain more currency than would normally be allowed.
|-
| '''Enhance Gear'''
|Give weapons or other gear powers that they wouldn't normally have.
|-
| '''Take Opponent Offline'''
|Take a player out of the game so that the attacker's position is improved.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attacker Goals Project ==

The Attacker Goals Project provides information on what types of outcomes attackers might try to achieve within or outside of the game they're attacking.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Negative Outcomes ==

The following is a list of possible negative outcomes that can occur as the result of someone successfully attacking a given game.

{| class="wikitable" border="1" style="text-align: left"
! Outcomes
! Description
|-
| '''Currency Magnification'''
|A player ends up with more currency than they were supposed to have.
|-
| '''Player Anger'''
|Players become extremely agitated by one or more bugs.
|-
| '''Players Stop Playing the Game'''
|Players become so frustrated with the bugs and exploits that they stop playing and/or paying for the game.
|-
| '''Invulnerable Positions'''
|Locations on the map make bases or players unassailable and therefore invulnerable.
|-
| '''Item Multiplication'''
|Items are duplicated, multiplied, or otherwise increased in an unintended way.
|-
|'''Unfair Ladder Victory'''
|A victory is scored in favor of a player or team when they should not have won.
|-
|'''Unauthorized Admin Command Use'''
|Regular users are somehow able to execute administrative commands.
|-
|'''Lost Revenue'''
|The game company loses revenue due to bugs, hacks, and player anger.
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Negative Outcomes Project? ==

The Negative Outcomes Project provides information on what types of situations could manifest within the game if bugs or exploits are not successfully addressed.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

{| class="wikitable" border="1" style="text-align: left"
! Outcomes
! Description
|-
| '''Currency Magnification'''
|A player ends up with more currency than they were supposed to have.
|-
| '''Player Anger'''
|Players become extremely agitated by one or more bugs.
|-
| '''Players Stop Playing the Game'''
|Players become so frustrated with the bugs and exploits that they stop playing and/or paying for the game.
|-
| '''Invulnerable Positions'''
|Locations on the map make bases or players unassailable and therefore invulnerable.
|-
| '''Item Multiplication'''
|Items are duplicated, multiplied, or otherwise increased in an unintended way.
|-
|'''Unfair Ladder Victory'''
|A victory is scored in favor of a player or team when they should not have won.
|-
|'''Unauthorized Admin Command Use'''
|Regular users are somehow able to execute administrative commands.
|-
|'''Lost Revenue'''
|The game company loses revenue due to bugs, hacks, and player anger.
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Working Data Collection Spreadsheet:''

https://docs.google.com/spreadsheets/d/1Og08wyHsqtODBDkU_M2zHAvdxc63GSu-OmT8NjCc9Ak/edit#gid=0

:

{{Social Media Links}}

= Community =

We are actively looking for people to help in the following areas:
* Improving the framework schema, e.g., vulns, attack surfaces, technical impacts, business impacts, defenses, etc.
* Adding content to any of the various sections
* Input from avid gamers on how useful this is to them
* Input from app security experts
* Input from security types working at gaming companies
* Input from game company business types
If you have interest in helping, reach out to us and we'll make you a contributor.

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-23T15:03:24Z

Daniel Miessler: /* Related Projects */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> , which could have been prevented by <code>DEFENSE.</code>”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|The economic system that exists within the game.
|-
|'''Game Mechanics'''
|The physics engine, logic, and other environmental components within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attacker Goals ==

This list refers to what a given attacker might be trying to accomplish within the game by performing a given attack. This could relate very closely (or not) with the technical impact or business impact cause by the behavior.

{| class="wikitable" border="1" style="text-align: left"
! Attacker Goal
! Description
|-
| '''Avoid Damage'''
|Allows the player to avoid being killed by other players or NPCs.
|-
| '''Gain Gear'''
|Improve the amount or quality of gear the player has.
|-
| '''Gain In-game Currency'''
|Gain more currency than would normally be allowed.
|-
| '''Enhance Gear'''
|Give weapons or other gear powers that they wouldn't normally have.
|-
| '''Take Opponent Offline'''
|Take a player out of the game so that the attacker's position is improved.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attacker Goals Project ==

The Attacker Goals Project provides information on what types of outcomes attackers might try to achieve within or outside of the game they're attacking.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Negative Outcomes ==

The following is a list of possible negative outcomes that can occur as the result of someone successfully attacking a given game.

{| class="wikitable" border="1" style="text-align: left"
! Outcomes
! Description
|-
| '''Currency Magnification'''
|A player ends up with more currency than they were supposed to have.
|-
| '''Player Anger'''
|Players become extremely agitated by one or more bugs.
|-
| '''Players Stop Playing the Game'''
|Players become so frustrated with the bugs and exploits that they stop playing and/or paying for the game.
|-
| '''Invulnerable Positions'''
|Locations on the map make bases or players unassailable and therefore invulnerable.
|-
| '''Item Multiplication'''
|Items are duplicated, multiplied, or otherwise increased in an unintended way.
|-
|'''Unfair Ladder Victory'''
|A victory is scored in favor of a player or team when they should not have won.
|-
|'''Unauthorized Admin Command Use'''
|Regular users are somehow able to execute administrative commands.
|-
|'''Lost Revenue'''
|The game company loses revenue due to bugs, hacks, and player anger.
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Negative Outcomes Project? ==

The Negative Outcomes Project provides information on what types of situations could manifest within the game if bugs or exploits are not successfully addressed.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Working Data Collection Spreadsheet:''

https://docs.google.com/spreadsheets/d/1Og08wyHsqtODBDkU_M2zHAvdxc63GSu-OmT8NjCc9Ak/edit#gid=0

:

{{Social Media Links}}

= Community =

We are actively looking for people to help in the following areas:
* Improving the framework schema, e.g., vulns, attack surfaces, technical impacts, business impacts, defenses, etc.
* Adding content to any of the various sections
* Input from avid gamers on how useful this is to them
* Input from app security experts
* Input from security types working at gaming companies
* Input from game company business types
If you have interest in helping, reach out to us and we'll make you a contributor.

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-23T14:53:21Z

Daniel Miessler: /* Related Projects */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> , which could have been prevented by <code>DEFENSE.</code>”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|The economic system that exists within the game.
|-
|'''Game Mechanics'''
|The physics engine, logic, and other environmental components within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attacker Goals ==

This list refers to what a given attacker might be trying to accomplish within the game by performing a given attack. This could relate very closely (or not) with the technical impact or business impact cause by the behavior.

{| class="wikitable" border="1" style="text-align: left"
! Attacker Goal
! Description
|-
| '''Avoid Damage'''
|Allows the player to avoid being killed by other players or NPCs.
|-
| '''Gain Gear'''
|Improve the amount or quality of gear the player has.
|-
| '''Gain In-game Currency'''
|Gain more currency than would normally be allowed.
|-
| '''Enhance Gear'''
|Give weapons or other gear powers that they wouldn't normally have.
|-
| '''Take Opponent Offline'''
|Take a player out of the game so that the attacker's position is improved.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attacker Goals Project ==

The Attacker Goals Project provides information on what types of outcomes attackers might try to achieve within or outside of the game they're attacking.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Negative Outcomes ==

The following is a list of possible negative outcomes that can occur as the result of someone successfully attacking a given game.

{| class="wikitable" border="1" style="text-align: left"
! Technical Impact
! Description
|-
| '''Currency Magnification'''
|A player ends up with more currency than they were supposed to have.
|-
| '''Player Anger'''
|Players become extremely agitated by one or more bugs.
|-
| '''Players Stop Playing the Game'''
|Players become so frustrated with the bugs and exploits that they stop playing and/or paying for the game.
|-
| '''Invulnerable Positions'''
|Locations on the map make bases or players unassailable and therefore invulnerable.
|-
| '''Item Multiplication'''
|Items are duplicated, multiplied, or otherwise increased in an unintended way.
|-
|'''Unfair Ladder Victory'''
|A victory is scored in favor of a player or team when they should not have won.
|-
|'''Unauthorized Admin Command Use'''
|Regular users are somehow able to execute administrative commands.
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Negative Outcomes Project? ==

The Negative Outcomes Project provides information on what types of situations could manifest within the game if bugs or exploits are not successfully addressed.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Template''

:

{{Social Media Links}}

= Community =

We are actively looking for people to help in the following areas:
* Improving the framework schema, e.g., vulns, attack surfaces, technical impacts, business impacts, defenses, etc.
* Adding content to any of the various sections
* Input from avid gamers on how useful this is to them
* Input from app security experts
* Input from security types working at gaming companies
* Input from game company business types
If you have interest in helping, reach out to us and we'll make you a contributor.

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-23T07:54:07Z

Daniel Miessler: /* Related Projects */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> , which could have been prevented by <code>DEFENSE.</code>”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|The economic system that exists within the game.
|-
|'''Game Mechanics'''
|The physics engine, logic, and other environmental components within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attacker Goals ==

This list refers to what a given attacker might be trying to accomplish within the game by performing a given attack. This could relate very closely (or not) with the technical impact or business impact cause by the behavior.

{| class="wikitable" border="1" style="text-align: left"
! Attacker Goal
! Description
|-
| '''Avoid Damage'''
|Allows the player to avoid being killed by other players or NPCs.
|-
| '''Gain Gear'''
|Improve the amount or quality of gear the player has.
|-
| '''Gain In-game Currency'''
|Gain more currency than would normally be allowed.
|-
| '''Enhance Gear'''
|Give weapons or other gear powers that they wouldn't normally have.
|-
| '''Take Opponent Offline'''
|Take a player out of the game so that the attacker's position is improved.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attacker Goals Project ==

The Attacker Goals Project provides information on what types of outcomes attackers might try to achieve within or outside of the game they're attacking.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Negative Outcomes ==

The following is a list of possible negative outcomes that can occur as the result of someone successfully attacking a given game.

{| class="wikitable" border="1" style="text-align: left"
! Technical Impact
! Description
|-
| '''Currency Magnification'''
|A player ends up with more currency than they were supposed to have.
|-
| '''Player Anger'''
|Players become extremely agitated by one or more bugs.
|-
| '''Players Stop Playing the Game'''
|Players become so frustrated with the bugs and exploits that they stop playing and/or paying for the game.
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Negative Outcomes Project? ==

The Negative Outcomes Project provides information on what types of situations could manifest within the game if bugs or exploits are not successfully addressed.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Template''

:

{{Social Media Links}}

= Community =

We are actively looking for people to help in the following areas:
* Improving the framework schema, e.g., vulns, attack surfaces, technical impacts, business impacts, defenses, etc.
* Adding content to any of the various sections
* Input from avid gamers on how useful this is to them
* Input from app security experts
* Input from security types working at gaming companies
* Input from game company business types
If you have interest in helping, reach out to us and we'll make you a contributor.

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-23T07:42:35Z

Daniel Miessler:

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> , which could have been prevented by <code>DEFENSE.</code>”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|The economic system that exists within the game.
|-
|'''Game Mechanics'''
|The physics engine, logic, and other environmental components within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attacker Goals ==

This list refers to what a given attacker might be trying to accomplish within the game by performing a given attack. This could relate very closely (or not) with the technical impact or business impact cause by the behavior.

{| class="wikitable" border="1" style="text-align: left"
! Attacker Goal
! Description
|-
| '''Avoid Damage'''
|Allows the player to avoid being killed by other players or NPCs.
|-
| '''Gain Gear'''
|Improve the amount or quality of gear the player has.
|-
| '''Gain In-game Currency'''
|Gain more currency than would normally be allowed.
|-
| '''Enhance Gear'''
|Give weapons or other gear powers that they wouldn't normally have.
|-
| '''Take Opponent Offline'''
|Take a player out of the game so that the attacker's position is improved.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attacker Goals Project ==

The Attacker Goals Project provides information on what types of outcomes attackers might try to achieve within or outside of the game they're attacking.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Negative Outcomes ==

The following is a list of possible technical or tactical outcomes that can occur as the result of someone attacking a given game.

{| class="wikitable" border="1" style="text-align: left"
! Technical Impact
! Description
|-
| '''Currency Magnification'''
|A player ends up with more currency than they were supposed to have.
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Template''

:

{{Social Media Links}}

= Community =

We are actively looking for people to help in the following areas:
* Improving the framework schema, e.g., vulns, attack surfaces, technical impacts, business impacts, defenses, etc.
* Adding content to any of the various sections
* Input from avid gamers on how useful this is to them
* Input from app security experts
* Input from security types working at gaming companies
* Input from game company business types
If you have interest in helping, reach out to us and we'll make you a contributor.

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-23T07:40:37Z

Daniel Miessler:

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> , which could have been prevented by <code>DEFENSE.</code>”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|The economic system that exists within the game.
|-
|'''Game Mechanics'''
|The physics engine, logic, and other environmental components within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attacker Goals ==

This list refers to what a given attacker might be trying to accomplish within the game by performing a given attack. This could relate very closely (or not) with the technical impact or business impact cause by the behavior.

{| class="wikitable" border="1" style="text-align: left"
! Attacker Goal
! Description
|-
| '''Avoid Damage'''
|Allows the player to avoid being killed by other players or NPCs.
|-
| '''Gain Gear'''
|Improve the amount or quality of gear the player has.
|-
| '''Gain In-game Currency'''
|Gain more currency than would normally be allowed.
|-
| '''Enhance Gear'''
|Give weapons or other gear powers that they wouldn't normally have.
|-
| '''Take Opponent Offline'''
|Take a player out of the game so that the attacker's position is improved.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attacker Goals Project ==

The Attacker Goals Project provides information on what types of outcomes attackers might try to achieve within or outside of the game they're attacking.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Technical Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Technical Impacts ==

The following is a list of possible technical or tactical outcomes that can occur as the result of someone attacking a given game.

{| class="wikitable" border="1" style="text-align: left"
! Technical Impact
! Description
|-
| '''Currency Magnification'''
|A player ends up with more currency than they were supposed to have.
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Template''

:

{{Social Media Links}}

= Community =

We are actively looking for people to help in the following areas:
* Improving the framework schema, e.g., vulns, attack surfaces, technical impacts, business impacts, defenses, etc.
* Adding content to any of the various sections
* Input from avid gamers on how useful this is to them
* Input from app security experts
* Input from security types working at gaming companies
* Input from game company business types
If you have interest in helping, reach out to us and we'll make you a contributor.

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-23T07:39:15Z

Daniel Miessler: /* Classifications */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> , which could have been prevented by <code>DEFENSE.</code>”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|The economic system that exists within the game.
|-
|'''Game Mechanics'''
|The physics engine, logic, and other environmental components within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attacker Goals ==

This list refers to what a given attacker might be trying to accomplish within the game by performing a given attack. This could relate very closely (or not) with the technical impact or business impact cause by the behavior.

{| class="wikitable" border="1" style="text-align: left"
! Attacker Goal
! Description
|-
| '''Avoid Damage'''
|Allows the player to avoid being killed by other players or NPCs.
|-
| '''Gain Gear'''
|Improve the amount or quality of gear the player has.
|-
| '''Gain In-game Currency'''
|Gain more currency than would normally be allowed.
|-
| '''Enhance Gear'''
|Give weapons or other gear powers that they wouldn't normally have.
|-
| '''Take Opponent Offline'''
|Take a player out of the game so that the attacker's position is improved.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attacker Goals Project ==

The Attacker Goals Project provides information on what types of outcomes attackers might try to achieve within or outside of the game they're attacking.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Technical Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Technical Impacts ==

The following is a list of possible technical or tactical outcomes that can occur as the result of someone attacking a given game.

{| class="wikitable" border="1" style="text-align: left"
! Technical Impact
! Description
|-
| '''Currency Magnification'''
|A player ends up with more currency than they were supposed to have.
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Business Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Template''

:

{{Social Media Links}}

= Community =

We are actively looking for people to help in the following areas:
* Improving the framework schema, e.g., vulns, attack surfaces, technical impacts, business impacts, defenses, etc.
* Adding content to any of the various sections
* Input from avid gamers on how useful this is to them
* Input from app security experts
* Input from security types working at gaming companies
* Input from game company business types
If you have interest in helping, reach out to us and we'll make you a contributor.

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-23T05:15:04Z

Daniel Miessler: /* Related Projects */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attacker Goals ==

This list refers to what a given attacker might be trying to accomplish within the game by performing a given attack. This could relate very closely (or not) with the technical impact or business impact cause by the behavior.

{| class="wikitable" border="1" style="text-align: left"
! Attacker Goal
! Description
|-
| '''Avoid Damage'''
|Allows the player to avoid being killed by other players or NPCs.
|-
| '''Gain Gear'''
|Improve the amount or quality of gear the player has.
|-
| '''Gain In-game Currency'''
|Gain more currency than would normally be allowed.
|-
| '''Enhance Gear'''
|Give weapons or other gear powers that they wouldn't normally have.
|-
| '''Take Opponent Offline'''
|Take a player out of the game so that the attacker's position is improved.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attacker Goals Project ==

The Attacker Goals Project provides information on what types of outcomes attackers might try to achieve within or outside of the game they're attacking.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Technical Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Technical Impacts ==

The following is a list of possible technical or tactical outcomes that can occur as the result of someone attacking a given game.

{| class="wikitable" border="1" style="text-align: left"
! Technical Impact
! Description
|-
| '''Currency Magnification'''
|A player ends up with more currency than they were supposed to have.
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Business Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Template''

:

{{Social Media Links}}

= Community =

We are actively looking for people to help in the following areas:
* Improving the framework schema, e.g., vulns, attack surfaces, technical impacts, business impacts, defenses, etc.
* Adding content to any of the various sections
* Input from avid gamers on how useful this is to them
* Input from app security experts
* Input from security types working at gaming companies
* Input from game company business types
If you have interest in helping, reach out to us and we'll make you a contributor.

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-23T05:07:24Z

Daniel Miessler: /* Collaboration */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attacker Goals ==

This list refers to what a given attacker might be trying to accomplish within the game by performing a given attack. This could relate very closely (or not) with the technical impact or business impact cause by the behavior.

{| class="wikitable" border="1" style="text-align: left"
! Attacker Goal
! Description
|-
| '''Avoid Damage'''
|Allows the player to avoid being killed by other players or NPCs.
|-
| '''Gain Gear'''
|Improve the amount or quality of gear the player has.
|-
| '''Gain In-game Currency'''
|Gain more currency than would normally be allowed.
|-
| '''Enhance Gear'''
|Give weapons or other gear powers that they wouldn't normally have.
|-
| '''Take Opponent Offline'''
|Take a player out of the game so that the attacker's position is improved.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attacker Goals Project ==

The Attacker Goals Project provides information on what types of outcomes attackers might try to achieve within or outside of the game they're attacking.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Technical Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Business Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Template''

:

{{Social Media Links}}

= Community =

We are actively looking for people to help in the following areas:
* Improving the framework schema, e.g., vulns, attack surfaces, technical impacts, business impacts, defenses, etc.
* Adding content to any of the various sections
* Input from avid gamers on how useful this is to them
* Input from app security experts
* Input from security types working at gaming companies
* Input from game company business types
If you have interest in helping, reach out to us and we'll make you a contributor.

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-23T04:37:04Z

Daniel Miessler: /* Collaboration */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Technical Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Business Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Template''

:

{{Social Media Links}}

= Community =

We are actively looking for people to help in the following areas:
* Improving the framework schema, e.g., vulns, attack surfaces, technical impacts, business impacts, defenses, etc.
* Adding content to any of the various sections
* Input from avid gamers on how useful this is to them
* Input from app security experts
* Input from security types working at gaming companies
* Input from game company business types
If you have interest in helping, reach out to us and we'll make you a contributor.

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-23T04:32:17Z

Daniel Miessler: /* Resources */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Technical Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Business Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Template''

:

{{Social Media Links}}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure

[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research

[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-23T04:31:22Z

Daniel Miessler: /* News and Events */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Technical Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Business Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Template''

:

{{Social Media Links}}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure

[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research

[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-23T04:30:50Z

Daniel Miessler: /* Attack Surfaces */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Sub-project Leader ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Technical Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Business Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Template''

:

{{Social Media Links}}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure

[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research

[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-23T04:30:11Z

Daniel Miessler: /* Vulnerabilities */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Sub-project Leader ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Technical Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Business Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Template''

:

{{Social Media Links}}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure

[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research

[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-22T20:28:10Z

Daniel Miessler:

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Technical Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Business Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Template''

:

{{Social Media Links}}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure

[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research

[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-22T19:15:07Z

Daniel Miessler: /* Common Game Security Defenses */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Technical Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Business Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability''

{| class="wikitable"
!ID
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Goal
! style="font-weight: bold;" | Techical Impact
!Business Impact
! style="font-weight: bold;" | Defense
! Ref
!Game
! Genre
|-
|V1
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger
|Players leave, Lost Revenue
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
|
| 3PS/1PS/MMO
|-
|VN1
| colspan="10" style="text-align: center;" | "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating, which could have been prevented by <code>CRYPTOGRAPHIC INTEGRITY CHECKS ON GAME CLIENT</code>”
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|-
|
|
|
|
|
|
|
|
|
|
|
|}
''Template''

:

{{Social Media Links}}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure

[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research

[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-22T19:05:22Z

Daniel Miessler: Updating tab names.

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Technical Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Business Impacts =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability 1''

{| class="wikitable"
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Attacker Goal
! style="font-weight: bold;" | Negative Outcome
! style="font-weight: bold;" | Tester Tool
! style="font-weight: bold;" | Defense
! Ref
! Genre
|-
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger, Lost Revenue
| Game Client
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
| 3PS/1PS/MMO
|-
| colspan="9" style="text-align: center;" | The attacker attacked and edited the LOCAL GAME CLIENT (Attack Surface), which had a LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability), which allowed her to ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal), ultimately leading to an UNHAPPY PLAYER BASE (Negative Outcome) and DECLINING GAME REVENUE (Negative Outcome) due to cheating.
|-
|
|
|
|
|
|
|
|
|
|}
''Template 1''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

{{Social Media Links}}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure

[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research

[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-03-22T17:57:26Z

Daniel Miessler: /* Collaboration */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

In 2016 the videogame market became 99.6 Billion dollar industry... any why shouldn't it be? Some of the most prolific and complex software developed today are video games. They are professionally played, sponsored, scrutinized, monetized, and celebrated, just like many sports. They handle clients, servers, web components, monetary transfers, social interactions, virtual markets, etc, with every bit the need of security that most internet hosted apps have (if not more in some cases). The GSF is designed to help threat model gaming issues that have devastated new games. Most importantly we hope the GSF can help new developers and security testers alike root out bugs in your favorite titles.

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* Kevin Hemmingsen
* Troy Cunefare
* Ryan Lawrence
* Martin Mendoza
* Koray Algan
* Tom Simkovic
* Matt Espinoza
* Chad Lynch

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* January, 2017: Doing a complete redesign of the project.
* March 2017: Presenting version 1.0 at HouSecCon 2017.

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Game Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| class="wikitable" border="1" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability 1''

{| class="wikitable"
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Attacker Goal
! style="font-weight: bold;" | Negative Outcome
! style="font-weight: bold;" | Tester Tool
! style="font-weight: bold;" | Defense
! Ref
! Genre
|-
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger, Lost Revenue
| Game Client
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
| 3PS/1PS/MMO
|-
| colspan="9" style="text-align: center;" | The attacker attacked and edited the LOCAL GAME CLIENT (Attack Surface), which had a LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability), which allowed her to ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal), ultimately leading to an UNHAPPY PLAYER BASE (Negative Outcome) and DECLINING GAME REVENUE (Negative Outcome) due to cheating.
|-
|
|
|
|
|
|
|
|
|
|}
''Template 1''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

{{Social Media Links}}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure

[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research

[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP_Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:OWASP_Release_Quality_Document]]

OWASP Internet of Things Project

2017-02-15T19:28:21Z

Daniel Miessler: /* Medical Device Testing */

= Main =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Internet of Things (IoT) Project==

Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

[[File:iot-project.png|400px|thumb|center]]

==Licensing==
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Internet of Things Project? ==

The OWASP Internet of Things Project provides information on:

* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]
* IoT Vulnerabilities
* Firmware Analysis
* ICS/SCADA Software Weaknesses
* Community Information
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]
* Developer, Consumer and Manufacturer Guidance
* Design Principles

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Contributors ==
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]
* Saša Zdjelar

== Related Projects ==

* [[OWASP_Project|OWASP Project Repository]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_.NET_Project|OWASP .NET]]
* [[Java|OWASP Java and JVM]]
* [[C/C++|OWASP C/C++]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]

[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]

[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]

[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]

[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]

[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]

[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]

== News and Events ==
* Added a [https://owasp-iot-security.slack.com/ Slack channel]
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]
* Migrating the IoT Top Ten to be under the IoT Project
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= IoT Attack Surface Areas =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Attack Surface Areas Project ==

The OWASP IoT Attack Surface Areas (DRAFT) are as follows:

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|

* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Privacy'''
|
* User data disclosure
* User/device location disclosure
* Differential privacy
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Attack Surface Areas Project? ==

The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Vulnerabilities Project ==

{| border="1" class="wikitable" style="text-align: left"
! Vulnerability
! Attack Surface
! Summary
|-
| '''Username Enumeration'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to collect a set of valid usernames by interacting with the authentication mechanism
|-
| '''Weak Passwords'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to set account passwords to '1234' or '123456' for example.
|-
| '''Account Lockout'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts
|-
| '''Unencrypted Services'''
|
* Device Network Services
|
* Network services are not properly encrypted to prevent eavesdropping by attackers
|-
| '''Two-factor Authentication'''
|
* Administrative Interface
* Cloud Web Interface
* Mobile Application
|
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
|-
| '''Poorly Implemented Encryption'''
|
* Device Network Services
|
* Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
|-
| '''Update Sent Without Encryption'''
|
* Update Mechanism
|
* Updates are transmitted over the network without using TLS or encrypting the update file itself
|-
| '''Update Location Writable'''
|
* Update Mechanism
|
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
|-
| '''Denial of Service'''
|
* Device Network Services
|
* Service can be attacked in a way that denies service to that service or the entire device
|-
| '''Removal of Storage Media'''
|
* Device Physical Interfaces
|
* Ability to physically remove the storage media from the device
|-
| '''No Manual Update Mechanism'''
|
* Update Mechanism
|
* No ability to manually force an update check for the device
|-
| '''Missing Update Mechanism'''
|
* Update Mechanism
|
* No ability to update device
|-
| '''Firmware Version Display and/or Last Update Date'''
|
* Device Firmware
|
* Current firmware version is not displayed and/or the last update date is not displayed
|-
| '''Firmware and storage extraction'''
|
* JTAG / SWD interface
* [https://www.flashrom.org/Flashrom In-Situ dumping]
* Intercepting a OTA update
* Downloading from the manufacturers web page
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]
* Unsoldering the SPI Flash / eMMC chip and reading it in a adapter
|
* Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc.
|-
| '''Manipulating the code execution flow of the device'''
|
* JTAG / SWD interface
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]
|
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device
|-
| '''Obtaining console access'''
|
* Serial interfaces (SPI / UART)
|
* By connecting to a serial interface, we will obtain full console access to a device
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.

|-

|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Vulnerabilities Project? ==

The IoT Vulnerabilities Project provides:

* Information on the top IoT vulnerabilities
* The attack surface associated with the vulnerability
* A summary of the vulnerability

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Medical Devices =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Medical Device Testing ==

The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''HL7'''
|
* XML Parsing
** XSS
* Information Disclosure
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Data Flow'''
|
* What data is being captured?
* How does it move within the ecosystem?
* How is it protected in transit?
* How is it protected at rest?
* Who is that data shared with?
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)
* Failure state analysis
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Medical Attack Surfaces project? ==

The Medical Attack Surfaces project provides:

* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment
* Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.

|}

= Firmware Analysis =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Firmware Analysis Project ==

The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":

{| border="1" class="wikitable" style="text-align: left"
! Section
!
|-
|
Device Firmware Vulnerabilties
|
* Out-of-date core components
* Unsupported core components
* Expired and/or self-signed certificates
* Same certificate used on multiple devices
* Admin web interface concerns
* Hardcoded or easy to guess credentials
* Sensitive information disclosure
* Sensitive URL disclosure
* Encryption key exposure
* Backdoor accounts
* Vulnerable services (web, ssh, tftp, etc.)
|-
|
Manufacturer Recommendations
|
* Ensure that supported and up-to-date software is used by developers
* Ensure that robust update mechanisms are in place for devices
* Ensure that certificates are not duplicated across devices and product lines.
* Ensure supported and up-to-date software is used by developers
* Develop a mechanism to ensure a new certificate is installed when old ones expire
* Disable deprecated SSL versions
* Ensure developers do not code in easy to guess or common admin passwords
* Ensure services such as SSH have a secure password created
* Develop a mechanism that requires the user to create a secure admin password during initial device setup
* Ensure developers do not hard code passwords or hashes
* Have source code reviewed by a third party before releasing device to production
* Ensure industry standard encryption or strong hashing is used
|-
|
Device Firmware Guidance and Instruction
|
* Firmware file analysis
* Firmware extraction
* Dynamic binary analysis
* Static binary analysis
* Static code analysis
* Firmware emulation
* File system analysis
|-
|
Device Firmware Tools
|
* [https://github.com/craigz28/firmwalker Firmwalker]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://github.com/angr/angr Angr binary analysis framework]
* [http://binwalk.org/ Binwalk firmware analysis tool]
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]
* [https://github.com/firmadyne/firmadyne Firmadyne]
|-
|
Vulnerable Firmware
|
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Firmware Analysis Project? ==

The Firmware Analysis Project provides:

* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface
* Steps for extracting file systems from various firmware files
* Guidance on searching a file systems for sensitive of interesting data
* Information on static analysis of firmware contents
* Information on dynamic analysis of emulated services (e.g. web admin interface)
* Testing tool links
* A site for pulling together existing information on firmware analysis

== Project Leaders ==

* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Coming Soon

|}

= IoT Event Logging Project=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Logging Events==

This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.

{| border="1" class="wikitable" style="text-align: left"
! Event Category
! Events
|-
| '''Request Exceptions'''
|
* Attempt to Invoke Unsupported HTTP Method
* Unexpected Quantity of Characters in Parameter
* Unexpected Type of Characters in Parameter
|-
| '''Authentication Exceptions'''
|
* Multiple Failed Passwords
* High Rate of Login Attempts
* Additional POST Variable
* Deviation from Normal GEO Location
|-
| '''Session Exceptions'''
|
* Modifying the Existing Cookie
* Substituting Another User's Valid SessionID or Cookie
* Source Location Changes During Session
|-
| '''Access Control Exceptions'''
|
* Modifying URL Argument Within a GET for Direct Object Access Attempt
* Modifying Parameter Within a POST for Direct Object Access Attempt
* Forced Browsing Attempt
|-
| '''Ecosystem Membership Exceptions'''
|
* Traffic Seen from Disenrolled System
* Traffic Seen from Unenrolled System
* Failed Attempt to Enroll in Ecosystem
* Multiple Attempts to Enroll in Ecosystem
|-
| '''Device Access Events'''
|
* Device Case Tampering Detected
* Device Logic Board Tampering Detected
|-
| '''Administrative Mode Events'''
|
* Device Entered Administrative Mode
* Device Accessed Using Default Administrative Credentials
|-
| '''Input Exceptions'''
|
* Double Encoded Character
* Unexpected Encoding Used
|-
| '''Command Injection Exceptions'''
|
* Blacklist Inspection for Common SQL Injection Values
* Abnormal Quantity of Returned Records
|-
| '''Honey Trap Exceptions'''
|
* Honey Trap Resource Requested
* Honey Trap Data Used
|-
| '''Reputation Exceptions'''
|
* Suspicious or Disallowed User Source Location

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" |

== What is the IoT Security Logging Project? ==

The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= ICS/SCADA =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== ICS/SCADA Project ==

The OWASP ICS/SCADA Top 10 software weaknesses are as follows:

{| border="1" class="wikitable" style="text-align: left"
! Rank and ID
! Title
|-
| '''1 - CWE-119'''
|
* Improper Restriction of Operations within the Bounds of a Memory Buffer
|-
| '''2 - CWE-20'''
|
* Improper Input Validation
|-
| '''3 - CWE-22'''
|
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|-
| '''4 - CWE-264'''
|
* Permissions, Privileges, and Access Controls
|-
| '''5 - CWE-200'''
|
* Information Exposure
|-
| '''6 - CWE-255'''
|
* Credentials Management
|-
| '''7 - CWE-287'''
|
* Improper Authentication
|-
| '''8 - CWE-399'''
|
* Resource Management Errors
|-
| '''9 - CWE-79'''
|
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
|-
| '''10 - CWE-189'''
|
* Numeric Errors
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the ICS/SCADA Project? ==

The ICS/SCADA Project provides:

* A list of the Top 10 most dangerous software weaknesses

== Project Leaders ==

* NJ Ouchn

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Security Policy Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Security Policy Project ==

The OWASP IoT Security Policy Project provides:

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Security Policies Project? ==

The IoT Security Policy Project provides:

== Project Leaders ==

* Saša Zdjelar

== Related Projects ==

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Internet of Things Project

2017-02-15T19:27:19Z

Daniel Miessler: /* Medical Device Testing */

= Main =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Internet of Things (IoT) Project==

Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

[[File:iot-project.png|400px|thumb|center]]

==Licensing==
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Internet of Things Project? ==

The OWASP Internet of Things Project provides information on:

* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]
* IoT Vulnerabilities
* Firmware Analysis
* ICS/SCADA Software Weaknesses
* Community Information
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]
* Developer, Consumer and Manufacturer Guidance
* Design Principles

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Contributors ==
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]
* Saša Zdjelar

== Related Projects ==

* [[OWASP_Project|OWASP Project Repository]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_.NET_Project|OWASP .NET]]
* [[Java|OWASP Java and JVM]]
* [[C/C++|OWASP C/C++]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]

[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]

[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]

[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]

[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]

[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]

[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]

== News and Events ==
* Added a [https://owasp-iot-security.slack.com/ Slack channel]
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]
* Migrating the IoT Top Ten to be under the IoT Project
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= IoT Attack Surface Areas =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Attack Surface Areas Project ==

The OWASP IoT Attack Surface Areas (DRAFT) are as follows:

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|

* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Privacy'''
|
* User data disclosure
* User/device location disclosure
* Differential privacy
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Attack Surface Areas Project? ==

The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Vulnerabilities Project ==

{| border="1" class="wikitable" style="text-align: left"
! Vulnerability
! Attack Surface
! Summary
|-
| '''Username Enumeration'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to collect a set of valid usernames by interacting with the authentication mechanism
|-
| '''Weak Passwords'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to set account passwords to '1234' or '123456' for example.
|-
| '''Account Lockout'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts
|-
| '''Unencrypted Services'''
|
* Device Network Services
|
* Network services are not properly encrypted to prevent eavesdropping by attackers
|-
| '''Two-factor Authentication'''
|
* Administrative Interface
* Cloud Web Interface
* Mobile Application
|
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
|-
| '''Poorly Implemented Encryption'''
|
* Device Network Services
|
* Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
|-
| '''Update Sent Without Encryption'''
|
* Update Mechanism
|
* Updates are transmitted over the network without using TLS or encrypting the update file itself
|-
| '''Update Location Writable'''
|
* Update Mechanism
|
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
|-
| '''Denial of Service'''
|
* Device Network Services
|
* Service can be attacked in a way that denies service to that service or the entire device
|-
| '''Removal of Storage Media'''
|
* Device Physical Interfaces
|
* Ability to physically remove the storage media from the device
|-
| '''No Manual Update Mechanism'''
|
* Update Mechanism
|
* No ability to manually force an update check for the device
|-
| '''Missing Update Mechanism'''
|
* Update Mechanism
|
* No ability to update device
|-
| '''Firmware Version Display and/or Last Update Date'''
|
* Device Firmware
|
* Current firmware version is not displayed and/or the last update date is not displayed
|-
| '''Firmware and storage extraction'''
|
* JTAG / SWD interface
* [https://www.flashrom.org/Flashrom In-Situ dumping]
* Intercepting a OTA update
* Downloading from the manufacturers web page
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]
* Unsoldering the SPI Flash / eMMC chip and reading it in a adapter
|
* Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc.
|-
| '''Manipulating the code execution flow of the device'''
|
* JTAG / SWD interface
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]
|
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device
|-
| '''Obtaining console access'''
|
* Serial interfaces (SPI / UART)
|
* By connecting to a serial interface, we will obtain full console access to a device
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.

|-

|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Vulnerabilities Project? ==

The IoT Vulnerabilities Project provides:

* Information on the top IoT vulnerabilities
* The attack surface associated with the vulnerability
* A summary of the vulnerability

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Medical Devices =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Medical Device Testing ==

The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Failure States'''
|
* DoS
* Sensor failure reactions
* Detecting malfunctioning sensors
* Subsystem failure logic
|-
| '''HL7'''
|
* XML Parsing
** XSS
* Information Disclosure
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Data Flow'''
|
* What data is being captured?
* How does it move within the ecosystem?
* How is it protected in transit?
* How is it protected at rest?
* Who is that data shared with?
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)
* Failure state analysis

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Medical Attack Surfaces project? ==

The Medical Attack Surfaces project provides:

* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment
* Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.

|}

= Firmware Analysis =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Firmware Analysis Project ==

The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":

{| border="1" class="wikitable" style="text-align: left"
! Section
!
|-
|
Device Firmware Vulnerabilties
|
* Out-of-date core components
* Unsupported core components
* Expired and/or self-signed certificates
* Same certificate used on multiple devices
* Admin web interface concerns
* Hardcoded or easy to guess credentials
* Sensitive information disclosure
* Sensitive URL disclosure
* Encryption key exposure
* Backdoor accounts
* Vulnerable services (web, ssh, tftp, etc.)
|-
|
Manufacturer Recommendations
|
* Ensure that supported and up-to-date software is used by developers
* Ensure that robust update mechanisms are in place for devices
* Ensure that certificates are not duplicated across devices and product lines.
* Ensure supported and up-to-date software is used by developers
* Develop a mechanism to ensure a new certificate is installed when old ones expire
* Disable deprecated SSL versions
* Ensure developers do not code in easy to guess or common admin passwords
* Ensure services such as SSH have a secure password created
* Develop a mechanism that requires the user to create a secure admin password during initial device setup
* Ensure developers do not hard code passwords or hashes
* Have source code reviewed by a third party before releasing device to production
* Ensure industry standard encryption or strong hashing is used
|-
|
Device Firmware Guidance and Instruction
|
* Firmware file analysis
* Firmware extraction
* Dynamic binary analysis
* Static binary analysis
* Static code analysis
* Firmware emulation
* File system analysis
|-
|
Device Firmware Tools
|
* [https://github.com/craigz28/firmwalker Firmwalker]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://github.com/angr/angr Angr binary analysis framework]
* [http://binwalk.org/ Binwalk firmware analysis tool]
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]
* [https://github.com/firmadyne/firmadyne Firmadyne]
|-
|
Vulnerable Firmware
|
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Firmware Analysis Project? ==

The Firmware Analysis Project provides:

* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface
* Steps for extracting file systems from various firmware files
* Guidance on searching a file systems for sensitive of interesting data
* Information on static analysis of firmware contents
* Information on dynamic analysis of emulated services (e.g. web admin interface)
* Testing tool links
* A site for pulling together existing information on firmware analysis

== Project Leaders ==

* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Coming Soon

|}

= IoT Event Logging Project=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Logging Events==

This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.

{| border="1" class="wikitable" style="text-align: left"
! Event Category
! Events
|-
| '''Request Exceptions'''
|
* Attempt to Invoke Unsupported HTTP Method
* Unexpected Quantity of Characters in Parameter
* Unexpected Type of Characters in Parameter
|-
| '''Authentication Exceptions'''
|
* Multiple Failed Passwords
* High Rate of Login Attempts
* Additional POST Variable
* Deviation from Normal GEO Location
|-
| '''Session Exceptions'''
|
* Modifying the Existing Cookie
* Substituting Another User's Valid SessionID or Cookie
* Source Location Changes During Session
|-
| '''Access Control Exceptions'''
|
* Modifying URL Argument Within a GET for Direct Object Access Attempt
* Modifying Parameter Within a POST for Direct Object Access Attempt
* Forced Browsing Attempt
|-
| '''Ecosystem Membership Exceptions'''
|
* Traffic Seen from Disenrolled System
* Traffic Seen from Unenrolled System
* Failed Attempt to Enroll in Ecosystem
* Multiple Attempts to Enroll in Ecosystem
|-
| '''Device Access Events'''
|
* Device Case Tampering Detected
* Device Logic Board Tampering Detected
|-
| '''Administrative Mode Events'''
|
* Device Entered Administrative Mode
* Device Accessed Using Default Administrative Credentials
|-
| '''Input Exceptions'''
|
* Double Encoded Character
* Unexpected Encoding Used
|-
| '''Command Injection Exceptions'''
|
* Blacklist Inspection for Common SQL Injection Values
* Abnormal Quantity of Returned Records
|-
| '''Honey Trap Exceptions'''
|
* Honey Trap Resource Requested
* Honey Trap Data Used
|-
| '''Reputation Exceptions'''
|
* Suspicious or Disallowed User Source Location

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" |

== What is the IoT Security Logging Project? ==

The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= ICS/SCADA =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== ICS/SCADA Project ==

The OWASP ICS/SCADA Top 10 software weaknesses are as follows:

{| border="1" class="wikitable" style="text-align: left"
! Rank and ID
! Title
|-
| '''1 - CWE-119'''
|
* Improper Restriction of Operations within the Bounds of a Memory Buffer
|-
| '''2 - CWE-20'''
|
* Improper Input Validation
|-
| '''3 - CWE-22'''
|
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|-
| '''4 - CWE-264'''
|
* Permissions, Privileges, and Access Controls
|-
| '''5 - CWE-200'''
|
* Information Exposure
|-
| '''6 - CWE-255'''
|
* Credentials Management
|-
| '''7 - CWE-287'''
|
* Improper Authentication
|-
| '''8 - CWE-399'''
|
* Resource Management Errors
|-
| '''9 - CWE-79'''
|
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
|-
| '''10 - CWE-189'''
|
* Numeric Errors
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the ICS/SCADA Project? ==

The ICS/SCADA Project provides:

* A list of the Top 10 most dangerous software weaknesses

== Project Leaders ==

* NJ Ouchn

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Security Policy Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Security Policy Project ==

The OWASP IoT Security Policy Project provides:

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Security Policies Project? ==

The IoT Security Policy Project provides:

== Project Leaders ==

* Saša Zdjelar

== Related Projects ==

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Internet of Things Project

2017-02-15T19:23:53Z

Daniel Miessler: /* Medical Device Testing */

= Main =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Internet of Things (IoT) Project==

Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

[[File:iot-project.png|400px|thumb|center]]

==Licensing==
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Internet of Things Project? ==

The OWASP Internet of Things Project provides information on:

* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]
* IoT Vulnerabilities
* Firmware Analysis
* ICS/SCADA Software Weaknesses
* Community Information
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]
* Developer, Consumer and Manufacturer Guidance
* Design Principles

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Contributors ==
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]
* Saša Zdjelar

== Related Projects ==

* [[OWASP_Project|OWASP Project Repository]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_.NET_Project|OWASP .NET]]
* [[Java|OWASP Java and JVM]]
* [[C/C++|OWASP C/C++]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]

[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]

[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]

[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]

[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]

[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]

[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]

== News and Events ==
* Added a [https://owasp-iot-security.slack.com/ Slack channel]
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]
* Migrating the IoT Top Ten to be under the IoT Project
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= IoT Attack Surface Areas =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Attack Surface Areas Project ==

The OWASP IoT Attack Surface Areas (DRAFT) are as follows:

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|

* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Privacy'''
|
* User data disclosure
* User/device location disclosure
* Differential privacy
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Attack Surface Areas Project? ==

The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Vulnerabilities Project ==

{| border="1" class="wikitable" style="text-align: left"
! Vulnerability
! Attack Surface
! Summary
|-
| '''Username Enumeration'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to collect a set of valid usernames by interacting with the authentication mechanism
|-
| '''Weak Passwords'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to set account passwords to '1234' or '123456' for example.
|-
| '''Account Lockout'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts
|-
| '''Unencrypted Services'''
|
* Device Network Services
|
* Network services are not properly encrypted to prevent eavesdropping by attackers
|-
| '''Two-factor Authentication'''
|
* Administrative Interface
* Cloud Web Interface
* Mobile Application
|
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
|-
| '''Poorly Implemented Encryption'''
|
* Device Network Services
|
* Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
|-
| '''Update Sent Without Encryption'''
|
* Update Mechanism
|
* Updates are transmitted over the network without using TLS or encrypting the update file itself
|-
| '''Update Location Writable'''
|
* Update Mechanism
|
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
|-
| '''Denial of Service'''
|
* Device Network Services
|
* Service can be attacked in a way that denies service to that service or the entire device
|-
| '''Removal of Storage Media'''
|
* Device Physical Interfaces
|
* Ability to physically remove the storage media from the device
|-
| '''No Manual Update Mechanism'''
|
* Update Mechanism
|
* No ability to manually force an update check for the device
|-
| '''Missing Update Mechanism'''
|
* Update Mechanism
|
* No ability to update device
|-
| '''Firmware Version Display and/or Last Update Date'''
|
* Device Firmware
|
* Current firmware version is not displayed and/or the last update date is not displayed
|-
| '''Firmware and storage extraction'''
|
* JTAG / SWD interface
* [https://www.flashrom.org/Flashrom In-Situ dumping]
* Intercepting a OTA update
* Downloading from the manufacturers web page
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]
* Unsoldering the SPI Flash / eMMC chip and reading it in a adapter
|
* Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc.
|-
| '''Manipulating the code execution flow of the device'''
|
* JTAG / SWD interface
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]
|
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device
|-
| '''Obtaining console access'''
|
* Serial interfaces (SPI / UART)
|
* By connecting to a serial interface, we will obtain full console access to a device
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.

|-

|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Vulnerabilities Project? ==

The IoT Vulnerabilities Project provides:

* Information on the top IoT vulnerabilities
* The attack surface associated with the vulnerability
* A summary of the vulnerability

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Medical Devices =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Medical Device Testing ==

The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Failure States'''
|
* DoS
* Sensor failure reactions
* Detecting malfunctioning sensors
* Subsystem failure logic
|-
| '''HL7'''
|
* XML Parsing
** XSS
* Information Disclosure
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Privacy'''
|
* User data disclosure
* User/device location disclosure
* Differential privacy
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Medical Attack Surfaces project? ==

The Medical Attack Surfaces project provides:

* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment
* Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.

|}

= Firmware Analysis =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Firmware Analysis Project ==

The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":

{| border="1" class="wikitable" style="text-align: left"
! Section
!
|-
|
Device Firmware Vulnerabilties
|
* Out-of-date core components
* Unsupported core components
* Expired and/or self-signed certificates
* Same certificate used on multiple devices
* Admin web interface concerns
* Hardcoded or easy to guess credentials
* Sensitive information disclosure
* Sensitive URL disclosure
* Encryption key exposure
* Backdoor accounts
* Vulnerable services (web, ssh, tftp, etc.)
|-
|
Manufacturer Recommendations
|
* Ensure that supported and up-to-date software is used by developers
* Ensure that robust update mechanisms are in place for devices
* Ensure that certificates are not duplicated across devices and product lines.
* Ensure supported and up-to-date software is used by developers
* Develop a mechanism to ensure a new certificate is installed when old ones expire
* Disable deprecated SSL versions
* Ensure developers do not code in easy to guess or common admin passwords
* Ensure services such as SSH have a secure password created
* Develop a mechanism that requires the user to create a secure admin password during initial device setup
* Ensure developers do not hard code passwords or hashes
* Have source code reviewed by a third party before releasing device to production
* Ensure industry standard encryption or strong hashing is used
|-
|
Device Firmware Guidance and Instruction
|
* Firmware file analysis
* Firmware extraction
* Dynamic binary analysis
* Static binary analysis
* Static code analysis
* Firmware emulation
* File system analysis
|-
|
Device Firmware Tools
|
* [https://github.com/craigz28/firmwalker Firmwalker]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://github.com/angr/angr Angr binary analysis framework]
* [http://binwalk.org/ Binwalk firmware analysis tool]
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]
* [https://github.com/firmadyne/firmadyne Firmadyne]
|-
|
Vulnerable Firmware
|
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Firmware Analysis Project? ==

The Firmware Analysis Project provides:

* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface
* Steps for extracting file systems from various firmware files
* Guidance on searching a file systems for sensitive of interesting data
* Information on static analysis of firmware contents
* Information on dynamic analysis of emulated services (e.g. web admin interface)
* Testing tool links
* A site for pulling together existing information on firmware analysis

== Project Leaders ==

* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Coming Soon

|}

= IoT Event Logging Project=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Logging Events==

This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.

{| border="1" class="wikitable" style="text-align: left"
! Event Category
! Events
|-
| '''Request Exceptions'''
|
* Attempt to Invoke Unsupported HTTP Method
* Unexpected Quantity of Characters in Parameter
* Unexpected Type of Characters in Parameter
|-
| '''Authentication Exceptions'''
|
* Multiple Failed Passwords
* High Rate of Login Attempts
* Additional POST Variable
* Deviation from Normal GEO Location
|-
| '''Session Exceptions'''
|
* Modifying the Existing Cookie
* Substituting Another User's Valid SessionID or Cookie
* Source Location Changes During Session
|-
| '''Access Control Exceptions'''
|
* Modifying URL Argument Within a GET for Direct Object Access Attempt
* Modifying Parameter Within a POST for Direct Object Access Attempt
* Forced Browsing Attempt
|-
| '''Ecosystem Membership Exceptions'''
|
* Traffic Seen from Disenrolled System
* Traffic Seen from Unenrolled System
* Failed Attempt to Enroll in Ecosystem
* Multiple Attempts to Enroll in Ecosystem
|-
| '''Device Access Events'''
|
* Device Case Tampering Detected
* Device Logic Board Tampering Detected
|-
| '''Administrative Mode Events'''
|
* Device Entered Administrative Mode
* Device Accessed Using Default Administrative Credentials
|-
| '''Input Exceptions'''
|
* Double Encoded Character
* Unexpected Encoding Used
|-
| '''Command Injection Exceptions'''
|
* Blacklist Inspection for Common SQL Injection Values
* Abnormal Quantity of Returned Records
|-
| '''Honey Trap Exceptions'''
|
* Honey Trap Resource Requested
* Honey Trap Data Used
|-
| '''Reputation Exceptions'''
|
* Suspicious or Disallowed User Source Location

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" |

== What is the IoT Security Logging Project? ==

The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= ICS/SCADA =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== ICS/SCADA Project ==

The OWASP ICS/SCADA Top 10 software weaknesses are as follows:

{| border="1" class="wikitable" style="text-align: left"
! Rank and ID
! Title
|-
| '''1 - CWE-119'''
|
* Improper Restriction of Operations within the Bounds of a Memory Buffer
|-
| '''2 - CWE-20'''
|
* Improper Input Validation
|-
| '''3 - CWE-22'''
|
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|-
| '''4 - CWE-264'''
|
* Permissions, Privileges, and Access Controls
|-
| '''5 - CWE-200'''
|
* Information Exposure
|-
| '''6 - CWE-255'''
|
* Credentials Management
|-
| '''7 - CWE-287'''
|
* Improper Authentication
|-
| '''8 - CWE-399'''
|
* Resource Management Errors
|-
| '''9 - CWE-79'''
|
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
|-
| '''10 - CWE-189'''
|
* Numeric Errors
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the ICS/SCADA Project? ==

The ICS/SCADA Project provides:

* A list of the Top 10 most dangerous software weaknesses

== Project Leaders ==

* NJ Ouchn

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Security Policy Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Security Policy Project ==

The OWASP IoT Security Policy Project provides:

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Security Policies Project? ==

The IoT Security Policy Project provides:

== Project Leaders ==

* Saša Zdjelar

== Related Projects ==

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Internet of Things Project

2017-02-15T19:20:50Z

Daniel Miessler: /* Medical Device Testing */

= Main =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Internet of Things (IoT) Project==

Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

[[File:iot-project.png|400px|thumb|center]]

==Licensing==
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Internet of Things Project? ==

The OWASP Internet of Things Project provides information on:

* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]
* IoT Vulnerabilities
* Firmware Analysis
* ICS/SCADA Software Weaknesses
* Community Information
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]
* Developer, Consumer and Manufacturer Guidance
* Design Principles

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Contributors ==
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]
* Saša Zdjelar

== Related Projects ==

* [[OWASP_Project|OWASP Project Repository]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_.NET_Project|OWASP .NET]]
* [[Java|OWASP Java and JVM]]
* [[C/C++|OWASP C/C++]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]

[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]

[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]

[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]

[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]

[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]

[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]

== News and Events ==
* Added a [https://owasp-iot-security.slack.com/ Slack channel]
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]
* Migrating the IoT Top Ten to be under the IoT Project
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= IoT Attack Surface Areas =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Attack Surface Areas Project ==

The OWASP IoT Attack Surface Areas (DRAFT) are as follows:

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|

* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Privacy'''
|
* User data disclosure
* User/device location disclosure
* Differential privacy
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Attack Surface Areas Project? ==

The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Vulnerabilities Project ==

{| border="1" class="wikitable" style="text-align: left"
! Vulnerability
! Attack Surface
! Summary
|-
| '''Username Enumeration'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to collect a set of valid usernames by interacting with the authentication mechanism
|-
| '''Weak Passwords'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to set account passwords to '1234' or '123456' for example.
|-
| '''Account Lockout'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts
|-
| '''Unencrypted Services'''
|
* Device Network Services
|
* Network services are not properly encrypted to prevent eavesdropping by attackers
|-
| '''Two-factor Authentication'''
|
* Administrative Interface
* Cloud Web Interface
* Mobile Application
|
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
|-
| '''Poorly Implemented Encryption'''
|
* Device Network Services
|
* Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
|-
| '''Update Sent Without Encryption'''
|
* Update Mechanism
|
* Updates are transmitted over the network without using TLS or encrypting the update file itself
|-
| '''Update Location Writable'''
|
* Update Mechanism
|
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
|-
| '''Denial of Service'''
|
* Device Network Services
|
* Service can be attacked in a way that denies service to that service or the entire device
|-
| '''Removal of Storage Media'''
|
* Device Physical Interfaces
|
* Ability to physically remove the storage media from the device
|-
| '''No Manual Update Mechanism'''
|
* Update Mechanism
|
* No ability to manually force an update check for the device
|-
| '''Missing Update Mechanism'''
|
* Update Mechanism
|
* No ability to update device
|-
| '''Firmware Version Display and/or Last Update Date'''
|
* Device Firmware
|
* Current firmware version is not displayed and/or the last update date is not displayed
|-
| '''Firmware and storage extraction'''
|
* JTAG / SWD interface
* [https://www.flashrom.org/Flashrom In-Situ dumping]
* Intercepting a OTA update
* Downloading from the manufacturers web page
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]
* Unsoldering the SPI Flash / eMMC chip and reading it in a adapter
|
* Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc.
|-
| '''Manipulating the code execution flow of the device'''
|
* JTAG / SWD interface
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]
|
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device
|-
| '''Obtaining console access'''
|
* Serial interfaces (SPI / UART)
|
* By connecting to a serial interface, we will obtain full console access to a device
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.

|-

|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Vulnerabilities Project? ==

The IoT Vulnerabilities Project provides:

* Information on the top IoT vulnerabilities
* The attack surface associated with the vulnerability
* A summary of the vulnerability

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Medical Devices =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Medical Device Testing ==

The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Failure States'''
|
* DoS
* Sensor failure reactions
* Detecting malfunctioning sensors
* Subsystem failure logic
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|

* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Privacy'''
|
* User data disclosure
* User/device location disclosure
* Differential privacy
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Medical Attack Surfaces project? ==

The Medical Attack Surfaces project provides:

* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment
* Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.

|}

= Firmware Analysis =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Firmware Analysis Project ==

The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":

{| border="1" class="wikitable" style="text-align: left"
! Section
!
|-
|
Device Firmware Vulnerabilties
|
* Out-of-date core components
* Unsupported core components
* Expired and/or self-signed certificates
* Same certificate used on multiple devices
* Admin web interface concerns
* Hardcoded or easy to guess credentials
* Sensitive information disclosure
* Sensitive URL disclosure
* Encryption key exposure
* Backdoor accounts
* Vulnerable services (web, ssh, tftp, etc.)
|-
|
Manufacturer Recommendations
|
* Ensure that supported and up-to-date software is used by developers
* Ensure that robust update mechanisms are in place for devices
* Ensure that certificates are not duplicated across devices and product lines.
* Ensure supported and up-to-date software is used by developers
* Develop a mechanism to ensure a new certificate is installed when old ones expire
* Disable deprecated SSL versions
* Ensure developers do not code in easy to guess or common admin passwords
* Ensure services such as SSH have a secure password created
* Develop a mechanism that requires the user to create a secure admin password during initial device setup
* Ensure developers do not hard code passwords or hashes
* Have source code reviewed by a third party before releasing device to production
* Ensure industry standard encryption or strong hashing is used
|-
|
Device Firmware Guidance and Instruction
|
* Firmware file analysis
* Firmware extraction
* Dynamic binary analysis
* Static binary analysis
* Static code analysis
* Firmware emulation
* File system analysis
|-
|
Device Firmware Tools
|
* [https://github.com/craigz28/firmwalker Firmwalker]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://github.com/angr/angr Angr binary analysis framework]
* [http://binwalk.org/ Binwalk firmware analysis tool]
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]
* [https://github.com/firmadyne/firmadyne Firmadyne]
|-
|
Vulnerable Firmware
|
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Firmware Analysis Project? ==

The Firmware Analysis Project provides:

* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface
* Steps for extracting file systems from various firmware files
* Guidance on searching a file systems for sensitive of interesting data
* Information on static analysis of firmware contents
* Information on dynamic analysis of emulated services (e.g. web admin interface)
* Testing tool links
* A site for pulling together existing information on firmware analysis

== Project Leaders ==

* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Coming Soon

|}

= IoT Event Logging Project=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Logging Events==

This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.

{| border="1" class="wikitable" style="text-align: left"
! Event Category
! Events
|-
| '''Request Exceptions'''
|
* Attempt to Invoke Unsupported HTTP Method
* Unexpected Quantity of Characters in Parameter
* Unexpected Type of Characters in Parameter
|-
| '''Authentication Exceptions'''
|
* Multiple Failed Passwords
* High Rate of Login Attempts
* Additional POST Variable
* Deviation from Normal GEO Location
|-
| '''Session Exceptions'''
|
* Modifying the Existing Cookie
* Substituting Another User's Valid SessionID or Cookie
* Source Location Changes During Session
|-
| '''Access Control Exceptions'''
|
* Modifying URL Argument Within a GET for Direct Object Access Attempt
* Modifying Parameter Within a POST for Direct Object Access Attempt
* Forced Browsing Attempt
|-
| '''Ecosystem Membership Exceptions'''
|
* Traffic Seen from Disenrolled System
* Traffic Seen from Unenrolled System
* Failed Attempt to Enroll in Ecosystem
* Multiple Attempts to Enroll in Ecosystem
|-
| '''Device Access Events'''
|
* Device Case Tampering Detected
* Device Logic Board Tampering Detected
|-
| '''Administrative Mode Events'''
|
* Device Entered Administrative Mode
* Device Accessed Using Default Administrative Credentials
|-
| '''Input Exceptions'''
|
* Double Encoded Character
* Unexpected Encoding Used
|-
| '''Command Injection Exceptions'''
|
* Blacklist Inspection for Common SQL Injection Values
* Abnormal Quantity of Returned Records
|-
| '''Honey Trap Exceptions'''
|
* Honey Trap Resource Requested
* Honey Trap Data Used
|-
| '''Reputation Exceptions'''
|
* Suspicious or Disallowed User Source Location

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" |

== What is the IoT Security Logging Project? ==

The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= ICS/SCADA =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== ICS/SCADA Project ==

The OWASP ICS/SCADA Top 10 software weaknesses are as follows:

{| border="1" class="wikitable" style="text-align: left"
! Rank and ID
! Title
|-
| '''1 - CWE-119'''
|
* Improper Restriction of Operations within the Bounds of a Memory Buffer
|-
| '''2 - CWE-20'''
|
* Improper Input Validation
|-
| '''3 - CWE-22'''
|
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|-
| '''4 - CWE-264'''
|
* Permissions, Privileges, and Access Controls
|-
| '''5 - CWE-200'''
|
* Information Exposure
|-
| '''6 - CWE-255'''
|
* Credentials Management
|-
| '''7 - CWE-287'''
|
* Improper Authentication
|-
| '''8 - CWE-399'''
|
* Resource Management Errors
|-
| '''9 - CWE-79'''
|
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
|-
| '''10 - CWE-189'''
|
* Numeric Errors
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the ICS/SCADA Project? ==

The ICS/SCADA Project provides:

* A list of the Top 10 most dangerous software weaknesses

== Project Leaders ==

* NJ Ouchn

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Security Policy Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Security Policy Project ==

The OWASP IoT Security Policy Project provides:

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Security Policies Project? ==

The IoT Security Policy Project provides:

== Project Leaders ==

* Saša Zdjelar

== Related Projects ==

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Internet of Things Project

2017-02-15T19:16:44Z

Daniel Miessler: /* Medical Device Attack Surfaces */

= Main =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Internet of Things (IoT) Project==

Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

[[File:iot-project.png|400px|thumb|center]]

==Licensing==
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Internet of Things Project? ==

The OWASP Internet of Things Project provides information on:

* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]
* IoT Vulnerabilities
* Firmware Analysis
* ICS/SCADA Software Weaknesses
* Community Information
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]
* Developer, Consumer and Manufacturer Guidance
* Design Principles

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Contributors ==
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]
* Saša Zdjelar

== Related Projects ==

* [[OWASP_Project|OWASP Project Repository]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_.NET_Project|OWASP .NET]]
* [[Java|OWASP Java and JVM]]
* [[C/C++|OWASP C/C++]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]

[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]

[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]

[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]

[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]

[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]

[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]

== News and Events ==
* Added a [https://owasp-iot-security.slack.com/ Slack channel]
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]
* Migrating the IoT Top Ten to be under the IoT Project
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= IoT Attack Surface Areas =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Attack Surface Areas Project ==

The OWASP IoT Attack Surface Areas (DRAFT) are as follows:

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|

* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Privacy'''
|
* User data disclosure
* User/device location disclosure
* Differential privacy
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Attack Surface Areas Project? ==

The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Vulnerabilities Project ==

{| border="1" class="wikitable" style="text-align: left"
! Vulnerability
! Attack Surface
! Summary
|-
| '''Username Enumeration'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to collect a set of valid usernames by interacting with the authentication mechanism
|-
| '''Weak Passwords'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to set account passwords to '1234' or '123456' for example.
|-
| '''Account Lockout'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts
|-
| '''Unencrypted Services'''
|
* Device Network Services
|
* Network services are not properly encrypted to prevent eavesdropping by attackers
|-
| '''Two-factor Authentication'''
|
* Administrative Interface
* Cloud Web Interface
* Mobile Application
|
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
|-
| '''Poorly Implemented Encryption'''
|
* Device Network Services
|
* Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
|-
| '''Update Sent Without Encryption'''
|
* Update Mechanism
|
* Updates are transmitted over the network without using TLS or encrypting the update file itself
|-
| '''Update Location Writable'''
|
* Update Mechanism
|
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
|-
| '''Denial of Service'''
|
* Device Network Services
|
* Service can be attacked in a way that denies service to that service or the entire device
|-
| '''Removal of Storage Media'''
|
* Device Physical Interfaces
|
* Ability to physically remove the storage media from the device
|-
| '''No Manual Update Mechanism'''
|
* Update Mechanism
|
* No ability to manually force an update check for the device
|-
| '''Missing Update Mechanism'''
|
* Update Mechanism
|
* No ability to update device
|-
| '''Firmware Version Display and/or Last Update Date'''
|
* Device Firmware
|
* Current firmware version is not displayed and/or the last update date is not displayed
|-
| '''Firmware and storage extraction'''
|
* JTAG / SWD interface
* [https://www.flashrom.org/Flashrom In-Situ dumping]
* Intercepting a OTA update
* Downloading from the manufacturers web page
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]
* Unsoldering the SPI Flash / eMMC chip and reading it in a adapter
|
* Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc.
|-
| '''Manipulating the code execution flow of the device'''
|
* JTAG / SWD interface
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]
|
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device
|-
| '''Obtaining console access'''
|
* Serial interfaces (SPI / UART)
|
* By connecting to a serial interface, we will obtain full console access to a device
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.

|-

|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Vulnerabilities Project? ==

The IoT Vulnerabilities Project provides:

* Information on the top IoT vulnerabilities
* The attack surface associated with the vulnerability
* A summary of the vulnerability

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Medical Devices =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Medical Device Attack Surfaces ==

The Medical Device Attack Surfaces project is intended to provide some basic guidelines around the types of areas that need to be secured before shipping Medical Device equipment.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|

* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Privacy'''
|
* User data disclosure
* User/device location disclosure
* Differential privacy
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Medical Attack Surfaces project? ==

The Medical Attack Surfaces project provides:

* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment
* Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.

|}

= Firmware Analysis =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Firmware Analysis Project ==

The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":

{| border="1" class="wikitable" style="text-align: left"
! Section
!
|-
|
Device Firmware Vulnerabilties
|
* Out-of-date core components
* Unsupported core components
* Expired and/or self-signed certificates
* Same certificate used on multiple devices
* Admin web interface concerns
* Hardcoded or easy to guess credentials
* Sensitive information disclosure
* Sensitive URL disclosure
* Encryption key exposure
* Backdoor accounts
* Vulnerable services (web, ssh, tftp, etc.)
|-
|
Manufacturer Recommendations
|
* Ensure that supported and up-to-date software is used by developers
* Ensure that robust update mechanisms are in place for devices
* Ensure that certificates are not duplicated across devices and product lines.
* Ensure supported and up-to-date software is used by developers
* Develop a mechanism to ensure a new certificate is installed when old ones expire
* Disable deprecated SSL versions
* Ensure developers do not code in easy to guess or common admin passwords
* Ensure services such as SSH have a secure password created
* Develop a mechanism that requires the user to create a secure admin password during initial device setup
* Ensure developers do not hard code passwords or hashes
* Have source code reviewed by a third party before releasing device to production
* Ensure industry standard encryption or strong hashing is used
|-
|
Device Firmware Guidance and Instruction
|
* Firmware file analysis
* Firmware extraction
* Dynamic binary analysis
* Static binary analysis
* Static code analysis
* Firmware emulation
* File system analysis
|-
|
Device Firmware Tools
|
* [https://github.com/craigz28/firmwalker Firmwalker]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://github.com/angr/angr Angr binary analysis framework]
* [http://binwalk.org/ Binwalk firmware analysis tool]
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]
* [https://github.com/firmadyne/firmadyne Firmadyne]
|-
|
Vulnerable Firmware
|
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Firmware Analysis Project? ==

The Firmware Analysis Project provides:

* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface
* Steps for extracting file systems from various firmware files
* Guidance on searching a file systems for sensitive of interesting data
* Information on static analysis of firmware contents
* Information on dynamic analysis of emulated services (e.g. web admin interface)
* Testing tool links
* A site for pulling together existing information on firmware analysis

== Project Leaders ==

* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Coming Soon

|}

= IoT Event Logging Project=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Logging Events==

This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.

{| border="1" class="wikitable" style="text-align: left"
! Event Category
! Events
|-
| '''Request Exceptions'''
|
* Attempt to Invoke Unsupported HTTP Method
* Unexpected Quantity of Characters in Parameter
* Unexpected Type of Characters in Parameter
|-
| '''Authentication Exceptions'''
|
* Multiple Failed Passwords
* High Rate of Login Attempts
* Additional POST Variable
* Deviation from Normal GEO Location
|-
| '''Session Exceptions'''
|
* Modifying the Existing Cookie
* Substituting Another User's Valid SessionID or Cookie
* Source Location Changes During Session
|-
| '''Access Control Exceptions'''
|
* Modifying URL Argument Within a GET for Direct Object Access Attempt
* Modifying Parameter Within a POST for Direct Object Access Attempt
* Forced Browsing Attempt
|-
| '''Ecosystem Membership Exceptions'''
|
* Traffic Seen from Disenrolled System
* Traffic Seen from Unenrolled System
* Failed Attempt to Enroll in Ecosystem
* Multiple Attempts to Enroll in Ecosystem
|-
| '''Device Access Events'''
|
* Device Case Tampering Detected
* Device Logic Board Tampering Detected
|-
| '''Administrative Mode Events'''
|
* Device Entered Administrative Mode
* Device Accessed Using Default Administrative Credentials
|-
| '''Input Exceptions'''
|
* Double Encoded Character
* Unexpected Encoding Used
|-
| '''Command Injection Exceptions'''
|
* Blacklist Inspection for Common SQL Injection Values
* Abnormal Quantity of Returned Records
|-
| '''Honey Trap Exceptions'''
|
* Honey Trap Resource Requested
* Honey Trap Data Used
|-
| '''Reputation Exceptions'''
|
* Suspicious or Disallowed User Source Location

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" |

== What is the IoT Security Logging Project? ==

The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= ICS/SCADA =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== ICS/SCADA Project ==

The OWASP ICS/SCADA Top 10 software weaknesses are as follows:

{| border="1" class="wikitable" style="text-align: left"
! Rank and ID
! Title
|-
| '''1 - CWE-119'''
|
* Improper Restriction of Operations within the Bounds of a Memory Buffer
|-
| '''2 - CWE-20'''
|
* Improper Input Validation
|-
| '''3 - CWE-22'''
|
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|-
| '''4 - CWE-264'''
|
* Permissions, Privileges, and Access Controls
|-
| '''5 - CWE-200'''
|
* Information Exposure
|-
| '''6 - CWE-255'''
|
* Credentials Management
|-
| '''7 - CWE-287'''
|
* Improper Authentication
|-
| '''8 - CWE-399'''
|
* Resource Management Errors
|-
| '''9 - CWE-79'''
|
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
|-
| '''10 - CWE-189'''
|
* Numeric Errors
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the ICS/SCADA Project? ==

The ICS/SCADA Project provides:

* A list of the Top 10 most dangerous software weaknesses

== Project Leaders ==

* NJ Ouchn

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Security Policy Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Security Policy Project ==

The OWASP IoT Security Policy Project provides:

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Security Policies Project? ==

The IoT Security Policy Project provides:

== Project Leaders ==

* Saša Zdjelar

== Related Projects ==

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Internet of Things Project

2017-02-15T17:06:54Z

Daniel Miessler:

= Main =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Internet of Things (IoT) Project==

Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

[[File:iot-project.png|400px|thumb|center]]

==Licensing==
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Internet of Things Project? ==

The OWASP Internet of Things Project provides information on:

* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]
* IoT Vulnerabilities
* Firmware Analysis
* ICS/SCADA Software Weaknesses
* Community Information
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]
* Developer, Consumer and Manufacturer Guidance
* Design Principles

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Contributors ==
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]
* Saša Zdjelar

== Related Projects ==

* [[OWASP_Project|OWASP Project Repository]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_.NET_Project|OWASP .NET]]
* [[Java|OWASP Java and JVM]]
* [[C/C++|OWASP C/C++]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]

[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]

[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]

[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]

[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]

[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]

[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]

== News and Events ==
* Added a [https://owasp-iot-security.slack.com/ Slack channel]
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]
* Migrating the IoT Top Ten to be under the IoT Project
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= IoT Attack Surface Areas =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Attack Surface Areas Project ==

The OWASP IoT Attack Surface Areas (DRAFT) are as follows:

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|

* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Privacy'''
|
* User data disclosure
* User/device location disclosure
* Differential privacy
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Attack Surface Areas Project? ==

The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Vulnerabilities Project ==

{| border="1" class="wikitable" style="text-align: left"
! Vulnerability
! Attack Surface
! Summary
|-
| '''Username Enumeration'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to collect a set of valid usernames by interacting with the authentication mechanism
|-
| '''Weak Passwords'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to set account passwords to '1234' or '123456' for example.
|-
| '''Account Lockout'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts
|-
| '''Unencrypted Services'''
|
* Device Network Services
|
* Network services are not properly encrypted to prevent eavesdropping by attackers
|-
| '''Two-factor Authentication'''
|
* Administrative Interface
* Cloud Web Interface
* Mobile Application
|
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
|-
| '''Poorly Implemented Encryption'''
|
* Device Network Services
|
* Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
|-
| '''Update Sent Without Encryption'''
|
* Update Mechanism
|
* Updates are transmitted over the network without using TLS or encrypting the update file itself
|-
| '''Update Location Writable'''
|
* Update Mechanism
|
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
|-
| '''Denial of Service'''
|
* Device Network Services
|
* Service can be attacked in a way that denies service to that service or the entire device
|-
| '''Removal of Storage Media'''
|
* Device Physical Interfaces
|
* Ability to physically remove the storage media from the device
|-
| '''No Manual Update Mechanism'''
|
* Update Mechanism
|
* No ability to manually force an update check for the device
|-
| '''Missing Update Mechanism'''
|
* Update Mechanism
|
* No ability to update device
|-
| '''Firmware Version Display and/or Last Update Date'''
|
* Device Firmware
|
* Current firmware version is not displayed and/or the last update date is not displayed
|-
| '''Firmware and storage extraction'''
|
* JTAG / SWD interface
* [https://www.flashrom.org/Flashrom In-Situ dumping]
* Intercepting a OTA update
* Downloading from the manufacturers web page
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]
* Unsoldering the SPI Flash / eMMC chip and reading it in a adapter
|
* Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc.
|-
| '''Manipulating the code execution flow of the device'''
|
* JTAG / SWD interface
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]
|
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device
|-
| '''Obtaining console access'''
|
* Serial interfaces (SPI / UART)
|
* By connecting to a serial interface, we will obtain full console access to a device
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.

|-

|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Vulnerabilities Project? ==

The IoT Vulnerabilities Project provides:

* Information on the top IoT vulnerabilities
* The attack surface associated with the vulnerability
* A summary of the vulnerability

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Medical Devices =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Medical Device Attack Surfaces ==

The Medical Device Attack Surfaces project is intended to provide some basic guidelines around the types of areas that need to be secured before shipping Medical Device equipment.

{| border="1" class="wikitable" style="text-align: left"
! Section
!
|-
|
Firmware Vulnerabilities
|
* Out-of-date core components
* Unsupported core components
* Expired and/or self-signed certificates
* Same certificate used on multiple devices
* Admin web interface concerns
* Hardcoded or easy to guess credentials
* Sensitive information disclosure
* Sensitive URL disclosure
* Encryption key exposure
* Backdoor accounts
* Backdoor keys / tokens
* Vulnerable services (web, ssh, tftp, etc.)
|-
|
Data in Transit
|
* Ensure that supported and up-to-date software is used by developers
* Ensure that robust update mechanisms are in place for devices
* Ensure that certificates are not duplicated across devices and product lines.
* Ensure supported and up-to-date software is used by developers
* Develop a mechanism to ensure a new certificate is installed when old ones expire
* Disable deprecated SSL versions
* Ensure developers do not code in easy to guess or common admin passwords
* Ensure services such as SSH have a secure password created
* Develop a mechanism that requires the user to create a secure admin password during initial device setup
* Ensure developers do not hard code passwords or hashes
* Have source code reviewed by a third party before releasing device to production
* Ensure industry standard encryption or strong hashing is used
|-
|
Device Firmware Guidance and Instruction
|
* Firmware file analysis
* Firmware extraction
* Dynamic binary analysis
* Static binary analysis
* Static code analysis
* Firmware emulation
* File system analysis
|-
|
Device Firmware Tools
|
* [https://github.com/craigz28/firmwalker Firmwalker]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://github.com/angr/angr Angr binary analysis framework]
* [http://binwalk.org/ Binwalk firmware analysis tool]
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]
* [https://github.com/firmadyne/firmadyne Firmadyne]
|-
|
Vulnerable Firmware
|
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Medical Attack Surfaces project? ==

The Medical Attack Surfaces project provides:

* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment
* Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.

|}

= Firmware Analysis =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Firmware Analysis Project ==

The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":

{| border="1" class="wikitable" style="text-align: left"
! Section
!
|-
|
Device Firmware Vulnerabilties
|
* Out-of-date core components
* Unsupported core components
* Expired and/or self-signed certificates
* Same certificate used on multiple devices
* Admin web interface concerns
* Hardcoded or easy to guess credentials
* Sensitive information disclosure
* Sensitive URL disclosure
* Encryption key exposure
* Backdoor accounts
* Vulnerable services (web, ssh, tftp, etc.)
|-
|
Manufacturer Recommendations
|
* Ensure that supported and up-to-date software is used by developers
* Ensure that robust update mechanisms are in place for devices
* Ensure that certificates are not duplicated across devices and product lines.
* Ensure supported and up-to-date software is used by developers
* Develop a mechanism to ensure a new certificate is installed when old ones expire
* Disable deprecated SSL versions
* Ensure developers do not code in easy to guess or common admin passwords
* Ensure services such as SSH have a secure password created
* Develop a mechanism that requires the user to create a secure admin password during initial device setup
* Ensure developers do not hard code passwords or hashes
* Have source code reviewed by a third party before releasing device to production
* Ensure industry standard encryption or strong hashing is used
|-
|
Device Firmware Guidance and Instruction
|
* Firmware file analysis
* Firmware extraction
* Dynamic binary analysis
* Static binary analysis
* Static code analysis
* Firmware emulation
* File system analysis
|-
|
Device Firmware Tools
|
* [https://github.com/craigz28/firmwalker Firmwalker]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://github.com/angr/angr Angr binary analysis framework]
* [http://binwalk.org/ Binwalk firmware analysis tool]
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]
* [https://github.com/firmadyne/firmadyne Firmadyne]
|-
|
Vulnerable Firmware
|
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Firmware Analysis Project? ==

The Firmware Analysis Project provides:

* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface
* Steps for extracting file systems from various firmware files
* Guidance on searching a file systems for sensitive of interesting data
* Information on static analysis of firmware contents
* Information on dynamic analysis of emulated services (e.g. web admin interface)
* Testing tool links
* A site for pulling together existing information on firmware analysis

== Project Leaders ==

* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Coming Soon

|}

= IoT Event Logging Project=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Logging Events==

This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.

{| border="1" class="wikitable" style="text-align: left"
! Event Category
! Events
|-
| '''Request Exceptions'''
|
* Attempt to Invoke Unsupported HTTP Method
* Unexpected Quantity of Characters in Parameter
* Unexpected Type of Characters in Parameter
|-
| '''Authentication Exceptions'''
|
* Multiple Failed Passwords
* High Rate of Login Attempts
* Additional POST Variable
* Deviation from Normal GEO Location
|-
| '''Session Exceptions'''
|
* Modifying the Existing Cookie
* Substituting Another User's Valid SessionID or Cookie
* Source Location Changes During Session
|-
| '''Access Control Exceptions'''
|
* Modifying URL Argument Within a GET for Direct Object Access Attempt
* Modifying Parameter Within a POST for Direct Object Access Attempt
* Forced Browsing Attempt
|-
| '''Ecosystem Membership Exceptions'''
|
* Traffic Seen from Disenrolled System
* Traffic Seen from Unenrolled System
* Failed Attempt to Enroll in Ecosystem
* Multiple Attempts to Enroll in Ecosystem
|-
| '''Device Access Events'''
|
* Device Case Tampering Detected
* Device Logic Board Tampering Detected
|-
| '''Administrative Mode Events'''
|
* Device Entered Administrative Mode
* Device Accessed Using Default Administrative Credentials
|-
| '''Input Exceptions'''
|
* Double Encoded Character
* Unexpected Encoding Used
|-
| '''Command Injection Exceptions'''
|
* Blacklist Inspection for Common SQL Injection Values
* Abnormal Quantity of Returned Records
|-
| '''Honey Trap Exceptions'''
|
* Honey Trap Resource Requested
* Honey Trap Data Used
|-
| '''Reputation Exceptions'''
|
* Suspicious or Disallowed User Source Location

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" |

== What is the IoT Security Logging Project? ==

The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= ICS/SCADA =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== ICS/SCADA Project ==

The OWASP ICS/SCADA Top 10 software weaknesses are as follows:

{| border="1" class="wikitable" style="text-align: left"
! Rank and ID
! Title
|-
| '''1 - CWE-119'''
|
* Improper Restriction of Operations within the Bounds of a Memory Buffer
|-
| '''2 - CWE-20'''
|
* Improper Input Validation
|-
| '''3 - CWE-22'''
|
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|-
| '''4 - CWE-264'''
|
* Permissions, Privileges, and Access Controls
|-
| '''5 - CWE-200'''
|
* Information Exposure
|-
| '''6 - CWE-255'''
|
* Credentials Management
|-
| '''7 - CWE-287'''
|
* Improper Authentication
|-
| '''8 - CWE-399'''
|
* Resource Management Errors
|-
| '''9 - CWE-79'''
|
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
|-
| '''10 - CWE-189'''
|
* Numeric Errors
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the ICS/SCADA Project? ==

The ICS/SCADA Project provides:

* A list of the Top 10 most dangerous software weaknesses

== Project Leaders ==

* NJ Ouchn

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Security Policy Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Security Policy Project ==

The OWASP IoT Security Policy Project provides:

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Security Policies Project? ==

The IoT Security Policy Project provides:

== Project Leaders ==

* Saša Zdjelar

== Related Projects ==

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Internet of Things Project

2017-02-13T21:03:03Z

Daniel Miessler:

= Main =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Internet of Things (IoT) Project==

Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

[[File:iot-project.png|400px|thumb|center]]

==Licensing==
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Internet of Things Project? ==

The OWASP Internet of Things Project provides information on:

* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]
* IoT Vulnerabilities
* Firmware Analysis
* ICS/SCADA Software Weaknesses
* Community Information
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]
* Developer, Consumer and Manufacturer Guidance
* Design Principles

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Contributors ==
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]
* Saša Zdjelar

== Related Projects ==

* [[OWASP_Project|OWASP Project Repository]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_.NET_Project|OWASP .NET]]
* [[Java|OWASP Java and JVM]]
* [[C/C++|OWASP C/C++]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]

[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]

[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]

[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]

[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]

[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]

[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]

== News and Events ==
* Added a [https://owasp-iot-security.slack.com/ Slack channel]
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]
* Migrating the IoT Top Ten to be under the IoT Project
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= IoT Attack Surface Areas =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Attack Surface Areas Project ==

The OWASP IoT Attack Surface Areas (DRAFT) are as follows:

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability
|-
| '''Ecosystem (general)'''
|
* Interoperability standards
* Data governance
* System wide failure
* Individual stakeholder risks
* Implicit trust between components
* Enrollment security
* Decommissioning system
* Lost access procedures
|-
| '''Device Memory'''
|
* Sensitive data
** Cleartext usernames
** Cleartext passwords
** Third-party credentials
** Encryption keys
|-
| '''Device Physical Interfaces'''
|
* Firmware extraction
* User CLI
* Admin CLI
* Privilege escalation
* Reset to insecure state
* Removal of storage media
* Tamper resistance
* Debug port
* Device ID/Serial number exposure
|-
| '''Device Web Interface'''
|
* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Device Firmware'''
|
* Sensitive data exposure:
** Backdoor accounts
** Hardcoded credentials
** Encryption keys
** Encryption (Symmetric, Asymmetric)
** Sensitive information
** Sensitive URL disclosure
* Firmware version display and/or last update date
* Vulnerable services (web, ssh, tftp, etc.)
* Security related function API exposure
* Firmware downgrade
|-
| '''Device Network Services'''
|
* Information disclosure
* User CLI
* Administrative CLI
* Injection
* Denial of Service
* Unencrypted Services
* Poorly implemented encryption
* Test/Development Services
* Buffer Overflow
* UPnP
* Vulnerable UDP Services
* DoS
* Device Firmware OTA update block
* Replay attack
* Lack of payload verification
* Lack of message integrity check
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
|-
| '''Administrative Interface'''
|
* Standard web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
** Username enumeration
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Security/encryption options
* Logging options
* Two-factor authentication
* Inability to wipe device
|-
| '''Local Data Storage'''
|
* Unencrypted data
* Data encrypted with discovered keys
* Lack of data integrity checks
* Use of static same enc/dec key
|-
| '''Cloud Web Interface'''
|

* Standard set of web vulnerabilities:
** SQL injection
** Cross-site scripting
** Cross-site Request Forgery
* Credential management vulnerabilities:
** Username enumeration
** Weak passwords
** Account lockout
** Known default credentials
** Insecure password recovery mechanism
* Transport encryption
* Two-factor authentication
|-
| '''Third-party Backend APIs'''
|
* Unencrypted PII sent
* Encrypted PII sent
* Device information leaked
* Location leaked
|-
| '''Update Mechanism'''
|
* Update sent without encryption
* Updates not signed
* Update location writable
* Update verification
* Update authentication
* Malicious update
* Missing update mechanism
* No manual update mechanism
|-
| '''Mobile Application'''
|
* Implicitly trusted by device or cloud
* Username enumeration
* Account lockout
* Known default credentials
* Weak passwords
* Insecure data storage
* Transport encryption
* Insecure password recovery mechanism
* Two-factor authentication
|-
| '''Vendor Backend APIs'''
|
* Inherent trust of cloud or mobile application
* Weak authentication
* Weak access controls
* Injection attacks
* Hidden services
|-
| '''Ecosystem Communication'''
|
* Health checks
* Heartbeats
* Ecosystem commands
* Deprovisioning
* Pushing updates
|-
| '''Network Traffic'''
|
* LAN
* LAN to Internet
* Short range
* Non-standard
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
* Protocol fuzzing
|-
| '''Authentication/Authorization'''
|
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
* Reusing of session key, token, etc.
* Device to device authentication
* Device to mobile Application authentication
* Device to cloud system authentication
* Mobile application to cloud system authentication
* Web application to cloud system authentication
* Lack of dynamic authentication
|-
| '''Privacy'''
|
* User data disclosure
* User/device location disclosure
* Differential privacy
|-
| '''Hardware (Sensors)'''
|
* Sensing Environment Manipulation
* Tampering (Physically)
* Damaging (Physically)

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Attack Surface Areas Project? ==

The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Vulnerabilities Project ==

{| border="1" class="wikitable" style="text-align: left"
! Vulnerability
! Attack Surface
! Summary
|-
| '''Username Enumeration'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to collect a set of valid usernames by interacting with the authentication mechanism
|-
| '''Weak Passwords'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to set account passwords to '1234' or '123456' for example.
|-
| '''Account Lockout'''
|
* Administrative Interface
* Device Web Interface
* Cloud Interface
* Mobile Application
|
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts
|-
| '''Unencrypted Services'''
|
* Device Network Services
|
* Network services are not properly encrypted to prevent eavesdropping by attackers
|-
| '''Two-factor Authentication'''
|
* Administrative Interface
* Cloud Web Interface
* Mobile Application
|
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
|-
| '''Poorly Implemented Encryption'''
|
* Device Network Services
|
* Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
|-
| '''Update Sent Without Encryption'''
|
* Update Mechanism
|
* Updates are transmitted over the network without using TLS or encrypting the update file itself
|-
| '''Update Location Writable'''
|
* Update Mechanism
|
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
|-
| '''Denial of Service'''
|
* Device Network Services
|
* Service can be attacked in a way that denies service to that service or the entire device
|-
| '''Removal of Storage Media'''
|
* Device Physical Interfaces
|
* Ability to physically remove the storage media from the device
|-
| '''No Manual Update Mechanism'''
|
* Update Mechanism
|
* No ability to manually force an update check for the device
|-
| '''Missing Update Mechanism'''
|
* Update Mechanism
|
* No ability to update device
|-
| '''Firmware Version Display and/or Last Update Date'''
|
* Device Firmware
|
* Current firmware version is not displayed and/or the last update date is not displayed
|-
| '''Firmware and storage extraction'''
|
* JTAG / SWD interface
* [https://www.flashrom.org/Flashrom In-Situ dumping]
* Intercepting a OTA update
* Downloading from the manufacturers web page
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]
* Unsoldering the SPI Flash / eMMC chip and reading it in a adapter
|
* Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc.
|-
| '''Manipulating the code execution flow of the device'''
|
* JTAG / SWD interface
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]
|
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device
|-
| '''Obtaining console access'''
|
* Serial interfaces (SPI / UART)
|
* By connecting to a serial interface, we will obtain full console access to a device
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.

|-

|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Vulnerabilities Project? ==

The IoT Vulnerabilities Project provides:

* Information on the top IoT vulnerabilities
* The attack surface associated with the vulnerability
* A summary of the vulnerability

== Project Leaders ==

* Daniel Miessler
* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Medical Devices =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Medical Device Attack Surfaces ==

The Medical Device Attack Surfaces project is intended to provide some basic guidelines around the types of areas that need to be secured before shipping Medical Device equipment.

{| border="1" class="wikitable" style="text-align: left"
! Section
!
|-
|
Firmware Vulnerabilities
|
* Out-of-date core components
* Unsupported core components
* Expired and/or self-signed certificates
* Same certificate used on multiple devices
* Admin web interface concerns
* Hardcoded or easy to guess credentials
* Sensitive information disclosure
* Sensitive URL disclosure
* Encryption key exposure
* Backdoor accounts
* Backdoor keys / tokens
* Vulnerable services (web, ssh, tftp, etc.)
|-
|
Manufacturer Recommendations
|
* Ensure that supported and up-to-date software is used by developers
* Ensure that robust update mechanisms are in place for devices
* Ensure that certificates are not duplicated across devices and product lines.
* Ensure supported and up-to-date software is used by developers
* Develop a mechanism to ensure a new certificate is installed when old ones expire
* Disable deprecated SSL versions
* Ensure developers do not code in easy to guess or common admin passwords
* Ensure services such as SSH have a secure password created
* Develop a mechanism that requires the user to create a secure admin password during initial device setup
* Ensure developers do not hard code passwords or hashes
* Have source code reviewed by a third party before releasing device to production
* Ensure industry standard encryption or strong hashing is used
|-
|
Device Firmware Guidance and Instruction
|
* Firmware file analysis
* Firmware extraction
* Dynamic binary analysis
* Static binary analysis
* Static code analysis
* Firmware emulation
* File system analysis
|-
|
Device Firmware Tools
|
* [https://github.com/craigz28/firmwalker Firmwalker]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://github.com/angr/angr Angr binary analysis framework]
* [http://binwalk.org/ Binwalk firmware analysis tool]
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]
* [https://github.com/firmadyne/firmadyne Firmadyne]
|-
|
Vulnerable Firmware
|
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Firmware Analysis Project? ==

The Firmware Analysis Project provides:

* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface
* Steps for extracting file systems from various firmware files
* Guidance on searching a file systems for sensitive of interesting data
* Information on static analysis of firmware contents
* Information on dynamic analysis of emulated services (e.g. web admin interface)
* Testing tool links
* A site for pulling together existing information on firmware analysis

== Project Leaders ==

* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Coming Soon

|}

= Firmware Analysis =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Firmware Analysis Project ==

The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":

{| border="1" class="wikitable" style="text-align: left"
! Section
!
|-
|
Device Firmware Vulnerabilties
|
* Out-of-date core components
* Unsupported core components
* Expired and/or self-signed certificates
* Same certificate used on multiple devices
* Admin web interface concerns
* Hardcoded or easy to guess credentials
* Sensitive information disclosure
* Sensitive URL disclosure
* Encryption key exposure
* Backdoor accounts
* Vulnerable services (web, ssh, tftp, etc.)
|-
|
Manufacturer Recommendations
|
* Ensure that supported and up-to-date software is used by developers
* Ensure that robust update mechanisms are in place for devices
* Ensure that certificates are not duplicated across devices and product lines.
* Ensure supported and up-to-date software is used by developers
* Develop a mechanism to ensure a new certificate is installed when old ones expire
* Disable deprecated SSL versions
* Ensure developers do not code in easy to guess or common admin passwords
* Ensure services such as SSH have a secure password created
* Develop a mechanism that requires the user to create a secure admin password during initial device setup
* Ensure developers do not hard code passwords or hashes
* Have source code reviewed by a third party before releasing device to production
* Ensure industry standard encryption or strong hashing is used
|-
|
Device Firmware Guidance and Instruction
|
* Firmware file analysis
* Firmware extraction
* Dynamic binary analysis
* Static binary analysis
* Static code analysis
* Firmware emulation
* File system analysis
|-
|
Device Firmware Tools
|
* [https://github.com/craigz28/firmwalker Firmwalker]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://github.com/angr/angr Angr binary analysis framework]
* [http://binwalk.org/ Binwalk firmware analysis tool]
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]
* [https://github.com/firmadyne/firmadyne Firmadyne]
|-
|
Vulnerable Firmware
|
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Firmware Analysis Project? ==

The Firmware Analysis Project provides:

* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface
* Steps for extracting file systems from various firmware files
* Guidance on searching a file systems for sensitive of interesting data
* Information on static analysis of firmware contents
* Information on dynamic analysis of emulated services (e.g. web admin interface)
* Testing tool links
* A site for pulling together existing information on firmware analysis

== Project Leaders ==

* Craig Smith

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]

== News and Events ==
* Coming Soon

|}

= IoT Event Logging Project=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Logging Events==

This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.

{| border="1" class="wikitable" style="text-align: left"
! Event Category
! Events
|-
| '''Request Exceptions'''
|
* Attempt to Invoke Unsupported HTTP Method
* Unexpected Quantity of Characters in Parameter
* Unexpected Type of Characters in Parameter
|-
| '''Authentication Exceptions'''
|
* Multiple Failed Passwords
* High Rate of Login Attempts
* Additional POST Variable
* Deviation from Normal GEO Location
|-
| '''Session Exceptions'''
|
* Modifying the Existing Cookie
* Substituting Another User's Valid SessionID or Cookie
* Source Location Changes During Session
|-
| '''Access Control Exceptions'''
|
* Modifying URL Argument Within a GET for Direct Object Access Attempt
* Modifying Parameter Within a POST for Direct Object Access Attempt
* Forced Browsing Attempt
|-
| '''Ecosystem Membership Exceptions'''
|
* Traffic Seen from Disenrolled System
* Traffic Seen from Unenrolled System
* Failed Attempt to Enroll in Ecosystem
* Multiple Attempts to Enroll in Ecosystem
|-
| '''Device Access Events'''
|
* Device Case Tampering Detected
* Device Logic Board Tampering Detected
|-
| '''Administrative Mode Events'''
|
* Device Entered Administrative Mode
* Device Accessed Using Default Administrative Credentials
|-
| '''Input Exceptions'''
|
* Double Encoded Character
* Unexpected Encoding Used
|-
| '''Command Injection Exceptions'''
|
* Blacklist Inspection for Common SQL Injection Values
* Abnormal Quantity of Returned Records
|-
| '''Honey Trap Exceptions'''
|
* Honey Trap Resource Requested
* Honey Trap Data Used
|-
| '''Reputation Exceptions'''
|
* Suspicious or Disallowed User Source Location

|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" |

== What is the IoT Security Logging Project? ==

The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= ICS/SCADA =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== ICS/SCADA Project ==

The OWASP ICS/SCADA Top 10 software weaknesses are as follows:

{| border="1" class="wikitable" style="text-align: left"
! Rank and ID
! Title
|-
| '''1 - CWE-119'''
|
* Improper Restriction of Operations within the Bounds of a Memory Buffer
|-
| '''2 - CWE-20'''
|
* Improper Input Validation
|-
| '''3 - CWE-22'''
|
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
|-
| '''4 - CWE-264'''
|
* Permissions, Privileges, and Access Controls
|-
| '''5 - CWE-200'''
|
* Information Exposure
|-
| '''6 - CWE-255'''
|
* Credentials Management
|-
| '''7 - CWE-287'''
|
* Improper Authentication
|-
| '''8 - CWE-399'''
|
* Resource Management Errors
|-
| '''9 - CWE-79'''
|
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
|-
| '''10 - CWE-189'''
|
* Numeric Errors
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the ICS/SCADA Project? ==

The ICS/SCADA Project provides:

* A list of the Top 10 most dangerous software weaknesses

== Project Leaders ==

* NJ Ouchn

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= IoT Security Policy Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== IoT Security Policy Project ==

The OWASP IoT Security Policy Project provides:

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the IoT Security Policies Project? ==

The IoT Security Policy Project provides:

== Project Leaders ==

* Saša Zdjelar

== Related Projects ==

== Collaboration ==
[https://owasp-iot-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-01-18T02:18:15Z

Daniel Miessler:

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* QA
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* LFG

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* ''[JANUARY 2017]'' Doing a complete redesign of the project.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Game Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

== Real-world Examples of Gaming Vulnerabilities==

''Vulnerability 1''

{| class="wikitable"
! style="font-weight: bold;" | Vulnerabilty Name
! style="font-weight: bold;" | Description
! style="font-weight: bold;" | Surface Area
! style="font-weight: bold;" | Attacker Goal
! style="font-weight: bold;" | Negative Outcome
! style="font-weight: bold;" | Tester Tool
! style="font-weight: bold;" | Defense
! Ref
! Genre
|-
| Local Resource Modification, Client-side Logic Flaw
| In 2015 The Division experienced an exploit that allowed an attacker to switch weapons rapidly, applying weapon buffs in a stacking manner, with no cap.
| Game Client
| Unfair Player Advantage
| Player Anger, Lost Revenue
| Game Client
| Cryptographic Integrity Checks on Game Client
| http://www.gamesradar.com/theres-a-division-damage-stacking-glitch-if-youve-got-fast-fingers/
| 3PS/1PS/MMO
|-
|}

''Template 1''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

== ==
{{Social Media Links}}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

== ==
{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-01-18T01:00:15Z

Daniel Miessler: /* Game Security Vulnerabilities */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* LFG

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* ''[JANUARY 2017]'' Doing a complete redesign of the project.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Game Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Vulnerability Name
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Defenses =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Common Game Security Defenses ==

Table Here

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}
= Examples =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
|}

= Testing Tools =

== Commonly Used Game Hacking Tools ==

== ==
{{Social Media Links}}

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-01-17T05:43:35Z

Daniel Miessler: /* Project Leaders */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* LFG

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* ''[JANUARY 2017]'' Doing a complete redesign of the project.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Game Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Examples =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-01-17T05:43:16Z

Daniel Miessler: /* Project Leaders */

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* LFG

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* ''[JANUARY 2017]'' Doing a complete redesign of the project.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Game Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Examples =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-01-17T05:34:17Z

Daniel Miessler:

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* LFG

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* ''[JANUARY 2017]'' Doing a complete redesign of the project.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Game Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Examples =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-01-17T05:33:41Z

Daniel Miessler:

= About the Project =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Game Security Framework (GSF)==

'''The OWASP Game Security Framework (GSF) represents a modular approach to understanding the security issues that surround video game ecosystems.'''

''The framework is broken into three main concepts / sections:''

'''1. Identifying and clustering the components of risk within the overall game security space, and then giving instances of each component.'''

''Components include the following:''

* '''Attack Surfaces''': the various surface areas that can be attacked by attackers in order to cause harm to the gaming ecosystem.

* '''Vulnerabilities''': the specific weaknesses in design or implementation that allows attackers to successfully target a given game.

* '''Attacker Goals''': a list of the reasons that an attacker might want to attack a given game.

* '''Negative Outcomes''': a collection of ways that the gaming company could ultimately be impacted negatively by attacks to its game and associated infrastructure.

'''2. A natural language semantic structure for thinking about and articulating game security issues, which uses the modular risk components as sentence structure.'''

''Example:''

: "The attacker attacked and edited the <code>LOCAL GAME CLIENT (Attack Surface)</code>, which had a <code>LACK OF CLIENT INTEGRITY CONTROLS (Vulnerability)</code>, which allowed her to <code>ARTIFICIALLY INCREASE HER ABILITIES (Attacker Goal)</code>, ultimately leading to an <code>UNHAPPY PLAYER BASE (Negative Outcome)</code> and <code>DECLINING GAME REVENUE (Negative Outcome)</code> due to cheating.”

Using this structure, security testers can clearly communicate the various aspects of a game security issue to many different types of stakeholder—from pentesting peers to business executives in the gaming industry.

'''3. Examples of real-world examples of previous attacks against games, and how the attacks map to the GSF framework components.'''

==Licensing==
The OWASP Game Security Framework is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the OWASP Game Security Framework? ==

The goal of the OWASP Game Security Framework is to provide a structure for discussing the various aspects around the security of video games.

The target audience for the project includes:

* Gamers
* Game designers
* Penetration testers
* Gaming executives
* Anyone else with a vested interest in game security

== Project Leaders ==

* Jason Haddix
* Daniel Miessler

== Contributors ==
* LFG

== Related Projects ==

* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

| valign="top" style="padding-left:25px;width:200px;" |

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==

COMING SOON

== News and Events ==
* ''[JANUARY 2017]'' Doing a complete redesign of the project.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Game Attack Surfaces =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Attack Surfaces ==

The following is a list of the attack surfaces that can be found in video games of various types.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* The locally running game client that is accessible to the gamer because it's running on his/her machine.
|-
| '''Game Network Traffic'''
|
* The network which game traffic traverses in order to reach the game's server or peers who are playing the game.
|-
| '''Game Server'''
|
* The game server that is hosting the instance that gamers connect to in order to play the game.
|-
| '''Game Economy'''
|
* The economic system that exists within the game.
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Attack Surfaces Section? ==

This section provides an overview of the various places an attacker can target to harm a given game infrastructure.

== Project Leaders ==

* Daniel Miessler

== Related Projects ==

* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Quick Download ==
* Coming Soon

== News and Events ==
* Coming Soon

|}

= Game Vulnerabilities =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Attacker Goals =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Negative Outcomes =

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Game Security Vulnerabilities ==

The following is a list of the vulnerabilities that can be found in video games of various types, and the attack surfaces they're likely to be associated with.

{| border="1" class="wikitable" style="text-align: left"
! Attack Surface
! Description
|-
| '''Local Game Client'''
|
* Ability to edit in-game resources
* Ability to bypass license requirement
|-
| '''Game Network Traffic'''
|
* Network Denial of Service (player)
** Player bandwidth exhaustion
** Player game client resource exhaustion
|-
| '''Game Application Traffic'''
|
* Application Level Denial of Service (Player)
** Player application logic Denial of Service
|-
| '''Game Server'''
|
* Application Level Denial of Service (Server)
** Server application logic Denial of Service
* Ability to modify game ladder rankings
* Ability to modify own player resources
|-
| '''Game Economy'''
|
* Ability to generate unlimited money on client side
* Ability to generate unlimited money through network/application traffic modification
* Ability to modify prices for in-game items
* Ability to replay financial actions such as buying or selling through network/application manipulation
|-
|}

== ==
{{Social Media Links}}

| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |

== What is the Game Security Vulnerabilities Project? ==

The Security Vulnerabilities Project provides information on what types of vulnerabilities exist within games, and which attack surfaces they fall under.

== Project Leaders ==

* Jason Haddix

== Related Projects ==

* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]

== Collaboration ==
[https://game-security.slack.com The Slack Channel]

== Resources ==
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]

== News and Events ==
* Coming Soon

|}

= Community =

[https://www.iamthecavalry.org/ I Am The Cavalry]

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:
* Medical devices
* Automobiles
* Home Electronics
* Public Infrastructure
== ==
[http://builditsecure.ly BuildItSecure.ly]

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:
* Focus effort towards small business
* Build partnerships
* Coordinate efforts
* Curate informational resources
* Present research
== ==
[https://otalliance.org Online Trust Alliance]

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
== ==
[https://allseenalliance.org/framework AllSeen Alliance]

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
== ==
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
== ==
[http://securingsmartcities.org/ Securing Smart Cities]

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

===Talks===

RSA Conference San Francisco <br>
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br>
Daniel Miessler, Practice Principal <br>
April 21, 2015 <br>
--- <br>
Defcon 23 <br>
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br>
Daniel Miessler <br>
August 6-9, 2015

===Podcasts===

* [http://iotpodcast.com/ The Internet of Things Podcast]
* [http://www.iot-inc.com/ IoT Inc]
* [https://craigsmith.net/category/podcast/ IoT This Week]
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]

===IoT Conferences===

* [http://www.iotevents.org Internet of Things Events]

Conference Call for Papers
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]

=Project About=

{{Template:Project About
| project_name =OWASP Internet of Things Project
| project_description =
| project_license =CC-BY 3.0 for documentation and GPLv3 for code.
| leader_name1 = Daniel Miessler
| leader_email1 =
| leader_username1 =
| leader_name2 =Craig Smith
| leader_email2 =
| leader_username2 =
| contributor_name1 = Justin Klein Keane]
| contributor_email1 =
| contributor_username1 = Justin_C._Klein_Keane
| contributor_name2 = Yunsoul
| contributor_email2 =
| contributor_username2 = Yunsoul
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url1 =
| links_name1 =
}}

__NOTOC__ <headertabs />

[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]

OWASP Game Security Framework Project

2017-01-17T05:30:55Z

Daniel Miessler: /* Main */