Back To The Internet of Things Project
Tester IoT Security Guidance
(DRAFT)
The goal of this page is to help testers assess IoT devices and applications in the Internet of Things space. The guidance below is at a basic level, giving testers of devices and applications a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly improve the security of any IoT product.
Category
|
IoT Security Consideration
|
I1: Insecure Web Interface
|
- Assess any web interface to determine if weak passwords are allowed
- Assess the account lockout mechanism
- Assess the web interface for XSS, SQLi and CSRF vulnerabilities and other web application vulnerabilities
- Assess the use of HTTPS to protect transmitted information
- Assess the ability to change the username and password
- Determine if web application firewalls are used to protect web interfaces
|
I2: Insufficient Authentication/Authorization
|
- Assess the solution for the use of strong passwords where authentication is needed
- Assess the solution for multi-user environments and ensure it includes functionality for role separation
- Assess the solution for Implementation two-factor authentication where possible
- Assess password recovery mechanisms
- Assess the solution for the option to require strong passwords
- Assess the solution for the option to force password expiration after a specific period
- Assess the solution for the option to change the default username and password
|
I3: Insecure Network Services
|
- Assess the solution to ensure network services don't respond poorly to buffer overflow, fuzzing or denial of service attacks
- Assess the solution to ensure test ports are are not present
|
I4: Lack of Transport Encryption
|
- Assess the solution to determine the use of encrypted communication between devices and between devices and the internet
- Assess the solution to determine if accepted encryption practices are used and if proprietary protocols are avoided
- Assess the solution to determine if a firewall option available is available
|
I5: Privacy Concerns
|
- Assess the solution to determine the amount of personal information collected
- Assess the solution to determine if collected personal data is properly protected using encryption at rest and in transit
- Assess the solution to determine if Ensuring data is de-identified or anonymized
- Assess the solution to ensure end-users are given a choice for data collected beyond what is needed for proper operation of the device
|
I6: Insecure Cloud Interface
|
- Assess the cloud interfaces for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces)
- Assess the cloud-based web interface to ensure it disallows weak passwords
- Assess the cloud-based web interface to ensure it includes an account lockout mechanism
- Assess the cloud-based web interface to determine if two-factor authentication is used
- Assess any cloud interfaces for XSS, SQLi and CSRF vulnerabilities and other vulnerabilities
- Assess all cloud interfaces to ensure transport encryption is used
- Assess the cloud interfaces to determine if the option to require strong passwords is available
- Assess the cloud interfaces to determine if the option to force password expiration after a specific period is available
- Assess the cloud interfaces to determine if the option to change the default username and password is available
|
I7: Insecure Mobile Interface
|
- Assess the mobile interface to ensure it disallows weak passwords
- Assess the mobile interface to ensure it includes an account lockout mechanism
- Assess the mobile interface to determine if it Implements two-factor authentication (e.g Apple's Touch ID)
- Assess the mobile interface to determine if it uses transport encryption
- Assess the mobile interface to determine if the option to require strong passwords is available
- Assess the mobile interface to determine if the option to force password expiration after a specific period is available
- Assess the mobile interface to determine if the option to change the default username and password is available
- Assess the mobile interface to determine the amount of personal information collected
|
I8: Insufficient Security Configurability
|
- Assess the solution to determine if password security options (e.g. Enabling 20 character passwords or enabling two-factor authentication) are available
- Assess the solution to determine if encryption options (e.g. Enabling AES-256 where AES-128 is the default setting) are available
- Assess the solution to determine if logging for security events is available
- Assess the solution to determine if alerts and notifications to the user for security events are available
|
I9: Insecure Software/Firmware
|
- Assess the device to ensure it includes update capability and can be updated quickly when vulnerabilities are discovered
- Assess the device to ensure it uses encrypted update files and that the files are transmitted using encryption
- Assess the device to ensure is uses signed files and then validates that file before installation
|
I10: Poor Physical Security
|
- Assess the device to ensure it utilizes a minimal number of physical external ports (e.g. USB ports) on the device
- Assess the device to determine if it can be accessed via unintended methods such as through an unnecessary USB port
- Assess the device to determine if it allows for disabling of unused physical ports such as USB
- Assess the device to determine if it includes the ability to limit administrative capabilities to a local interface only
|
General Recommendations
Consider the following recommendations for all user interfaces (local device, cloud-based and mobile):
- Avoid potential Account Harvesting issues by:
- Ensuring valid user accounts can't be identified by interface error messages
- Ensuring strong passwords are required by users
- Implementing account lockout after 3 - 5 failed login attempts