This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Top 10 2014-I9 Insecure Software/Firmware"
Craig Smith (talk | contribs) (Created page with "<center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014 Back To The Internet of Things Top 10]</center> ...") |
Craig Smith (talk | contribs) |
||
Line 21: | Line 21: | ||
{{Top_10_2010:SummaryTableEndTemplate|year=2013}} | {{Top_10_2010:SummaryTableEndTemplate|year=2013}} | ||
− | {{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title= | + | {{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=Is My Software/Firmware Secure?|position=firstLeft|year=2013|language=en}} |
The simplest way to check for insecure software/firmware updates is to review the update file itself and also the communication method used to transmit those updates. The update file should also be reviewed for exposure of any sensitive data in human readable format by someone using a hex edit tool. | The simplest way to check for insecure software/firmware updates is to review the update file itself and also the communication method used to transmit those updates. The update file should also be reviewed for exposure of any sensitive data in human readable format by someone using a hex edit tool. | ||
− | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=How Do I Secure My Software/Firmware | + | {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|title=How Do I Secure My Software/Firmware?|position=right|year=2013|language=en}} |
Securing software/firmware updates require: | Securing software/firmware updates require: | ||
# Ensuring the update file is encrypted. | # Ensuring the update file is encrypted. |
Revision as of 18:37, 30 June 2014
Threat Agents | Attack Vectors | Security Weakness | Technical Impacts | Business Impacts | |
---|---|---|---|---|---|
Application Specific | Exploitability DIFFICULT |
Prevalence COMMON |
Detectability EASY |
Impact SEVERE |
Application / Business Specific |
Consider anyone who has access to the device and/or the network the device resides on. | Attacker uses multiple vectors such as capturing update files via unencrypted connections, the update file itself is not encrypted or they are able to perform their own malicious update via DNS hijacking. Depending on method of update and device configuration, attack could come from the local network or the internet. | Insecure software/firmware updates are present when the updated files themselves and the network connection they are delivered on are not protected. Software/Firmware updates can also be insecure if they contain hardcoded sensitive data such as credentials. Security issues with software/firmware updates are relatively easy to discover by simply inspecting the network traffic during the update to check for encryption or using a hex editor to inspect the update file itself for interesting information. | Insecure software/firmware updates could lead to compromise of user data, control over the device and attacks against other devices. | Consider the business impact if data can be stolen or modified and devices taken control of for the purpose of attacking other devices. Could your customers be harmed? Could other users be harmed? |
Is My Software/Firmware Secure?
The simplest way to check for insecure software/firmware updates is to review the update file itself and also the communication method used to transmit those updates. The update file should also be reviewed for exposure of any sensitive data in human readable format by someone using a hex edit tool. |
How Do I Secure My Software/Firmware?
Securing software/firmware updates require:
|
Example Attack Scenarios
Scenario #1: Update file is transmitted via HTTP. http://www.xyz.com/update.bin Scenario #2: Update file is unencrypted and human readable data can be viewed. �v�ñ]��Ü��Qw�û]��ˇ3DP�Ö�∂]��ˇ3DPadmin.htmadvanced.htmalarms.htm In the cases above, the attacker is able to either capture the update file or capture the file and view it's contents.
|
References
OWASP External |