This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Internet of Things Project"

From OWASP

Jump to: navigation, search

Revision as of 19:31, 17 August 2015

OWASP Internet of Things (IoT) Project

Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

Licensing

The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

Share this:

What is the OWASP Internet of Things Project?

The OWASP Internet of Things Project provides:

IoT Attack Surface Areas
IoT Testing Guides
Top IoT Vulnerabilities

Project Leaders

Daniel Miessler
Craig Smith

Related Projects

Email List

Subscribe to the Top Ten list

Quick Download

OWASP IoT Top Ten PDF

OWASP IoT Top Ten Infographic

OWASP IoT Top Ten PPT

OWASP IoT Top Ten-RSA 2015

News and Events

Daniel Miessler gave his IoT talk at DEFCON 23
Migrating the IoT Top Ten to be under the IoT Project

Classifications

Attack Surface	Vulnerability
Ecosystem Access Control	Implicit trust between components Enrollment security Decommissioning system Lost access procedures
Device Memory	Cleartext usernames Cleartext passwords Third-party credentials Encryption keys
Device Physical Interfaces	Firmware extraction User CLI Admin CLI Privilege escalation Reset to insecure state
Device Web Interface	SQL injection Cross-site scripting Username enumeration Weak passwords Account lockout Known credentials
Device Firmware	Hardcoded passwords Sensitive URL disclosure Encryption keys
Device Network Services	Information disclosure User CLI Administrative CLI Injection Denial of Service
Administrative Interface	SQL injection Cross-site scripting Username enumeration Weak passwords Account lockout Known credentials
Local Data Storage	Unencrypted data Data encrypted with discovered keys Lack of data integrity checks
Cloud Web Interface	SQL injection Cross-site scripting Username enumeration Weak passwords Account lockout Known credentials
Third-party Backend APIs	Unencrypted PII sent Encrypted PII sent Device information leaked Location leaked
Update Mechanism	Update sent without encryption Updates not signed Update location writable
Mobile Application	Implicitly trusted by device or cloud Known credentials Insecure data storage Lack of transport encryption
Vendor Backend APIs	Inherent trust of cloud or mobile application Weak authentication Weak access controls Injection attacks
Ecosystem Communication	Health checks Heartbeats Ecosystem commands Deprovisioning Pushing updates
Network Traffic	LAN LAN to Internet Short range Non-standard

Tester IoT Security Guidance

(DRAFT)

The goal of this page is to help testers assess IoT devices and applications in the Internet of Things space. The guidance below is at a basic level, giving testers of devices and applications a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly improve the security of any IoT product.

Category	IoT Security Consideration
I1: Insecure Web Interface	Assess any web interface to determine if weak passwords are allowed Assess the account lockout mechanism Assess the web interface for XSS, SQLi and CSRF vulnerabilities and other web application vulnerabilities Assess the use of HTTPS to protect transmitted information Assess the ability to change the username and password Determine if web application firewalls are used to protect web interfaces
I2: Insufficient Authentication/Authorization	Assess the solution for the use of strong passwords where authentication is needed Assess the solution for multi-user environments and ensure it includes functionality for role separation Assess the solution for Implementation two-factor authentication where possible Assess password recovery mechanisms Assess the solution for the option to require strong passwords Assess the solution for the option to force password expiration after a specific period Assess the solution for the option to change the default username and password
I3: Insecure Network Services	Assess the solution to ensure network services don't respond poorly to buffer overflow, fuzzing or denial of service attacks Assess the solution to ensure test ports are are not present
I4: Lack of Transport Encryption	Assess the solution to determine the use of encrypted communication between devices and between devices and the internet Assess the solution to determine if accepted encryption practices are used and if proprietary protocols are avoided Assess the solution to determine if a firewall option available is available
I5: Privacy Concerns	Assess the solution to determine the amount of personal information collected Assess the solution to determine if collected personal data is properly protected using encryption at rest and in transit Assess the solution to determine if Ensuring data is de-identified or anonymized Assess the solution to ensure end-users are given a choice for data collected beyond what is needed for proper operation of the device
I6: Insecure Cloud Interface	Assess the cloud interfaces for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces) Assess the cloud-based web interface to ensure it disallows weak passwords Assess the cloud-based web interface to ensure it includes an account lockout mechanism Assess the cloud-based web interface to determine if two-factor authentication is used Assess any cloud interfaces for XSS, SQLi and CSRF vulnerabilities and other vulnerabilities Assess all cloud interfaces to ensure transport encryption is used Assess the cloud interfaces to determine if the option to require strong passwords is available Assess the cloud interfaces to determine if the option to force password expiration after a specific period is available Assess the cloud interfaces to determine if the option to change the default username and password is available
I7: Insecure Mobile Interface	Assess the mobile interface to ensure it disallows weak passwords Assess the mobile interface to ensure it includes an account lockout mechanism Assess the mobile interface to determine if it Implements two-factor authentication (e.g Apple's Touch ID) Assess the mobile interface to determine if it uses transport encryption Assess the mobile interface to determine if the option to require strong passwords is available Assess the mobile interface to determine if the option to force password expiration after a specific period is available Assess the mobile interface to determine if the option to change the default username and password is available Assess the mobile interface to determine the amount of personal information collected
I8: Insufficient Security Configurability	Assess the solution to determine if password security options (e.g. Enabling 20 character passwords or enabling two-factor authentication) are available Assess the solution to determine if encryption options (e.g. Enabling AES-256 where AES-128 is the default setting) are available Assess the solution to determine if logging for security events is available Assess the solution to determine if alerts and notifications to the user for security events are available
I9: Insecure Software/Firmware	Assess the device to ensure it includes update capability and can be updated quickly when vulnerabilities are discovered Assess the device to ensure it uses encrypted update files and that the files are transmitted using encryption Assess the device to ensure is uses signed files and then validates that file before installation
I10: Poor Physical Security	Assess the device to ensure it utilizes a minimal number of physical external ports (e.g. USB ports) on the device Assess the device to determine if it can be accessed via unintended methods such as through an unnecessary USB port Assess the device to determine if it allows for disabling of unused physical ports such as USB Assess the device to determine if it includes the ability to limit administrative capabilities to a local interface only

General Recommendations

Consider the following recommendations for all user interfaces (local device, cloud-based and mobile):

Avoid potential Account Harvesting issues by:
- Ensuring valid user accounts can't be identified by interface error messages
- Ensuring strong passwords are required by users
- Implementing account lockout after 3 - 5 failed login attempts

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Project&oldid=199140"

Categories:

@@ Line 57: / Line 57: @@
 == News and Events ==
+* Daniel Miessler gave his IoT talk at DEFCON 23
+* Migrating the IoT Top Ten to be under the IoT Project
 ==Classifications==

Difference between revisions of "OWASP Internet of Things Project"

Revision as of 19:31, 17 August 2015

OWASP Internet of Things (IoT) Project

Licensing

What is the OWASP Internet of Things Project?

Project Leaders

Related Projects

Email List

Quick Download

News and Events

Classifications

Tester IoT Security Guidance

General Recommendations

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools