This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Top IoT Vulnerabilities"

From OWASP
Jump to: navigation, search
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
<center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Attack_Surface_Areas Back To The IoT Attack Surface Areas Project]</center>
+
<center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Vulnerabilities Back To IoT Vulnerabilities Project]</center>
  
The top IoT vulnerabilities (DRAFT) are as follow:
+
The OWASP Top 10 IoT Vulnerabilities from 2014 are as follows:
  
 
{| border="1" class="wikitable" style="text-align: left"
 
{| border="1" class="wikitable" style="text-align: left"
! Vulnerability
+
! Rank
! Attack Surface
+
! Title
! Summary
+
|-  
|-
+
| '''I1'''
| '''Username Enumeration'''
 
|
 
* Administrative Interface
 
* Device Web Interface
 
* Cloud Interface
 
* Mobile Application
 
 
|
 
|
* Ability to collect a set of valid usernames by interacting with the authentication mechanism
+
* [[Top_10_2014-I1 Insecure Web Interface | Insecure Web Interface]]
|-
+
|-  
| '''Weak Passwords'''
+
| '''I2'''
 
|
 
|
* Administrative Interface
+
* [[Top_10_2014-I2 Insufficient Authentication/Authorization | Insufficient Authentication/Authorization]]
* Device Web Interface
+
|-
* Cloud Interface
+
| '''I3'''
* Mobile Application
 
 
|
 
|
* Ability to set account passwords to '1234' or '123456' for example.
+
* [[Top_10_2014-I3 Insecure Network Services | Insecure Network Services]]
 
|-
 
|-
| '''Account Lockout'''
+
| '''I4'''
|
 
* Administrative Interface
 
* Device Web Interface
 
* Cloud Interface
 
* Mobile Application
 
 
|
 
|
* Ability to continue sending authentication attempts after 3 - 5 failed login attempts
+
* [[Top_10_2014-I4 Lack of Transport Encryption | Lack of Transport Encryption/Integrity Verification]]
|-
+
|-  
| '''Unencrypted Services'''
+
| '''I5'''
 
|
 
|
* Device Network Services
+
* [[Top_10_2014-I5 Privacy Concerns | Privacy Concerns]]
 +
|-
 +
| '''I6'''
 
|
 
|
* Network services are not properly encrypted to prevent eavesdropping by attackers
+
* [[Top_10_2014-I6 Insecure Cloud Interface | Insecure Cloud Interface]]
|-
+
|-  
| '''Two-factor Authentication'''
+
| '''I7'''
 
|
 
|
* Administrative Interface
+
* [[Top_10_2014-I7 Insecure Mobile Interface | Insecure Mobile Interface]]
* Cloud Web Interface
+
|-
* Mobile Application
+
| '''I8'''
 
|
 
|
* Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
+
* [[Top_10_2014-I8 Insufficient Security Configurability | Insufficient Security Configurability]]
|-
+
|-  
| '''Poorly Implemented Encryption'''
+
| '''I9'''
 
|
 
|
* Device Network Services
+
* [[Top_10_2014-I9 Insecure Software/Firmware | Insecure Software/Firmware]]
 +
|-
 +
| '''I10'''
 
|
 
|
* Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
+
* [[Top_10_2014-I10 Poor Physical Security | Poor Physical Security]]
|-
+
|-  
| '''Update Sent Without Encryption'''
 
|
 
* Update Mechanism
 
|
 
* Updates are transmitted over the network without using TLS or encrypting the update file itself
 
|-
 
| '''Update Location Writable'''
 
|
 
* Update Mechanism
 
|
 
* Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
 
|-
 
| '''Denial of Service'''
 
|
 
* Device Network Services
 
|
 
* Service can be attacked in a way that denies service to that service or the entire device
 
|-
 
| '''Removal of Storage Media'''
 
|
 
* Device Physical Interfaces
 
|
 
* Ability to physically remove the storage media from the device
 
|-
 
| '''No Manual Update Mechanism'''
 
|
 
* Update Mechanism
 
|
 
* No ability to manually force an update check for the device
 
|-
 
| '''Missing Update Mechanism'''
 
|
 
* Update Mechanism
 
|
 
* No ability to update device
 
|-
 
| '''Firmware Version Display and/or Last Update Date'''
 
|
 
* Device Firmware
 
|
 
* Current firmware version is not displayed and/or the last update date is not displayed
 
|-
 
 
|}
 
|}

Latest revision as of 15:19, 18 May 2016

Back To IoT Vulnerabilities Project

The OWASP Top 10 IoT Vulnerabilities from 2014 are as follows:

Rank Title
I1
I2
I3
I4
I5
I6
I7
I8
I9
I10
Retrieved from "https://wiki.owasp.org/index.php?title=Top_IoT_Vulnerabilities&oldid=217046"