(One intermediate revision by the same user not shown)
Line 1: |
Line 1: |
− | <center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project Back To Internet of Things Project]</center> | + | <center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Vulnerabilities Back To IoT Vulnerabilities Project]</center> |
− | | |
− | The top IoT vulnerabilities (DRAFT) are as follow:
| |
− | | |
− | {| border="1" class="wikitable" style="text-align: left"
| |
− | ! Vulnerability
| |
− | ! Attack Surface
| |
− | ! Summary
| |
− | |-
| |
− | | '''Username Enumeration'''
| |
− | |
| |
− | * Administrative Interface
| |
− | * Device Web Interface
| |
− | * Cloud Interface
| |
− | * Mobile Application
| |
− | |
| |
− | * Ability to collect a set of valid usernames by interacting with the authentication mechanism
| |
− | |-
| |
− | | '''Weak Passwords'''
| |
− | |
| |
− | * Administrative Interface
| |
− | * Device Web Interface
| |
− | * Cloud Interface
| |
− | * Mobile Application
| |
− | |
| |
− | * Ability to set account passwords to '1234' or '123456' for example.
| |
− | |-
| |
− | | '''Account Lockout'''
| |
− | |
| |
− | * Administrative Interface
| |
− | * Device Web Interface
| |
− | * Cloud Interface
| |
− | * Mobile Application
| |
− | |
| |
− | * Ability to continue sending authentication attempts after 3 - 5 failed login attempts
| |
− | |-
| |
− | | '''Unencrypted Services'''
| |
− | |
| |
− | * Device Network Services
| |
− | |
| |
− | * Network services are not properly encrypted to prevent eavesdropping by attackers
| |
− | |-
| |
− | | '''Two-factor Authentication'''
| |
− | |
| |
− | * Administrative Interface
| |
− | * Cloud Web Interface
| |
− | * Mobile Application
| |
− | |
| |
− | * Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
| |
− | |-
| |
− | | '''Poorly Implemented Encryption'''
| |
− | |
| |
− | * Device Network Services
| |
− | |
| |
− | * Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
| |
− | |-
| |
− | | '''Update Sent Without Encryption'''
| |
− | |
| |
− | * Update Mechanism
| |
− | |
| |
− | * Updates are transmitted over the network without using TLS or encrypting the update file itself
| |
− | |-
| |
− | | '''Update Location Writable'''
| |
− | |
| |
− | * Update Mechanism
| |
− | |
| |
− | * Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
| |
− | |-
| |
− | | '''Denial of Service'''
| |
− | |
| |
− | * Device Network Services
| |
− | |
| |
− | * Service can be attacked in a way that denies service to that service or the entire device
| |
− | |-
| |
− | | '''Removal of Storage Media'''
| |
− | |
| |
− | * Device Physical Interfaces
| |
− | |
| |
− | * Ability to physically remove the storage media from the device
| |
− | |-
| |
− | | '''No Manual Update Mechanism'''
| |
− | |
| |
− | * Update Mechanism
| |
− | |
| |
− | * No ability to manually force an update check for the device
| |
− | |-
| |
− | | '''Missing Update Mechanism'''
| |
− | |
| |
− | * Update Mechanism
| |
− | |
| |
− | * No ability to update device
| |
− | |-
| |
− | | '''Firmware Version Display and/or Last Update Date'''
| |
− | |
| |
− | * Device Firmware
| |
− | |
| |
− | * Current firmware version is not displayed and/or the last update date is not displayed
| |
− | |-
| |
− | |}
| |
| The OWASP Top 10 IoT Vulnerabilities from 2014 are as follows: | | The OWASP Top 10 IoT Vulnerabilities from 2014 are as follows: |
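Review bot: the whole DRAFT table (Username Enumeration through Firmware Version Display and/or Last Update Date) is deleted in this hunk with no replacement visible on this page, while the only other change is repointing the back link from the Internet of Things Project page to its IoT_Vulnerabilities tab. If the rows were moved to that tab, the page should say so in a one-line pointer next to the remaining "The OWASP Top 10 IoT Vulnerabilities from 2014 are as follows:" text, because the removed table is the only place here that maps each weakness to its attack surface (Administrative Interface, Device Web Interface, Cloud Interface, Mobile Application, Device Network Services, Update Mechanism, Device Physical Interfaces, Device Firmware), and several entries have no counterpart in a 2014-style top-ten list (Update Location Writable, Removal of Storage Media, No Manual Update Mechanism, Firmware Version Display). Without that pointer a reader landing on this revision loses the attack-surface mapping entirely.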