This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Internet of Things Top Ten Project"

From OWASP

Jump to: navigation, search

Revision as of 06:42, 6 February 2015

Main
OWASP Internet of Things Top 10 for 2014
Talks
Community
Manufacturers
Developers
Consumers
Project Details

OWASP Internet of Things Top 10

Oxford defines the Internet of Things as:

a proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.

The OWASP Internet of Things (IoT) Top 10 is a project designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable better decision making through that knowledge.

The project defines the top ten security surface areas presented by IoT systems, and provides information on threat agents, attack vectors, vulnerabilities, and impacts associated with each. In addition, the project aims to provide basic, practical recommendations for assessing and securing IoT systems in various contexts.

Licensing

The OWASP Internet of Things Top 10 is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

Share this:

What is the OWASP Internet of Things Top 10?

The OWASP Internet of Things Top 10 provides:

A list of the 10 Most Critical Internet of Things Security Risks

And for each Risk it provides:

A description
Example vulnerabilities
Example attacks
Guidance on how to avoid
References to OWASP and other related resources

Project Leaders

Daniel Miessler
Craig Smith
Jason Haddix

Related Projects

OWASP_CISO_Survey

Quick Download

Email List

[Subcribe here]

News and Events

Classifications

The OWASP Internet of Things Top 10 - 2014 is as follows:

Introduction

Oxford defines the Internet of Things as “a proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

The OWASP Internet of Things (IoT) Top 10 is a project designed to help vendors who are interested in making common appliances and gadgets network/Internet accessible. The project walks through the top ten security problems that are seen with IoT devices, and how to prevent them.

Examples of IoT Devices: Cars, lighting systems, refrigerators, telephones, SCADA systems, traffic control systems, home security systems, TVs, DVRs, etc…

Feedback

Please let us know how your organization is using the Internet of Things Top 10. Include your name, organization's name, and brief description of how you use the list. Thanks for supporting OWASP!

We hope you find the information in the OWASP Internet of Things Top Ten useful. Please contribute back to the project by sending your comments, questions, and suggestions to [email protected] or [email protected] Thanks!

Project Sponsors

HP Fortify on Demand
Contribute and add your name here!

Manufacturer IoT Security Guidance

(DRAFT)

The goal of this page is help manufacturers build more secure products in the Internet of Things space. The guidance below is at a basic level, giving builders of products a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly improve the security of any IoT product.

Category	IoT Security Consideration
I1: Insecure Web Interface	Ensure that any web interface present in the product disallows weak passwords Ensure that any web interface present in the product has an account lockout mechanism
I2: Insufficient Authentication/Authorization	aaa bbb
I3: Insecure Network Services	Ensure the device operates with a minimal number of network ports active Ensure the device does not make network ports and/or services available to the internet
I4: Lack of Transport Encryption	aaa bbb
I5: Privacy Concerns	aaa bbb
I6: Insecure Cloud Interface	aaa bbb
I7: Insecure Mobile Interface	aaa bbb
I8: Insufficient Security Configurability	aaa bbb
I9: Insecure Software/Firmware	aaa bbb
I10: Poor Physical Security	Ensure the device is produced with a minimal number of physical external ports (e.g. USB ports) bbb

(DRAFT)

The goal of this page is help developers build more secure applications in the Internet of Things space. The guidance below is at a basic level, giving developers of applications a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly improve the security of any IoT product.

Category	IoT Security Consideration
I1: Insecure Web Interface	aaa bbb
I2: Insufficient Authentication/Authorization	aaa bbb
I3: Insecure Network Services	aaa bbb
I4: Lack of Transport Encryption	aaa bbb
I5: Privacy Concerns	aaa bbb
I6: Insecure Cloud Interface	aaa bbb
I7: Insecure Mobile Interface	aaa bbb
I8: Insufficient Security Configurability	aaa bbb
I9: Insecure Software/Firmware	aaa bbb
I10: Poor Physical Security	aaa bbb

If you are looking to develop for a device or system, consider the following recommendations for all user interfaces (local device, cloud-based and mobile):

Avoid potential Account Harvesting issues by:
- Ensuring valid user accounts can't be identified by interface error messages
- Ensuring strong passwords are required by users
- Implementing account lockout after 3 - 5 failed login attempts
Ensure user credentials are properly protected using recommended and accepted encryption or hashing practices
Ensure sensitive data is properly protected both at rest and during transmission using recommended practices
Provide the option for two-factor authentication
Ensure user roles are properly segregated in multi-user environments

(DRAFT)

The goal of this page is help consumers purchase secure products in the Internet of Things space. The guidance below is at a basic level, giving consumers a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly aid the consumer in purchasing a secure IoT product.

Category	IoT Security Consideration
I1: Insecure Web Interface	aaa bbb
I2: Insufficient Authentication/Authorization	aaa bbb
I3: Insecure Network Services	aaa bbb
I4: Lack of Transport Encryption	aaa bbb
I5: Privacy Concerns	aaa bbb
I6: Insecure Cloud Interface	aaa bbb
I7: Insecure Mobile Interface	aaa bbb
I8: Insufficient Security Configurability	aaa bbb
I9: Insecure Software/Firmware	aaa bbb
I10: Poor Physical Security	aaa bbb

If you are looking to purchase a device or system, consider the following recommendations:

Include security in feature considerations when evaluating a product
Avoid using system defaults for usernames and passwords when possible and choose good passwords and two-factor authentication when possible
Place Internet of Things devices on a separate wireless network if possible using a firewall

PROJECT INFO
What does this OWASP project offer you?

RELEASE(S) INFO
What releases are available for this project?

what	is this project?
Name: OWASP Internet of Things Top Ten Project (home page)
Purpose: Oxford defines the Internet of Things as “a proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.” The OWASP Internet of Things (IoT) Top 10 is a project designed to help vendors who are interested in making common appliances and gadgets network/Internet accessible. The project walks through the top ten security problems that are seen with IoT devices, and how to prevent them.
License: Creative Commons Attribution Share Alike 3.0
who	is working on this project?
Project Leader(s): Daniel Miessler @
how	can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
Contact Daniel Miessler @ to contribute to this project Contact Daniel Miessler @ to review or sponsor this project

current release
Not Yet Published
last reviewed release
Not Yet Reviewed

other releases

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Internet_of_Things_Top_Ten_Project&oldid=189127"

Categories:

Difference between revisions of "OWASP Internet of Things Top Ten Project"

Revision as of 06:42, 6 February 2015

OWASP Internet of Things Top 10

Licensing

What is the OWASP Internet of Things Top 10?

Project Leaders

Related Projects

Quick Download

Email List

News and Events

Classifications

Introduction

Feedback

Project Sponsors

Manufacturer IoT Security Guidance

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools

@@ Line 8: / Line 8: @@
 ==OWASP Internet of Things Top 10==
-Oxford defines the Internet of Things as “a proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”
+Oxford defines the Internet of Things as:
+<blockquote>a proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.</blockquote>
 The OWASP Internet of Things (IoT) Top 10 is a project designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable better decision making through that knowledge.