Difference between revisions of "Top IoT Vulnerabilities"

Revision as of 19:45, 14 May 2016

The top IoT vulnerabilities (DRAFT) are as follow:

Vulnerability	Attack Surface	Summary
Username Enumeration	Administrative Interface Device Web Interface Cloud Interface Mobile Application	Ability to collect a set of valid usernames by interacting with the authentication mechanism
Weak Passwords	Administrative Interface Device Web Interface Cloud Interface Mobile Application	Ability to set account passwords to '1234' or '123456' for example.
Account Lockout	Administrative Interface Device Web Interface Cloud Interface Mobile Application	Ability to continue sending authentication attempts after 3 - 5 failed login attempts
Unencrypted Services	Device Network Services	Network services are not properly encrypted to prevent eavesdropping by attackers
Two-factor Authentication	Administrative Interface Cloud Web Interface Mobile Application	Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
Poorly Implemented Encryption	Device Network Services	Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
Update Sent Without Encryption	Update Mechanism	Updates are transmitted over the network without using TLS or encrypting the update file itself
Update Location Writable	Update Mechanism	Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
Denial of Service	Device Network Services	Service can be attacked in a way that denies service to that service or the entire device
Removal of Storage Media	Device Physical Interfaces	Ability to physically remove the storage media from the device
No Manual Update Mechanism	Update Mechanism	No ability to manually force an update check for the device
Missing Update Mechanism	Update Mechanism	No ability to update device
Firmware Version Display and/or Last Update Date	Device Firmware	Current firmware version is not displayed and/or the last update date is not displayed

The OWASP Top 10 IoT Vulnerabilities from 2014 are as follows:

Rank	Title
I1	Insecure Web Interface
I2	Insufficient Authentication/Authorization
I3	Insecure Network Services
I4	Lack of Transport Encryption/Integrity Verification
I5	Privacy Concerns
I6	Insecure Cloud Interface
I7	Insecure Mobile Interface
I8	Insufficient Security Configurability
I9	Insecure Software/Firmware
I10	Poor Physical Security

@@ Line 97: / Line 97: @@
 * Current firmware version is not displayed and/or the last update date is not displayed
 |-
+|}
+The OWASP Top 10 IoT Vulnerabilities from 2014 are as follows:
+{| border="1" class="wikitable" style="text-align: left"
+! Rank
+! Title
+|-
+| '''I1'''
+|
+* [[Top_10_2014-I1 Insecure Web Interface | Insecure Web Interface]]
+|-
+| '''I2'''
+|
+* [[Top_10_2014-I2 Insufficient Authentication/Authorization | Insufficient Authentication/Authorization]]
+|-
+| '''I3'''
+|
+* [[Top_10_2014-I3 Insecure Network Services | Insecure Network Services]]
+|-
+| '''I4'''
+|
+* [[Top_10_2014-I4 Lack of Transport Encryption | Lack of Transport Encryption/Integrity Verification]]
+|-
+| '''I5'''
+|
+* [[Top_10_2014-I5 Privacy Concerns | Privacy Concerns]]
+|-
+| '''I6'''
+|
+* [[Top_10_2014-I6 Insecure Cloud Interface | Insecure Cloud Interface]]
+|-
+| '''I7'''
+|
+* [[Top_10_2014-I7 Insecure Mobile Interface | Insecure Mobile Interface]]
+|-
+| '''I8'''
+|
+* [[Top_10_2014-I8 Insufficient Security Configurability | Insufficient Security Configurability]]
+|-
+| '''I9'''
+|
+* [[Top_10_2014-I9 Insecure Software/Firmware | Insecure Software/Firmware]]
+|-
+| '''I10'''
+|
+* [[Top_10_2014-I10 Poor Physical Security | Poor Physical Security]]
+|-
 |}

Difference between revisions of "Top IoT Vulnerabilities"

Revision as of 19:45, 14 May 2016

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools