This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Internet of Things Project"
Craig Smith (talk | contribs) |
Craig Smith (talk | contribs) |
||
| Line 64: | Line 64: | ||
|} | |} | ||
| + | |||
| + | = OWASP IoT Attack Surface Areas = | ||
| + | |||
| + | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div> | ||
| + | |||
| + | |||
| + | The OWASP IoT Attack Surface Areas (DRAFT) are as follows: | ||
| + | |||
| + | {| border="1" class="wikitable" style="text-align: left" | ||
| + | ! Attack Surface | ||
| + | ! Vulnerability | ||
| + | |- | ||
| + | | '''Ecosystem Access Control''' | ||
| + | | | ||
| + | * Implicit trust between components | ||
| + | * Enrollment security | ||
| + | * Decommissioning system | ||
| + | * Lost access procedures | ||
| + | |- | ||
| + | | '''Device Memory''' | ||
| + | | | ||
| + | * Cleartext usernames | ||
| + | * Cleartext passwords | ||
| + | * Third-party credentials | ||
| + | * Encryption keys | ||
| + | |- | ||
| + | | '''Device Physical Interfaces''' | ||
| + | | | ||
| + | * Firmware extraction | ||
| + | * User CLI | ||
| + | * Admin CLI | ||
| + | * Privilege escalation | ||
| + | * Reset to insecure state | ||
| + | |- | ||
| + | | '''Device Web Interface''' | ||
| + | | | ||
| + | * SQL injection | ||
| + | * Cross-site scripting | ||
| + | * Username enumeration | ||
| + | * Weak passwords | ||
| + | * Account lockout | ||
| + | * Known credentials | ||
| + | |- | ||
| + | | '''Device Firmware''' | ||
| + | | | ||
| + | * Hardcoded passwords | ||
| + | * Sensitive URL disclosure | ||
| + | * Encryption keys | ||
| + | |- | ||
| + | | '''Device Network Services''' | ||
| + | | | ||
| + | * Information disclosure | ||
| + | * User CLI | ||
| + | * Administrative CLI | ||
| + | * Injection | ||
| + | * Denial of Service | ||
| + | |- | ||
| + | | '''Administrative Interface''' | ||
| + | | | ||
| + | * SQL injection | ||
| + | * Cross-site scripting | ||
| + | * Username enumeration | ||
| + | * Weak passwords | ||
| + | * Account lockout | ||
| + | * Known credentials | ||
| + | |- | ||
| + | | '''Local Data Storage''' | ||
| + | | | ||
| + | * Unencrypted data | ||
| + | * Data encrypted with discovered keys | ||
| + | * Lack of data integrity checks | ||
| + | |- | ||
| + | | '''Cloud Web Interface''' | ||
| + | | | ||
| + | * SQL injection | ||
| + | * Cross-site scripting | ||
| + | * Username enumeration | ||
| + | * Weak passwords | ||
| + | * Account lockout | ||
| + | * Known credentials | ||
| + | |- | ||
| + | | '''Third-party Backend APIs''' | ||
| + | | | ||
| + | * Unencrypted PII sent | ||
| + | * Encrypted PII sent | ||
| + | * Device information leaked | ||
| + | * Location leaked | ||
| + | |- | ||
| + | | '''Update Mechanism''' | ||
| + | | | ||
| + | * Update sent without encryption | ||
| + | * Updates not signed | ||
| + | * Update location writable | ||
| + | |- | ||
| + | | '''Mobile Application''' | ||
| + | | | ||
| + | * Implicitly trusted by device or cloud | ||
| + | * Known credentials | ||
| + | * Insecure data storage | ||
| + | * Lack of transport encryption | ||
| + | |- | ||
| + | | '''Vendor Backend APIs''' | ||
| + | | | ||
| + | * Inherent trust of cloud or mobile application | ||
| + | * Weak authentication | ||
| + | * Weak access controls | ||
| + | * Injection attacks | ||
| + | |- | ||
| + | | '''Ecosystem Communication''' | ||
| + | | | ||
| + | * Health checks | ||
| + | * Heartbeats | ||
| + | * Ecosystem commands | ||
| + | * Deprovisioning | ||
| + | * Pushing updates | ||
| + | |- | ||
| + | | '''Network Traffic''' | ||
| + | | | ||
| + | * LAN | ||
| + | * LAN to Internet | ||
| + | * Short range | ||
| + | * Non-standard | ||
| + | |- | ||
| + | |} | ||
| + | |||
| + | __NOTOC__ <headertabs /> | ||
| + | |||
| + | [[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]] | ||
Revision as of 20:34, 7 August 2015
OWASP Internet of Things (IoT) ProjectOxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.” The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies. The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities. LicensingThe OWASP Internet of Things Top 10 is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
|
What is the OWASP Internet of Things Project?The OWASP Internet of Things Project provides:
Project Leaders
Related Projects |
Email ListQuick DownloadNews and EventsClassifications
| |||||||
The OWASP IoT Attack Surface Areas (DRAFT) are as follows:
| Attack Surface | Vulnerability |
|---|---|
| Ecosystem Access Control |
|
| Device Memory |
|
| Device Physical Interfaces |
|
| Device Web Interface |
|
| Device Firmware |
|
| Device Network Services |
|
| Administrative Interface |
|
| Local Data Storage |
|
| Cloud Web Interface |
|
| Third-party Backend APIs |
|
| Update Mechanism |
|
| Mobile Application |
|
| Vendor Backend APIs |
|
| Ecosystem Communication |
|
| Network Traffic |
|
