This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Top IoT Vulnerabilities"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
<center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Attack_Surface_Areas Back To The IoT Attack Surface Areas Project]</center>
+
<center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project Back To Internet of Things Project]</center>
  
 
The top IoT vulnerabilities (DRAFT) are as follow:
 
The top IoT vulnerabilities (DRAFT) are as follow:

Revision as of 19:33, 14 May 2016

Back To Internet of Things Project

The top IoT vulnerabilities (DRAFT) are as follow:

Vulnerability Attack Surface Summary
Username Enumeration
  • Administrative Interface
  • Device Web Interface
  • Cloud Interface
  • Mobile Application
  • Ability to collect a set of valid usernames by interacting with the authentication mechanism
Weak Passwords
  • Administrative Interface
  • Device Web Interface
  • Cloud Interface
  • Mobile Application
  • Ability to set account passwords to '1234' or '123456' for example.
Account Lockout
  • Administrative Interface
  • Device Web Interface
  • Cloud Interface
  • Mobile Application
  • Ability to continue sending authentication attempts after 3 - 5 failed login attempts
Unencrypted Services
  • Device Network Services
  • Network services are not properly encrypted to prevent eavesdropping by attackers
Two-factor Authentication
  • Administrative Interface
  • Cloud Web Interface
  • Mobile Application
  • Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
Poorly Implemented Encryption
  • Device Network Services
  • Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
Update Sent Without Encryption
  • Update Mechanism
  • Updates are transmitted over the network without using TLS or encrypting the update file itself
Update Location Writable
  • Update Mechanism
  • Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
Denial of Service
  • Device Network Services
  • Service can be attacked in a way that denies service to that service or the entire device
Removal of Storage Media
  • Device Physical Interfaces
  • Ability to physically remove the storage media from the device
No Manual Update Mechanism
  • Update Mechanism
  • No ability to manually force an update check for the device
Missing Update Mechanism
  • Update Mechanism
  • No ability to update device
Firmware Version Display and/or Last Update Date
  • Device Firmware
  • Current firmware version is not displayed and/or the last update date is not displayed
Retrieved from "https://wiki.owasp.org/index.php?title=Top_IoT_Vulnerabilities&oldid=216876"