Difference between revisions of "OWASP Internet of Things Project"

Revision as of 10:20, 20 March 2017

OWASP Internet of Things (IoT) Project

Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

Licensing

The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

Share this:

What is the OWASP Internet of Things Project?

The OWASP Internet of Things Project provides information on:

IoT Attack Surface Areas
IoT Vulnerabilities
Firmware Analysis
ICS/SCADA Software Weaknesses
Community Information
IoT Testing Guides
IoT Security Guidance
Principles of IoT Security
IoT Framework Assessment
Developer, Consumer and Manufacturer Guidance
Design Principles

Project Leaders

Daniel Miessler
Craig Smith

Contributors

Justin Klein Keane
Saša Zdjelar

Related Projects

Collaboration

The Slack Channel

Quick Download

IoT Attack Surface Mapping DEFCON 23

IoT Testing Guidance Handout

OWASP IoT Top Ten PDF

OWASP IoT Top Ten Infographic

OWASP IoT Top Ten PPT

OWASP IoT Top Ten-RSA 2015

OWASP IoT Project Overview

News and Events

Added a Slack channel
Added a sub-project; IoT Security Policy Project
Daniel Miessler gave his IoT talk at DEFCON 23
Migrating the IoT Top Ten to be under the IoT Project
HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack

Classifications

IoT Attack Surface Areas Project

The OWASP IoT Attack Surface Areas (DRAFT) are as follows:

Attack Surface	Vulnerability
Ecosystem (general)	Interoperability standards Data governance System wide failure Individual stakeholder risks Implicit trust between components Enrollment security Decommissioning system Lost access procedures
Device Memory	Sensitive data Cleartext usernames Cleartext passwords Third-party credentials Encryption keys
Device Physical Interfaces	Firmware extraction User CLI Admin CLI Privilege escalation Reset to insecure state Removal of storage media Tamper resistance Debug port UART (Serial) JTAG / SWD Device ID/Serial number exposure
Device Web Interface	Standard set of web application vulnerabilities, see: OWASP Web Top 10 OWASP ASVS OWASP Testing guide Credential management vulnerabilities: Username enumeration Weak passwords Account lockout Known default credentials Insecure password recovery mechanism
Device Firmware	Sensitive data exposure (See OWASP Top 10 - A6 Sensitive data exposure): Backdoor accounts Hardcoded credentials Encryption keys Encryption (Symmetric, Asymmetric) Sensitive information Sensitive URL disclosure Firmware version display and/or last update date Vulnerable services (web, ssh, tftp, etc.) Verify for old sw versions and possible attacks (Heartbleed, Shellshock, old PHP versions etc) Security related function API exposure Firmware downgrade possibility
Device Network Services	Information disclosure User CLI Administrative CLI Injection Denial of Service Unencrypted Services Poorly implemented encryption Test/Development Services Buffer Overflow UPnP Vulnerable UDP Services DoS Device Firmware OTA update block Firmware loaded over insecure channel (no TLS) Replay attack Lack of payload verification Lack of message integrity check Credential management vulnerabilities: Username enumeration Weak passwords Account lockout Known default credentials Insecure password recovery mechanism
Administrative Interface	Standard set of web application vulnerabilities, see: OWASP Web Top 10 OWASP ASVS OWASP Testing guide Credential management vulnerabilities: Username enumeration Weak passwords Account lockout Known default credentials Insecure password recovery mechanism Security/encryption options Logging options Two-factor authentication Check for insecure direct object references Inability to wipe device
Local Data Storage	Unencrypted data Data encrypted with discovered keys Lack of data integrity checks Use of static same enc/dec key
Cloud Web Interface	Standard set of web application vulnerabilities, see: OWASP Web Top 10 OWASP ASVS OWASP Testing guide Credential management vulnerabilities: Username enumeration Weak passwords Account lockout Known default credentials Insecure password recovery mechanism Transport encryption Two-factor authentication
Third-party Backend APIs	Unencrypted PII sent Encrypted PII sent Device information leaked Location leaked
Update Mechanism	Update sent without encryption Updates not signed Update location writable Update verification Update authentication Malicious update Missing update mechanism No manual update mechanism
Mobile Application	Implicitly trusted by device or cloud Username enumeration Account lockout Known default credentials Weak passwords Insecure data storage Transport encryption Insecure password recovery mechanism Two-factor authentication
Vendor Backend APIs	Inherent trust of cloud or mobile application Weak authentication Weak access controls Injection attacks Hidden services
Ecosystem Communication	Health checks Heartbeats Ecosystem commands Deprovisioning Pushing updates
Network Traffic	LAN LAN to Internet Short range Non-standard Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA) Protocol fuzzing
Authentication/Authorization	Authentication/Authorization related values (session key, token, cookie, etc.) disclosure Reusing of session key, token, etc. Device to device authentication Device to mobile Application authentication Device to cloud system authentication Mobile application to cloud system authentication Web application to cloud system authentication Lack of dynamic authentication
Privacy	User data disclosure User/device location disclosure Differential privacy
Hardware (Sensors)	Sensing Environment Manipulation Tampering (Physically) Damage (Physicall)

Share this:

What is the IoT Attack Surface Areas Project?

The IoT Attack Surface Areas Project provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers, and those looking to deploy or implement IoT technologies within their organizations.

Project Leaders

Daniel Miessler
Craig Smith

Related Projects

Collaboration

The Slack Channel

Quick Download

Coming Soon

News and Events

Coming Soon

IoT Vulnerabilities Project

Vulnerability	Attack Surface	Summary
Username Enumeration	Administrative Interface Device Web Interface Cloud Interface Mobile Application	Ability to collect a set of valid usernames by interacting with the authentication mechanism
Weak Passwords	Administrative Interface Device Web Interface Cloud Interface Mobile Application	Ability to set account passwords to '1234' or '123456' for example. Usage of pre-programmed default passwords
Account Lockout	Administrative Interface Device Web Interface Cloud Interface Mobile Application	Ability to continue sending authentication attempts after 3 - 5 failed login attempts
Unencrypted Services	Device Network Services	Network services are not properly encrypted to prevent eavesdropping or tampering by attackers
Two-factor Authentication	Administrative Interface Cloud Web Interface Mobile Application	Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
Poorly Implemented Encryption	Device Network Services	Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
Update Sent Without Encryption	Update Mechanism	Updates are transmitted over the network without using TLS or encrypting the update file itself
Update Location Writable	Update Mechanism	Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
Denial of Service	Device Network Services	Service can be attacked in a way that denies service to that service or the entire device
Removal of Storage Media	Device Physical Interfaces	Ability to physically remove the storage media from the device
No Manual Update Mechanism	Update Mechanism	No ability to manually force an update check for the device
Missing Update Mechanism	Update Mechanism	No ability to update device
Firmware Version Display and/or Last Update Date	Device Firmware	Current firmware version is not displayed and/or the last update date is not displayed
Firmware and storage extraction	JTAG / SWD interface In-Situ dumping Intercepting a OTA update Downloading from the manufacturers web page eMMC tapping Unsoldering the SPI Flash / eMMC chip and reading it in a adapter	Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys etc.
Manipulating the code execution flow of the device	JTAG / SWD interface Side channel attacks like glitching	With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls. Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device
Obtaining console access	Serial interfaces (SPI / UART)	By connecting to a serial interface, we will obtain full console access to a device Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.

Share this:

What is the IoT Vulnerabilities Project?

The IoT Vulnerabilities Project provides:

Information on the top IoT vulnerabilities
The attack surface associated with the vulnerability
A summary of the vulnerability

Project Leaders

Daniel Miessler
Craig Smith

Related Projects

Collaboration

The Slack Channel

Resources

Top 10 IoT Vulnerabilities from 2014

News and Events

Coming Soon

Medical Device Testing

The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.

Attack Surface	Vulnerability
Ecosystem (general)	Interoperability standards Data governance System wide failure Individual stakeholder risks Implicit trust between components Enrollment security Decommissioning system Lost access procedures
HL7	XML Parsing XSS Information Disclosure
Device Memory	Sensitive data Cleartext usernames Cleartext passwords Third-party credentials Encryption keys
Device Physical Interfaces	Firmware extraction User CLI Admin CLI Privilege escalation Reset to insecure state Removal of storage media Tamper resistance Debug port Device ID/Serial number exposure
Device Web Interface	Standard set of web vulnerabilities: SQL injection Cross-site scripting Cross-site Request Forgery Username enumeration Credential management vulnerabilities: Username enumeration Weak passwords Account lockout Known default credentials Insecure password recovery mechanism
Device Firmware	Sensitive data exposure: Backdoor accounts Hardcoded credentials Encryption keys Encryption (Symmetric, Asymmetric) Sensitive information Sensitive URL disclosure Firmware version display and/or last update date Vulnerable services (web, ssh, tftp, etc.) Security related function API exposure Firmware downgrade
Device Network Services	Information disclosure User CLI Administrative CLI Injection Denial of Service Unencrypted Services Poorly implemented encryption Test/Development Services Buffer Overflow UPnP Vulnerable UDP Services DoS Device Firmware OTA update block Replay attack Lack of payload verification Lack of message integrity check Credential management vulnerabilities: Username enumeration Weak passwords Account lockout Known default credentials Insecure password recovery mechanism
Administrative Interface	Standard web vulnerabilities: SQL injection Cross-site scripting Cross-site Request Forgery Username enumeration Credential management vulnerabilities: Username enumeration Weak passwords Account lockout Known default credentials Insecure password recovery mechanism Security/encryption options Logging options Two-factor authentication Inability to wipe device
Local Data Storage	Unencrypted data Data encrypted with discovered keys Lack of data integrity checks Use of static same enc/dec key
Cloud Web Interface	Standard set of web vulnerabilities: SQL injection Cross-site scripting Cross-site Request Forgery Credential management vulnerabilities: Username enumeration Weak passwords Account lockout Known default credentials Insecure password recovery mechanism Transport encryption Two-factor authentication
Third-party Backend APIs	Unencrypted PII sent Encrypted PII sent Device information leaked Location leaked
Update Mechanism	Update sent without encryption Updates not signed Update location writable Update verification Update authentication Malicious update Missing update mechanism No manual update mechanism
Mobile Application	Implicitly trusted by device or cloud Username enumeration Account lockout Known default credentials Weak passwords Insecure data storage Transport encryption Insecure password recovery mechanism Two-factor authentication
Vendor Backend APIs	Inherent trust of cloud or mobile application Weak authentication Weak access controls Injection attacks Hidden services
Ecosystem Communication	Health checks Heartbeats Ecosystem commands Deprovisioning Pushing updates
Network Traffic	LAN LAN to Internet Short range Non-standard Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA) Protocol fuzzing
Authentication/Authorization	Authentication/Authorization related values (session key, token, cookie, etc.) disclosure Reusing of session key, token, etc. Device to device authentication Device to mobile Application authentication Device to cloud system authentication Mobile application to cloud system authentication Web application to cloud system authentication Lack of dynamic authentication
Data Flow	What data is being captured? How does it move within the ecosystem? How is it protected in transit? How is it protected at rest? Who is that data shared with?
Hardware (Sensors)	Sensing Environment Manipulation Tampering (Physically) Damaging (Physically) Failure state analysis

Share this:

What is the Medical Attack Surfaces project?

The Medical Attack Surfaces project provides:

A simple way for testers, manufacturers, developers, and users to get an understanding of the complexity of a modern medical environment
Allows people to visualize the numerous attack surfaces that need to be defended within medical equipment ecosystems

Project Leaders

Daniel Miessler

Related Projects

Collaboration

The Slack Channel

Resources

News and Events

Daniel Miessler presented on using Adaptive Testing Methodologies to evaluate the security of medical devices at RSA 2017.

Firmware Analysis Project

The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":

Section
Device Firmware Vulnerabilties	Out-of-date core components Unsupported core components Expired and/or self-signed certificates Same certificate used on multiple devices Admin web interface concerns Hardcoded or easy to guess credentials Sensitive information disclosure Sensitive URL disclosure Encryption key exposure Backdoor accounts Vulnerable services (web, ssh, tftp, etc.)
Manufacturer Recommendations	Ensure that supported and up-to-date software is used by developers Ensure that robust update mechanisms are in place for devices Ensure that certificates are not duplicated across devices and product lines. Ensure supported and up-to-date software is used by developers Develop a mechanism to ensure a new certificate is installed when old ones expire Disable deprecated SSL versions Ensure developers do not code in easy to guess or common admin passwords Ensure services such as SSH have a secure password created Develop a mechanism that requires the user to create a secure admin password during initial device setup Ensure developers do not hard code passwords or hashes Have source code reviewed by a third party before releasing device to production Ensure industry standard encryption or strong hashing is used
Device Firmware Guidance and Instruction	Firmware file analysis Firmware extraction Dynamic binary analysis Static binary analysis Static code analysis Firmware emulation File system analysis
Device Firmware Tools	Firmwalker Firmware Modification Kit Angr binary analysis framework Binwalk firmware analysis tool Binary Analysis Tool Firmadyne
Vulnerable Firmware	Damn Vulnerable Router Firmware

Share this:

What is the Firmware Analysis Project?

The Firmware Analysis Project provides:

Security testing guidance for vulnerabilities in the "Device Firmware" attack surface
Steps for extracting file systems from various firmware files
Guidance on searching a file systems for sensitive of interesting data
Information on static analysis of firmware contents
Information on dynamic analysis of emulated services (e.g. web admin interface)
Testing tool links
A site for pulling together existing information on firmware analysis

Project Leaders

Craig Smith

Related Projects

Collaboration

The Slack Channel

Resources

News and Events

Coming Soon

IoT Logging Events

This is a working draft of the recommended minimum IoT Device logging events. This includes many different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.

Event Category	Events
Request Exceptions	Attempt to Invoke Unsupported HTTP Method Unexpected Quantity of Characters in Parameter Unexpected Type of Characters in Parameter
Authentication Exceptions	Multiple Failed Passwords High Rate of Login Attempts Additional POST Variable Deviation from Normal GEO Location
Session Exceptions	Modifying the Existing Cookie Substituting Another User's Valid SessionID or Cookie Source Location Changes During Session
Access Control Exceptions	Modifying URL Argument Within a GET for Direct Object Access Attempt Modifying Parameter Within a POST for Direct Object Access Attempt Forced Browsing Attempt
Ecosystem Membership Exceptions	Traffic Seen from Disenrolled System Traffic Seen from Unenrolled System Failed Attempt to Enroll in Ecosystem Multiple Attempts to Enroll in Ecosystem
Device Access Events	Device Case Tampering Detected Device Logic Board Tampering Detected
Administrative Mode Events	Device Entered Administrative Mode Device Accessed Using Default Administrative Credentials
Input Exceptions	Double Encoded Character Unexpected Encoding Used
Command Injection Exceptions	Blacklist Inspection for Common SQL Injection Values Abnormal Quantity of Returned Records
Honey Trap Exceptions	Honey Trap Resource Requested Honey Trap Data Used
Reputation Exceptions	Suspicious or Disallowed User Source Location

Share this:

What is the IoT Security Logging Project?

The IoT Secure Logging Project provides a list of core events that should be logged in any IoT-related system. The project exists because IoT systems in general are not logging nearly enough events to constitute input for a solid detection and response program around IoT devices, and for companies that want to do this there are not many good resources for what should be logged.

Project Leaders

Daniel Miessler

Related Projects

The OWASP AppSensor Project

Collaboration

The Slack Channel

Quick Download

Coming Soon

News and Events

Coming Soon

I Am The Cavalry

A global grassroots organization that is focused on issues where computer security intersects public safety and human life.

Their areas of focus include:

Medical devices
Automobiles
Home Electronics
Public Infrastructure

BuildItSecure.ly

A project focused on helping small business connect with security researchers to aid in securing their IoT-based products before going market.

Their goals include:

Focus effort towards small business
Build partnerships
Coordinate efforts
Curate informational resources
Present research

Online Trust Alliance

Formed as an informal industry working group in 2005, today OTA is an Internal Revenue Service (IRS) approved 501c3 charitable organization with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet. OTA is global organization supported by over 100 organizations headquartered in Bellevue, Washington with offices in Washington DC.

Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the IoT Trustworthy Working Group (ITWG), a multi-stakeholder initiative. The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.

AllSeen Alliance

The AllSeen Alliance is a Linux Foundation collaborative project. They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things. The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.

The Industrial Internet Consortium (IIC)

The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.

Securing Smart Cities

Securing Smart Cities is a not-for-profit global initiative that aims to solve the existing and future cybersecurity problems of smart cities through collaboration between companies, governments, media outlets, other not-for-profit initiatives and individuals across the world.

Talks

RSA Conference San Francisco
Securing the Internet of Things: Mapping IoT Attack Surface Areas with the OWASP IoT Top 10 Project
Daniel Miessler, Practice Principal
April 21, 2015
---
Defcon 23
IoT Attack Surface Mapping
Daniel Miessler
August 6-9, 2015

Podcasts

IoT Conferences

Internet of Things Events

Conference Call for Papers

@@ Line 4: / Line 4: @@
 {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
-| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
+| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
 ==OWASP Internet of Things (IoT) Project==
@@ Line 19: / Line 19: @@
 The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
-== ==
 {{Social Media Links}}
-| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
+| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 == What is the OWASP Internet of Things Project? ==
@@ Line 58: / Line 57: @@
 * [[C/C++|OWASP C/C++]]
-| valign="top"  style="padding-left:25px;width:200px;" |
+| valign="top" style="padding-left:25px;width:200px;" |
 == Collaboration ==
@@ Line 89: / Line 88: @@
     {| width="200" cellpadding="2"
     |-
-    | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
+    | rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
-    | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
+    | align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=]]
     |-
-    | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
+    | align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=]]
     |-
-    | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
+    | colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
     |-
-    | colspan="2" align="center"  | [[File:Project_Type_Files_DOC.jpg|link=]]
+    | colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
     |}
@@ Line 106: / Line 105: @@
 {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
-| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
+| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
 == IoT Attack Surface Areas Project ==
@@ Line 112: / Line 111: @@
 The OWASP IoT Attack Surface Areas (DRAFT) are as follows:
-{| border="1" class="wikitable" style="text-align: left"
+{| class="wikitable" border="1" style="text-align: left"
 ! Attack Surface
 ! Vulnerability
@@ Line 145: / Line 144: @@
 * Tamper resistance
 * Debug port
+** UART (Serial)
+** JTAG / SWD
 * Device ID/Serial number exposure
 |-
 | '''Device Web Interface'''
 |
-* Standard set of web vulnerabilities:
+* Standard set of web application vulnerabilities, see:
-** SQL injection
+** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
-** Cross-site scripting
+** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
-** Cross-site Request Forgery
+** [[:Category:OWASP Testing Project|OWASP Testing guide]]
-** Username enumeration
 * Credential management vulnerabilities:
 ** Username enumeration
@@ Line 163: / Line 163: @@
 | '''Device Firmware'''
 |
-* Sensitive data exposure:
+* Sensitive data exposure ([[Top 10 2013-A6-Sensitive Data Exposure|See OWASP Top 10 - A6 Sensitive data exposure]]):
 ** Backdoor accounts
 ** Hardcoded credentials
@@ Line 172: / Line 172: @@
 * Firmware version display and/or last update date
 * Vulnerable services (web, ssh, tftp, etc.)
+** Verify for old sw versions and possible attacks (Heartbleed, Shellshock, old PHP versions etc)
 * Security related function API exposure
-* Firmware downgrade
+* Firmware downgrade possibility
 |-
 | '''Device Network Services'''
@@ Line 190: / Line 191: @@
 * DoS
 * Device Firmware OTA update block
+* Firmware loaded over insecure channel (no TLS)
 * Replay attack
 * Lack of payload verification
@@ Line 202: / Line 204: @@
 | '''Administrative Interface'''
 |
-* Standard web vulnerabilities:
+* Standard set of web application vulnerabilities, see:
-** SQL injection
+** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
-** Cross-site scripting
+** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
-** Cross-site Request Forgery
+** [[:Category:OWASP Testing Project|OWASP Testing guide]]
-** Username enumeration
 * Credential management vulnerabilities:
 ** Username enumeration
@@ Line 216: / Line 217: @@
 * Logging options
 * Two-factor authentication
+* Check for insecure direct object references
 * Inability to wipe device
 |-
@@ Line 228: / Line 230: @@
 |
-* Standard set of web vulnerabilities:
+* Standard set of web application vulnerabilities, see:
-** SQL injection
+** [[:Category:OWASP Top Ten Project|OWASP Web Top 10]]
-** Cross-site scripting
+** [[:Category:OWASP Application Security Verification Standard Project|OWASP ASVS]]
-** Cross-site Request Forgery
+** [[:Category:OWASP Testing Project|OWASP Testing guide]]
 * Credential management vulnerabilities:
 ** Username enumeration
@@ Line 317: / Line 319: @@
 * Sensing Environment Manipulation
 * Tampering (Physically)
-* Damaging (Physically)
+* Damage (Physicall)
 |-
 |}
-== ==
 {{Social Media Links}}
-| valign="top"  style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
+| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
 == What is the IoT Attack Surface Areas Project? ==
@@ Line 357: / Line 358: @@
 {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
-| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
+| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
 == IoT Vulnerabilities Project ==
-{| border="1" class="wikitable" style="text-align: left"
+{| class="wikitable" border="1" style="text-align: left"
 ! Vulnerability
 ! Attack Surface
@@ Line 383: / Line 384: @@
 |
 * Ability to set account passwords to '1234' or '123456' for example.
+* Usage of pre-programmed default passwords
 |-
 | '''Account Lockout'''
@@ Line 397: / Line 399: @@
 * Device Network Services
 |
-* Network services are not properly encrypted to prevent eavesdropping by attackers
+* Network services are not properly encrypted to prevent eavesdropping or tampering  by attackers
 |-
 | '''Two-factor Authentication'''
@@ Line 480: / Line 482: @@
 * By connecting to a serial interface, we will obtain full console access to a device
 * Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.
 |-
 |}
-== ==
 {{Social Media Links}}
-| valign="top"  style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
+| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
 == What is the IoT Vulnerabilities Project? ==
@@ Line 528: / Line 525: @@
 {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
-| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
+| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
 == Medical Device Testing ==
@@ Line 534: / Line 531: @@
 The Medical Device Testing project is intended to provide some basic attack surface considerations that should be evaluated before shipping Medical Device equipment.
-{| border="1" class="wikitable" style="text-align: left"
+{| class="wikitable" border="1" style="text-align: left"
 ! Attack Surface
 ! Vulnerability
@@ Line 751: / Line 748: @@
 |}
-== ==
 {{Social Media Links}}
-| valign="top"  style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
+| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
 == What is the Medical Attack Surfaces project? ==
@@ Line 794: / Line 790: @@
 {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
-| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
+| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
 == Firmware Analysis Project ==
@@ Line 800: / Line 796: @@
 The Firmware Analysis Project is intended to provide security testing guidance for the IoT Attack Surface "Device Firmware":
-{| border="1" class="wikitable" style="text-align: left"
+{| class="wikitable" border="1" style="text-align: left"
 ! Section
 !
@@ Line 863: / Line 859: @@
 |}
-== ==
 {{Social Media Links}}
-| valign="top"  style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
+| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
 == What is the Firmware Analysis Project? ==
@@ Line 911: / Line 906: @@
 {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
-| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
+| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
 == IoT Logging Events==
@@ Line 917: / Line 912: @@
 This is a working draft of the recommended minimum IoT Device logging events. This includes many   different types of devices, including consumer IoT, enterprise IoT, and ICS/SCADA type devices.
-{| border="1" class="wikitable" style="text-align: left"
+{| class="wikitable" border="1" style="text-align: left"
 ! Event Category
 ! Events
@@ Line 985: / Line 980: @@
 |}
-== ==
 {{Social Media Links}}
-| valign="top"  style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:  25px;" |
+| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:  25px;" |
 == What is the IoT Security Logging Project? ==
@@ Line 1,018: / Line 1,012: @@
 {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
-| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
+| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
 == ICS/SCADA Project ==
@@ Line 1,024: / Line 1,018: @@
 The OWASP ICS/SCADA Top 10 software weaknesses are as follows:
-{| border="1" class="wikitable" style="text-align: left"
+{| class="wikitable" border="1" style="text-align: left"
 ! Rank and ID
 ! Title
@@ Line 1,070: / Line 1,064: @@
 |}
-== ==
 {{Social Media Links}}
-| valign="top"  style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
+| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
 == What is the ICS/SCADA Project? ==
@@ Line 1,106: / Line 1,099: @@
 {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
-| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
+| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
 == IoT Security Policy Project ==
@@ Line 1,112: / Line 1,105: @@
 The OWASP IoT Security Policy Project provides:
-== ==
 {{Social Media Links}}
-| valign="top"  style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
+| valign="top" style="padding-left:25px;width:300px;border-right: 1px dotted gray;padding-right:25px;" |
 == What is the IoT Security Policies Project? ==
@@ Line 1,137: / Line 1,129: @@
 |}
 = Community =
@@ Line 1,151: / Line 1,141: @@
 * Home Electronics
 * Public Infrastructure
-== ==
 [http://builditsecure.ly BuildItSecure.ly]
@@ Line 1,162: / Line 1,152: @@
 * Curate informational resources
 * Present research
-== ==
 [https://otalliance.org Online Trust Alliance]
@@ Line 1,168: / Line 1,158: @@
 Addressing the mounting concerns, in January 2015 the Online Trust Alliance, established the [https://otalliance.org/initiatives/internet-things IoT Trustworthy Working Group (ITWG)], a multi-stakeholder initiative.  The group recognizes “security and privacy by design” must be a priority from the onset of product development and be addressed holistically. The framework focuses on privacy, security sustainability. The sustainability pillar is critical as it looks at the life-cycle issues related to long- term supportability and transfers of ownership of devices and the data collected.
-== ==
 [https://allseenalliance.org/framework AllSeen Alliance]
 The AllSeen Alliance is a Linux Foundation collaborative project.  They're a cross-industry consortium dedicated to enabling the interoperability of billions of devices, services and apps that comprise the Internet of Things.  The Alliance supports the AllJoyn Framework, an open source software framework that makes it easy for devices and apps to discover and communicate with each other. Developers can write applications for interoperability regardless of transport layer, manufacturer, and without the need for Internet access. The software has been and will continue to be openly available for developers to download, and runs on popular platforms such as Linux and Linux-based Android, iOS, and Windows, including many other lightweight real-time operating systems.
-== ==
 [http://www.iiconsortium.org/ The Industrial Internet Consortium (IIC)]
 The Industrial Internet Consortium is the open membership, international not-for-profit consortium that is setting the architectural framework and direction for the Industrial Internet. Founded by AT&T, Cisco, GE, IBM and Intel in March 2014, the consortium’s mission is to coordinate vast ecosystem initiatives to connect and integrate objects with people, processes and data using common architectures, interoperability and open standards.
-== ==
 [http://securingsmartcities.org/ Securing Smart Cities]
@@ Line 1,207: / Line 1,197: @@
 * [http://www.wikicfp.com/cfp/servlet/tool.search?q=internet+of+things&year=t WikiCFP - Internet of Things]
 * [http://www.wikicfp.com/cfp/servlet/tool.search?q=iot&year=t WikiCFP - IoT]
@@ Line 1,234: / Line 1,223: @@
 | links_url1 =
 | links_name1 =
-| links_url1 =
-| links_name1 =
 }}
@@ Line 1,242: / Line 1,229: @@
+__NOTOC__ <headertabs></headertabs>
+[[Category:OWASP_Project]]
-__NOTOC__ <headertabs />
+[[Category:OWASP_Document]]
+[[Category:OWASP_Download]]
-[[Category:OWASP_Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Release_Quality_Document]]
+[[Category:OWASP_Release_Quality_Document]]

Difference between revisions of "OWASP Internet of Things Project"

Revision as of 10:20, 20 March 2017

OWASP Internet of Things (IoT) Project

Licensing

What is the OWASP Internet of Things Project?

Project Leaders

Contributors

Related Projects

Collaboration

Quick Download

News and Events

Classifications

Navigation menu

Search