IoT Security Checklist

From OWASP
Revision as of 12:59, 1 March 2015 by Alexander Antukh (talk | contribs) (Client-device encryption)

The Checklist

Originally presented by @wallarm at OWASP Russia Meetup #2.


Threat model: neighbour

Unprotected wireless channel

  • Present
  • Not present

Threat model: guest

Authentication between client and device

  • Not present
  • Login/password
  • Key

Client-device encryption

  • Not present
  • Weak
  • Strong
  • Type:
    • Symmetric
    • Asymmetric
    • Encryption key length

Authentication for firmware update

  • Not present
  • Login/password
  • Key

Firmware integrity controls

  • Not present
  • Weak
  • Strong
  • Type:
    • E-signature
    • Checksum
    • Self-written
  • This threat model also applies to the reseller.

Threat model: vendor

Hidden data exchange services

  • Present
  • Not present

Backdoor accounts

  • Present
  • Not present


Threat model: website

Client-side vulnerabilities in web interface

  • Present
  • Not present

Server-side vulnerabilities in web interface

  • Present
  • Not present
  • This threat model also applies to the guest.


Threat model: physical

Physical protection from damage

  • Present
  • Not present