
Top IoT Vulnerabilities

From OWASP
Revision as of 19:33, 14 May 2016 by Craig Smith (talk | contribs)


The top IoT vulnerabilities (DRAFT) are as follows. Each entry lists the vulnerability, the attack surface(s) it applies to, and a summary of the weakness:

Username Enumeration
  Attack surface: Administrative Interface; Device Web Interface; Cloud Interface; Mobile Application
  Summary: Ability to collect a set of valid usernames by interacting with the authentication mechanism

Weak Passwords
  Attack surface: Administrative Interface; Device Web Interface; Cloud Interface; Mobile Application
  Summary: Ability to set account passwords to weak values such as '1234' or '123456'

Account Lockout
  Attack surface: Administrative Interface; Device Web Interface; Cloud Interface; Mobile Application
  Summary: Ability to continue sending authentication attempts after 3-5 failed login attempts

Unencrypted Services
  Attack surface: Device Network Services
  Summary: Network services are not properly encrypted to prevent eavesdropping by attackers

Two-factor Authentication
  Attack surface: Administrative Interface; Cloud Web Interface; Mobile Application
  Summary: Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner

Poorly Implemented Encryption
  Attack surface: Device Network Services
  Summary: Encryption is implemented, but it is improperly configured or not kept up to date, e.g. using SSL v2

Update Sent Without Encryption
  Attack surface: Update Mechanism
  Summary: Updates are transmitted over the network without using TLS or encrypting the update file itself

Update Location Writable
  Attack surface: Update Mechanism
  Summary: Storage location for update files is world writable, potentially allowing firmware to be modified and distributed to all users

Denial of Service
  Attack surface: Device Network Services
  Summary: The service can be attacked in a way that denies service, either to that service alone or to the entire device

Removal of Storage Media
  Attack surface: Device Physical Interfaces
  Summary: Ability to physically remove the storage media from the device

No Manual Update Mechanism
  Attack surface: Update Mechanism
  Summary: No ability to manually force an update check for the device

Missing Update Mechanism
  Attack surface: Update Mechanism
  Summary: No ability to update the device

Firmware Version Display and/or Last Update Date
  Attack surface: Device Firmware
  Summary: Current firmware version is not displayed and/or the last update date is not displayed
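As an added example (not code from the OWASP project), the following login handler shows how the first three entries above are mitigated together in a device web or cloud interface: a uniform error message and a dummy hash computation for unknown usernames (Username Enumeration), a denylist and length check at registration (Weak Passwords), and a lockout window after five failures (Account Lockout). The class and function names, the thresholds and the password denylist are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
import time

# Added example (not OWASP's code). AuthStore, register and login are assumed names.
MAX_FAILED = 5                # lock after 5 failed attempts (the page's 3-5 range)
LOCKOUT_SECONDS = 900         # keep rejecting logins for 15 minutes
WEAK_PASSWORDS = {"1234", "123456", "password", "admin"}  # constructed denylist
GENERIC_ERROR = "Invalid username or password"            # identical text for every failure

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthStore:
    def __init__(self):
        self.users = {}  # username -> {"salt", "hash", "failed", "locked_until"}
        # Dummy credential so an unknown username costs the same work as a known one.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash(os.urandom(16).hex(), self._dummy_salt)

    def register(self, username: str, password: str) -> bool:
        # Weak Passwords: refuse denylisted or short passwords when the account is created.
        if len(password) < 8 or password.lower() in WEAK_PASSWORDS:
            return False
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt),
                                "failed": 0, "locked_until": 0.0}
        return True

    def login(self, username: str, password: str, now: float = None):
        now = time.time() if now is None else now
        rec = self.users.get(username)
        # Username Enumeration: unknown user still hashes and gets the same message.
        if rec is None:
            hmac.compare_digest(_hash(password, self._dummy_salt), self._dummy_hash)
            return False, GENERIC_ERROR
        # Account Lockout: reject everything, even the right password, during the window.
        if now < rec["locked_until"]:
            return False, GENERIC_ERROR
        if hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
            rec["failed"] = 0
            return True, "OK"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failed"] = 0
        return False, GENERIC_ERROR
```

The `now` parameter exists so the lockout window can be exercised deterministically; in production it is left at its default.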