This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Top IoT Vulnerabilities

From OWASP
Revision as of 02:38, 30 November 2015 by Craig Smith (talk | contribs) (Created page with "= Top IoT Vulnerabilities = The top IoT vulnerabilities (DRAFT) are as follow: {| border="1" class="wikitable" style="text-align: left" ! Vulnerability ! Attack Surface ! Su...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Top IoT Vulnerabilities

The top IoT vulnerabilities (DRAFT) are as follow:

Vulnerability Attack Surface Summary
Username Enumeration
  • Administrative Interface
  • Device Web Interface
  • Cloud Interface
  • Mobile Application
  • Ability to collect a set of valid usernames by interacting with the authentication mechanism
Weak Passwords
  • Administrative Interface
  • Device Web Interface
  • Cloud Interface
  • Mobile Application
  • Ability to set account passwords to '1234' or '123456' for example.
Account Lockout
  • Administrative Interface
  • Device Web Interface
  • Cloud Interface
  • Mobile Application
  • Ability to continue sending authentication attempts after 3 - 5 failed login attempts
Unencrypted Services
  • Device Network Services
  • Network services are not properly encrypted to prevent eavesdropping by attackers
Two-factor Authentication
  • Administrative Interface
  • Cloud Web Interface
  • Mobile Application
  • Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
Poorly Implemented Encryption
  • Device Network Services
  • Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
Update Sent Without Encryption
  • Update Mechanism
  • Updates are transmitted over the network without using TLS or encrypting the update file itself
Update Location Writable
  • Update Mechanism
  • Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
Denial of Service
  • Device Network Services
  • Service can be attacked in a way that denies service to that service or the entire device
Removal of Storage Media
  • Device Physical Interfaces
  • Ability to physically remove the storage media from the device
No Manual Update Mechanism
  • Update Mechanism
  • No ability to manually force an update check for the device
Missing Update Mechanism
  • Update Mechanism
  • No ability to update device
Firmware Version Display and/or Last Update Date
  • Device Firmware
  • Current firmware version is not displayed and/or the last update date is not displayed
Retrieved from "https://wiki.owasp.org/index.php?title=Top_IoT_Vulnerabilities&oldid=203955"