Tester IoT Security Guidance
(DRAFT)
The goal of this page is to help testers assess IoT devices and applications in the Internet of Things space. The guidance below is at a basic level, giving testers of devices and applications a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly improve the security of any IoT product.
Category
|
IoT Security Consideration
|
I1: Insecure Web Interface
|
- Assess any web interface to determine if weak passwords are allowed
- Assess the account lockout mechanism
- Assess the web interface for XSS, SQLi and CSRF vulnerabilities and other web application vulnerabilities
- Assess the use of HTTPS to protect transmitted information
- Assess the ability to change the username and password
- Determine if web application firewalls are used to protect web interfaces
|
I2: Insufficient Authentication/Authorization
|
- Assess the solution for the use of strong passwords where authentication is needed
- Assess the solution for multi-user environments and ensure it includes functionality for role separation
- Assess the solution for Implementation two-factor authentication where possible
- Assess password recovery mechanisms
- Assess the solution for the option to require strong passwords
- Assess the solution for the option to force password expiration after a specific period
- Assess the solution for the option to change the default username and password
|
I3: Insecure Network Services
|
- Assess the solution to ensure network services don't respond poorly to buffer overflow, fuzzing or denial of service attacks
- Assess the solution to ensure test ports are are not present
|
I4: Lack of Transport Encryption
|
- Assess the solution to determine the use of encrypted communication between devices and between devices and the internet
- Assess the solution to determine if accepted encryption practices are used and if proprietary protocols are avoided
- Assess the solution to determine if a firewall option available is available
|
I5: Privacy Concerns
|
- Assess the solution to determine the amount of personal information collected
- Assess the solution to determine if collected personal data is properly protected using encryption at rest and in transit
- Assess the solution to determine if Ensuring data is de-identified or anonymized
- Assess the solution to ensure end-users are given a choice for data collected beyond what is needed for proper operation of the device
|
I6: Insecure Cloud Interface
|
- Assess the cloud interfaces for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces)
- Assess the cloud-based web interface to ensure it disallows weak passwords
- Assess the cloud-based web interface to ensure it includes an account lockout mechanism
- Assess the cloud-based web interface to determine if two-factor authentication is used
- Assess any cloud interfaces for XSS, SQLi and CSRF vulnerabilities and other vulnerabilities
- Assess all cloud interfaces to ensure transport encryption is used
- Assess the cloud interfaces to determine if the option to require strong passwords is available
- Assess the cloud interfaces to determine if the option to force password expiration after a specific period is available
- Assess the cloud interfaces to determine if the option to change the default username and password is available
|
I7: Insecure Mobile Interface
|
- Assess the mobile interface to ensure it disallows weak passwords
- Assess the mobile interface to ensure it includes an account lockout mechanism
- Assess the mobile interface to determine if it Implements two-factor authentication (e.g Apple's Touch ID)
- Assess the mobile interface to determine if it uses transport encryption
- Assess the mobile interface to determine if the option to require strong passwords is available
- Assess the mobile interface to determine if the option to force password expiration after a specific period is available
- Assess the mobile interface to determine if the option to change the default username and password is available
- Assess the mobile interface to determine the amount of personal information collected
|
I8: Insufficient Security Configurability
|
- Assess the solution to determine if password security options (e.g. Enabling 20 character passwords or enabling two-factor authentication) are available
- Assess the solution to determine if encryption options (e.g. Enabling AES-256 where AES-128 is the default setting) are available
- Assess the solution to determine if logging for security events is available
- Assess the solution to determine if alerts and notifications to the user for security events are available
|
I9: Insecure Software/Firmware
|
- Assess the device to ensure it includes update capability and can be updated quickly when vulnerabilities are discovered
- Assess the device to ensure it uses encrypted update files and that the files are transmitted using encryption
- Assess the device to ensure is uses signed files and then validates that file before installation
|
I10: Poor Physical Security
|
- Assess the device to ensure it utilizes a minimal number of physical external ports (e.g. USB ports) on the device
- Assess the device to determine if it can be accessed via unintended methods such as through an unnecessary USB port
- Assess the device to determine if it allows for disabling of unused physical ports such as USB
- Assess the device to determine if it includes the ability to limit administrative capabilities to a local interface only
|
General Recommendations
Consider the following recommendations for all user interfaces (local device, cloud-based and mobile):
- Avoid potential Account Harvesting issues by:
- Ensuring valid user accounts can't be identified by interface error messages
- Ensuring strong passwords are required by users
- Implementing account lockout after 3 - 5 failed login attempts