Difference between revisions of "IoT Security Checklist"
From OWASP
Revision as of 12:54, 1 March 2015
The Checklist
Threat model: neighbour
Unprotected wireless channel
- Present
- Not present
Threat model: guest
Authentication between client and device
- Not present
- Login/password
- Key
Client-device encryption
- Not present
- Weak/strong
- Symmetric/asymmetric
- Encryption key length
Authentication for firmware update
- Not present
- Login/password
- Key
Firmware integrity controls
- Not present
- Weak/strong
- Digital signature
- Checksum
- Self-written (home-grown) scheme
- This threat model also applies to a reseller.
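The "Key" option under Authentication for firmware update and the "Checksum" option under Firmware integrity controls differ in what a guest on the network can do with an update image. The following is an added example, not code from the OWASP page or from any vendor: it packs a hypothetical image format (the MAGIC value, the header layout and DEVICE_UPDATE_KEY are all assumptions made for the example) and shows that a checksum-only verifier accepts an image whose payload was swapped and whose checksum was recomputed, while a keyed verifier rejects it. An HMAC stands in for the authentication tag so the example runs with the standard library alone; on a real device the tag would be an asymmetric signature so that the unit holds only a public key and reading it out of flash yields nothing that can sign a new image.

```python
"""Firmware update verification: checksum-only versus key-authenticated images.

Added example (not part of the OWASP checklist page). The image format,
the MAGIC value and DEVICE_UPDATE_KEY are constructed for illustration.
"""
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                             # hypothetical image magic
HEADER_FMT = ">4sII"                        # magic, version, payload length
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 12 bytes
DIGEST_LEN = hashlib.sha256().digest_size   # 32 bytes

# Hypothetical update key provisioned into the device at manufacture.
DEVICE_UPDATE_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def build_image(payload, version, key=b""):
    """Pack header | payload | SHA-256 checksum | HMAC tag (tag omitted if no key)."""
    body = struct.pack(HEADER_FMT, MAGIC, version, len(payload)) + payload
    checksum = hashlib.sha256(body).digest()
    tag = hmac.new(key, body, hashlib.sha256).digest() if key else b""
    return body + checksum + tag


def _split(image):
    """Return (version, body, checksum, tag) or None if the layout is malformed."""
    if len(image) < HEADER_LEN + DIGEST_LEN:
        return None
    magic, version, length = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    body_end = HEADER_LEN + length
    if magic != MAGIC or body_end + DIGEST_LEN > len(image):
        return None
    body = image[:body_end]
    checksum = image[body_end:body_end + DIGEST_LEN]
    tag = image[body_end + DIGEST_LEN:]
    return version, body, checksum, tag


def verify_checksum_only(image):
    """'Checksum' control: detects corruption, but anyone can recompute it."""
    parts = _split(image)
    if parts is None:
        return False
    _, body, checksum, _ = parts
    return hmac.compare_digest(checksum, hashlib.sha256(body).digest())


def verify_authenticated(image, key):
    """'Key' control: the tag can only be produced by a holder of the update key."""
    parts = _split(image)
    if parts is None:
        return False
    _, body, checksum, tag = parts
    if not hmac.compare_digest(checksum, hashlib.sha256(body).digest()):
        return False
    if len(tag) != DIGEST_LEN:
        return False   # unsigned image: reject, never fall back to checksum-only
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def attacker_repackage(image, new_payload):
    """What a guest without the key can do: swap the payload, recompute the
    checksum and leave the original tag in place."""
    parts = _split(image)
    if parts is None:
        return None
    version, _, _, tag = parts
    body = struct.pack(HEADER_FMT, MAGIC, version, len(new_payload)) + new_payload
    return body + hashlib.sha256(body).digest() + tag


def corrupt(image, offset):
    """Flip one bit, modelling a transmission error rather than an attack."""
    b = bytearray(image)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    good = build_image(b"vendor firmware v2", 2, DEVICE_UPDATE_KEY)
    evil = attacker_repackage(good, b"firmware with extra admin account")
    print("genuine, checksum only :", verify_checksum_only(good))                     # True
    print("genuine, authenticated :", verify_authenticated(good, DEVICE_UPDATE_KEY))  # True
    print("tampered, checksum only:", verify_checksum_only(evil))                     # True
    print("tampered, authenticated:", verify_authenticated(evil, DEVICE_UPDATE_KEY))  # False
```

The point to take from the run is the third line: a checksum passes on the attacker's image because the checksum is computed from the image itself. Only a tag that depends on a secret the attacker does not hold turns "integrity" into "authenticity", and the verifier must refuse images that carry no tag at all rather than degrade to the checksum path.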
Threat model: vendor
Hidden data exchange services
- Present
- Not present
Backdoor accounts
- Present
- Not present
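A concrete way to test the Backdoor accounts item against an unpacked firmware root filesystem, as an added example that is not part of the OWASP page: it parses /etc/passwd and /etc/shadow, flags any uid-0 account other than root, any interactive-shell account with an empty password, and any login-capable account the vendor has not documented. SAMPLE_PASSWD and SAMPLE_SHADOW are constructed for the example and the hashes in them are placeholders, not real device credentials; `documented` is a hypothetical list of the accounts the vendor's manual admits to.

```python
"""Check an unpacked firmware image for backdoor accounts.

Added example, not part of the OWASP checklist page. SAMPLE_PASSWD and
SAMPLE_SHADOW are constructed to look like files pulled from an extracted
root filesystem; the hashes are placeholders, not real device credentials.
"""

# Shells that give an interactive login; extend for the firmware under test.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/ash", "/bin/bash", "/bin/busybox"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
support:x:0:0:Remote support:/:/bin/sh
admin:x:1000:1000:Web admin:/home/admin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
"""

SAMPLE_SHADOW = """\
root:$1$Rm9vYmFy$QWqp9Q4lX2nE3p7Zz0hKv1:16435:0:99999:7:::
daemon:*:16435:0:99999:7:::
support:$1$c3VwcG9y$Lk2Pq8Hn5Vx1Rt3Wy7Zb90:16435:0:99999:7:::
admin::16435:0:99999:7:::
nobody:!:16435:0:99999:7:::
"""


def parse_passwd(text):
    """Map user name -> fields of interest from /etc/passwd (7 colon-separated fields)."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue   # skip malformed lines rather than guess at them
        name, pw, uid, _gid, _gecos, _home, shell = fields
        users[name] = {"pw": pw, "uid": int(uid), "shell": shell}
    return users


def parse_shadow(text):
    """Map user name -> password hash field from /etc/shadow."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def is_locked(hash_field):
    """Locked or unusable hash: '*', '!', '!hash', or the 'x' shadow placeholder."""
    return hash_field == "x" or hash_field.startswith(("!", "*"))


def find_backdoor_candidates(passwd_text, shadow_text, documented=("root", "admin")):
    """Return [(name, [reasons])] for accounts the vendor should have to justify."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, u in users.items():
        reasons = []
        if u["uid"] == 0 and name != "root":
            reasons.append("uid 0 alias of root")
        # The shadow entry wins; without one, the passwd field itself is the hash.
        pw_hash = hashes.get(name, u["pw"])
        if u["shell"] in INTERACTIVE_SHELLS and not is_locked(pw_hash):
            if pw_hash == "":
                reasons.append("interactive shell with empty password")
            elif name not in documented:
                reasons.append("undocumented account with interactive shell and a fixed password")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in find_backdoor_candidates(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{name}: {'; '.join(reasons)}")
```

Run it against the passwd and shadow files of the extracted root filesystem (for example after `binwalk -e` on the image). A fixed hash shared by every unit of a product is itself a finding even for a documented account, since the password is the same on every device the vendor ships; the `documented` list only decides whether an extra account is unexpected, not whether its credential is acceptable.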
Threat model: website
Client-side vulnerabilities in web interface
- Present
- Not present
Server-side vulnerabilities in web interface
- Present
- Not present
- This threat model also applies to a guest.
Threat model: physical
Physical protection from damage
- Present
- Not present