
IoT Security Checklist

From OWASP

The Checklist

Originally presented by @wallarm at OWASP Russia Meetup #2.


Threat model: neighbour

Unprotected wireless channel

  • Present
  • Not present

Threat model: guest

Authentication between client and device

  • Not present
  • Login/password
  • Key

Client-device encryption

  • Not present
  • Weak/strong
  • Symmetric/asymmetric
  • Encryption key length

Authentication for firmware update

  • Not present
  • Login/password
  • Key

Firmware integrity controls

  • Not present
  • Weak/strong
  • E-signature
  • Checksum
  • Self-written
  • This threat model applies to the reseller too!
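As an added illustration of the "Checksum" versus "E-signature" options above (example code, not part of the original presentation): a checksum travelling with the image detects accidental corruption only, while a signature checked against a public key baked into the device also detects deliberate modification. The image layout, function names and firmware bytes are constructed; Ed25519 comes from the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// FirmwareImage is a constructed stand-in for an update package: raw image
// plus the integrity metadata that ships alongside it.
type FirmwareImage struct {
	Data     []byte
	Checksum [sha256.Size]byte // "Checksum" option from the checklist
	Sig      []byte            // "E-signature" option from the checklist
}

// Package builds an image as the vendor would: SHA-256 over the data and an
// Ed25519 signature made with the vendor's private key.
func Package(data []byte, priv ed25519.PrivateKey) FirmwareImage {
	return FirmwareImage{Data: data, Checksum: sha256.Sum256(data), Sig: ed25519.Sign(priv, data)}
}

// VerifyChecksum accepts any image whose embedded digest matches its data.
// Whoever can change the data can recompute the digest, so this is an
// integrity-against-corruption control, not an authenticity control.
func VerifyChecksum(img FirmwareImage) bool {
	return sha256.Sum256(img.Data) == img.Checksum
}

// VerifySignature accepts an image only if it was signed by the holder of the
// private key matching the public key provisioned on the device.
func VerifySignature(img FirmwareImage, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, img.Data, img.Sig)
}

// Tampered models an image altered in transit over an unprotected channel:
// one byte changed and the checksum recomputed, signature left as-is.
func Tampered(img FirmwareImage) FirmwareImage {
	data := append([]byte(nil), img.Data...)
	data[0] ^= 0xff
	return FirmwareImage{Data: data, Checksum: sha256.Sum256(data), Sig: img.Sig}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // device public key, vendor private key
	bad := Tampered(Package([]byte("constructed firmware v1.0"), priv))
	fmt.Println(VerifyChecksum(bad), VerifySignature(bad, pub)) // true false
}
```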


Threat model: vendor

Hidden data exchange services

  • Present
  • Not present

Backdoor accounts

  • Present
  • Not present


Threat model: website

Client-side vulnerabilities in web interface

  • Present
  • Not present

Server-side vulnerabilities in web interface

  • Present
  • Not present
  • This threat model applies to the guest too!


Threat model: physical

Physical protection from damage

  • Present
  • Not present