|
|
| Line 1: |
Line 1: |
| | <center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project Back To Internet of Things Project]</center> | | <center>[https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project Back To Internet of Things Project]</center> |
| − |
| |
| − | The top IoT vulnerabilities (DRAFT) are as follow:
| |
| − |
| |
| − | {| border="1" class="wikitable" style="text-align: left"
| |
| − | ! Vulnerability
| |
| − | ! Attack Surface
| |
| − | ! Summary
| |
| − | |-
| |
| − | | '''Username Enumeration'''
| |
| − | |
| |
| − | * Administrative Interface
| |
| − | * Device Web Interface
| |
| − | * Cloud Interface
| |
| − | * Mobile Application
| |
| − | |
| |
| − | * Ability to collect a set of valid usernames by interacting with the authentication mechanism
| |
| − | |-
| |
| − | | '''Weak Passwords'''
| |
| − | |
| |
| − | * Administrative Interface
| |
| − | * Device Web Interface
| |
| − | * Cloud Interface
| |
| − | * Mobile Application
| |
| − | |
| |
| − | * Ability to set account passwords to '1234' or '123456' for example.
| |
| − | |-
| |
| − | | '''Account Lockout'''
| |
| − | |
| |
| − | * Administrative Interface
| |
| − | * Device Web Interface
| |
| − | * Cloud Interface
| |
| − | * Mobile Application
| |
| − | |
| |
| − | * Ability to continue sending authentication attempts after 3 - 5 failed login attempts
| |
| − | |-
| |
| − | | '''Unencrypted Services'''
| |
| − | |
| |
| − | * Device Network Services
| |
| − | |
| |
| − | * Network services are not properly encrypted to prevent eavesdropping by attackers
| |
| − | |-
| |
| − | | '''Two-factor Authentication'''
| |
| − | |
| |
| − | * Administrative Interface
| |
| − | * Cloud Web Interface
| |
| − | * Mobile Application
| |
| − | |
| |
| − | * Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner
| |
| − | |-
| |
| − | | '''Poorly Implemented Encryption'''
| |
| − | |
| |
| − | * Device Network Services
| |
| − | |
| |
| − | * Encryption is implemented however it is improperly configured or is not being properly updated, e.g. using SSL v2
| |
| − | |-
| |
| − | | '''Update Sent Without Encryption'''
| |
| − | |
| |
| − | * Update Mechanism
| |
| − | |
| |
| − | * Updates are transmitted over the network without using TLS or encrypting the update file itself
| |
| − | |-
| |
| − | | '''Update Location Writable'''
| |
| − | |
| |
| − | * Update Mechanism
| |
| − | |
| |
| − | * Storage location for update files is world writable potentially allowing firmware to be modified and distributed to all users
| |
| − | |-
| |
| − | | '''Denial of Service'''
| |
| − | |
| |
| − | * Device Network Services
| |
| − | |
| |
| − | * Service can be attacked in a way that denies service to that service or the entire device
| |
| − | |-
| |
| − | | '''Removal of Storage Media'''
| |
| − | |
| |
| − | * Device Physical Interfaces
| |
| − | |
| |
| − | * Ability to physically remove the storage media from the device
| |
| − | |-
| |
| − | | '''No Manual Update Mechanism'''
| |
| − | |
| |
| − | * Update Mechanism
| |
| − | |
| |
| − | * No ability to manually force an update check for the device
| |
| − | |-
| |
| − | | '''Missing Update Mechanism'''
| |
| − | |
| |
| − | * Update Mechanism
| |
| − | |
| |
| − | * No ability to update device
| |
| − | |-
| |
| − | | '''Firmware Version Display and/or Last Update Date'''
| |
| − | |
| |
| − | * Device Firmware
| |
| − | |
| |
| − | * Current firmware version is not displayed and/or the last update date is not displayed
| |
| − | |-
| |
| − | |}
| |
| | | | |
| | The OWASP Top 10 IoT Vulnerabilities from 2014 are as follows: | | The OWASP Top 10 IoT Vulnerabilities from 2014 are as follows: |
