
Updating and Patching The Internet of Things

From OWASP

Note: This page is a work in progress to capture major ideas on the topic. It will be formalized as the community provides more information and review.

= Background =

Discussion on OWASP-Community mailing list - Internet of Things and criticality of patching
* [http://lists.owasp.org/pipermail/owasp-community/2014-August/thread.html Mailing List Archive] - Thread starts at "[http://lists.owasp.org/pipermail/owasp-community/2014-August/000207.html Fwd: Reliable Patching as Top IoT Security Concern]"
* Venture Beat article by Michael Coates: [http://venturebeat.com/2014/08/23/the-internet-of-things-will-be-vulnerable-for-years-and-no-one-is-incentivized-to-fix-it/ The Internet of Things will be vulnerable for years, and no one is incentivized to fix it]
* [[OWASP_Internet_of_Things_Top_Ten_Project | OWASP Internet of Things Top 10]] & [[Top_10_2014-I9_Insecure_Software/Firmware | #9 Insecure Software/Firmware]]

= Major Topics =

== Seamless & Reliable Update vs Secure Update ==
Explain the difference in the intent of the two topics.

== Different Categories of IoT Devices ==
Life impacting vs internet as a feature
* Category 1 - Medical & other life impacting systems, cars, what else?
* Category 2 - Non-life systems - Ovens, refrigerators, pedometers, thermostats

=== Methodology to Determine Cat 1 vs Cat 2 ===
Prescriptive process to determine whether an IoT device is cat 1 or cat 2
* Ideas for consideration to determine cat 1
** A malfunction of the device results in immediate impact to the safety/wellbeing of individuals

ToDo: Review other risk frameworks and determine applicability

== Expectations for Updates ==

=== Cat 1 ===
Delivered under supervision

=== Cat 2 ===
* Delivered remotely
* Point of consideration - whether to allow users to delay an update for X number of hours, force a reboot, etc.

= Examples of IoT Devices =
* Smart Appliances - [http://www.geappliances.com/connected-home-smart-appliances/ GE], [http://www.tmio.com/products/ tmio]
** "Preheat your oven from the grocery store."
** "The World's Finest Professional Cooking Ovens. Telephone, Cell Phone, and Internet Command & Control"
* Webcams
* Personal Health
** Pedometers
* Locks
* Medical Devices
* Multiple Devices listed at these sites:
** http://iotlist.co/

= References =
* [http://venturebeat.com/2014/08/23/the-internet-of-things-will-be-vulnerable-for-years-and-no-one-is-incentivized-to-fix-it/ The Internet of Things will be vulnerable for years, and no one is incentivized to fix it] - Article to further explain the importance of IoT patching
* http://www.theinternetofthings.eu/

Latest revision as of 19:52, 26 August 2014
