Updating and Patching The Internet of Things
From OWASP
Latest revision as of 19:52, 26 August 2014
Note: This page is a work in progress to capture major ideas on the topic. It will be formalized as the community provides more information and review.
Background
Discussion on OWASP-Community mailing list - Internet of Things and criticality of patching
- Mailing List Archive - Thread starts at "Fwd: Reliable Patching as Top IoT Security Concern"
- Venture Beat Article by Michael Coates The Internet of Things will be vulnerable for years, and no one is incentivized to fix it
- OWASP Internet of Things Top 10 & #9 Insecure Software/Firmware
Major Topics
Seamless & Reliable Update vs Secure Update
Explain the difference in the intent of the two topics: a seamless and reliable update is about delivery (the device obtains and applies the update without user friction and without being bricked by a failed or interrupted install), while a secure update is about trust (the device installs only firmware that is authentic, unaltered, and not an older, vulnerable version). A device needs both, and a mechanism that provides one does not automatically provide the other.
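The following is an added example, not code from the OWASP page or from any project it cites. It models the two concerns separately: the secure-update gate (signature over a manifest, the manifest pinning the image hash and size, and a monotonic anti-rollback floor) runs first and refuses anything untrusted; the reliable-update path (A/B slots, keep the old image, fall back if the new one fails its first boot) only ever runs on a package that passed the gate. The vendor key, firmware images and version numbers are constructed for the example; HMAC stands in for the asymmetric signature a real device would verify with a public key, purely so the block runs on the Python standard library.

```python
import hashlib
import hmac
import json

# Constructed for this example: a vendor signing key. A real device must hold only
# a PUBLIC key and verify an asymmetric signature (e.g. Ed25519), so that a
# compromised device does not yield the key that signs firmware for every other
# device. HMAC is used here only so the example runs on the standard library.
VENDOR_KEY = b"example-vendor-signing-key"


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    """Sign a canonical (sorted, compact) JSON encoding so signer and verifier
    hash identical bytes."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_package(version: int, image: bytes, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: the signature covers the manifest; the manifest pins the image."""
    manifest = {"version": version, "size": len(image),
                "sha256": hashlib.sha256(image).hexdigest()}
    return {"manifest": manifest, "signature": sign_manifest(manifest, key), "image": image}


class SecurityError(Exception):
    """The package failed an authenticity, integrity or anti-rollback check."""


class Device:
    """Two-slot (A/B) device model: 'active' runs, 'previous' is the fallback."""

    def __init__(self, version: int, image: bytes):
        self.active_version, self.active = version, image
        self.previous_version, self.previous = None, None
        self.rollback_floor = version   # monotonic: only ever increases
        self.pending_confirm = False    # True until a new image proves it boots

    # --- secure update: may this package be trusted at all? ---------------------
    def verify(self, package: dict, key: bytes = VENDOR_KEY) -> dict:
        manifest = package["manifest"]
        if not hmac.compare_digest(sign_manifest(manifest, key), package["signature"]):
            raise SecurityError("manifest signature invalid")
        if manifest["version"] <= self.rollback_floor:       # anti-rollback
            raise SecurityError("version %d is not newer than %d"
                                % (manifest["version"], self.rollback_floor))
        image = package["image"]
        if (len(image) != manifest["size"]
                or hashlib.sha256(image).hexdigest() != manifest["sha256"]):
            raise SecurityError("image does not match the signed manifest")
        return manifest

    # --- reliable update: apply it without bricking the device ------------------
    def install(self, package: dict) -> int:
        manifest = self.verify(package)            # the security gate comes first
        self.previous_version, self.previous = self.active_version, self.active
        self.active_version, self.active = manifest["version"], package["image"]
        self.rollback_floor = manifest["version"]  # this and older are refused from now on
        self.pending_confirm = True
        return self.active_version

    def boot(self, healthy: bool) -> int:
        """First boot on a new image; fall back to the old slot if it is unhealthy.
        The rollback floor is deliberately NOT lowered: falling back is a
        reliability measure, and the vendor must ship a newer, fixed version
        rather than re-push the one that failed."""
        if self.pending_confirm:
            if not healthy:
                self.active_version, self.active = self.previous_version, self.previous
            self.previous_version, self.previous = None, None
            self.pending_confirm = False
        return self.active_version


def demo() -> dict:
    """Constructed walk-through: one good update, three rejected packages, and
    one update that verifies but fails to boot and is rolled back."""
    dev = Device(version=3, image=b"firmware-v3")          # constructed images
    results = {}
    results["installed"] = dev.install(build_package(4, b"firmware-v4"))
    results["booted"] = dev.boot(healthy=True)
    rejected = {
        # signed manifest for v6, but the image bytes were swapped in transit
        "tampered": dict(build_package(6, b"firmware-v6"), image=b"firmware-v6-backdoored"),
        "forged": build_package(5, b"firmware-v5", key=b"attacker-key"),
        "downgrade": build_package(3, b"firmware-v3"),     # validly signed, but old
    }
    for name, pkg in rejected.items():
        try:
            dev.install(pkg)
            results[name] = "accepted"
        except SecurityError as exc:
            results[name] = str(exc)
    dev.install(build_package(5, b"firmware-v5-does-not-boot"))
    results["rolled_back_to"] = dev.boot(healthy=False)
    results["rollback_floor"] = dev.rollback_floor
    return results
```

Running demo() shows the split in practice: the tampered, forged and downgraded packages never reach the install path, and the v5 image that verifies but fails its first boot is replaced by the v4 slot while the rollback floor stays at 5, so the broken build cannot simply be pushed again.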
Different Categories of IoT Devices
Life-impacting systems vs devices where internet connectivity is a feature
- Category 1 - Medical & other life-impacting systems, cars, what else?
- Category 2 - Non-life-impacting systems - Ovens, refrigerators, pedometers, thermostats
Methodology to Determine Cat 1 vs Cat 2
Prescriptive process to determine whether an IoT device is cat 1 or cat 2
- Ideas for consideration to determine cat 1
  - A malfunction of the device has an immediate impact on the safety or wellbeing of individuals
ToDo: Review other risk frameworks and determine applicability
Expectations for Updates
Cat 1
Delivered under supervision
Cat 2
- Delivered remotely
- Point of consideration - whether to allow users to delay the update for a set number of hours, force a reboot, etc.
Examples of IoT Devices
- Smart Appliances - GE (http://www.geappliances.com/connected-home-smart-appliances/), tmio (http://www.tmio.com/products/)
  - "Preheat your oven from the grocery store."
  - "The World's Finest Professional Cooking Ovens. Telephone, Cell Phone, and Internet Command & Control"
- Webcams
- Personal Health
  - Pedometers
- Locks
- Medical Devices
- Multiple Devices listed at these sites:
  - http://iotlist.co/
References
- http://www.theinternetofthings.eu/