Updating and Patching The Internet of Things

Revision as of 18:29, 26 August 2014 by MichaelCoates (edit summary: Examples of IoT Devices)


Note: This page is a work in progress to capture major ideas on the topic. It will be formalized as the community provides more information and review.


Discussion on OWASP-Community mailing list - Internet of Things and criticality of patching

Major Topics

Seamless & Reliable Update vs Secure Update

Explain how the intent of the two differs: a seamless, reliable update is about the new firmware arriving and being applied without breaking the device or interrupting the user; a secure update is about the device accepting only firmware that is authentic, unmodified, and not older than what it already runs.
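As an added illustration (not part of the original page or of any OWASP project code), the Go program below keeps the two concerns apart: SecureCheck does what a secure update must do (verify the vendor's ed25519 signature over a manifest, check that the image hashes to the value in that manifest, and refuse any version not newer than the installed one), while Apply does what a reliable update must do (stage the image in a standby slot, self-test it, and swap only on success so a bad image never replaces a working one). The manifest layout, the Device type, the A/B slot model and the sample firmware strings are assumptions made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the metadata shipped beside a firmware image (hypothetical format for this example).
// The signature covers Version and ImageHash, so an attacker cannot pair a valid signature with
// a different image or a different version number.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte // ed25519 signature over signedBytes()
}

// signedBytes serialises the fields the vendor signs: big-endian version followed by the SHA-256 of the image.
func (m Manifest) signedBytes() []byte {
	buf := make([]byte, 4, 4+32)
	binary.BigEndian.PutUint32(buf, m.Version)
	return append(buf, m.ImageHash[:]...)
}

// SignManifest is the vendor side: hash the image and sign (version, hash) with the release key.
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// Device models a device with two firmware slots (A/B) and the version it currently runs.
type Device struct {
	VendorPub ed25519.PublicKey // provisioned at manufacture; assumed immutable
	Version   uint32            // version of the image in Active
	Active    []byte
	Standby   []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("image hash does not match signed manifest")
	ErrRollback     = errors.New("image version is not newer than the installed version")
)

// SecureCheck is the "secure update" half: authenticity, integrity, and anti-rollback.
// Order matters: the signature is checked first so nothing unauthenticated influences later decisions.
func (d *Device) SecureCheck(m Manifest, image []byte) error {
	if !ed25519.Verify(d.VendorPub, m.signedBytes(), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	if m.Version <= d.Version {
		return ErrRollback
	}
	return nil
}

// Apply is the "reliable update" half: stage into the standby slot, self-test, and swap atomically.
// A failed self-test leaves the running image and version untouched.
func (d *Device) Apply(m Manifest, image []byte, selfTest func([]byte) bool) error {
	if err := d.SecureCheck(m, image); err != nil {
		return err
	}
	d.Standby = append([]byte(nil), image...) // write to the inactive slot only
	if !selfTest(d.Standby) {
		return errors.New("new image failed self-test; staying on current version")
	}
	d.Active, d.Standby = d.Standby, d.Active // the bootloader's slot switch, modelled as a swap
	d.Version = m.Version
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: pub, Version: 1, Active: []byte("firmware v1 (constructed sample)")}
	v2 := []byte("firmware v2 (constructed sample)")
	alwaysOK := func([]byte) bool { return true }

	fmt.Println("genuine v2:  ", dev.Apply(SignManifest(priv, 2, v2), v2, alwaysOK))
	fmt.Println("replayed v2: ", dev.SecureCheck(SignManifest(priv, 2, v2), v2))
	fmt.Println("tampered v3: ", dev.SecureCheck(SignManifest(priv, 3, v2), []byte("firmware v3 (tampered)")))
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("attacker key:", dev.SecureCheck(SignManifest(attacker, 3, v2), v2))
}
```

On real hardware the vendor public key belongs in immutable storage and the installed version counter in storage the running image cannot decrement; otherwise the anti-rollback check can be undone by the very firmware it is meant to protect. The swap in Apply stands in for the bootloader flipping the active slot, which is what makes the reliability half work: a power loss mid-write corrupts only the standby slot.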

Different Categories of IoT Devices

Life-impacting systems vs. devices for which internet connectivity is a feature

  • Category 1 - Medical and other life-impacting systems, cars, what else?
  • Category 2 - Non-life-impacting systems - ovens, refrigerators, pedometers, thermostats

Methodology to Determine Cat 1 vs Cat 2

Prescriptive process to determine whether an IoT device is Cat 1 or Cat 2

  • Criteria under consideration for classifying a device as Cat 1:
    • A malfunction of the device results in immediate impact to the safety or wellbeing of individuals

ToDo: Review other risk frameworks and determine applicability

Expectations for Updates

Cat 1

Delivered under supervision

Cat 2

  • Delivered remotely
  • Point of consideration: whether to allow users to delay an update for X hours, whether to force a reboot, etc.

Examples of IoT Devices

  • Smart Appliances - GE, tmio
    • "Preheat your oven from the grocery store."
    • "The World's Finest Professional Cooking Ovens. Telephone, Cell Phone, and Internet Command & Control"
  • Webcams
  • Pedometers
  • Medical Devices
  • Multiple Devices listed at these sites: