OWASP IoT (Internet of Things) Top 10 - 2014
Introduction:
In today's world everyday things are becoming smart: every hour thousands of smart devices are added to the Internet, whether toasters, cameras, refrigerators, TVs or cars. Each of them is a reachable target for attackers, and the OWASP IoT Top 10 was created to address this.
The OWASP IoT Top 10 is designed to make these everyday devices secure, along the same lines as the OWASP Top 10 for web applications.
The OWASP Internet of Things Top 10 - 2014 is as follows:
- I1 – Insecure Web Interface
- I2 – Insufficient Authentication/Authorization
- I3 – Insecure Network Services
- I4 – Lack of Transport Encryption
- I5 – Privacy Concerns
- I6 – Insecure Cloud Interface
- I7 – Insecure Mobile Interface
- I8 – Insufficient Security Configurability
- I9 – Insecure Software/Firmware
- I10 – Poor Physical Security
How to test for OWASP IoT Top 10
I1 – Insecure Web Interface:
Many everyday devices have a built-in web server for management, but unfortunately these interfaces are often not secure.
A well-known case is the TrendNet cameras that served their live video feed to anyone who requested the stream URL: the camera had a login page, but an attacker could bypass it and reach the feed directly.
Anyone familiar with application security can test this interface as a normal web application: check for CSRF, XSS, SQL injection, default credentials and so on.
I2 – Insufficient Authentication/Authorization:
Here the application-security tester checks the login for authentication and authorization flaws: no password at all, weak or factory-default passwords, missing password complexity rules, SQL injection in the login form, and missing access control between accounts. Any storage attached to the device (SD card, USB stick) should also be checked for unencrypted sensitive information.
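The two checks above can be automated against a device's management UI. The following is an added example (not code from the original article or from any vendor): it starts a constructed stand-in for a camera's web interface on localhost, then audits it for factory-default credentials (I2) and for state-changing forms that carry no anti-CSRF token (I1). The credential list, the HTTP Basic auth scheme and the settings form are all assumptions made for the demo; point `audit_device` at a real device URL to run the same checks.

```python
import base64
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed stand-in for an IoT camera's management UI (assumption: the
# device protects pages with HTTP Basic auth and ships with admin:admin).
DEVICE_USER = "admin"
DEVICE_PASS = "admin"

# Settings form as a vulnerable device would serve it: no hidden CSRF field.
SETTINGS_FORM = b"""<html><body>
<form method="POST" action="/settings">
  <input type="text" name="wifi_ssid">
  <input type="password" name="wifi_psk">
  <input type="submit" value="Save">
</form>
</body></html>"""


class MockDeviceHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output quiet
        pass

    def _authorized(self):
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return False
        try:
            user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
        except Exception:
            return False
        return (user, pw) == (DEVICE_USER, DEVICE_PASS)

    def do_GET(self):
        if not self._authorized():
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="camera"')
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(SETTINGS_FORM)


def start_mock_device():
    """Serve the mock UI on a free localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockDeviceHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


# Factory defaults commonly seen on embedded devices (constructed list).
DEFAULT_CREDS = [("admin", ""), ("admin", "admin"), ("admin", "1234"),
                 ("root", "root"), ("user", "user")]


def try_login(base_url, user, pw):
    """Attempt one Basic-auth login; returns (accepted, page_html)."""
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    req = Request(base_url + "/", headers={"Authorization": "Basic " + token})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status == 200, resp.read().decode()
    except HTTPError as e:
        if e.code == 401:
            return False, ""
        raise


def find_default_credentials(base_url):
    """I2: return the first factory-default pair the device accepts, else None."""
    for user, pw in DEFAULT_CREDS:
        accepted, _ = try_login(base_url, user, pw)
        if accepted:
            return user, pw
    return None


FORM_RE = re.compile(r"<form\b[^>]*>(.*?)</form>", re.S | re.I)
INPUT_RE = re.compile(r"<input\b[^>]*>", re.I)
TOKEN_RE = re.compile(r'name="[^"]*(csrf|token|nonce)[^"]*"', re.I)


def forms_without_csrf_token(html):
    """I1: count forms that carry no input whose name looks like an anti-CSRF token."""
    missing = 0
    for form in FORM_RE.finditer(html):
        inputs = INPUT_RE.findall(form.group(1))
        if not any(TOKEN_RE.search(i) for i in inputs):
            missing += 1
    return missing


def audit_device(base_url):
    """Run both checks and return human-readable findings."""
    findings = []
    creds = find_default_credentials(base_url)
    if creds:
        findings.append(f"I2: default credentials accepted: {creds[0]}:{creds[1]!r}")
        _, html = try_login(base_url, *creds)
        n = forms_without_csrf_token(html)
        if n:
            findings.append(f"I1: {n} form(s) lack an anti-CSRF token")
    return findings


if __name__ == "__main__":
    server, url = start_mock_device()
    for finding in audit_device(url):
        print(finding)
    server.shutdown()
```

The CSRF check is a heuristic (it looks for a token-like field name), so confirm any hit by replaying the form from a different origin; a device that accepts the replay without a token is vulnerable regardless of what the field is called.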
I3 – Insecure Network Services:
Insecure network services such as telnet, FTP and finger are supposed to be history: organizations now use SSH, SFTP and similar secure services, but unfortunately many everyday devices still run the old ones. Some even ship with hard-coded telnet logins, which is disastrous from an information-security viewpoint. Port-scan the device, grab the banner of every open service and note which of them prompt for credentials over cleartext.
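A minimal version of that port-and-banner check, as an added example that is not part of the original article. It starts a constructed stand-in for an embedded telnetd on localhost (the BusyBox-style banner is invented for the demo), connects to each port in an assumed list of legacy services without sending any credentials, and flags services that prompt for a login over an unencrypted connection. Replace the port map and host with the device under test.

```python
import socket
import threading

# Legacy services that carry credentials in the clear (assumed port list).
INSECURE_SERVICES = {21: "ftp", 23: "telnet", 79: "finger"}


def start_mock_telnet(banner=b"\r\nBusyBox v1.19 login: "):
    """Constructed stand-in for an embedded telnetd; listens on a free localhost port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed by the caller
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def unused_port():
    """Bind and release a port so the closed-port path can be exercised."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def grab_banner(host, port, timeout=2.0):
    """Connect and return (is_open, banner_bytes) without sending anything."""
    with socket.socket() as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            return False, b""
        try:
            return True, s.recv(256)
        except socket.timeout:
            return True, b""  # open, but silent until the client speaks


def enumerate_insecure_services(host, port_map):
    """Return a finding string for every open port in port_map (port -> label)."""
    findings = []
    for port, label in port_map.items():
        is_open, banner = grab_banner(host, port)
        if not is_open:
            continue
        note = f"{label} open on {host}:{port}"
        lowered = banner.lower()
        if b"login" in lowered or b"password" in lowered:
            note += " (prompts for credentials over cleartext)"
        text = banner.decode("ascii", "replace").strip()
        if text:
            note += f" banner={text!r}"
        findings.append(note)
    return findings


if __name__ == "__main__":
    mock = start_mock_telnet()
    mock_port = mock.getsockname()[1]
    # Scan the well-known ports plus the mock listener standing in for port 23.
    ports = dict(INSECURE_SERVICES, **{mock_port: "telnet"})
    for finding in enumerate_insecure_services("127.0.0.1", ports):
        print(finding)
    mock.close()
```

A banner alone does not prove a hard-coded login; follow up by trying the credentials recovered from the firmware (see I9) against the telnet prompt, and record whether the service can be disabled from the device's own configuration.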
I4 – Lack of Transport Encryption:
Just as the OWASP Top 10 for applications requires sensitive information to be encrypted in transit, the same applies to IoT: credentials and data must travel over HTTPS (TLS) with valid certificates, and the device must actually verify the certificate rather than accept any. Check this by capturing the traffic between the device, its mobile app and its cloud, and by presenting the device with a self-signed certificate to see whether it still connects.
I5 – Privacy Concerns:
When testing for privacy concerns, such as exposure of unencrypted personal or financial data, check the technical side: what data the device collects, whether it is more than the function needs, where it is sent and stored, and whether any of it leaks in cleartext, since each of these can turn into a privacy violation.
I6 – Insecure Cloud Interface:
IoT devices ask users to connect them to an external cloud for sharing data. These remote web applications, APIs and so on can have the same vulnerabilities as any web application, so they should be tested as well, in addition to the OWASP IoT Top 10 points.
I7 – Insecure Mobile Interface:
OWASP's I7 concerns the mobile app used to control the device, which should be tested like any mobile application: weak authentication, credentials or data sent in the clear, and account enumeration. A related wireless issue: some IoT devices act as wireless access points, for example a smart TV for a streaming feature, and this can be a big problem because such an access point is reachable from outside just like a public WAP. So in addition to application security we have to look at network security too: use strong encryption (WPA2 with a strong passphrase), do not rely on hiding the SSID (not broadcasting it is not a security control), and disable the access point when it is not needed.
I8 – Insufficient Security Configurability:
Insufficient security configurability arises when a device does not let its owner configure a particular security feature: for example, it cannot enforce permissions for different users, cannot enforce a password policy, or offers no way to enable encryption or logging.
I9 – Insecure Software/Firmware :
As per OWASP, insecure software/firmware concerns how the device gets updated: the update must travel over a secure channel, and the device must verify the update (a signature, or at least an integrity check against a trusted value) so that its content cannot be altered in transit.
Sometimes the software/firmware also contains hard-coded credentials, which is a very serious issue. One can check for these by capturing the network traffic while the device updates (is the image downloaded over plaintext HTTP? is it signed and verified?) and by extracting the firmware image and searching its strings for credentials, password hashes, private keys and update URLs.
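The firmware-side search can be scripted once the image has been unpacked. The following is an added example, not code from the original article: it runs over a constructed text dump of the kind that `strings` or an unpacked squashfs root would yield (the accounts, hash, telnetd line and `.test` URLs are invented for the demo), and reports baked-in password hashes, a telnet daemon started at boot (I3), hard-coded secrets, and update or cloud URLs that use plaintext HTTP (I4/I9). The regexes are heuristics and assumptions of this example, so treat hits as leads to confirm by hand.

```python
import re
from urllib.parse import urlparse

# Constructed firmware dump: what strings(1) over an unpacked root might show.
# Not a real vendor image; every value here is invented for the demo.
FIRMWARE_STRINGS = b"""\
root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/root:/bin/sh
admin:x:1000:1000::/home/admin:/bin/sh
/usr/sbin/telnetd -l /bin/login
UPDATE_URL=http://updates.example-vendor.test/cam/firmware.bin
CLOUD_API=https://api.example-vendor.test/v1
mqtt_user=device
mqtt_pass=device123
"""

# passwd/shadow style line carrying a crypt(3) hash: user:$id$salt$hash:...
PASSWD_HASH_RE = re.compile(r"^([a-z_][a-z0-9_-]*):(\$[0-9a-z]+\$[^:]+):")
# telnet daemon referenced in an init script or rc file
TELNETD_RE = re.compile(r"\btelnetd\b")
# key=value style secrets (the leading class lets "mqtt_pass" match too)
SECRET_RE = re.compile(
    r"(?:^|[^a-z0-9])(pass(?:word|wd)?|pwd|secret|api_?key|private_?key)"
    r"\s*=\s*[\"']?([^\s\"']+)",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def scan_firmware_strings(blob):
    """Scan extracted firmware text; return (category, line_no, evidence) tuples."""
    findings = []
    for no, line in enumerate(blob.decode("utf-8", "replace").splitlines(), 1):
        m = PASSWD_HASH_RE.match(line)
        if m:
            # Report the account, not the hash itself, so findings can be shared.
            findings.append(("password-hash", no,
                             f"account {m.group(1)!r} carries a baked-in password hash"))
        if TELNETD_RE.search(line):
            findings.append(("telnet-service", no, line.strip()))
        for url in URL_RE.findall(line):
            if urlparse(url).scheme == "http":
                findings.append(("plaintext-url", no, url))
        if SECRET_RE.search(line):
            findings.append(("hardcoded-secret", no, line.strip()))
    return findings


def summarize(findings):
    """Count findings per category for a quick triage view."""
    counts = {}
    for category, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_firmware_strings(FIRMWARE_STRINGS)
    for category, line_no, evidence in results:
        print(f"line {line_no}: {category}: {evidence}")
    print(summarize(results))
```

A `plaintext-url` hit on the update endpoint is the one to chase first: capture an actual update and confirm whether the device checks a signature before flashing, because an unsigned image fetched over HTTP can be swapped by anyone on the path.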
I10 – Poor Physical Security:
Poor physical security relates to device ports that are reachable from outside and can be used for malicious activity; vendors often leave them in place for configuration and maintenance (USB, SD card slots, serial and other debug ports). An attacker with the device in hand can also disassemble it, remove the storage and read the data on it. The defences are encryption of the data stored on the device, physical protection of USB and similar ports, and disabling the ports that are not needed.