Internet of Things Top Ten 2014 - OWASP
Internet of Things Top Ten
Agenda
- Introduction
- Misconception
- Considerations
- The OWASP Internet of Things Top 10 Project
- The Top 10 Walkthrough
26 Billion by 2020
- 30 fold increase from 2009 in Internet of Things install base
- Revenue exceeding $300 billion in 2020
- $1.9 trillion in global economic impact
*Gartner Internet of Things Report 2013
Misconception | It’s all about the device
• It’s not just about the device, or the network, or the clients
• There are MANY surface areas involved
• Each of these needs to be evaluated
Considerations | A holistic approach is required
• All elements need to be considered:
  • The Internet of Things Device
  • The Cloud
  • The Mobile Application
  • The Network Interfaces
  • The Software
  • Use of Encryption
  • Use of Authentication
  • Physical Security
  • USB ports
• Enter the OWASP Internet of Things Top Ten Project
Internet of Things Top Ten Project | A complete IoT Review
• Review all aspects of Internet of Things
• Top Ten Categories
• Covers the entire device
• Without comprehensive coverage like this, it would be like getting a physical but having only one arm checked
• We must cover all surface areas to get a good assessment of overall security
I1 | Insecure Web Interface
I1 | Insecure Web Interface | Testing
• Account Enumeration
• Weak Default Credentials
• Credentials Exposed in Network Traffic
• Cross-site Scripting (XSS)
• SQL Injection
• Session Management
• Account Lockout
I1 | Insecure Web Interface | Make It Secure
I2 | Insufficient Authentication/Authorization
I2 | Insufficient Authentication/Authorization | Testing
• Lack of Password Complexity
• Poorly Protected Credentials
• Lack of Two-Factor Authentication
• Insecure Password Recovery
• Privilege Escalation
• Lack of Role-Based Access Control
I2 | Insufficient Authentication/Authorization | Make It Secure
I3 | Insecure Network Services
I3 | Insecure Network Services | Testing
• Vulnerable Services
• Buffer Overflow
• Open Ports via UPnP
• Exploitable UDP Services
• Denial-of-Service
• DoS via Network Device Fuzzing
I3 | Insecure Network Services | Make It Secure
I4 | Lack of Transport Encryption
I4 | Lack of Transport Encryption | Testing
• Unencrypted Services via the Internet
• Unencrypted Services via the Local Network
• Poorly Implemented SSL/TLS
• Misconfigured SSL/TLS
I4 | Lack of Transport Encryption | Make It Secure
I5 | Privacy Concerns
I5 | Privacy Concerns | Testing
• Collection of Unnecessary Personal Information
I5 | Privacy Concerns | Make It Secure
I6 | Insecure Cloud Interface
I6 | Insecure Cloud Interface | Testing
• Account Enumeration
• No Account Lockout
• Credentials Exposed in Network Traffic
I6 | Insecure Cloud Interface | Make It Secure
I7 | Insecure Mobile Interface
I7 | Insecure Mobile Interface | Testing
• Account Enumeration
• No Account Lockout
• Credentials Exposed in Network Traffic
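Account enumeration, weak default credentials and missing account lockout recur across the I1, I6 and I7 test lists above, and poorly protected credentials under I2. The following is an added illustration, not code from this presentation or from the OWASP project, of a login routine for a device or cloud interface that closes those test items: one generic failure message for every failure case, the same password-hashing work for unknown and known usernames so response time does not reveal which accounts exist, a lockout counter, and a factory-default account that can only be used to set a real password. The user store, policy constants and `Account` class are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Policy constants (constructed for this example; tune to the device's threat model)
PBKDF2_ITERATIONS = 100_000
LOCKOUT_THRESHOLD = 5                          # failed attempts before the account locks
LOCKOUT_SECONDS = 300                          # how long a lock lasts
GENERIC_FAILURE = "Invalid username or password"   # the only message any failure returns


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = False   # True for factory-default credentials
    failures: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a dumped credential store is not directly usable
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(password: str, must_change_password: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(salt, hash_password(password, salt), must_change_password)


# A throwaway account with a random password. Unknown usernames are checked against it
# so that a miss costs the same PBKDF2 work as a hit; otherwise response time would
# reveal which usernames exist.
_DECOY = create_account(secrets.token_hex(16))


def login(store: dict, username: str, password: str,
          now: Optional[float] = None) -> tuple:
    """Return (authenticated, message). Every failure path returns GENERIC_FAILURE."""
    now = time.time() if now is None else now
    known = username in store
    account = store[username] if known else _DECOY

    # Always perform the comparison, even for unknown or locked accounts.
    candidate = hash_password(password, account.salt)
    password_ok = hmac.compare_digest(candidate, account.pw_hash)

    if not known:
        return False, GENERIC_FAILURE
    if account.locked_until > now:
        # A locked account answers exactly like a bad password; lock state is not disclosed.
        return False, GENERIC_FAILURE
    if not password_ok:
        account.failures += 1
        if account.failures >= LOCKOUT_THRESHOLD:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failures = 0
        return False, GENERIC_FAILURE

    account.failures = 0
    if account.must_change_password:
        # Default credentials work exactly once, and only to set a real password.
        return True, "Password change required"
    return True, "OK"


if __name__ == "__main__":
    users = {"admin": create_account("factory-default", must_change_password=True)}
    print(login(users, "admin", "factory-default"))   # (True, 'Password change required')
    print(login(users, "ghost", "anything"))           # (False, 'Invalid username or password')
```

Per-account lockout only protects accounts that exist; the matching control for guesses against unknown usernames is rate limiting by source, which sits in front of this routine. All of this assumes the interface is reached over TLS (see I4), since a hashed store does nothing for credentials sent in the clear.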
I7 | Insecure Mobile Interface | Make It Secure
I8 | Insufficient Security Configurability
I8 | Insufficient Security Configurability | Testing
• Lack of Granular Permission Model
• Lack of Password Security Options
• No Security Monitoring
• No Security Logging
I8 | Insufficient Security Configurability | Make It Secure
I9 | Insecure Software/Firmware
I9 | Insecure Software/Firmware | Testing
• Encryption Not Used to Fetch Updates
• Update File Not Encrypted
• Update Not Verified Before Upload
• Firmware Contains Sensitive Information
• No Obvious Update Functionality
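The first three I9 test items (updates fetched without encryption, not verified before being applied, and nothing preventing an older image from being reinstalled) describe an update path a device should refuse. The code below is an added example, not the presentation's or OWASP's, of the receiving side of such a path: it accepts only a TLS update source, authenticates the whole package before parsing anything from it, checks the image digest against the manifest, rejects versions that are not newer than the installed firmware, and writes to flash only after every check passes. The package layout (length-prefixed JSON manifest, image, 32-byte tag) and the key are constructed for this example; HMAC-SHA256 stands in for the asymmetric signature a real device would verify with a vendor public key held in read-only storage, because HMAC is available in the standard library.

```python
import hashlib
import hmac
import json
import struct
from urllib.parse import urlparse

# Constructed for this example. A production device holds a vendor *public* key and
# verifies an asymmetric signature; a shared HMAC key is used here only so the example
# runs with the standard library. The packaging format below is also invented.
DEVICE_VERIFY_KEY = b"constructed-example-key-not-for-production"
TAG_LEN = 32


class UpdateRejected(Exception):
    pass


def update_source_allowed(url: str) -> bool:
    """'Encryption Not Used to Fetch Updates': only a TLS transport is acceptable."""
    return urlparse(url).scheme == "https"


def build_package(version: int, image: bytes) -> bytes:
    """What the vendor's signing step would produce (constructed format)."""
    manifest = {"version": version, "image_sha256": hashlib.sha256(image).hexdigest()}
    manifest_raw = json.dumps(manifest, sort_keys=True).encode("utf-8")
    body = struct.pack(">I", len(manifest_raw)) + manifest_raw + image
    tag = hmac.new(DEVICE_VERIFY_KEY, body, hashlib.sha256).digest()
    return body + tag


def verify_package(blob: bytes, installed_version: int) -> tuple:
    """Check authenticity, integrity and version; nothing is written here."""
    if len(blob) < 4 + TAG_LEN:
        raise UpdateRejected("truncated package")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(DEVICE_VERIFY_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise UpdateRejected("authentication tag mismatch")
    # The manifest is parsed only after the tag check, so unauthenticated bytes
    # never reach the JSON parser.
    (mlen,) = struct.unpack(">I", body[:4])
    manifest_raw, image = body[4:4 + mlen], body[4 + mlen:]
    if len(manifest_raw) != mlen:
        raise UpdateRejected("manifest length out of range")
    manifest = json.loads(manifest_raw)
    if hashlib.sha256(image).hexdigest() != manifest.get("image_sha256"):
        raise UpdateRejected("image digest does not match manifest")
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        raise UpdateRejected("version is not newer than installed firmware (rollback)")
    return manifest, image


def apply_update(blob: bytes, installed_version: int, flash: bytearray) -> tuple:
    """Write the image to `flash` only after verify_package succeeds."""
    try:
        manifest, image = verify_package(blob, installed_version)
    except UpdateRejected as exc:
        return False, f"rejected: {exc}"
    except ValueError as exc:            # malformed JSON manifest
        return False, f"rejected: malformed package ({exc})"
    flash[:] = image                     # the only write, after every check
    return True, f"installed version {manifest['version']}"


if __name__ == "__main__":
    firmware = b"\x7fELF constructed firmware image"
    package = build_package(2, firmware)
    device_flash = bytearray(b"old image")
    print(update_source_allowed("http://updates.example/fw.bin"))   # False
    print(apply_update(package, 1, device_flash))                    # (True, 'installed version 2')
```

The order of checks is the point: authenticate the bytes, then parse, then compare version, then write. Encrypting the image (the second I9 item) is a separate step layered under the same tag, and the "Firmware Contains Sensitive Information" item is a review of the image contents that no receiving-side code can substitute for.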
I9 | Insecure Software/Firmware | Make It Secure
I10 | Poor Physical Security
I10 | Poor Physical Security | Testing
• Access to Software via USB Ports
• Removal of Storage Media
I10 | Poor Physical Security | Make It Secure
Resources
• OWASP Internet of Things Top Ten
• Email List