What is OWASP?
OWASP, the Open Web Application Security Project, is a non-profit community that publishes freely available articles, methodologies, documentation, tools, and technologies for web application security. It is run by community groups across the world. OWASP is not limited to the web; it also maintains projects on network security, mobile application security, and IoT security.
What is the OWASP IoT Top 10?
It lists the top ten things to avoid when building, deploying, or managing IoT systems. The primary theme of the OWASP IoT Top 10 is simplicity.
Rather than having separate lists for risks, threats, and vulnerabilities, or for developers, enterprises, and consumers, the project team elected to have a single, unified list that captures the top things to avoid when dealing with IoT security.
OWASP IoT Top 10 Vulnerabilities (updated list):
- Weak, Guessable, or Hardcoded Passwords
- Insecure Network Services
- Insecure Ecosystem Interfaces
- Lack of Secure Update Mechanism
- Use of Insecure or Outdated Components
- Insufficient Privacy Protection
- Insecure Data Transfer and Storage
- Lack of Device Management
- Insecure Default Settings
- Lack of Physical Hardening
1. Weak, Guessable, or Hardcoded Passwords
Weak passwords remain among the top security vulnerabilities, and the expansion of IoT means more passwords and connections to manage. Common weak passwords such as “123456” and “password” have topped lists of the most-used passwords for five consecutive years.
Example: Weak passwords can be brute-forced, and credentials hardcoded in device firmware act as backdoors.
Mitigation: Use strong, unique passwords and never hardcode credentials in firmware. Implement account lockout after multiple failed login attempts.
2. Insecure Network Services
Network security has been a critical aspect of safeguarding systems for many years; organizations typically rely on firewalls, Intrusion Detection Systems (IDS), and Web Application Firewalls (WAFs) as barriers against unauthorized access and attacks. On an IoT device, the vulnerability is unneeded or insecure network services running on the device itself, especially those reachable from the Internet.
Example: IoT devices can be vulnerable to attacks such as Denial of Service (DoS) if their network services are not adequately protected by current network security measures.
Mitigation: Implement secure network protocols and services on IoT devices, and keep network security measures up to date and robust to safeguard against threats, including DoS attacks.
3. Insecure Ecosystem Interfaces
Vulnerabilities in web interfaces, cloud platforms, mobile interfaces, or APIs can expose devices and data to significant risks. Common issues include weak encryption, insufficient input and output filtering, and lack of proper authorization.
Example: Barracuda Labs identified several vulnerabilities in a smart camera’s mobile app and web interface:
- Ignored certificate validity by the mobile app
- Cross-Site Scripting (XSS) vulnerability
- Easy bypassing of cloud server files
- Outdated device protection
- Ignored server certificate validity by the device
Mitigation:
- Update default credentials to enhance security.
- Ensure that web interfaces are protected against Cross-Site Scripting (XSS), SQL injection, and CSRF attacks.
- Implement account lockout mechanisms after a set number of incorrect login attempts to prevent unauthorized access. Accounts should be recoverable only through a hardware reset.
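The password policy, the lockout, and the change-on-first-login handling called for in sections 1 and 3 above, as an added Python example (not part of the OWASP list or any vendor's code). The blocklist, the provisioning password and the salt are constructed; PBKDF2 from the standard library stands in for whatever KDF a device would use.

```python
import hashlib
import hmac
import os

# Constructed blocklist standing in for a published most-common-passwords list.
COMMON_PASSWORDS = {"123456", "password", "admin", "qwerty"}
MIN_LENGTH = 12
MAX_FAILURES = 5


def check_password(pw: str) -> bool:
    """Reject short or blocklisted passwords; applied on every set or change."""
    return len(pw) >= MIN_LENGTH and pw.lower() not in COMMON_PASSWORDS


class Account:
    """One device login: salted PBKDF2 verifier, failure counter, lockout flag."""

    def __init__(self, password: str, salt: bytes = b"") -> None:
        if not check_password(password):
            raise ValueError("password rejected by policy")
        self.salt = salt or os.urandom(16)  # unique per device, never a firmware constant
        self.verifier = self._derive(password)
        self.failures = 0
        self.locked = False
        self.must_change = True  # provisioning password must be replaced before normal use

    def _derive(self, pw: str) -> bytes:
        # PBKDF2-HMAC-SHA256; the iteration count is low only to keep the example fast.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 10_000)

    def login(self, pw: str) -> str:
        """Return 'ok', 'must_change', 'denied' or 'locked'."""
        if self.locked:
            return "locked"
        if not hmac.compare_digest(self.verifier, self._derive(pw)):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True  # only hardware_reset() reopens the account
            return "locked" if self.locked else "denied"
        self.failures = 0
        return "must_change" if self.must_change else "ok"

    def set_password(self, current: str, new: str) -> bool:
        # The replacement credential must pass the same policy as the first one.
        if self.login(current) not in ("ok", "must_change") or not check_password(new):
            return False
        self.verifier, self.must_change = self._derive(new), False
        return True

    def hardware_reset(self, provisioning_password: str) -> None:
        """Physical reset re-provisions the device; there is no remote unlock path."""
        self.__init__(provisioning_password)
```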
4. Lack of Secure Update Mechanism
This vulnerability arises from the inability to securely update a device. It encompasses issues such as lack of firmware validation, unencrypted delivery of updates, absence of rollback prevention mechanisms, and no notifications about security changes due to updates. Without secure update mechanisms, devices remain vulnerable indefinitely, as attackers can exploit unpatched vulnerabilities.
Example: Insecure firmware or update mechanisms might include:
- Lack of encryption for software updates
- Updates not checked for integrity before installation
- Absence of anti-rollback protection
- Lack of notifications about security changes from updates
Mitigation:
- Manufacturers should ensure updates are securely validated and encrypted.
- Verify that updates are downloaded from a trusted, verified server.
- Ensure the device uses a secure architecture for installing updates.
- Confirm that devices can receive and correctly apply updates.
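The device-side checks behind the mitigation list above, as an added Python example (not OWASP's or any vendor's code). The vendor key and firmware bytes are constructed, and an HMAC stands in for the asymmetric signature (for example Ed25519, with only the public key on the device) that a real update system would use; what the example shows is the order of the checks.

```python
import hashlib
import hmac
import json

# Constructed vendor key. On a real device an asymmetric signature with only the
# public key on the device replaces this HMAC; the sequence of checks is the same.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sign_manifest(manifest: dict) -> bytes:
    """Vendor side: canonical JSON of the manifest, authenticated with the vendor key."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(VENDOR_KEY, payload, hashlib.sha256).digest()


def build_update(version: int, image: bytes) -> dict:
    """Vendor side: the manifest carries the version and the image digest, then is signed."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return {"manifest": manifest, "signature": sign_manifest(manifest).hex(), "image": image}


def verify_update(update: dict, installed_version: int) -> str:
    """Device side. Order matters: authenticate before trusting any manifest field."""
    manifest = update["manifest"]
    expected = sign_manifest(manifest)
    if not hmac.compare_digest(expected, bytes.fromhex(update["signature"])):
        return "rejected: bad signature"
    # Anti-rollback: a validly signed but older (or equal) image must still be refused.
    if manifest["version"] <= installed_version:
        return f"rejected: rollback to version {manifest['version']}"
    # Integrity: the delivered image must match the digest inside the signed manifest.
    if hashlib.sha256(update["image"]).hexdigest() != manifest["sha256"]:
        return "rejected: image digest mismatch"
    return f"accepted: version {manifest['version']}"
```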
5. Use of Insecure or Outdated Components
Using outdated or insecure software components or libraries can compromise your device. This includes unsafe configurations of operating system platforms and the use of third-party software or hardware from compromised supply chains.
Example: In early 2019, researcher Paul Marrapese identified vulnerabilities in the iLnkP2P peer-to-peer (P2P) component, which is installed on over 2 million devices, including IP cameras, baby monitors, smart doorbells, and video recorders.
- CVE-2019-11219: Allows an attacker to identify a device.
- CVE-2019-11220: An authentication vulnerability in iLnkP2P that enables interception of clear-text traffic, including video streams and passwords.
Mitigation:
- Regularly monitor and apply security patches for components.
- Keep devices updated to mitigate vulnerabilities.
- If timely updates or patches are not provided, consider switching to a different manufacturer to ensure continued security.
6. Insufficient Privacy Protection
Inadequate protection of privacy occurs when user data saved on a device or within an ecosystem is not properly secured and is collected without appropriate permissions.
Example: IoT devices often gather information about their environment, including unsuspecting individuals. For instance, improperly configured road cameras have exposed personal details about unfaithful spouses. Such stolen or mishandled data can discredit individuals and may be misused in the future.
Mitigation: To address privacy protection issues, follow these steps:
- Review Data Collection: Examine what data is being collected by IoT devices, cloud interfaces, and mobile applications.
- Limit Data Collection: Ensure that only data necessary for the device’s functionality is collected.
- Verify Permissions: Confirm that proper permissions are in place for storing personal data.
- Ensure Protection: Make sure that the data is protected according to established storage policies.
- Legal Compliance: Address any negligence in these practices to avoid potential legal issues.
Examples of Data IoT Devices Can Store:
- WiFi passwords
- Geo-location information
- Device usage history, revealing personal behavior
- Maps of homes or buildings (e.g., from smart vacuum cleaners)
7. Insecure Data Transfer and Storage
Insecure data transfer and storage refer to the lack of encryption or access control over sensitive data within an ecosystem. This vulnerability can occur during data storage, transmission, or processing.
Example: IoT devices collect and store environmental data, including personal information. A compromised password can be changed or strengthened, but a breach of data from biometric devices is far harder to recover from, since a fingerprint or face cannot be reset.
Challenges:
- Data Transmission: IoT devices may transmit data without adequate encryption, making it vulnerable, especially over wireless networks or the Internet.
- Data Storage: If data is not stored securely, it can be accessed by unauthorized individuals.
Mitigation:
- Encrypt Data: Ensure data is encrypted during transmission and storage. This includes using secure communication channels for data transfer.
- Access Control: Implement strict access controls to protect data from unauthorized access.
- Secure Storage: Manufacturers should ensure that sensitive data, such as passwords and other personal information, is encrypted and stored securely.
- Review Practices: Regularly review and update security practices to address new vulnerabilities and threats.
Additional Notes:
- While local network transmission might be somewhat protected, wireless or Internet transmissions require robust encryption to prevent unauthorized access.
- Users should rely on secure communication channels, but manufacturers play a crucial role in ensuring encryption for stored data.
8. Lack of Device Management
Lack of device management refers to inadequate security support for devices deployed in production. This includes challenges in asset management, update management, secure decommissioning, system monitoring, and response. IoT devices are often treated as a “black box,” which means users cannot easily determine the services running on the device, what it interacts with, or monitor its operational status.
Challenges:
- Limited User Control: Not all manufacturers provide users with full control over the operating system and running applications. This limits the ability to check the integrity and legitimacy of downloaded software or install update patches on the operating system.
- Firmware Vulnerabilities: During an attack, device firmware can be modified, so that repairing the device requires a complete reset (reflashing). Silex malware, for instance, exploited vulnerabilities that left devices in this state.
Example:
- Silex Malware: This malware is a notable example where vulnerabilities were exploited, requiring a complete reset of the affected devices.
Solution: Specialized device management software can address these challenges. Examples include cloud-based IoT management platforms from AWS, Google Cloud, and IBM.
9. Insecure Default Settings
Devices or systems often ship with insecure default settings, or prevent operators from changing configurations so that the system cannot be made more secure. Manufacturers frequently aim to minimize costs and maximize functionality, which makes it difficult to configure security properly.
Example: Devices might not check password strength, lack the ability to create different account types (such as user or administrator accounts), and offer no settings for notifying users about encryption, logging, and other security events.
Mitigation: Ensure that devices allow secure configuration changes and enforce strong default security settings.
10. Lack of Physical Hardening
Devices are often handled daily, which can lead to inconsistent management and security risks. Unnecessary physical interfaces, such as an exposed USB port, also create vulnerabilities: a USB port on a home fridge is rarely essential and could pose a risk. Physical access to a device often provides an easy route to tamper with it or steal it, and in many cases the risk is basic theft rather than sophisticated hacking.
Mitigation: To enhance security, restrict physical access to devices and implement protective measures, such as tamper-resistant hardware, to prevent unauthorized access, tampering, or theft.
Conclusion
Whenever you are developing IoT-related consumer products, make sure to implement practices from the OWASP IoT Top 10 in your DevOps life cycle.