OWASP Top 10 Overview and Vulnerabilities

What is OWASP?

OWASP, also known as the Open Web Application Security Project, is an online platform that creates articles available freely, programs, documentation, tools, and techs from the web application security. It is a non-profit enterprise that is run by groups of people across the world. OWASP is not just limited to the web but also has other projects for Network security, Mobile app security, and IoT security as well.

What is the OWASP Top 10?

It represents the top 10 things to avoid when building, deploying, or managing IoT systems. The primary theme for the OWASP Top 10 is simplicity. 

Rather than having separate lists for risks vs. threats vs. vulnerabilities—or for developers vs. enterprises vs. consumers, the project team elected to have a single, unified list that captures the top things to avoid while dealing with IoT Security.

Variations of OWASP Top 10 Vulnerabilities.

Internet of Things (IoT) OWASP Top 10 2014:

• I1 Insecure Web Interface
• I2 Insufficient Authentication/Authorization
• I3 Insecure Network Services
• I4 Lack of Transport Encryption
• I5 Privacy Concerns
• I6 Insecure Cloud Interface
• I7 Insecure Mobile Interface
• I8 Insufficient Security Configurability
• I9 Insecure Software/Firmware
• I10 Poor Physical Security

Internet of Things (IoT) OWASP Top 10 2018:

• I1 Weak Guessable, or Hardcoded Passwords
• I2 Insecure Network Services
• I3 Insecure Ecosystem Interfaces
• I4 Lack of Secure Update Mechanism
• I5 Use of Insecure or Outdated Components
• I6 Insufficient Privacy Protection
• I7 Insecure Data Transfer and Storage
• I8 Lack of Device Management
• I9 Insecure Default Settings
• I10 Lack of Physical Hardening

Susceptible passwords rank the top in the list of security vulnerabilities. The expansion of the IoT ecosystem leads to managing more passwords along with the connections. A report on the internet listing the most obvious or predictable passwords are ‘’123456’’ and “passwords”. these two have topped the list for the fifth year straight!

Review of most recent OWASP Top 10 list

Weak, Predictable, or Strongly Coded Passwords

Using effortlessly brute-forced, available to the public, or unchangeable credentials, along with backdoors within the firmware or software of the client that gives unauthorized access to systems that are dispensed.

Insecure Network Services

Network Security is being used for quite a while now. Most of the organization’s network security platforms make use of Firewalls, Intrusion Detection Systems, and Web Application Firewalls. These are the barrier for intruders. 

 What about IoT? How do they adapt to the landscape?

It is vital to implement various security measures for the combined networks. Making sure that the Denial of Services attacks or any other attacks is not being done to hamper the user’s access.

Vulnerable Ecosystem Interfaces

A vulnerable web interface, cloud, mobile interface or API in the system may pose a threat to the device and the data within. Feeble encryption, weak filtering of input and output, lack of authorization are some of the common issues. 

Following is an example of the Barracuda Labs who performed a test of their mobile application and web network of one of the smart cameras which found the vulnerability which allowed the IoT device to gain access for:

• The validity of the certificate  is being ignored by the mobile application

• The Cross Site Scripting made the web application vulnerable.

• The files on the cloud server were bypassed with ease.

• The protection on the devices was not updated. 

• The server certificate’s validity was ignored by the device.

The default credentials need to be updated for security reasons, also ascertaining that the web network is exempt from Cross Site Scripting, SQL injection, or any CSRF attacks. The prevention of password attacks due to external force also should be enforced. 

For example, after a certain time of incorrect password attempts, the account should be obstructed from any further attempts to log in and recovered only through hardware reset.

Lack of Secure Update Mechanism

It is the inability to securely update the device. This includes the lack of firmware validation on the device, the lack of secure delivery (without encryption during transmission), the absence of mechanisms to prevent rollbacks, and the absence of notifications of security changes due to updates. The inability to update the device itself is a security weakness. Failure to install the update means that the devices remain vulnerable for an indefinite time.

The firmware or even the update in itself could be insecure. For example, the use of encrypted means is not done to receive the software or updated files are not encrypted enough or not being assessed for integrity pre hand, anti-rollback protection is not there or the notifications regarding the security changes are not given because of the updations. 

The manufacturer checking all these issues pre hand could be one of the resolutions to these issues. One has to check if their device is competent enough for the updations all together. Verify that the updates of the files are downloaded through a verified server with encrypted means and that the device is making use of secured architecture for the update installation.

Use of Insecure or Outdated Components

Using outdated or insecure software components or libraries that could compromise your device. This includes unsafe configuration of operating system platforms and the use of third-party software or hardware components from a compromised supply chain.

One vulnerable component can negate all configured security.
In early 2019, expert Paul Marrapiz identified vulnerabilities in the iLnkP2P P2P utility, which is installed on more than 2 million devices connected to the network: IP cameras, baby monitors, smart doorbells, and video recorders.

The first vulnerability CVE-2019-11219 allows an attacker to identify a device, the second is an authentication vulnerability in iLnkP2P CVE-2019-11220 – to intercept traffic in the clear, including video streams and passwords. For several months, Paul turned three times to the manufacturer and twice to the developer of the utility, but never received a response from them.

The only possible resolution to this issue could be to keep an eye on the security patches and keep the devices updated. If these do not come up, it is recommended to change the manufacturer. 

Inadequate protection of the privacy 

The data of the user that is saved on a device or any ecosystem is not being secured properly and without any permissions. 

IoT devices tend to gather intel about their environment including unsuspecting individuals.   Stolen or improperly processed user data can unintentionally discredit a person (for example, when improperly configured road cameras exposed unfaithful spouses), and can be abused in the future. 

To resolve the issue, one needs to check what all data is being collected by IoT devices, cloud interfaces, and Mobile applications. 

It is mandatory that the collected data is the only one that is necessary for the functioning of the device. Verify if there are proper permissions to store all the personal data and whether it is well protected; if the data storage policies are mandated. If there is any sort of negligence towards all these, the user may face problems with the law.

Data that IoT device can store:

• WiFi Passwords
• Geo-location information
• Device usage history which reveals the personal behaviour of the user
• Map of the house or building (Usual case with a smart vacuum cleaner)

Insecure Data Transfer and Storage

This is the lack of encryption or access control to sensitive data anywhere in the ecosystem, including during storage, during transmission, or during processing.

Internet of Things ( IoT) devices collect and store environmental data, including various personal information. A vulnerable password can be strengthened, but the hacked data from biometric devices can be hard to retrieve. 

IoT devices transmit the data along with storing them in an encrypted format at the same time.

If data transmission in the clear local network can be somehow explained, then in the case of a Wireless network or Internet transmission, it can become the property of anyone.

For much-secured communication, the user can make use of secure communication channels for the transfer of data but it is the manufacturer to make sure about the encryption of the stored passwords and rest database.   

Lack of Device Management

It is the lack of security support for devices deployed in production, including asset management, update management, secure decommissioning, system monitoring, and response. IoT devices are most often a black box. They lack the ability to find out the services running, what they interact with and to monitor the status of the work

Not all manufacturers give users IoT devices full control over the operating system and running applications, as well as checking the integrity and legitimacy of downloaded software or installing update patches on the OS.

During attacks, the device firmware can be reconfigured so that it can be repaired only by completely flashing the device. Silex malware is one similar example of the defects made use of. 

The solution to these problems can be the use of specialized software for managing devices of the Internet of things, for example, cloud solutions AWS, Google, IBM, etc.

Insecure Default Settings

The devices or systems come with unsafe default settings or are unable to make the system more secure by restricting users from changing configurations. The aim of any manufacturer is to spend less and use more. Many smart functions can be implemented within the device but, it can be quite challenging to configure security. 

For example, checking passwords for reliability is not supported by it, with varied rights, it cannot create accounts like users or administrators. For notifying the user about encryptions, logging ad other various security events, there isn’t any setting. 

Lack of Physical Hardening

The most consistent thing about devices is that we are used to using them on a daily basis. this could lead use switching of the handling of the devices from time to time. 

On top of device usage, there is also the aspect of how accessible a device is and what level of device access is really required. Do you need a USB port on your fridge at home? If so, do you need two USB ports? Physical access to a device is probably the easiest way to infiltrate and create some kind of damage (depending on the device). We wouldn’t even call it hacking but rather basic theft.

Conclusion

Whenever you are considering developing IoT related consumer products, make sure to consider implementing practices from OWASP IoT Top 10 in your DevOps life cycle.