OWASP Top 10 Vulnerabilities IoT Security: Lack of Physical Hardening

secure-coding-practices
Secure Coding Practices 2021: Mobile Applications With Mobile Vulnerabilities
January 14, 2021
need of cybersecurity
Need of Cybersecurity as viewed by the Educational Boards of India
January 25, 2021

January 19, 2021

With ever increases attack surfaces with IoT devices, physical hardening is also one of the important aspects of IoT Security. Many times these devices are being part of critical infrastructure and threat actors will desire to backdoor it abusing the OWASP top 10 vulnerabilities.

There are a majority of ways in which an Iot device can be compromised and exploited.

The OWASP top 10 vulnerabilities are such that even a person who has almost zero knowledge about hacking can abuse the vulnerabilities to their ease.

Let’s say your IoT product connects to the MQTT server remotely and exposes the root shell over UART, in this scenario an attacker can gain access to the device. After basic enumeration, they will find your credentials to connect to the MQTT instance on a device that you shipped to customers. And this MQTT server is being used for pushing sensor data and common for everyone since the same creds will be inside of the firmware on the production device. You can now understand how quickly one can escalate from physical to remote access in our own infrastructure.

One more example that can be added here is the case of smart locks. Often these fancy smart locks with fingerprint and mobile app-control lack a simple thing. Yes, you guess it right, it lacks physical hardening. See the video below really laughable case where you can just open the lock by removing three screws, despite having cool and advance technological features.

Amazing demonstration of missing physical hardening by LockPickingLawyer

My personal one is supply chain attacks, for this, I would like to point out the wallet. fail research by Thomas Roth. He had found multiple vulnerabilities in 2018 for hardware-based cryptocurrency storage devices by Ledger. And none of these devices had any implementation to notify customers about physical tampering. In his talk at 35c3, he showcased a hardware implant to trigger malicious code remotely and was able to fit it inside that small device, in order to steal bitcoin transactions.

check out his research https://wallet.fail/

Conclusion

Mitigation for this class of OWASP top 10 vulnerabilities is fairly simple and already around us when you open screws in consumer devices such as laptops and smartphones they come with a colour coating that turns screw blue after coming in contact with air. It acts as an indicator of service personal to determine the warranty status of the product. Fairly simple but it can show whether the device has tampered with or not.

  • Educate your customer about physical tampering
  • Show them the indicators that you implemented
  • Spread awareness about legitimate sources to purchase your products
  • Implement a cost-effective mechanism to instantly notify your customer about device tampering, notification delivery should be instant.

Enable Notifications OK No thanks