IOT OWASP Pentesting Checklist

Uploaded by vikram8hat

Internet of Things (IoT) Top 10 2018

The OWASP IoT Top 10 - 2018 is now available.

I1 Weak, Guessable, or Hardcoded Passwords
I2 Insecure Network Services
I3 Insecure Ecosystem Interfaces
I4 Lack of Secure Update Mechanism
I5 Use of Insecure or Outdated Components
I6 Insufficient Privacy Protection
I7 Insecure Data Transfer and Storage
I8 Lack of Device Management
I9 Insecure Default Settings
I10 Lack of Physical Hardening

Attack Surface / Vulnerability

Ecosystem (general)
  - Interoperability standards
  - Data governance
  - System wide failure
  - Individual stakeholder risks
  - Implicit trust between components
  - Enrollment security
  - Decommissioning system
  - Lost access procedures

Device Memory
  - Sensitive data
  - Cleartext usernames
  - Cleartext passwords
  - Third-party credentials
  - Encryption keys

Device Physical Interfaces
  - Firmware extraction
  - User CLI
  - Admin CLI
  - Privilege escalation
  - Reset to insecure state
  - Removal of storage media
  - Tamper resistance
  - Debug port
      - UART (Serial)
      - JTAG / SWD
  - Device ID/Serial number exposure

Device Web Interface
  - Standard set of web application vulnerabilities, see:
      - OWASP Web Top 10
      - OWASP ASVS
      - OWASP Testing guide
  - Credential management vulnerabilities:
      - Username enumeration
      - Weak passwords
      - Account lockout
      - Known default credentials
      - Insecure password recovery mechanism

Device Firmware
  - Sensitive data exposure (see OWASP Top 10 - A6 Sensitive data exposure):
      - Backdoor accounts
      - Hardcoded credentials
      - Encryption keys
      - Encryption (Symmetric, Asymmetric)
      - Sensitive information
      - Sensitive URL disclosure
  - Firmware version display and/or last update date
  - Vulnerable services (web, ssh, tftp, etc.)
  - Verify for old software versions and possible attacks (Heartbleed, Shellshock, old PHP versions, etc.)
  - Security related function API exposure
  - Firmware downgrade possibility

Device Network Services
  - Information disclosure
  - User CLI
  - Administrative CLI
  - Injection
  - Denial of Service
  - Unencrypted Services
  - Poorly implemented encryption
  - Test/Development Services
  - Buffer Overflow
  - UPnP
  - Vulnerable UDP Services
  - DoS
  - Device Firmware OTA update block
  - Firmware loaded over insecure channel (no TLS)
  - Replay attack
  - Lack of payload verification
  - Lack of message integrity check
  - Credential management vulnerabilities:
      - Username enumeration
      - Weak passwords
      - Account lockout
      - Known default credentials
      - Insecure password recovery mechanism

Administrative Interface
  - Standard set of web application vulnerabilities, see:
      - OWASP Web Top 10
      - OWASP ASVS
      - OWASP Testing guide
  - Credential management vulnerabilities:
      - Username enumeration
      - Weak passwords
      - Account lockout
      - Known default credentials
      - Insecure password recovery mechanism
  - Security/encryption options
  - Logging options
  - Two-factor authentication
  - Check for insecure direct object references
  - Inability to wipe device

Local Data Storage
  - Unencrypted data
  - Data encrypted with discovered keys
  - Lack of data integrity checks
  - Use of static same enc/dec key

Cloud Web Interface
  - Standard set of web application vulnerabilities, see:
      - OWASP Web Top 10
      - OWASP ASVS
      - OWASP Testing guide
  - Credential management vulnerabilities:
      - Username enumeration
      - Weak passwords
      - Account lockout
      - Known default credentials
      - Insecure password recovery mechanism
  - Transport encryption
  - Two-factor authentication

Third-party Backend APIs
  - Unencrypted PII sent
  - Encrypted PII sent
  - Device information leaked
  - Location leaked

Update Mechanism
  - Update sent without encryption
  - Updates not signed
  - Update location writable
  - Update verification
  - Update authentication
  - Malicious update
  - Missing update mechanism
  - No manual update mechanism

Mobile Application
  - Implicitly trusted by device or cloud
  - Username enumeration
  - Account lockout
  - Known default credentials
  - Weak passwords
  - Insecure data storage
  - Transport encryption
  - Insecure password recovery mechanism
  - Two-factor authentication

Vendor Backend APIs
  - Inherent trust of cloud or mobile application
  - Weak authentication
  - Weak access controls
  - Injection attacks
  - Hidden services

Ecosystem Communication
  - Health checks
  - Heartbeats
  - Ecosystem commands
  - Deprovisioning
  - Pushing updates

Network Traffic
  - LAN
  - LAN to Internet
  - Short range
  - Non-standard
  - Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
  - Protocol fuzzing

Authentication/Authorization
  - Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
  - Reusing of session key, token, etc.
  - Device to device authentication
  - Device to mobile application authentication
  - Device to cloud system authentication
  - Mobile application to cloud system authentication
  - Web application to cloud system authentication
  - Lack of dynamic authentication

Privacy
  - User data disclosure
  - User/device location disclosure
  - Differential privacy

Hardware (Sensors)
  - Sensing Environment Manipulation
  - Tampering (Physically)
  - Damage (Physically)

Vulnerability / Attack Surface / Summary

Username Enumeration
  Attack surface: Administrative Interface; Device Web Interface; Cloud Interface; Mobile Application
  Summary: Ability to collect a set of valid usernames by interacting with the authentication mechanism.

Weak Passwords
  Attack surface: Administrative Interface; Device Web Interface; Cloud Interface; Mobile Application
  Summary: Ability to set account passwords to '1234' or '123456', for example. Usage of pre-programmed default passwords.

Account Lockout
  Attack surface: Administrative Interface; Device Web Interface; Cloud Interface; Mobile Application
  Summary: Ability to continue sending authentication attempts after 3 - 5 failed login attempts.

Unencrypted Services
  Attack surface: Device Network Services
  Summary: Network services are not properly encrypted to prevent eavesdropping or tampering by attackers.

Two-factor Authentication
  Attack surface: Administrative Interface; Cloud Web Interface; Mobile Application
  Summary: Lack of two-factor authentication mechanisms such as a security token or fingerprint scanner.

Poorly Implemented Encryption
  Attack surface: Device Network Services
  Summary: Encryption is implemented; however, it is improperly configured or is not being properly updated, e.g. using SSL v2.

Update Sent Without Encryption
  Attack surface: Update Mechanism
  Summary: Updates are transmitted over the network without using TLS or encrypting the update file itself.

Update Location Writable
  Attack surface: Update Mechanism
  Summary: Storage location for update files is world writable, potentially allowing firmware to be modified and distributed to all users.

Denial of Service
  Attack surface: Device Network Services
  Summary: Service can be attacked in a way that denies service to that service or the entire device.

Removal of Storage Media
  Attack surface: Device Physical Interfaces
  Summary: Ability to physically remove the storage media from the device.

No Manual Update Mechanism
  Attack surface: Update Mechanism
  Summary: No ability to manually force an update check for the device.

Missing Update Mechanism
  Attack surface: Update Mechanism
  Summary: No ability to update device.

Firmware Version Display and/or Last Update Date
  Attack surface: Device Firmware
  Summary: Current firmware version is not displayed and/or the last update date is not displayed.

Firmware and storage extraction
  Attack surface: JTAG / SWD interface; In-situ dumping; Intercepting an OTA update; Downloading from the manufacturer's web page; eMMC tapping; Unsoldering the SPI Flash / eMMC chip and reading it in an adapter
  Summary: Firmware contains a lot of useful information, like source code and binaries of running services, pre-set passwords, ssh keys, etc.

Manipulating the code execution flow of the device
  Attack surface: JTAG / SWD interface; Side channel attacks like glitching
  Summary: With the help of a JTAG adapter and gdb we can modify the execution of firmware in the device and bypass almost all software based security controls. Side channel attacks can also modify the execution flow or can be used to leak interesting information from the device.

Obtaining console access
  Attack surface: Serial interfaces (SPI / UART)
  Summary: By connecting to a serial interface, we will obtain full console access to a device. Usually security measures include custom bootloaders that prevent the attacker from entering single user mode, but that can also be bypassed.

Insecure 3rd party components
  Attack surface: Software
  Summary: Out of date versions of busybox, openssl, ssh, web servers, etc.

Attack Surface / Vulnerability

Ecosystem (general)
  - Interoperability standards
  - Data governance
  - System wide failure
  - Individual stakeholder risks
  - Implicit trust between components
  - Enrollment security
  - Decommissioning system
  - Lost access procedures

HL7
  - XML Parsing
  - XSS
  - Information Disclosure

Device Memory
  - Sensitive data
  - Cleartext usernames
  - Cleartext passwords
  - Third-party credentials
  - Encryption keys

Device Physical Interfaces
  - Firmware extraction
  - User CLI
  - Admin CLI
  - Privilege escalation
  - Reset to insecure state
  - Removal of storage media
  - Tamper resistance
  - Debug port
  - Device ID/Serial number exposure

Device Web Interface
  - Standard set of web vulnerabilities:
      - SQL injection
      - Cross-site scripting
      - Cross-site Request Forgery
      - Username enumeration
  - Credential management vulnerabilities:
      - Username enumeration
      - Weak passwords
      - Account lockout
      - Known default credentials
      - Insecure password recovery mechanism

Device Firmware
  - Sensitive data exposure:
      - Backdoor accounts
      - Hardcoded credentials
      - Encryption keys
      - Encryption (Symmetric, Asymmetric)
      - Sensitive information
      - Sensitive URL disclosure
  - Firmware version display and/or last update date
  - Vulnerable services (web, ssh, tftp, etc.)
  - Security related function API exposure
  - Firmware downgrade

Device Network Services
  - Information disclosure
  - User CLI
  - Administrative CLI
  - Injection
  - Denial of Service
  - Unencrypted Services
  - Poorly implemented encryption
  - Test/Development Services
  - Buffer Overflow
  - UPnP
  - Vulnerable UDP Services
  - DoS
  - Device Firmware OTA update block
  - Replay attack
  - Lack of payload verification
  - Lack of message integrity check
  - Credential management vulnerabilities:
      - Username enumeration
      - Weak passwords
      - Account lockout
      - Known default credentials
      - Insecure password recovery mechanism

Administrative Interface
  - Standard web vulnerabilities:
      - SQL injection
      - Cross-site scripting
      - Cross-site Request Forgery
      - Username enumeration
  - Credential management vulnerabilities:
      - Username enumeration
      - Weak passwords
      - Account lockout
      - Known default credentials
      - Insecure password recovery mechanism
  - Security/encryption options
  - Logging options
  - Two-factor authentication
  - Inability to wipe device

Local Data Storage
  - Unencrypted data
  - Data encrypted with discovered keys
  - Lack of data integrity checks
  - Use of static same enc/dec key

Cloud Web Interface
  - Standard set of web vulnerabilities:
      - SQL injection
      - Cross-site scripting
      - Cross-site Request Forgery
  - Credential management vulnerabilities:
      - Username enumeration
      - Weak passwords
      - Account lockout
      - Known default credentials
      - Insecure password recovery mechanism
  - Transport encryption
  - Two-factor authentication

Third-party Backend APIs
  - Unencrypted PII sent
  - Encrypted PII sent
  - Device information leaked
  - Location leaked

Update Mechanism
  - Update sent without encryption
  - Updates not signed
  - Update location writable
  - Update verification
  - Update authentication
  - Malicious update
  - Missing update mechanism
  - No manual update mechanism

Mobile Application
  - Implicitly trusted by device or cloud
  - Username enumeration
  - Account lockout
  - Known default credentials
  - Weak passwords
  - Insecure data storage
  - Transport encryption
  - Insecure password recovery mechanism
  - Two-factor authentication

Vendor Backend APIs
  - Inherent trust of cloud or mobile application
  - Weak authentication
  - Weak access controls
  - Injection attacks
  - Hidden services

Ecosystem Communication
  - Health checks
  - Heartbeats
  - Ecosystem commands
  - Deprovisioning
  - Pushing updates

Network Traffic
  - LAN
  - LAN to Internet
  - Short range
  - Non-standard
  - Wireless (WiFi, Z-wave, XBee, Zigbee, Bluetooth, LoRA)
  - Protocol fuzzing

Authentication/Authorization
  - Authentication/Authorization related values (session key, token, cookie, etc.) disclosure
  - Reusing of session key, token, etc.
  - Device to device authentication
  - Device to mobile application authentication
  - Device to cloud system authentication
  - Mobile application to cloud system authentication
  - Web application to cloud system authentication
  - Lack of dynamic authentication

Data Flow
  - What data is being captured?
  - How does it move within the ecosystem?
  - How is it protected in transit?
  - How is it protected at rest?
  - Who is that data shared with?

Hardware (Sensors)
  - Sensing Environment Manipulation
  - Tampering (Physically)
  - Damaging (Physically)
  - Failure state analysis

Section / Vulnerability

Device Firmware Vulnerabilities
  - Out-of-date core components
  - Unsupported core components
  - Expired and/or self-signed certificates
  - Same certificate used on multiple devices
  - Admin web interface concerns
  - Hardcoded or easy to guess credentials
  - Sensitive information disclosure
  - Sensitive URL disclosure
  - Encryption key exposure
  - Backdoor accounts
  - Vulnerable services (web, ssh, tftp, etc.)

Manufacturer Recommendations
  - Ensure that supported and up-to-date software is used by developers
  - Ensure that robust update mechanisms are in place for devices
  - Ensure that certificates are not duplicated across devices and product lines
  - Ensure supported and up-to-date software is used by developers
  - Develop a mechanism to ensure a new certificate is installed when old ones expire
  - Disable deprecated SSL versions
  - Ensure developers do not code in easy to guess or common admin passwords
  - Ensure services such as SSH have a secure password created
  - Develop a mechanism that requires the user to create a secure admin password during initial device s
  - Ensure developers do not hard code passwords or hashes
  - Have source code reviewed by a third party before releasing device to production
  - Ensure industry standard encryption or strong hashing is used

Device Firmware Guidance and Instruction
  - Firmware file analysis
  - Firmware extraction
  - Dynamic binary analysis
  - Static binary analysis
  - Static code analysis
  - Firmware emulation
  - File system analysis

Device Firmware Tools
  - Firmwalker
  - Firmware Modification Kit
  - Angr binary analysis framework
  - Binwalk firmware analysis tool
  - Binary Analysis Tool
  - Firmadyne

Vulnerable Firmware
  - Damn Vulnerable Router Firmware

Event Category / Events

Request Exceptions
  - Attempt to Invoke Unsupported HTTP Method
  - Unexpected Quantity of Characters in Parameter
  - Unexpected Type of Characters in Parameter

Authentication Exceptions
  - Multiple Failed Passwords
  - High Rate of Login Attempts
  - Additional POST Variable
  - Deviation from Normal GEO Location

Session Exceptions
  - Modifying the Existing Cookie
  - Substituting Another User's Valid SessionID or Cookie
  - Source Location Changes During Session

Access Control Exceptions
  - Modifying URL Argument Within a GET for Direct Object Access Attempt
  - Modifying Parameter Within a POST for Direct Object Access Attempt
  - Forced Browsing Attempt

Ecosystem Membership Exceptions
  - Traffic Seen from Disenrolled System
  - Traffic Seen from Unenrolled System
  - Failed Attempt to Enroll in Ecosystem
  - Multiple Attempts to Enroll in Ecosystem

Device Access Events
  - Device Case Tampering Detected
  - Device Logic Board Tampering Detected

Administrative Mode Events
  - Device Entered Administrative Mode
  - Device Accessed Using Default Administrative Credentials

Input Exceptions
  - Double Encoded Character
  - Unexpected Encoding Used

Command Injection Exceptions
  - Blacklist Inspection for Common SQL Injection Values
  - Abnormal Quantity of Returned Records

Honey Trap Exceptions
  - Honey Trap Resource Requested
  - Honey Trap Data Used

Reputation Exceptions
  - Suspicious or Disallowed User Source Location

Rank and ID / Title

1 - CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
2 - CWE-20: Improper Input Validation
3 - CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
4 - CWE-264: Permissions, Privileges, and Access Controls
5 - CWE-200: Information Exposure
6 - CWE-255: Credentials Management
7 - CWE-287: Improper Authentication
8 - CWE-399: Resource Management Errors
9 - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
10 - CWE-189: Numeric Errors

Firmware software tools

Fortunately, most firmware analysis tools are free and open source. Some of the tools are actively updated while others may not be, but still work. The following are a number of firmware software tools which can analyze firmware images, disassemble images, and attach to firmware processes during runtime:

  - Binwalk
  - Firmadyne
  - Firmwalker
  - Angr
  - Firmware-mod-toolkit
  - Firmware analysis toolkit
  - GDB
  - Radare2
  - Binary Analysis Tool (BAT)
  - Qemu
  - IDA Pro (optional)

Web application software tools

  - Burp Suite
  - OWASP Zed Attack Proxy (ZAP)
  - REST Easy Firefox plugin
  - Postman Chrome extension

Mobile application software tools

Android
  - Android testing virtual machine distribution
  - Android SDK
  - Android emulator
  - Enjarify
  - JD-Gui
  - Mob-SF
  - SQLite browser
  - Burp Suite
  - OWASP ZAP

iOS
  - idb
  - Xcode tools
  - Class-dump
  - Hopper (optional)
  - Mob-SF
  - SQLite browser
  - Burp Suite
  - OWASP ZAP
  - Jailbroken iDevice
  - Cydia
  - openURL
  - dumpdecrypted
  - ipainstaller
  - SSL Kill Switch 2
  - Clutch2
  - Cycript

Radio analysis software

  - KillerBee Framework
  - Attify ZigBee Framework
  - GNU Radio
  - BLEAH
  - GQRX
  - Ubertooth tools
  - Blue Hydra
  - RTL-sdr
  - Hackrf packages
  - EZ-Wave

Hardware tools

Hardware testing tools require some upfront investment to get started. Here are the required and optional tools needed for disassembling devices, finding ground, and accessing device interfaces:

  - Multimeters
  - iFixit classic pro tech toolkit for hardware disassembly
  - Bus Pirate
  - USB to serial adapters: Shikra, FTDI FT232, CP2102, PL2303, Adafruit FTDI Friend
  - JTAG adapters: Shikra, JTAGulator, Arduino with JTAGenum, JLINK, Bus Blaster
  - Logic analyzer (optional): Saleae Logic or others

Links:
  - https://www.ifixit.com/Store/Tools/Classic-Pro-Tech-Toolkit-/IF145-072-1
  - http://int3.cc/products/the-shikra
  - https://www.sparkfun.com/products/12942
  - http://www.grandideastudio.com/jtagulator/
  - https://www.saleae.com/

Hardware analysis software

Here are some hardware analysis tools that are all free. These tools enable us to access hardware interfaces for things such as console access or side-loading firmware onto the device:

  - OpenOCD
  - Spiflash
  - Minicom
  - Baudrate

Radio analysis hardware

  - Atmel RZ Raven USB (KillerBee framework)
  - Attify Badge (alternatively, a combination of a C232HM-DDHSL-0 cable and Adafruit FTDI Breakout)
  - HackRF One
  - Yardstick One
  - XBee with Xbee Shield
  - Ubertooth
  - BLE adapter