“OWASP Internet of Things Top 10”

Let’s Grow Smart…
HELLO!

INTRODUCTION
Let’s start with the overview
Work on IoT & Motivation : OWASP

▸ IoT Security Is So Hot Right Now.
▸ BlackHat 2017 - 8 Talks
▸ BlackHat 2018 - 14 Talks
▸ BlackHat 2019 - 8 Talks
▸ The Open Web Application Security Project, or OWASP, has released the OWASP Top 10 Internet of Things 2018 list of the highest priority issues. (The previous list was published in 2014 and had not been updated since.)
Work on IoT & Motivation : OWASP

▸ The OWASP Internet of Things Project was started in 2014 to help developers, manufacturers, enterprises, and consumers make better decisions regarding the creation and use of IoT systems. The Top 10 represents the top ten things to avoid when building, deploying, or managing IoT systems.
▸ We Need to Think!
OWASP Internet of Things Top 10

OWASP - Internet of Things { Top 10 2018 }

1. Weak, Guessable, or Hardcoded Passwords
   Use of easily brute-forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grant unauthorized access to deployed systems.

2. Insecure Network Services
   Unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control.

3. Insecure Ecosystem Interfaces
   Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allow compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.

4. Lack of Secure Update Mechanism
   Lack of ability to securely update the device. This includes lack of firmware validation on the device, lack of secure delivery (unencrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.

5. Use of Insecure or Outdated Components
   Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms, and the use of third-party software or hardware components from a compromised supply chain.

6. Insufficient Privacy Protection
   Users’ personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.

7. Insecure Data Transfer and Storage
   Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.

8. Lack of Device Management
   Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.

9. Insecure Default Settings
   Devices or systems shipped with insecure default settings, or lacking the ability to make the system more secure by restricting operators from modifying configurations.

10. Lack of Physical Hardening
   Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.
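Item 4 (Lack of Secure Update Mechanism) in code, as an added example that is not from this deck or the OWASP project: a device-side check that refuses unsigned, tampered or downgraded images. It assumes a per-device symmetric key and uses HMAC-SHA256 as a stand-in for the signing scheme; real firmware signing would use an asymmetric signature so that the verification key on the device cannot be used to sign.

```python
import hashlib, hmac, struct

MAGIC = b"FW1"
HEADER = ">3sI32s"                    # magic, version, SHA-256 of the image
HEADER_LEN = struct.calcsize(HEADER)  # 39 bytes
MAC_LEN = 32

def build_update(key, version, image):
    """Vendor side: header || HMAC-SHA256(header) || image (stand-in for real signing)."""
    header = struct.pack(HEADER, MAGIC, version, hashlib.sha256(image).digest())
    return header + hmac.new(key, header, hashlib.sha256).digest() + image

class Device:
    """Device-side update logic: authenticate, check integrity, refuse downgrades."""
    def __init__(self, key, installed_version):
        self.key = key
        # Hypothetical: in a real device this counter lives in monotonic, tamper-resistant storage.
        self.installed_version = installed_version

    def apply_update(self, blob):
        """Return (accepted, reason); the version is committed only if every check passes."""
        if len(blob) < HEADER_LEN + MAC_LEN:
            return False, "truncated update"
        header = blob[:HEADER_LEN]
        mac = blob[HEADER_LEN:HEADER_LEN + MAC_LEN]
        image = blob[HEADER_LEN + MAC_LEN:]
        # 1. Authenticity first: no header field is trusted before the MAC verifies.
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False, "bad signature"
        magic, version, digest = struct.unpack(HEADER, header)
        if magic != MAGIC:
            return False, "bad magic"
        # 2. Integrity: the image must match the digest that was signed.
        if not hmac.compare_digest(hashlib.sha256(image).digest(), digest):
            return False, "image digest mismatch"
        # 3. Anti-rollback: a correctly signed but older (or identical) image is still refused.
        if version <= self.installed_version:
            return False, "rollback refused: %d <= %d" % (version, self.installed_version)
        self.installed_version = version
        return True, "installed version %d" % version
```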
IoT Attack Surface (Entity Scenario)
Let’s start with the overview

IoT Attack Surface (Entity Based)

▸ Prerequisites :
▹ IoT Architecture
▹ Devices Used
▹ Communication Channels
▸ Keywords : IoT Ecosystem
▸ The attack surface by components can be divided into three or four (if we include communication as an attack surface) major areas as follows:
▹ Mobile
▹ Cloud
▹ Communication
▹ Device
Mobile :

▸ The mobile app communicates with the IoT ecosystem to send commands and read data, so it becomes one of the entry points into the IoT ecosystem.
▸ Attack Surfaces can be specified as :
▹ Storage
▹ Authentication
▹ Encryption
▹ Communication
▹ Generic mobile vulnerabilities – OWASP Mobile Top 10
21 IoT Attack Surface
Cloud:

▸ The cloud is one of the very important pieces of IoT as


usually data from all the instances of the product line
converges here.

IoT Attack ▸ Attack Surfaces can be specified as :


Surface ▹ Storage
(Entity ▹ Authentication
Based) ▹ Encryption
▹ Communication
▹ APIs
▹ Generic Web/cloud vulnerabilities – OWASP Web
Top 10
22 IoT Attack Surface
Device:

▸ Device are game changer for IoT tech : ).

▸ It interfaces with the physical world an also


communicates with the virtual world.
IoT Attack
Surface ▸ It is the first stop for physical world data.
(Entity
Based) ▸ In future devices may use user’s crypto currencies
directly through their wallet or a separate temporary
wallet to purchase items, repairs etc.
23 IoT Attack Surface
Device:

▸ Attack Surfaces can be specified as :

▹ Storage
▹ Authentication
IoT Attack ▹ Encryption
Surface ▹ Communication
(Entity ▹ Sensor interface
Based) ▹ Peripheral interfaces
▹ Hardware interfaces
▹ Human machine Interface
24 IoT Attack Surface
Communication :

▸ It's an Intangible Attack Surface.

▸ There are endless list of communication protocols


that the IoT ecosystem can use on wired as well as
IoT Attack wireless medium.
Surface
(Entity ▸ Attack Surfaces can be specified as :
Based)
▹ Storage
▹ Authentication
▹ Deviation from the protocol standard
▹ Protocol implementation anomalies
25 IoT Attack Surface
Communication :

▸ The ha rd wa re int erfa ces a llow for t he a ct ua l


communication.

▸ But, the actual data communication / packets are


IoT Attack defined by the upper layers which are implemented in
Surface the software.
(Entity
Based) ▸ Although, the flaws in the protocol may result in
attacks on the protocol end points residing on the
mobile, the device or the cloud.
26 IoT Attack Surface
Communication - Common protocols that are used in
various IoT products : “WEB”

▸ The web or in technical terms HTTP(S) is the most


common protocol used for communication and is
used everywhere.
IoT Attack
Surface ▸ The attack surface on web is huge.
(Entity
Based) ▸ But, In general the attack surface, vulnerabilities and
mitigation techniques have mostly been standardized
as it has been under research for more than two
decades now.
27 IoT Attack Surface
Communication - Common protocols that are used in
various IoT products : “Others”

▸ There are many protocols, some domain specific,


some generic and some for efficiency reasons.

IoT Attack ▸ History tells us that all protocols will have their share
Surface of implementation flaws, protocol design flaws and
(Entity configuration flaws. (Task of Pentester)
Based)
28 IoT Attack Surface
Communication - Common protocols that are used in
various IoT products : “Others”

▸ CoAP : https://en.wikipedia.org/wiki/Constrained_Application_Protocol
▸ MQTT : https://en.wikipedia.org/wiki/MQTT
▸ AMQP : https://en.wikipedia.org/wiki/Advanced_Message_Queuing_Protocol
IoT Attack ▸ WebSocket : https://en.wikipedia.org/wiki/WebSocket
Surface ▸ CANbus : https://en.wikipedia.org/wiki/CAN_bus
(Entity ▸ DNP3 : https://en.wikipedia.org/wiki/DNP3
Based) ▸ HL7 : https://en.wikipedia.org/wiki/Health_Level_7
▸ XMPP : https://en.wikipedia.org/wiki/XMPP
▸ UPnP : https://en.wikipedia.org/wiki/Universal_Plug_and_Play
▸ <Your Named Protocol>
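The “deviation from the protocol standard”, “implementation anomalies” and authentication surfaces above, applied to one protocol from the list, as an added example that is not part of this deck: a parser for an MQTT 3.1.1 CONNECT packet that extracts the client identity and reports spec deviations (wrong protocol name/level, reserved bit set, password without username) and weak configuration a broker or monitor should flag (anonymous connect, disabled keep-alive). The packet bytes are constructed for the example, not captured traffic.

```python
import struct

def _remaining_length(buf, pos):
    """Decode the 1-4 byte variable-length 'remaining length' field."""
    value = 0
    for i in range(4):
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("malformed remaining length")

def _field(buf, pos):
    """Read a 2-byte big-endian length-prefixed field (UTF-8 string or binary)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_connect(packet):
    """Parse an MQTT 3.1.1 CONNECT packet; return its fields plus a list of findings."""
    if not packet or packet[0] != 0x10:
        raise ValueError("not a CONNECT packet (type 1, flags 0)")
    remaining, pos = _remaining_length(packet, 1)
    if len(packet) - pos != remaining:
        raise ValueError("remaining length does not match packet size")
    name, pos = _field(packet, pos)                      # protocol name, expected b"MQTT"
    level, flags, keepalive = struct.unpack_from(">BBH", packet, pos)
    pos += 4
    client_id, pos = _field(packet, pos)
    has_user, has_pass, clean = bool(flags & 0x80), bool(flags & 0x40), bool(flags & 0x02)
    if flags & 0x04:                                     # Will flag: skip will topic + message
        _, pos = _field(packet, pos)
        _, pos = _field(packet, pos)
    username, pos = _field(packet, pos) if has_user else (None, pos)
    pos = _field(packet, pos)[1] if has_pass else pos    # password (binary), not retained
    checks = [
        (name != b"MQTT" or level != 4, "protocol name/level deviates from MQTT 3.1.1"),
        (flags & 0x01, "reserved connect flag set (must be 0)"),
        (has_pass and not has_user, "password flag set without username flag"),
        (not has_user, "anonymous connection (no credentials)"),
        (not client_id and not clean, "empty client id without clean session"),
        (keepalive == 0, "keep-alive disabled (no liveness detection)"),
        (pos != len(packet), "trailing bytes after payload"),
    ]
    return {"client_id": client_id.decode("utf-8", "replace"),
            "username": username.decode("utf-8", "replace") if has_user else None,
            "keepalive": keepalive, "findings": [msg for cond, msg in checks if cond]}

# Constructed samples: anonymous CONNECT from client "sensor", and the same client with username "dev" / password "pw".
ANON_CONNECT = bytes.fromhex("10 12 0004 4d515454 04 02 003c 0006 73656e736f72")
AUTH_CONNECT = bytes.fromhex("10 1b 0004 4d515454 04 c2 003c 0006 73656e736f72 0003 646576 0002 7077")
```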
Device Attack Surface :

▸ Storage
▹ SD Card
▹ USB
▹ Non-volatile Memory
▹ Volatile Memory
▹ Microcontroller Internal Memory

▸ H/W Communication Interface
▹ UART
▹ Microcontroller Debug Port
▹ I2C
▹ SPI
▹ Sensor

▸ N/W Communication Interface
▹ WiFi
▹ Ethernet
▹ Radio
Any Questions?

THANKS!