
Null mumbai-iot top 10


Covering IoT Top 10 issues

Published in: Technology


  1. Internet of Things Top Ten
  2. WhoAmI • Security Consultant with Payatu Technologies • Experience in Web Pentesting, VAPT and Mobile Appsec (Android only) • Currently learning IoT
  3. Agenda • Why an IoT Top 10? • Attack vectors • IoT Architecture • OWASP Top 10 – IoT • IoT Exploitation Anatomy (PDF for reference) • References
  4. Why a Top 10 for IoT? • The Internet of Things (IoT) is the network of physical devices, vehicles, buildings and other items embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data (Wikipedia) • 26 billion devices connected to the Internet by 2020 • Current security state: still in a nascent stage • Thus, scope for hackers: HIGH
  5. Attack Vectors? Let's have a look at the architecture and derive all the attack vectors
  6. IoT Architecture
  7. Attack Vectors List • All elements need to be considered • Communication Protocol • The Cloud • The Mobile Application • The Network Interfaces • Web Interface • Encryption • Authentication/Authorization • Physical ports (JTAG, UART, SPI, I2C) • Enter the OWASP Internet of Things Top Ten Project
  8. OWASP IoT Top 10
  9. I1 | Insecure Web Interface
  10. I1 | Insecure Web Interface | Testing • Account Enumeration • Weak Default Credentials • Credentials Exposed in Network Traffic • Cross-site Scripting (XSS) • SQL Injection • Session Management • Account Lockout
  11. I1 | Insecure Web Interface | Make It Secure
  12. I2 | Insufficient Authentication/Authorization
  13. I2 | Insufficient Authentication/Authorization | Testing • Lack of Password Complexity • Poorly Protected Credentials • Lack of Two-Factor Authentication • Insecure Password Recovery • Privilege Escalation • Lack of Role-Based Access Control
  14. I2 | Insufficient Authentication/Authorization | Make It Secure
  15. I3 | Insecure Network Services
  16. I3 | Insecure Network Services | Testing • Vulnerable Services • Buffer Overflow • Open Ports via UPnP • Exploitable UDP Services • Denial-of-Service • DoS via Network Device Fuzzing
  17. I3 | Insecure Network Services | Make It Secure
  18. I4 | Lack of Transport Encryption
  19. I4 | Lack of Transport Encryption | Testing • Unencrypted Services via the Internet • Unencrypted Services via the Local Network • Poorly Implemented SSL/TLS • Misconfigured SSL/TLS
  20. I4 | Lack of Transport Encryption | Make It Secure
  21. I5 | Privacy Concerns
  22. I5 | Privacy Concerns | Testing • Collection of Unnecessary Personal Information
  23. I5 | Privacy Concerns | Make It Secure
  24. I6 | Insecure Cloud Interface
  25. I6 | Insecure Cloud Interface | Testing • Account Enumeration • No Account Lockout • Credentials Exposed in Network Traffic
  26. I6 | Insecure Cloud Interface | Make It Secure
  27. I7 | Insecure Mobile Interface
  28. I7 | Insecure Mobile Interface | Testing • Account Enumeration • No Account Lockout • Credentials Exposed in Network Traffic
  29. I7 | Insecure Mobile Interface | Make It Secure
  30. I8 | Insufficient Security Configurability
  31. I8 | Insufficient Security Configurability | Testing • Lack of Granular Permission Model • Lack of Password Security Options • No Security Monitoring • No Security Logging
  32. I8 | Insufficient Security Configurability | Make It Secure
  33. I9 | Insecure Software/Firmware
  34. I9 | Insecure Software/Firmware | Testing • Encryption Not Used to Fetch Updates • Update File Not Encrypted • Update Not Verified Before Upload • Firmware Contains Sensitive Information • No Obvious Update Functionality
  35. I9 | Insecure Software/Firmware | Make It Secure
  36. I10 | Poor Physical Security
  37. I10 | Poor Physical Security | Testing • Access to Software via USB Ports • Removal of Storage Media
  38. I10 | Poor Physical Security | Make It Secure
  39. References • OWASP - https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Main • IoT Security Anatomy - https://github.com/mdsecresearch/Publications/blob/master/presentations/An%20Anatomy%20of%20IoT%20Security_OWASPMCR_Nov2016.pdf (content may not load properly; just download the PDF) • Insinuater.net • Peerlyst • Reddit link – www.reddit.com/r/theinternetofshit
  40. THANK YOU
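The I4 and I9 test items on slides 19 and 34 (updates fetched without TLS, update not verified, rollback) are easiest to reason about as a device-side acceptance gate. The following is an added example, not code from the slides or from Payatu; the device key, URLs, version numbers and image bytes are constructed, and an HMAC over the manifest stands in for the vendor signature a real device would verify with a public key.

```python
"""Firmware update acceptance checks mirroring the I4 / I9 test items:
transport encryption, manifest authenticity, image integrity, rollback."""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed demo key standing in for a device-provisioned update key.
# A real device holds the vendor's public key and checks a signature.
DEVICE_UPDATE_KEY = b"constructed-demo-key-do-not-reuse"
INSTALLED_VERSION = (1, 4, 2)   # constructed current firmware version


def manifest_tag(manifest_bytes: bytes, key: bytes = DEVICE_UPDATE_KEY) -> str:
    """HMAC-SHA256 over the manifest; stands in for the vendor signature."""
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()


def check_update(url: str, manifest_bytes: bytes, tag: str, image: bytes,
                 installed=INSTALLED_VERSION) -> tuple:
    """Return (accepted, reason); each reject maps to one slide item."""
    # I4 / I9: "Encryption Not Used to Fetch Updates"
    if urlparse(url).scheme != "https":
        return False, "update not fetched over TLS"
    # I9: "Update Not Verified" - authenticate the manifest before trusting it
    if not hmac.compare_digest(manifest_tag(manifest_bytes), tag):
        return False, "manifest authentication failed"
    manifest = json.loads(manifest_bytes)
    # Rollback protection: refuse downgrades to versions with known bugs
    if tuple(manifest["version"]) <= tuple(installed):
        return False, "rollback to older or same version refused"
    # I9: image integrity, checked against the authenticated manifest
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image hash mismatch"
    return True, "accepted"


def build_manifest(version, image: bytes) -> tuple:
    """Vendor side (constructed): manifest plus tag for a given image."""
    m = json.dumps({"version": list(version),
                    "sha256": hashlib.sha256(image).hexdigest()}).encode()
    return m, manifest_tag(m)
```

The checks are ordered so that nothing from the manifest is parsed or acted on until its tag has been verified.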
