Nitesh Malviya, profile picture
Uploaded byNitesh Malviya
PPTX, PDF218 views

Null mumbai-iot top 10

This document discusses the top 10 security risks for internet of things (IoT) devices. It begins with an introduction to IoT and why security is important given the rapid growth in the number of connected devices. It then outlines the main attack vectors for IoT systems based on their common architecture. The bulk of the document details the top 10 IoT risks according to the OWASP IoT project: 1) insecure web interface, 2) insufficient authentication/authorization, 3) insecure network services, 4) lack of transport encryption, 5) privacy concerns, 6) insecure cloud interface, 7) insecure mobile interface, 8) insufficient security configurability, 9) insecure software/firmware updates, and 10) poor physical security

Embed presentation

Download to read offline
Internet of Things Top Ten
WhoAmI • Security Consultant with Payatu Technologies • Experience in Web Pentesting, VAPT and Mobile Appsec (Android Only) • Currently learning IOT
Agenda • Why IOT Top 10 ?? • Attack vectors • IOT Architecture • OWASP TOP 10 – IOT • IOT Exploitation Anatomy (Pdf for Reference) • References
Why Top 10 for IOT ?? • The internet of things (IoT) is the network of physical devices, vehicles, buildings and other items—embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data(Wikipedia) • 26 Billion devices connected to Internet by 2020 • Current Security State - still in nascent stage. • Thus, scope for hackers  HIGH
Attack Vectors???? Lets have a look at the architecture and derive all the attack vectors
IOT Architecture
Attack Vectors List • All elements need to be considered • Communication Protocol • The Cloud • The Mobile Application • The Network Interfaces • Web Interface • Encryption • Authentication/Authorization • Physical ports(JTAG,UART,SPI,I2C) • Enter the OWASP Internet of Things Top Ten Project
OWASP IOT TOP 10
I1 | Insecure Web Interface
I1 | Insecure Web Interface | Testing • Account Enumeration • Weak Default Credentials • Credentials Exposed in Network Traffic • Cross-site Scripting (XSS) • SQL-Injection • Session Management • Account Lockout
I1 | Insecure Web Interface | Make It Secure
I2 | Insufficient Authentication/Authorization
I2 | Insufficient Authentication/Authorization | Testing • Lack of Password Complexity • Poorly Protected Credentials • Lack of Two Factor Authentication • Insecure Password Recovery • Privilege Escalation • Lack of Role Based Access Control
I2 | Insufficient Authentication/Authorization | Make It Secure
I3 | Insecure Network Services
I3 | Insecure Network Services | Testing • Vulnerable Services • Buffer Overflow • Open Ports via UPnP • Exploitable UDP Services • Denial-of-Service • DoS via Network Device Fuzzing
I3 | Insecure Network Services | Make It Secure
I4 | Lack of Transport Encryption
I4 | Lack of Transport Encryption | Testing • Unencrypted Services via the Internet • Unencrypted Services via the Local Network • Poorly Implemented SSL/TLS • Misconfigured SSL/TLS
I4 | Lack of Transport Encryption | Make It Secure
I5 | Privacy Concerns
I5 | Privacy Concerns | Testing • Collection of Unnecessary Personal Information
I5 | Privacy Concerns | Make It Secure
I6 | Insecure Cloud Interface
I6 | Insecure Cloud Interface | Testing • Account Enumeration • No Account Lockout • Credentials Exposed in Network Traffic
I6 | Insecure Cloud Interface | Make It Secure
I7 | Insecure Mobile Interface
I7 | Insecure Mobile Interface | Testing • Account Enumeration • No Account Lockout • Credentials Exposed in Network Traffic
I7 | Insecure Mobile Interface | Make It Secure
I8 | Insufficient Security Configurability
I8 | Insufficient Security Configurability | Testing • Lack of Granular Permission Model • Lack of Password Security Options • No Security Monitoring • No Security Logging
I8 | Insufficient Security Configurability | Make It Secure
I9 | Insecure Software/Firmware
I9 | Insecure Software/Firmware | Testing • Encryption Not Used to Fetch Updates • Update File not Encrypted • Update Not Verified before Upload • Firmware Contains Sensitive Information • No Obvious Update Functionality
I9 | Insecure Software/Firmware | Make It Secure
I10 | Poor Physical Security
I10 | Poor Physical Security | Testing • Access to Software via USB Ports • Removal of Storage Media
I10 | Poor Physical Security | Make It Secure
References • OWASP - https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#ta b=Main • IOT Security Anatomy - https://github.com/mdsecresearch/Publications/blob/master/presentation s/An%20Anatomy%20of%20IoT%20Security_OWASPMCR_Nov2016.pdf (Content May not load properly. Just download the pdf) • Insinuater.net • Peerlyst • Reddit Link – www.reddit.com/r/theinternetofshit
THANK YOU 

More Related Content

PPTX
Null mumbai-reversing-IoT-firmware
byNitesh Malviya
 
PDF
IoT and Its Application
byDun Automation Academy
 
PPTX
IoT World - creating a secure robust IoT reference architecture
byPaul Fremantle
 
PDF
IoT Node-Red Presentation
byThe IoT Academy
 
PDF
Owasp top 10
byveerababu penugonda(Mr-IoT)
 
PPTX
Devising a practical approach to the Internet of Things
byGordon Haff
 
PDF
IoX - tech-intro-for-paris-hackathon
byCisco DevNet
 
PPTX
Internet of Things 101 - Part II
byYoonseok Hur
 
Null mumbai-reversing-IoT-firmware
byNitesh Malviya
 
IoT and Its Application
byDun Automation Academy
 
IoT World - creating a secure robust IoT reference architecture
byPaul Fremantle
 
IoT Node-Red Presentation
byThe IoT Academy
 
Owasp top 10
byveerababu penugonda(Mr-IoT)
 
Devising a practical approach to the Internet of Things
byGordon Haff
 
IoX - tech-intro-for-paris-hackathon
byCisco DevNet
 
Internet of Things 101 - Part II
byYoonseok Hur
 

What's hot

PPTX
Using FIWARE and Microsoft Azure for the development of IoT solutions
byDunavNET
 
PDF
Track 5 session 1 - st dev con 2016 - need for security for iot
byST_World
 
PDF
Data in Motion - tech-intro-for-paris-hackathon
byCisco DevNet
 
PPTX
Introduction to the Internet of Things
byAlexandru Radovici
 
PDF
Security challenges for IoT
byWSO2
 
PPTX
Internet of Things: Identity & Security with Open Standards
byGeorge Fletcher
 
PPTX
Using an Open Source RESTful Backend for IoT Applications
byJan Liband
 
PDF
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
byveerababu penugonda(Mr-IoT)
 
PDF
eIoT-tech-intro-for-paris-hackathon
byCisco DevNet
 
PPTX
Automatski - The Internet of Things - Security in IoT
byautomatskicorporation
 
PDF
An IoT gateway centric architecture to provide novel m2m services
bySoumya Kanti Datta
 
PPTX
Iot top 10 vulnerabilities and misconceptions 2016
byErez Metula
 
PDF
The iot academy_lpwan_lora
byThe IoT Academy
 
PDF
Identity for IoT: An Authentication Framework for the IoT
byAllSeen Alliance
 
PDF
Cisco Paris DevNet Hackathon slideshow - Intro
byBeMyApp
 
PDF
Eclipse Kura Shoot a-pi
byEclipse Kura
 
PDF
Webinar: Secure Offline and Online Updates for Linux Devices
byToradex
 
PPTX
IBM IoT Architecture and Capabilities at the Edge and Cloud
byPradeep Natarajan
 
PDF
Protecting your home and office in the era of IoT
byMarian Marinov
 
PPTX
Introduction to IoT Security
byCAS
 
Using FIWARE and Microsoft Azure for the development of IoT solutions
byDunavNET
 
Track 5 session 1 - st dev con 2016 - need for security for iot
byST_World
 
Data in Motion - tech-intro-for-paris-hackathon
byCisco DevNet
 
Introduction to the Internet of Things
byAlexandru Radovici
 
Security challenges for IoT
byWSO2
 
Internet of Things: Identity & Security with Open Standards
byGeorge Fletcher
 
Using an Open Source RESTful Backend for IoT Applications
byJan Liband
 
Beginner’s Guide on How to Start Exploring IoT Security 1st Session
byveerababu penugonda(Mr-IoT)
 
eIoT-tech-intro-for-paris-hackathon
byCisco DevNet
 
Automatski - The Internet of Things - Security in IoT
byautomatskicorporation
 
An IoT gateway centric architecture to provide novel m2m services
bySoumya Kanti Datta
 
Iot top 10 vulnerabilities and misconceptions 2016
byErez Metula
 
The iot academy_lpwan_lora
byThe IoT Academy
 
Identity for IoT: An Authentication Framework for the IoT
byAllSeen Alliance
 
Cisco Paris DevNet Hackathon slideshow - Intro
byBeMyApp
 
Eclipse Kura Shoot a-pi
byEclipse Kura
 
Webinar: Secure Offline and Online Updates for Linux Devices
byToradex
 
IBM IoT Architecture and Capabilities at the Edge and Cloud
byPradeep Natarajan
 
Protecting your home and office in the era of IoT
byMarian Marinov
 
Introduction to IoT Security
byCAS
 

Viewers also liked

PPTX
Null mumbai-iot-workshop
byNitesh Malviya
 
PDF
The future of the IoT will be cognitive
byThorsten Schroeer
 
PPTX
A Secure Model of IoT Using Blockchain
byAltoros
 
PDF
The Future of Authentication for IoT
byFIDO Alliance
 
PDF
IOT Solutions and Challenges
byMeshDynamics
 
PDF
IBM Messaging and Collaboration Roadmap - Notes and Domino update - December ...
byEd Brill
 
PDF
Towards Rapid Implementation of Adaptive Robotic Systems
byMeshDynamics
 
PDF
Internet of Things (IoT)
byVeronika Khyzhniak
 
PPT
Artificial Intelligence
byMuhammad Ahad
 
PPTX
PROYECTO LA NARANJA
byonidiasdecole
 
PPTX
20170228 Facebook workshop - Gemeente Hoegaarden
byI Like Media
 
PDF
Perspectivas IoT con arduino
byMSc Aldo Valdez Alvarado
 
PPTX
Fuzzing | Null OWASP Mumbai | 2016 June
bynullowaspmumbai
 
PDF
My Null Android Penetration Session
byAvinash Sinha
 
PPTX
Jeremy Cowan's AWS user group presentation "AWS Greengrass & IoT demo"
byAWS Chicago
 
PDF
Smart Gas Meters
byCNRFID
 
PDF
IBM Cognitive Manufacturing Overview Public
byThorsten Schroeer
 
PDF
The What, Why and How of (Web) Analytics Testing (Web, IoT, Big Data)
byAnand Bagmar
 
PDF
Thinking Strategically About IoT
byHolly Cummins
 
PPTX
Null mumbai-Android-Insecure-Data-Storage-Exploitation
byNitesh Malviya
 
Null mumbai-iot-workshop
byNitesh Malviya
 
The future of the IoT will be cognitive
byThorsten Schroeer
 
A Secure Model of IoT Using Blockchain
byAltoros
 
The Future of Authentication for IoT
byFIDO Alliance
 
IOT Solutions and Challenges
byMeshDynamics
 
IBM Messaging and Collaboration Roadmap - Notes and Domino update - December ...
byEd Brill
 
Towards Rapid Implementation of Adaptive Robotic Systems
byMeshDynamics
 
Internet of Things (IoT)
byVeronika Khyzhniak
 
Artificial Intelligence
byMuhammad Ahad
 
PROYECTO LA NARANJA
byonidiasdecole
 
20170228 Facebook workshop - Gemeente Hoegaarden
byI Like Media
 
Perspectivas IoT con arduino
byMSc Aldo Valdez Alvarado
 
Fuzzing | Null OWASP Mumbai | 2016 June
bynullowaspmumbai
 
My Null Android Penetration Session
byAvinash Sinha
 
Jeremy Cowan's AWS user group presentation "AWS Greengrass & IoT demo"
byAWS Chicago
 
Smart Gas Meters
byCNRFID
 
IBM Cognitive Manufacturing Overview Public
byThorsten Schroeer
 
The What, Why and How of (Web) Analytics Testing (Web, IoT, Big Data)
byAnand Bagmar
 
Thinking Strategically About IoT
byHolly Cummins
 
Null mumbai-Android-Insecure-Data-Storage-Exploitation
byNitesh Malviya
 

Similar to Null mumbai-iot top 10

PPT
IoT security (Internet of Things)
bySanjay Kumar (Seeking options outside India)
 
PPT
IoT Security by Sanjay Kumar
byOWASP Delhi
 
PDF
IoT – Breaking Bad
byNUS-ISS
 
PPTX
IoT-Device-Security.pptx
byZahidHussainqaisar
 
PPTX
IoT-Device-Security-DRAFT-slide-presentation
byAuliaArifWardana
 
PPTX
IoT - Rise of New Zombies Army
byMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
PPTX
IoT Security, Threats and Challenges By V.P.Prabhakaran
byKoenig Solutions Ltd.
 
PDF
The bad, the ugly and the weird about IoT
bySpeck&Tech
 
PPTX
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
byRapid7
 
PPTX
pptt.pptx
byAdityaRajput317826
 
PPTX
Iot(security)
byShreya Pohekar
 
PDF
Securing the Internet of Things
byChristopher Frenz
 
PPTX
IoT Security: Debunking the "We Aren't THAT Connected" Myth
bySecurity Innovation
 
PDF
Securing the Internet of Things
bySyam Madanapalli
 
PDF
Ryan Wilson - ryanwilson.com - IoT Security
byRyan Wilson
 
PDF
IoT_Security and impelementation in school
byteguhwibowo67
 
PPTX
Iot cyber security
bysajid mehmood
 
PPTX
Security challenges for internet of things
byMonika Keerthi
 
PPTX
IoT Security Briefing FBI 07 23-2017 final
byFrank Siepmann
 
PPTX
Security in IoT
bygr9293
 
IoT security (Internet of Things)
bySanjay Kumar (Seeking options outside India)
 
IoT Security by Sanjay Kumar
byOWASP Delhi
 
IoT – Breaking Bad
byNUS-ISS
 
IoT-Device-Security.pptx
byZahidHussainqaisar
 
IoT-Device-Security-DRAFT-slide-presentation
byAuliaArifWardana
 
IoT - Rise of New Zombies Army
byMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
IoT Security, Threats and Challenges By V.P.Prabhakaran
byKoenig Solutions Ltd.
 
The bad, the ugly and the weird about IoT
bySpeck&Tech
 
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
byRapid7
 
pptt.pptx
byAdityaRajput317826
 
Iot(security)
byShreya Pohekar
 
Securing the Internet of Things
byChristopher Frenz
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
bySecurity Innovation
 
Securing the Internet of Things
bySyam Madanapalli
 
Ryan Wilson - ryanwilson.com - IoT Security
byRyan Wilson
 
IoT_Security and impelementation in school
byteguhwibowo67
 
Iot cyber security
bysajid mehmood
 
Security challenges for internet of things
byMonika Keerthi
 
IoT Security Briefing FBI 07 23-2017 final
byFrank Siepmann
 
Security in IoT
bygr9293
 

Recently uploaded

PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
Making Search Less Taxing: Leveraging Semantics and Keywords in Hybrid Search
byEnterprise Knowledge
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
final.pdf
byomarbishtawi04
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
PPTX
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Making Search Less Taxing: Leveraging Semantics and Keywords in Hybrid Search
byEnterprise Knowledge
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
final.pdf
byomarbishtawi04
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 

Null mumbai-iot top 10

  • 1.
  • 2.
    WhoAmI • Security Consultantwith Payatu Technologies • Experience in Web Pentesting, VAPT and Mobile Appsec (Android Only) • Currently learning IOT
  • 3.
    Agenda • Why IOTTop 10 ?? • Attack vectors • IOT Architecture • OWASP TOP 10 – IOT • IOT Exploitation Anatomy (Pdf for Reference) • References
  • 4.
    Why Top 10for IOT ?? • The internet of things (IoT) is the network of physical devices, vehicles, buildings and other items—embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data(Wikipedia) • 26 Billion devices connected to Internet by 2020 • Current Security State - still in nascent stage. • Thus, scope for hackers  HIGH
  • 5.
    Attack Vectors???? Lets havea look at the architecture and derive all the attack vectors
  • 6.
  • 7.
    Attack Vectors List •All elements need to be considered • Communication Protocol • The Cloud • The Mobile Application • The Network Interfaces • Web Interface • Encryption • Authentication/Authorization • Physical ports(JTAG,UART,SPI,I2C) • Enter the OWASP Internet of Things Top Ten Project
  • 8.
  • 9.
    I1 | InsecureWeb Interface
  • 10.
    I1 | InsecureWeb Interface | Testing • Account Enumeration • Weak Default Credentials • Credentials Exposed in Network Traffic • Cross-site Scripting (XSS) • SQL-Injection • Session Management • Account Lockout
  • 11.
    I1 | InsecureWeb Interface | Make It Secure
  • 12.
  • 13.
    I2 | InsufficientAuthentication/Authorization | Testing • Lack of Password Complexity • Poorly Protected Credentials • Lack of Two Factor Authentication • Insecure Password Recovery • Privilege Escalation • Lack of Role Based Access Control
  • 14.
    I2 | InsufficientAuthentication/Authorization | Make It Secure
  • 15.
    I3 | InsecureNetwork Services
  • 16.
    I3 | InsecureNetwork Services | Testing • Vulnerable Services • Buffer Overflow • Open Ports via UPnP • Exploitable UDP Services • Denial-of-Service • DoS via Network Device Fuzzing
  • 17.
    I3 | InsecureNetwork Services | Make It Secure
  • 18.
    I4 | Lackof Transport Encryption
  • 19.
    I4 | Lackof Transport Encryption | Testing • Unencrypted Services via the Internet • Unencrypted Services via the Local Network • Poorly Implemented SSL/TLS • Misconfigured SSL/TLS
  • 20.
    I4 | Lackof Transport Encryption | Make It Secure
  • 21.
    I5 | PrivacyConcerns
  • 22.
    I5 | PrivacyConcerns | Testing • Collection of Unnecessary Personal Information
  • 23.
    I5 | PrivacyConcerns | Make It Secure
  • 24.
    I6 | InsecureCloud Interface
  • 25.
    I6 | InsecureCloud Interface | Testing • Account Enumeration • No Account Lockout • Credentials Exposed in Network Traffic
  • 26.
    I6 | InsecureCloud Interface | Make It Secure
  • 27.
    I7 | InsecureMobile Interface
  • 28.
    I7 | InsecureMobile Interface | Testing • Account Enumeration • No Account Lockout • Credentials Exposed in Network Traffic
  • 29.
    I7 | InsecureMobile Interface | Make It Secure
  • 30.
    I8 | InsufficientSecurity Configurability
  • 31.
    I8 | InsufficientSecurity Configurability | Testing • Lack of Granular Permission Model • Lack of Password Security Options • No Security Monitoring • No Security Logging
  • 32.
    I8 | InsufficientSecurity Configurability | Make It Secure
  • 33.
    I9 | InsecureSoftware/Firmware
  • 34.
    I9 | InsecureSoftware/Firmware | Testing • Encryption Not Used to Fetch Updates • Update File not Encrypted • Update Not Verified before Upload • Firmware Contains Sensitive Information • No Obvious Update Functionality
  • 35.
    I9 | InsecureSoftware/Firmware | Make It Secure
  • 36.
    I10 | PoorPhysical Security
  • 37.
    I10 | PoorPhysical Security | Testing • Access to Software via USB Ports • Removal of Storage Media
  • 38.
    I10 | PoorPhysical Security | Make It Secure
  • 39.
    References • OWASP - https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#ta b=Main •IOT Security Anatomy - https://github.com/mdsecresearch/Publications/blob/master/presentation s/An%20Anatomy%20of%20IoT%20Security_OWASPMCR_Nov2016.pdf (Content May not load properly. Just download the pdf) • Insinuater.net • Peerlyst • Reddit Link – www.reddit.com/r/theinternetofshit
  • 40.