Owasp top 10

OWASP Top 10
IoT
(Internet of Things)
G4H/owasp/null meet

Who Am I..?
Veerababu
Maintainer at
@Veeru_rockstar

Agenda..!
.. IoT Introduction
.. IoT Owasp Top 10
.. Q&A
.. References

IoT Intro ..!
IoT is simply the network of interconnected things/devices which are
embedded with sensors, software, network connectivity and necessary
electronics that enables them to collect and exchange data making
them responsive.
IoT Component..!
1. Hardware
2.software
3. Communication Infrastructure

1.IoT mobile application,
2.cloud APIs,
3.communication and protocols,
4.embedded hardware and firmware.
Main IoT Security Testing

...1 – Insecure Web Interface
...2 – Insufficient Authentication/Authorization
...3 – Insecure Network Services
...4 – Lack of Transport Encryption
...5 – Privacy Concerns
...6 – Insecure Cloud Interface
...7 – Insecure Mobile Interface
...8 – Insufficient Security Configurability
...9 – Insecure Software/Firmware
...10 – Poor Physical Security
OWASP Top 10 IoT:

What are they ..?
1. web login pages
2. cctv dvr login pages
still working on this..!
I1.Insecure Web Interface
..Weak credentials
..Weak passwords
..Capture plaintext credentials
..Internal and external vulnerability

I2. Insufficient Authentication/Authorization:

I2.Insufficient Authentication/Authorization
..Weak passwords
..Weak password recovery
..Poorly protected credentials
..Internal and external vulnerability

still using default password "admin" and "1234"
Web interface accepting denial of login attempts

I3.Insecure Network Services:
.. Attack vulnerable network services
.. Attack device itself
.. Bounce attacks off of the device
.. Buffer overflow attacks for Denial of Service
.. Sniffers and fuzzers and Scanners

Internet Using Devices
Telnet -- 23
FTP -- 21
Finger -- 79
TFTP -- 69
SMB -- 445
Common Ports for Devices :

VNC related exploits and payloads:

Port Number :
8000
Port Number : 1072

I4 .Lack of Transport Encryption:

I4 . Lack of Transport Encryption:
.. Easy view of unencrypted data passing between or over networks
.. Traditional crypto vulnerabilities
associated with SSL and TSL i.e. Man In the Middle attacks etc.
.. Compromised Transport Layer means everything above it is
vulnerable

I5 Privacy Concerns:
.. Insufficient authentication
.. Lack of transport encryption and storage of data in encrypted format
.. Insecure network services
.. Collection of unnecessary personal data

What are possible to attacks..?

I6 Insecure Cloud Interface:
.. Attack likely from the Internet
.. Easy to guess credentials
.. Using password reset mechanism to see if account exist
.. Identify is SSL is in use
.. Account enumeration

Cloud login page .. i didn't test anything..?

I7.Insecure Mobile Interface:
.. account lockout mechanism
.. Attack likely from the Internet
.. Easy to guess credentials
.. Using password reset mechanism to see if account exists
.. Identify is SSL is in use
.. Account enumeration

I8.Insufficient Security Configurability:

I8.Insufficient Security Configurability:
.. Lack of granular ability to configure authorizations.
.. Weak passwords and credentials.

I9.Insecure Software/Firmware:

I9.Insecure Software/Firmware:
.. Insecure firmware software encrypted updates
.. Malicious updating

Firmware Update .. Is It Safe..?

I10. Poor Physical Security
USB, SD cards, other storage devices that give access to the Operating System

References ..!!
1. https://www.owasp.org/index.php/Top_IoT_Vulnerabilities
2. http://www.securityfocus.com/bid/70574
3. http://internetofthingswiki.com/internet-of-things-definition/
4. http://iotpentest.com/
5. http://iotsecuritylab.com/

Owasp top 10

More Related Content

What's hot

Viewers also liked

Similar to Owasp top 10

Recently uploaded

Owasp top 10