The OWASP IoT Top 10 list is a classification of the most common security risks that can make Internet of Things (IoT) devices vulnerable to cyberattacks. These risks range from insecure web interfaces to broken authentication and authorization mechanisms. According to a CSO study, 61% of organizations have experienced an IoT security incident. In this blog post, we will explore the OWASP IoT Top 10 list of common vulnerabilities: what the list is, what the current list contains, and what manufacturers can do to remediate these vulnerabilities.
What is the OWASP IoT Top 10?
The OWASP Internet of Things Project is a part of the OWASP Top Ten Project. The OWASP IoT Top Ten is a classification of the most common security risks that can make Internet of Things (IoT) devices vulnerable. These risks range from insecure web interfaces to broken authentication and authorization mechanisms. The OWASP Internet of Things Project is designed to help manufacturers, developers, and users better understand the security risks associated with IoT devices and to provide guidance on how to prevent or mitigate these risks.
What is the current OWASP IoT Top 10 list?
Following is the latest OWASP IoT Top 10 list of vulnerabilities:
1. Weak, guessable, or hardcoded passwords
One of the most common security risks that can affect IoT devices is weak or easily guessed passwords. Many IoT devices come with factory-default passwords that are easy to guess, publicly available, or unchangeable. This is the case for most IoT devices with a web interface.
Hardcoded passwords, also known as embedded credentials, are plain-text passwords or other secrets placed directly in the source code of the device firmware. If an attacker gains access to the source code, they have access to every password and secret the device uses.
Examples of weak, guessable, or hardcoded passwords include the following:
How to mitigate this risk: If an IoT device uses any of these passwords, change it to a strong, unique password that follows password security best practices. Change each device's default password, using a password manager to consistently generate and store strong, unique passwords.
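The first-boot gate below is an added example (not code from the original post or from OWASP) of how a device can refuse to expose its management interface until the credential passes a policy: it rejects a constructed denylist of factory defaults, short passwords, passwords derived from the serial number printed on the label, and low character-class variety, and it shows how a manufacturer would provision a per-unit random password instead of one shared default. The denylist, the serial numbers and the policy thresholds are all assumptions for the demo.

```python
"""Credential policy for an IoT device's first boot.

Added example, not code from the original post. The denylist of factory
defaults and the sample serial numbers are constructed for this demo.
"""
import secrets
import string

# Constructed denylist of factory and commonly guessed passwords.
DEFAULT_PASSWORDS = {
    "admin", "password", "1234", "12345", "123456", "root", "default", "user", "guest",
}
MIN_LENGTH = 12


def password_problems(password: str, device_serial: str = "") -> list:
    """Return the policy violations for a candidate password; an empty list means it is acceptable."""
    problems = []
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("known default password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Reject passwords derived from identifiers printed on the device label.
    if device_serial and device_serial.lower() in password.lower():
        problems.append("derived from the device serial number")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    return problems


def generate_unique_password(length: int = 16) -> str:
    """Generate a per-device password from a CSPRNG: what a manufacturer should
    provision per unit instead of one shared factory default."""
    alphabet = string.ascii_letters + string.digits + "-_.!@#%"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


def management_interface_allowed(current_password: str, device_serial: str) -> bool:
    """First-boot gate: the web/management interface stays disabled until the
    credential passes the policy, so a default password never goes live."""
    return not password_problems(current_password, device_serial)
```

The gate is deliberately evaluated on the device rather than in a mobile app, so a user who skips the app's setup flow still cannot reach a default-credential interface.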
2. Insecure network services
Insecure or unneeded network services exposed to the public Internet can compromise the confidentiality, integrity, and availability of the device's information. IoT devices whose security is compromised, often through default passwords, can be conscripted into botnets that execute attacks such as Distributed Denial-of-Service (DDoS), data theft, or ransomware.
Examples of insecure network services can include the following:
How to mitigate this risk: Address these vulnerabilities by limiting exposed network services to the strict minimum required and using secure protocols for those that remain.
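As an added example (not code from the original post), the audit below implements the "strict minimum, secure protocols" check: it parses listener rows in the layout of `ss -tulnp` on a small Linux device and flags every socket bound to all interfaces that is either not on the device's required-service list or speaks a plaintext protocol. The listener table, the required-service list and the plaintext-protocol table are constructed for the demo.

```python
"""Audit the network services an IoT device exposes.

Added example, not code from the original post. The `ss -tulnp` style output
and the required-service list are constructed for this demo.
"""
import re

# Ports whose protocols carry credentials or data in the clear (constructed table).
PLAINTEXT_SERVICES = {
    ("tcp", 21): "ftp",
    ("tcp", 23): "telnet",
    ("tcp", 80): "http",
    ("udp", 69): "tftp",
}
# Addresses that mean "every interface", i.e. reachable from the network.
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "::", "*"}

# Constructed listener table in the layout of `ss -tulnp` on a small Linux device.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=412,fd=3))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("dropbear",pid=400,fd=3))
tcp   LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("httpd",pid=420,fd=4))
tcp   LISTEN 0      128    127.0.0.1:8443      0.0.0.0:*         users:(("httpd",pid=420,fd=5))
udp   UNCONN 0      0      0.0.0.0:1900        0.0.0.0:*         users:(("upnpd",pid=430,fd=2))
"""
# The only service this (constructed) device actually needs to expose.
REQUIRED_SERVICES = {("tcp", 22)}


def parse_ss_line(line: str):
    """Parse one `ss` row into a dict, or return None for headers and non-listening sockets."""
    parts = line.split()
    if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
        return None
    proto, state, local = parts[0], parts[1], parts[4]
    if proto == "tcp" and state != "LISTEN":
        return None
    addr, _, port = local.rpartition(":")
    if not port.isdigit():
        return None
    match = re.search(r'\("([^"]+)"', line)
    return {"proto": proto, "addr": addr, "port": int(port),
            "process": match.group(1) if match else None}


def audit_listeners(ss_output: str, required: set) -> list:
    """Return one finding per externally reachable socket that is either not
    on the required list or speaks a plaintext protocol."""
    findings = []
    for line in ss_output.splitlines():
        sock = parse_ss_line(line)
        if sock is None or sock["addr"] not in WILDCARD_ADDRS:
            continue  # loopback-only binds are not reachable from the network
        key = (sock["proto"], sock["port"])
        reasons = []
        if key in PLAINTEXT_SERVICES:
            reasons.append(f"plaintext protocol ({PLAINTEXT_SERVICES[key]})")
        if key not in required:
            reasons.append("not in the required-service list")
        if reasons:
            findings.append({**sock, "reasons": reasons})
    return findings
```

On the constructed table the loopback-only HTTPS listener is ignored, SSH is accepted, and telnet, HTTP and UPnP are reported; running the same check in a CI image test or on a device fleet catches services that creep back in with a firmware update.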
3. Insecure ecosystem of interfaces
An ecosystem of interfaces can be defined as any communication interface used by the device that is not part of the device itself. Common issues of such an ecosystem include the following:
- Lack of authentication/authorization.
- Lack of encryption (or using weak encryption).
- Lack of input and output filtering.
Among the examples of an insecure ecosystem are the following:
- Insecure web interface
- Insecure mobile app
- Insecure cloud interface
- Insecure API
How to mitigate this risk: When possible, encrypt all communications using SSL/TLS. Also, put in place authentication and authorization mechanisms so that only authorized users can access the device interfaces, and filter input and output data to prevent the injection or extraction of malicious data.
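The handler below is an added example (not code from the original post) of the three interface controls just listed applied to a device's management API: bearer-token authentication with a constant-time digest comparison, per-action role authorization, an input filter on the one free-text parameter, and an output filter that never serialises the stored Wi-Fi secret. The tokens, roles, device state and request shape are constructed assumptions, and TLS for the transport is assumed to terminate in front of this code.

```python
"""Authentication, authorization and input/output filtering for a device API.

Added example, not code from the original post. The tokens, roles, device
state and request shapes are constructed for this demo.
"""
import hashlib
import hmac
import re

NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")          # input filter for device names
PERMISSIONS = {                                          # action -> roles allowed to call it
    "read_status": {"viewer", "admin"},
    "rename": {"admin"},
    "reboot": {"admin"},
}
PUBLIC_FIELDS = ("name", "firmware", "uptime_s")         # output filter: fields that may leave the device

# Constructed device state; wifi_psk must never be returned by the API.
DEVICE_STATE = {"name": "sensor-01", "firmware": "2.4.1", "uptime_s": 8640, "wifi_psk": "constructed-secret"}


def token_digest(token: str) -> str:
    """Store and compare token digests so the session table never holds raw tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed session table: token digest -> role.
SESSIONS = {
    token_digest("viewer-token-constructed"): "viewer",
    token_digest("admin-token-constructed"): "admin",
}


def authenticate(headers: dict, sessions: dict):
    """Return the caller's role for a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = token_digest(auth[len("Bearer "):])
    for stored, role in sessions.items():
        if hmac.compare_digest(stored, presented):   # constant-time comparison
            return role
    return None


def handle_api_request(request: dict, sessions=SESSIONS, state=DEVICE_STATE):
    """Process one request dict and return (status_code, body)."""
    role = authenticate(request.get("headers", {}), sessions)
    if role is None:
        return 401, {"error": "authentication required"}
    action = request.get("action")
    if action not in PERMISSIONS or role not in PERMISSIONS[action]:
        return 403, {"error": "not authorized for this action"}
    params = request.get("params", {})
    if action == "rename":
        new_name = params.get("name", "")
        if not NAME_RE.match(new_name):
            return 400, {"error": "invalid device name"}
        state["name"] = new_name
    elif action == "reboot":
        state["uptime_s"] = 0   # constructed stand-in for scheduling a reboot
    # Output filtering: only allow-listed fields are serialised, never the Wi-Fi secret.
    return 200, {field: state[field] for field in PUBLIC_FIELDS}
```

Authorization is checked before any parameter is parsed, so an unauthenticated or under-privileged caller never reaches the input-handling code path, and unknown actions fall through to 403 rather than to a default branch.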
4. Lack of secure update mechanism
The lack of a mechanism to securely update the device includes the following:
- Lack of firmware validation on the device.
- Lack of secure update delivery (unencrypted data in transit).
- Lack of anti-rollback mechanisms, which prevent the downgrading of software to an older version.
- Lack of notifications of security changes due to updates.
Without a secure update mechanism, software and firmware updates can be subject to unauthorized modification of a system, a system component, its intended behavior, or its data, either at the source or in transit.
How to mitigate this risk: Ensure all updates are digitally signed and delivered through secure channels, and that the signature is verified before the update is applied. In addition, integrate mechanisms that stop attackers from rolling back updates, and inform users of any critical security updates that need to be applied immediately.
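The update flow below is an added example (not code from the original post or from OWASP) that puts the four points of this section in the order a device should apply them: verify the signature over the manifest before trusting anything in it, reject any version not newer than the installed one (anti-rollback, which also stops replay of an old signed image), verify the delivered image against the hash the signed manifest commits to, and surface a notice when the update is a security fix. The vendor key, images and version numbers are constructed; HMAC-SHA256 stands in for the signature only so the block runs with the standard library, whereas a real device verifies an asymmetric signature (for example Ed25519) with a public key so that the verification key cannot also sign.

```python
"""Signed firmware update with anti-rollback and security notices.

Added example, not code from the original post or from OWASP. The vendor key,
firmware images and version numbers are constructed. HMAC-SHA256 stands in for
the signature so the example runs with the standard library alone; a real
device verifies an asymmetric signature (e.g. Ed25519) with a public key, so
the verification key cannot be used to sign.
"""
import hashlib
import hmac
import json

VENDOR_KEY = b"constructed-vendor-signing-key"


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def build_update(version: int, image: bytes, security_fix: bool, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: the manifest binds the version and the image hash, then gets signed."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest(),
                "security_fix": security_fix}
    return {"manifest": manifest, "signature": sign_manifest(manifest, key), "image": image}


class Device:
    def __init__(self, installed_version: int, verify_key: bytes = VENDOR_KEY):
        self.installed_version = installed_version  # monotonic counter kept in protected storage
        self.verify_key = verify_key
        self.notices = []                            # messages surfaced to the user

    def apply_update(self, package: dict):
        """Return (accepted, reason). Nothing in the manifest is trusted before step 1."""
        manifest, signature, image = package["manifest"], package["signature"], package["image"]
        # 1. Signature check first: an unsigned or tampered manifest is rejected outright.
        if not hmac.compare_digest(sign_manifest(manifest, self.verify_key), signature):
            return False, "signature invalid"
        # 2. Anti-rollback: an older (or replayed) signed image must not be installed.
        if manifest["version"] <= self.installed_version:
            return False, "rollback rejected"
        # 3. The delivered image must match the hash the signed manifest commits to.
        if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), manifest["sha256"]):
            return False, "image hash mismatch"
        self.installed_version = manifest["version"]
        if manifest.get("security_fix"):
            self.notices.append(f"security update {manifest['version']} installed")
        return True, "installed"
```

The version counter only ever moves forward and the image hash is taken from the signed manifest rather than from the download metadata, so neither a downgrade nor a substituted image passes even if the transport channel is compromised; secure delivery over TLS is still assumed on top.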
5. Use of insecure or outdated components
Deprecated or insecure software components/libraries, as listed below, could lead to the overall compromise of the device:
- Insecure customization of operating systems.
- Third-party software or hardware components from a compromised supply chain.
- Injection of any type of weakness that can be used as an entry point for an attack.
- Legacy or outdated versions of software, which expose the device to well-known vulnerabilities that have since been patched.
Software components with known vulnerabilities that have not yet been patched should be avoided until they can be updated. Examples of deprecated or insecure software components can include the following:
- Bouncy Castle
How to mitigate this risk: Refrain from using legacy technology and replace it as quickly as possible. For legacy devices set up with insecure identities, add a security layer after deployment using a secure gateway, keep up with updates, and properly test new software before deploying it.
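To make "keep up with updates" checkable at build time, the added example below (not code from the original post) compares a firmware image's component list against a table of the lowest version that carries each fix, and reports components that are below it or that have no advisory data at all. The component names, versions and the fixed-version table are constructed for the demo and are not real advisory data; the version parser handles the numeric-with-suffix forms common in embedded images (such as `1.1.1w` or `2022.83`).

```python
"""Flag outdated or unreviewed software components from a device's component list.

Added example, not code from the original post. The advisory table (lowest
version that carries the fix) and the bill of materials are constructed and
are not real advisory data.
"""
import re

# Constructed: component -> first version in which the known issue is fixed.
FIXED_IN = {
    "busybox": "1.36.1",
    "openssl": "3.0.13",
    "dropbear": "2022.83",
}
# Constructed bill of materials as read from a firmware image.
FIRMWARE_BOM = [
    {"name": "busybox", "version": "1.35.0"},
    {"name": "openssl", "version": "3.0.13"},
    {"name": "dropbear", "version": "2020.81"},
    {"name": "libfoo", "version": "0.9"},
]

_PART = re.compile(r"(\d+)([A-Za-z]*)")


def parse_version(text: str) -> tuple:
    """Turn '1.1.1w' into ((1,''),(1,''),(1,'w')) so tuples compare numerically, then by suffix."""
    parts = []
    for piece in text.split("."):
        m = _PART.fullmatch(piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def audit_components(bom: list, fixed_in: dict = FIXED_IN) -> list:
    """Return findings: 'outdated' when below the fixed version, 'unreviewed' when
    the component has no advisory data at all (silence is not the same as safe)."""
    findings = []
    for comp in bom:
        name, version = comp["name"].lower(), comp["version"]
        if name not in fixed_in:
            findings.append({"name": name, "version": version, "status": "unreviewed"})
            continue
        if parse_version(version) < parse_version(fixed_in[name]):
            findings.append({"name": name, "version": version, "status": "outdated",
                             "fixed_in": fixed_in[name]})
    return findings
```

Treating an unreviewed component as a finding rather than ignoring it is the important design choice: a component missing from the advisory table has not been assessed, which is a different state from "no known issues".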
6. Insufficient privacy protection
Users' personal information stored on the device or within the ecosystem is used insecurely, improperly, or without permission. Privacy protection is a critical compliance risk for many standards, including the following:
- GDPR, or General Data Protection Regulation, which requires businesses to protect the personal data and privacy of European Union (E.U.) citizens for transactions occurring within their member states.
- PCI-DSS, or the Payment Card Industry Data Security Standard, which requires any business processing, storing, or transmitting credit card information to protect cardholders’ data.
Examples of insufficient privacy protection include insecure local data storage and the unauthorized collection and storage of personal data.
How to mitigate this risk: Ensure that any personal data is collected with the user's permission and stored securely using encryption. In addition, ensure that local data storage is encrypted and that access to it is restricted to those who need it.
7. Insecure data transfer and storage
Lack of encryption or proper access control for sensitive data at any phase within the ecosystem, including at rest, in transit, or during processing. Examples of insecure data transfer and storage can include the following:
- Sending data over an unsecured network connection without encryption.
- Storing data in an unencrypted database or file.
- Failing to properly restrict access to sensitive data based on a need-to-know or role-based access.
- Not verifying the integrity of stored data, resulting in possible tampering or corruption.
How to mitigate this risk: Restrict access to sensitive data and ensure that all sensitive data is encrypted at rest, in transit, and during processing.
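The store below is an added example (not code from the original post) covering the two at-rest points in this section that the standard library can demonstrate directly: role-based access to each stored record (default deny for unknown records) and an integrity tag over every record so that tampering with the backing file is detected on read. The storage key, roles and records are constructed assumptions. Python's standard library has no authenticated cipher, so the confidentiality step (encrypting the value with an AEAD such as AES-GCM from a crypto library before sealing it) is assumed rather than shown.

```python
"""Tamper-evident, access-controlled storage for sensitive device data.

Added example, not code from the original post. The storage key, roles and
records are constructed. The standard library has no authenticated cipher, so
this block covers integrity (an HMAC tag over every record) and access
restriction; in production the value is additionally encrypted with an AEAD
such as AES-GCM from a crypto library, which is assumed and not shown here.
"""
import hashlib
import hmac
import json

# Constructed: on a real device this key lives in a secure element or keystore.
STORAGE_KEY = b"constructed-device-storage-key"

# Constructed role table: which roles may read or write each record (unknown records: deny).
ACCESS = {
    "wifi_credentials": {"read": {"network_service"}, "write": {"admin"}},
    "telemetry": {"read": {"network_service", "analytics"}, "write": {"sensor_service"}},
}


class TamperError(Exception):
    """Raised when a stored record no longer matches its integrity tag."""


class SealedStore:
    def __init__(self, key: bytes = STORAGE_KEY):
        self._key = key
        self._records = {}   # name -> (payload_json, tag); stands in for the on-disk file

    def _tag(self, name: str, payload: str) -> str:
        # Bind the tag to the record name so a valid tag cannot be moved between records.
        return hmac.new(self._key, f"{name}\0{payload}".encode(), hashlib.sha256).hexdigest()

    def write(self, role: str, name: str, value) -> None:
        if role not in ACCESS.get(name, {}).get("write", set()):
            raise PermissionError(f"{role} may not write {name}")
        payload = json.dumps(value, sort_keys=True)
        self._records[name] = (payload, self._tag(name, payload))

    def read(self, role: str, name: str):
        if role not in ACCESS.get(name, {}).get("read", set()):
            raise PermissionError(f"{role} may not read {name}")
        payload, tag = self._records[name]
        if not hmac.compare_digest(self._tag(name, payload), tag):
            raise TamperError(f"record {name} failed integrity check")
        return json.loads(payload)

    def corrupt_on_disk(self, name: str, payload: str) -> None:
        """Constructed for the demo: simulate a fault or an edit of the backing
        file made without the key, leaving the old tag in place."""
        _, tag = self._records[name]
        self._records[name] = (payload, tag)
```

The access check runs before the integrity check so that a caller without read permission learns nothing about whether the record exists or is intact, and the tag covers the record name as well as the payload.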
8. Lack of device management
Lack of security support for devices deployed in production environments, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities. Examples of a lack of device management can include the following:
- Failing to track or monitor devices.
- Not having the ability to remotely update or patch devices.
- Lack of visibility into devices and their configurations.
- Inability to properly decommission a device when it is no longer needed, resulting in orphaned devices that could still be used to access sensitive data or networks.
- Not having systems in place to detect and respond to security incidents.
How to mitigate this risk: Implement proper device management protocols, including asset tracking, update and patch management, secure decommissioning, systems monitoring, and response capabilities.
9. Insecure default settings
Devices or systems shipped with insecure default settings, or that cannot be made more secure because operators are prevented from changing them. Examples of insecure default settings include default passwords that are either well-known or easily guessed, the use of hardcoded or easily guessable default administrative credentials, or the lack of proper access control mechanisms, such as not requiring strong authentication for administrator accounts.
How to mitigate this risk: Ensure that all devices and systems are deployed with secure default settings and that administrators are properly trained on how to configure them securely. In addition, manufacturers should provide guidance on how to securely configure their products.
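As an added example (not code from the original post), the baseline check below places a weak factory configuration beside its hardened counterpart and runs a rule set over each, so a build can be gated on shipping with secure defaults rather than relying on the operator to fix them later. Both configuration dicts, the key names and the rules are constructed and illustrative, not a real product's settings.

```python
"""Baseline check for a device's shipped (default) configuration.

Added example, not code from the original post. Both configuration dicts and
the rule set are constructed; the keys are illustrative, not a real product's.
"""

# Constructed: a configuration of the kind many devices still ship with.
WEAK_FACTORY_CONFIG = {
    "admin_password": "admin",
    "force_password_change_on_first_login": False,
    "remote_admin_on_wan": True,
    "telnet_enabled": True,
    "upnp_enabled": True,
    "auto_update": False,
    "tls_min_version": "1.0",
    "admin_mfa_required": False,
    "settings_locked": True,          # operator cannot change the settings above
}

# Constructed: the same product with secure defaults.
HARDENED_FACTORY_CONFIG = {
    "admin_password": "per-device-random",   # placeholder: unique per unit, printed on the label
    "force_password_change_on_first_login": True,
    "remote_admin_on_wan": False,
    "telnet_enabled": False,
    "upnp_enabled": False,
    "auto_update": True,
    "tls_min_version": "1.2",
    "admin_mfa_required": True,
    "settings_locked": False,
}

KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "1234", "root"}

# Each rule: (description, predicate that returns True when the config VIOLATES it).
RULES = [
    ("admin password is a well-known default",
     lambda c: c["admin_password"].lower() in KNOWN_DEFAULT_PASSWORDS),
    ("first login does not force a password change",
     lambda c: not c["force_password_change_on_first_login"]),
    ("management interface reachable from the WAN",
     lambda c: c["remote_admin_on_wan"]),
    ("telnet enabled", lambda c: c["telnet_enabled"]),
    ("UPnP enabled", lambda c: c["upnp_enabled"]),
    ("automatic security updates disabled", lambda c: not c["auto_update"]),
    ("TLS below 1.2 accepted",
     lambda c: tuple(int(x) for x in c["tls_min_version"].split(".")) < (1, 2)),
    ("no MFA on administrator accounts", lambda c: not c["admin_mfa_required"]),
    ("operators cannot change security settings", lambda c: c["settings_locked"]),
]


def validate_defaults(config: dict) -> list:
    """Return the descriptions of every baseline rule the configuration violates."""
    return [description for description, violated in RULES if violated(config)]


def release_gate(config: dict) -> bool:
    """True only when a firmware build may ship with this default configuration."""
    return not validate_defaults(config)
```

The last rule is the one this section singles out: a locked-down configuration that operators cannot change is itself a finding, because it turns every other insecure default into a permanent one.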
10. Lack of physical hardening
Lack of physical hardening measures, allowing potential attackers to obtain sensitive information that could be leveraged to launch a future remote attack or to take local control of the device. Examples of a lack of physical hardening can include the following:
- Not using tamper-resistant hardware.
- Using easily guessable or default passwords for physical access control mechanisms, such as locks and keys.
- Failing to properly protect devices from unauthorized physical access, resulting in possible tampering, theft, or destruction of the device.
How to mitigate this risk: Implement physical security controls to protect devices from unauthorized access, tampering, theft, or destruction. These controls can include the use of tamper-resistant hardware.
Mitigating IoT device security vulnerabilities is a complex task that requires a multi-faceted approach. Manufacturers need to take into account the OWASP IoT Top 10 risks when designing and developing their products and should consider implementing security controls to mitigate these risks early in the process. Conducting regular IoT penetration tests in a variety of contexts, from your mobile application’s security to your cloud-hosted APIs, will help you keep your IoT network secure.
Contact us if you need help improving your IoT device security.