IOT

Use of :

• Easily bruteforced

• Publicly available

• Unchangeable credentials

Including backdoors in firmware or client software that grants unauthorized access.

Unneeded or insecure network services running on the device itself, especially:

• Those exposed to the Internet

• Any that compromise the confidentiality, integrity/authenticity, or availability of information

• Any service that allows unauthorized remote control

See OWASP TOP 10, insecure interfaces in the ecosystem outside the device :

• Web

• Backend API

• Cloud

• Mobile

Common issues :

• Lack of authentication

• Lack of authorization

• Lacking or weak encryption

• Lack of input and output filtering

Lack of ability to securely update the device.

• Lack of firmware validation on device

• Lack of secure delivery (un-encrypted in transit)

• Lack of anti-rollback mechanisms

• Lack of notifications of security changes due to updates

Use of deprecated or insecure software components/libraries that could allow the device to be compromised.

• Insecure customization of operating system platforms

• Third-party software libraries from a compromised supply chain

• Third-party hardware components from a compromised supply chain

Examples : HeartBleed, Spectre, Meltdown

User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.

Examples : location, emails, addresses.

Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.

Examples : lack of HSTS, no disk encryption

Examples : no update mechanism, no logging.

Bad filesystem permissions

Exposed services running as root

Easily Available Debug Port Discovery