Many of us know and rely upon the well-known OWASP Top 10, the vetted list of the most critical web application security risks. First published in 2003, the OWASP Top 10 is commonly referenced in other security standards and protocols which contain a software development component, including Payment Card Industry – Data Security Standard (PCI-DSS), the Center for Internet Security (CIS), the Cloud Security Alliance (CSA) and the National Institute for Standards and Technology (NIST).
OWASP has now published a new project that is very timely for an emerging technology – the OWASP Internet of Things (IoT) Top 10 2018. According to the group’s web site, the “OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying or assessing IoT technologies.” Its goal is to be a single, unified list of risks, threats and vulnerabilities to avoid for the primary stakeholders in the IoT space.
Note: For an excellent deep dive into what constitutes the Internet of Things, check out the IEEE publication Towards a definition of the Internet of Things (IoT).
With the increasing number of security breaches and incidents related to IoT, this list is most welcome. Let’s take a brief look at the new OWASP Top 10 for IoT.
- Weak, Guessable, or Hardcoded Passwords – this vulnerability opens up the possibility of brute force attacks, as well as backdoor access to systems and data on the device and in the network ecosystem.
- Insecure Network Services – specifically, network services on the device that are not needed or are not secured properly and which undermine the confidentiality, integrity, and availability (CIA triad) of information.
- Insecure Ecosystem Interfaces – related to the use of interfaces to which the device connects, this risk involves web, backend API, cloud and mobile interfaces and leaves the systems vulnerable to sensitive data exposure.
- Lack of Secure Update Mechanisms – this vulnerability results in devices which are unable to securely update or securely rollback, and do not notify the user of the security impacts of updates.
- Use of Insecure or Outdated Components – this threat comes from the failure to obtain software components or libraries from reliable supply chains, or from insecure customizations of operating system platforms, and leaves the device vulnerable to Remote Code Execution (RCE) and data breaches.
- Insufficient Privacy Protection – this vulnerability is specific to the user’s data on the device that the user may not realize is being captured or that is not properly protected from misuse or loss.
- Insecure Data Transfer and Storage – this risk come from the failure to protect data at all stages – at rest, in transit and during processing – and is often the result of poor or missing data encryption.
- Lack of Device Management – this vulnerability is via a device that is in production and is not securely supported through protocols such as asset management and decommissioning, update management and system monitoring.
- Insecure Default Settings – this risk includes the device, the software on the device, as well as the network ecosystem into which the device is promoted to production. It may involve a failure to change the default settings or not allow changes to be made to security configurations.
- Lack of Physical Hardening – a failure to adequately address advanced security measures to “harden” the device or its network ecosystem to limit outside access to systems data that could be used in a remote attack or to take control of the device.
If you are getting a sense of déjà vu while reading this list, then you are most likely very familiar with the OWASP Top 10 for Web Application Security. A number of the items on the list are ones that are directly correlated to risks in application development. This makes perfect sense since there is a software component to IoT. This means the IoT has the same risks for common issues such as malware or denial of service attacks.
We also see there are risks, vulnerabilities and threats that are specific to the hardware device and the networks with which it interfaces. This is what makes securing the IoT so challenging. There is a large attack surface to be protected and there are multiple threat vectors which must be addressed. These issues are made worse due to the pressure to get new IoT devices to market as quickly as possible. We are seeing shortcuts taken in coding and testing which leave these devices vulnerable at multiple points. With the capturing of biometric data by a number of these devices, these risks are even more critical.
If your organization is involved in the development, manufacturing, testing or deployment of IoT devices, or the creation, maintenance and support of the network ecosystems on which these devices run, be sure to share this list with your teams. It is a good idea to review and address these issues as part of your product development and management strategies.
If you are a consumer who uses these devices, you should become familiar with the risks which may be inherent in this new technology and choose devices which allow you to set their security profile. Choose wisely when purchasing these devices and always consider the information they may be collecting and sharing about you. Remember, you are the best advocate for your digital identity and its security.