# Real World Implications of OWASP IoT Top 10 2018

This paper shows the relevance of the **OWASP IoT Top 10 2018** list and provides examples of vulnerable devices that, in one way or another, fall under the list.

## Timeline

```mermaid
gantt
    title OWASP IoT Top 10 Journey
    section OWASP
    IoT Top 10 2014 :a1, 2014-01-01, 2018-01-12
    IoT Top 10 2018 : 2018-01-12, 2019-04-14
```

# OWASP IoT Top 10

- Insecure Web Interface
- Insufficient Authentication/Authorization
- Insecure Network Services
- Lack of Transport Encryption/Integrity Verification
- Privacy Concerns
- Insecure Cloud Interface
- Insecure Mobile Interface
- Insufficient Security Configurability
- Insecure Software/Firmware
- Poor Physical Security

## OWASP IoT Initiative

```graphviz
digraph {
    compound=true
    rankdir=RL
    graph [ fontname="Source Sans Pro", fontsize=20 ];
    node  [ fontname="Source Sans Pro", fontsize=18 ];
    edge  [ fontname="Source Sans Pro", fontsize=12 ];

    // Weakness catalogue feeding the initiative
    subgraph core {
        c [label="Vulnerabilities \n(CWEs)", shape=box]
    }

    // compound=true lets the edge stop at the cluster border
    c -> sync [lhead=cluster1]

    subgraph cluster1 {
        concentrate=true
        a    [label="Developers,\nCustomers, Manufacturers, ...", shape=box]
        b    [label="Infosec Community", shape=box]
        sync [label="IoT Devices", shape=plaintext]
        b -> sync [dir="both"]
        sync -> a [dir="both"]
        label="OWASP IoT 2018"
    }
}
```

# Correlating CWE(s) w/ OWASP IoT Top 10

- **Insecure Web Interface**: **[CWE-20](https://cwe.mitre.org/data/definitions/20.html)**, **[CWE-89](https://cwe.mitre.org/data/definitions/89.html)**, **[CWE-601](https://cwe.mitre.org/data/definitions/601.html)**, **[CWE-598](https://cwe.mitre.org/data/definitions/598.html)**, **[CWE-650](https://cwe.mitre.org/data/definitions/650.html)**, **[CWE-79](https://cwe.mitre.org/data/definitions/79.html)**, **[CWE-352](https://cwe.mitre.org/data/definitions/352.html)**
- **Insufficient Authentication/Authorization**: **[CWE-276](https://cwe.mitre.org/data/definitions/276.html)**, **[CWE-521](https://cwe.mitre.org/data/definitions/521.html)**, **[CWE-312](https://cwe.mitre.org/data/definitions/312.html)**, **[CWE-287](https://cwe.mitre.org/data/definitions/287.html)**, **[CWE-284](https://cwe.mitre.org/data/definitions/284.html)**, **[CWE-259](https://cwe.mitre.org/data/definitions/259.html)**, **[CWE-598](https://cwe.mitre.org/data/definitions/598.html)**
- **Insecure Network Services**: **[CWE-120](https://cwe.mitre.org/data/definitions/120.html)**, **[CWE-284](https://cwe.mitre.org/data/definitions/284.html)**, **[CWE-20](https://cwe.mitre.org/data/definitions/20.html)**
- **Lack of Transport Encryption/Integrity Verification**: **[CWE-201](https://cwe.mitre.org/data/definitions/201.html)**, **[CWE-327](https://cwe.mitre.org/data/definitions/327.html)**, **[CWE-300](https://cwe.mitre.org/data/definitions/300.html)**, **[CWE-200](https://cwe.mitre.org/data/definitions/200.html)**, **[CWE-319](https://cwe.mitre.org/data/definitions/319.html)**
- **Privacy Concerns**: **[CWE-200](https://cwe.mitre.org/data/definitions/200.html)**, **[CWE-359](https://cwe.mitre.org/data/definitions/359.html)**
- **Insecure Cloud Interface**: **[CWE-287](https://cwe.mitre.org/data/definitions/287.html)**, **[CWE-307](https://cwe.mitre.org/data/definitions/307.html)**, **[CWE-359](https://cwe.mitre.org/data/definitions/359.html)**, **[CWE-598](https://cwe.mitre.org/data/definitions/598.html)**, **[CWE-319](https://cwe.mitre.org/data/definitions/319.html)**
- **Insecure Mobile Interface**: **[CWE-312](https://cwe.mitre.org/data/definitions/312.html)**, **[CWE-287](https://cwe.mitre.org/data/definitions/287.html)**, **[CWE-359](https://cwe.mitre.org/data/definitions/359.html)**, **[CWE-284](https://cwe.mitre.org/data/definitions/284.html)**, **[CWE-613](https://cwe.mitre.org/data/definitions/613.html)**, **[CWE-319](https://cwe.mitre.org/data/definitions/319.html)**
- **Insufficient Security Configurability**: **[CWE-15](https://cwe.mitre.org/data/definitions/15.html)**, **[CWE-521](https://cwe.mitre.org/data/definitions/521.html)**, **[CWE-295](https://cwe.mitre.org/data/definitions/295.html)**, **[CWE-269](https://cwe.mitre.org/data/definitions/269.html)**, **[CWE-285](https://cwe.mitre.org/data/definitions/285.html)**
- **Insecure Software/Firmware**: **[CWE-15](https://cwe.mitre.org/data/definitions/15.html)**, **[CWE-798](https://cwe.mitre.org/data/definitions/798.html)**, **[CWE-295](https://cwe.mitre.org/data/definitions/295.html)**
- **Poor Physical Security**: **[CWE-284](https://cwe.mitre.org/data/definitions/284.html)**, **[CWE-20](https://cwe.mitre.org/data/definitions/20.html)**

## Common Weakness Enumeration (CWE) List Version 1.0

- **[CWE-201: Information Exposure Through Sent Data](https://cwe.mitre.org/data/definitions/201.html)**
- **[CWE-601: URL Redirection to Untrusted Site ('Open Redirect')](https://cwe.mitre.org/data/definitions/601.html)**
- **[CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')](https://cwe.mitre.org/data/definitions/300.html)**
- **[CWE-285: Improper Authorization](https://cwe.mitre.org/data/definitions/285.html)**
- **[CWE-319: Cleartext Transmission of Sensitive Information](https://cwe.mitre.org/data/definitions/319.html)**
- **[CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](https://cwe.mitre.org/data/definitions/79.html)**
- **[CWE-15: External Control of System or Configuration Setting](https://cwe.mitre.org/data/definitions/15.html)**
- **[CWE-20: Improper Input Validation](https://cwe.mitre.org/data/definitions/20.html)**
- **[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](https://cwe.mitre.org/data/definitions/89.html)**
- **[CWE-312: Cleartext Storage of Sensitive Information](https://cwe.mitre.org/data/definitions/312.html)**
- **[CWE-307: Improper Restriction of Excessive Authentication Attempts](https://cwe.mitre.org/data/definitions/307.html)**
- **[CWE-359: Exposure of Private Information ('Privacy Violation')](https://cwe.mitre.org/data/definitions/359.html)**
- **[CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html)**
- **[CWE-200: Information Exposure](https://cwe.mitre.org/data/definitions/200.html)**
- **[CWE-259: Use of Hard-coded Password](https://cwe.mitre.org/data/definitions/259.html)**
- **[CWE-650: Trusting HTTP Permission Methods on the Server Side](https://cwe.mitre.org/data/definitions/650.html)**
- **[CWE-352: Cross-Site Request Forgery (CSRF)](https://cwe.mitre.org/data/definitions/352.html)**
- **[CWE-276: Incorrect Default Permissions](https://cwe.mitre.org/data/definitions/276.html)**
- **[CWE-521: Weak Password Requirements](https://cwe.mitre.org/data/definitions/521.html)**
- **[CWE-287: Improper Authentication](https://cwe.mitre.org/data/definitions/287.html)**
- **[CWE-327: Use of a Broken or Risky Cryptographic Algorithm](https://cwe.mitre.org/data/definitions/327.html)**
- **[CWE-598: Information Exposure Through Query Strings in GET Request](https://cwe.mitre.org/data/definitions/598.html)**
- **[CWE-613: Insufficient Session Expiration](https://cwe.mitre.org/data/definitions/613.html)**
- **[CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')](https://cwe.mitre.org/data/definitions/120.html)**
- **[CWE-798: Use of Hard-coded Credentials](https://cwe.mitre.org/data/definitions/798.html)**
- **[CWE-295: Improper Certificate Validation](https://cwe.mitre.org/data/definitions/295.html)**
- **[CWE-269: Improper Privilege Management](https://cwe.mitre.org/data/definitions/269.html)**

# Mapping of the IoT Top 10 (2014 vs 2018)

![](https://www.owasp.org/images/thumb/f/f0/2014_2018Mapping.png/1119px-2014_2018Mapping.png)

# Examples of OWASP IoT Top 10 2018 List in Real World :fork_and_knife:

| Type | Name of device | CWE | Security Impact | References |
|------|----------------|-----|-----------------|------------|
| I1 | AXIS Cameras | CWE-20: Improper Input Validation | An attacker can edit any file in the operating system with root privileges. | https://www.exploit-db.com/exploits/41625 |
| I1 | Routers D-Link DIR-300 | CWE-352: Cross-Site Request Forgery (CSRF) | An attacker can change the admin's password and get root privileges. | http://seclists.org/fulldisclosure/2016/Nov/1 |
| I1 | Loxone Smart Home | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | All device functions can be controlled via web-based commands by an attacker. | https://seclists.org/fulldisclosure/2015/May/55 |
| I2 | In-Flight Entertainment Systems | CWE-287: Improper Authentication | An attacker can control the means of informing passengers; for example, it is possible to spoof flight information values such as altitude or speed. | http://blog.ioactive.com/2016/12/in-flight-hacking-system.html |
| I2 | DBPOWER U818A WIFI quadcopter drone | CWE-276: Incorrect Default Permissions | An attacker can read files from the device; for example, images and videos. | https://www.kb.cert.org/vuls/id/334207 |
| I3 | Hikvision Wi-Fi IP Camera | CWE-284: Improper Access Control | An attacker can remotely exploit or disable the camera. | http://seclists.org/fulldisclosure/2017/Nov/43 |
| I3 | Implantable Cardiac Device | CWE-284: Improper Access Control | An attacker can modify programming commands to the implanted device, which may result in rapid battery depletion and/or administration of inappropriate pacing or shocks. | https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm535843.htm |
| I4 | Samsung Smart TV | CWE-200: Information Exposure | An attacker can monitor the wireless network and conduct a brute-force guessing attack to recover the key and decrypt the traffic. | https://securitytracker.com/id/1034504 |
| I4 | DJI Spark drone | CWE-327: Use of a Broken or Risky Cryptographic Algorithm | An attacker can obtain access to the settings of the device. | https://embedi.org/blog/dji-spark-hijacking/ |
| I5 | iBaby M6 baby monitor | CWE-359: Exposure of Private Information ('Privacy Violation') | An attacker can view any user's information, including video recording details. | https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf |
| I6 | Western Digital My Cloud | CWE-287: Improper Authentication | An attacker can get full control over the device. | https://www.securify.nl/advisory/SFY20170102/authentication_bypass_vulnerability_in_western_digital_my_cloud.html |
| I7 | Fitness trackers (Fitbit, Apple, Xiaomi, Garmin, Samsung and others) | CWE-319: Cleartext Transmission of Sensitive Information | An attacker can spy on fitness tracker users. | https://openeffect.ca/fitness-tracker-privacy-and-security/ |
| I7 | Segway Ninebot | CWE-359: Exposure of Private Information ('Privacy Violation') | An attacker can gain access to a user's geolocation. | https://www.ioactive.com/pdfs/IOActive-Security-Advisory-Ninebot-Segway-miniPRO_Final.pdf |
| I8 | Smart Nest Thermostat | CWE-269: Improper Privilege Management | An unauthorized attacker can access the Nest account. | http://www.blackhat.com/docs/us-14/materials/us-14-Jin-Smart-Nest-Thermostat-A-Smart-Spy-In-Your-Home.pdf |
| I8 | ADSL device ZTE ZXDSL | CWE-15: External Control of System or Configuration Setting | An attacker can reset the configuration of the device. | https://blogs.securiteam.com/index.php/archives/3546 |
| I9 | Devices by GeoVision | CWE-295: Improper Certificate Validation | An attacker can update the firmware and get full control over the device. | http://seclists.org/fulldisclosure/2018/Feb/5 |
| I9 | iSmartAlarm | CWE-295: Improper Certificate Validation | An attacker can get a user's passwords or personal data. | http://seclists.org/fulldisclosure/2017/Jul/19 |
| I10 | Baby monitors Mi-Cam | CWE-284: Improper Access Control | An attacker can spy on users. | https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html |
| I10 | Router TP-Link | CWE-284: Improper Access Control | An attacker can obtain root privileges and make the device part of a botnet. | http://konukoii.com/blog/2018/02/16/5-min-tutorial-root-via-uart/ |

### Wrap up

- IoT devices are very vulnerable
- Most of the vulnerabilities belong to application security and can be correlated with CWEs
- ***OWASP IoT Initiative Rocks*** :fire:

#### Thank you! :tada:

### References

1. CWE - CWE-928: Weaknesses in OWASP Top Ten (2013) (3.2): https://cwe.mitre.org/data/definitions/928.html
2. CWE - CWE-809: Weaknesses in OWASP Top Ten (2010) (3.2): https://cwe.mitre.org/data/definitions/809.html
3. CWE - CWE-629: Weaknesses in OWASP Top Ten (2007) (3.2): https://cwe.mitre.org/data/definitions/629.html
4. CWE - CWE-711: Weaknesses in OWASP Top Ten (2004) (3.2): https://cwe.mitre.org/data/definitions/711.html

:::info
**Find this document incomplete? :arrow_right_hook: @0x48piraj**
:::

###### TAGS : `Documentation` `IoT` `OWASP` `Security` `vulnerabilities`
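The category-to-CWE correlation, the CWE list and the real-world table above, encoded as data so the wrap-up claim that the vulnerabilities "can be correlated" can be checked rather than asserted: the script verifies that the CWE list is exactly the union of the per-category CWE sets, that every table row's CWE is one the correlation assigns to that row's category, and which CWEs recur across categories and devices. This is an added example and not part of the original slides or of OWASP's material; the category keys `I1` to `I10`, the shortened device names and all function names are this example's own shorthand, while the CWE numbers are transcribed from the slides.

```python
"""Added example (not part of the original slides): the OWASP IoT Top 10 -> CWE
correlation and the real-world examples table as data, plus consistency checks.
Category keys I1..I10 and short device names are this example's own shorthand;
the CWE numbers are transcribed from the slides."""
from collections import Counter, defaultdict

# Category -> CWE ids, transcribed from the "Correlating CWE(s)" slide.
CATEGORY_CWES = {
    "I1": {20, 89, 601, 598, 650, 79, 352},     # Insecure Web Interface
    "I2": {276, 521, 312, 287, 284, 259, 598},  # Insufficient Authentication/Authorization
    "I3": {120, 284, 20},                       # Insecure Network Services
    "I4": {201, 327, 300, 200, 319},            # Lack of Transport Encryption/Integrity Verification
    "I5": {200, 359},                           # Privacy Concerns
    "I6": {287, 307, 359, 598, 319},            # Insecure Cloud Interface
    "I7": {312, 287, 359, 284, 613, 319},       # Insecure Mobile Interface
    "I8": {15, 521, 295, 269, 285},             # Insufficient Security Configurability
    "I9": {15, 798, 295},                       # Insecure Software/Firmware
    "I10": {284, 20},                           # Poor Physical Security
}

# The "Common Weakness Enumeration (CWE) List Version 1.0" slide.
CWE_LIST = {201, 601, 300, 285, 319, 79, 15, 20, 89, 312, 307, 359, 284, 200,
            259, 650, 352, 276, 521, 287, 327, 598, 613, 120, 798, 295, 269}

# Real-world examples table as (category, device, CWE); device names shortened.
REAL_WORLD = [
    ("I1", "AXIS Cameras", 20), ("I1", "D-Link DIR-300", 352), ("I1", "Loxone Smart Home", 79),
    ("I2", "In-Flight Entertainment", 287), ("I2", "DBPOWER U818A drone", 276),
    ("I3", "Hikvision IP Camera", 284), ("I3", "Implantable Cardiac Device", 284),
    ("I4", "Samsung Smart TV", 200), ("I4", "DJI Spark drone", 327),
    ("I5", "iBaby M6", 359),
    ("I6", "WD My Cloud", 287),
    ("I7", "Fitness trackers", 319), ("I7", "Segway Ninebot", 359),
    ("I8", "Nest Thermostat", 269), ("I8", "ZTE ZXDSL", 15),
    ("I9", "GeoVision devices", 295), ("I9", "iSmartAlarm", 295),
    ("I10", "Mi-Cam baby monitor", 284), ("I10", "TP-Link router", 284),
]


def list_vs_correlation():
    """Return (referenced_but_unlisted, listed_but_unmapped).

    Both sets are empty exactly when the CWE list slide and the correlation
    slide agree, i.e. the list is the union of the per-category sets."""
    union = set().union(*CATEGORY_CWES.values())
    return union - CWE_LIST, CWE_LIST - union


def categories_per_cwe():
    """Map each CWE to the categories it is correlated with, most shared first.

    A CWE under several categories is one weakness class surfacing on several
    attack surfaces, which is the sense in which the slides say the
    vulnerabilities can be correlated."""
    cats = defaultdict(list)
    for cat, cwes in CATEGORY_CWES.items():   # insertion order I1..I10
        for cwe in sorted(cwes):
            cats[cwe].append(cat)
    return dict(sorted(cats.items(), key=lambda kv: (-len(kv[1]), kv[0])))


def inconsistent_rows():
    """Rows whose CWE the correlation slide does not assign to that row's
    category; empty when the table is consistent with the correlation."""
    return [row for row in REAL_WORLD if row[2] not in CATEGORY_CWES[row[0]]]


def real_world_cwe_frequency():
    """CWEs ranked by how many real-world rows cite them."""
    return Counter(cwe for _, _, cwe in REAL_WORLD).most_common()


if __name__ == "__main__":
    unlisted, unmapped = list_vs_correlation()
    print("Used by the correlation but missing from the list:", sorted(unlisted) or "none")
    print("In the list but mapped to no category:", sorted(unmapped) or "none")
    print("Table rows inconsistent with the correlation:", inconsistent_rows() or "none")
    for cwe, cats in categories_per_cwe().items():
        if len(cats) > 1:
            print(f"CWE-{cwe} spans {len(cats)} categories: {', '.join(cats)}")
    print("Most cited in the real-world table:", real_world_cwe_frequency()[:3])
```

Run stand-alone it reports that the two slides agree, that every table row is consistent, and that CWE-284 (Improper Access Control) is the most widely shared weakness: it sits under four categories and is cited by four of the nineteen devices. Extending the table is a matter of appending rows; `inconsistent_rows()` then flags any row whose CWE the correlation slide does not cover for that category.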