owasp top 10
IoT Intro ..!
IoT is simply the network of interconnected things/devices that are
embedded with sensors, software, network connectivity and the necessary
electronics, which enable them to collect and exchange data and so
respond to their environment.
IoT Component..!
1. Hardware
2. Software
3. Communication Infrastructure
Attack surface of an IoT deployment:
1. IoT mobile application,
2. cloud APIs,
3. communication and protocols,
4. embedded hardware and firmware.
Main IoT Security Testing
1. Insecure Web Interface
2. Insufficient Authentication/Authorization
3. Insecure Network Services
4. Lack of Transport Encryption
5. Privacy Concerns
6. Insecure Cloud Interface
7. Insecure Mobile Interface
8. Insufficient Security Configurability
9. Insecure Software/Firmware
10. Poor Physical Security
OWASP Top 10 IoT:
What are they ..?
1. Web login pages
2. CCTV DVR login pages
still working on this..!
I1. Insecure Web Interface
..Weak credentials
..Weak passwords
..Capture plaintext credentials
..Internal and external vulnerability
I2. Insufficient Authentication/Authorization
..Weak passwords
..Weak password recovery
..Poorly protected credentials
..Internal and external vulnerability
I3. Insecure Network Services:
.. Attack vulnerable network services
.. Attack device itself
.. Bounce attacks off of the device
.. Buffer overflow attacks for Denial of Service
.. Sniffers and fuzzers and Scanners
Common Ports for Internet-facing Devices:
Telnet -- 23
FTP -- 21
Finger -- 79
TFTP -- 69
SMB -- 445
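An added example (mine, not from the slides) of how a defender turns the port list above into an inventory check for I3: given a host-to-open-ports map exported from a scan of devices you own, it flags every legacy or cleartext service from the list and pairs it with a remediation. The service descriptions, the remediation text and the sample inventory are my own constructed annotations, not from the page.

```python
from dataclasses import dataclass

# Ports from the slide, each with the reason its exposure is a finding
# and the usual remediation (annotations are mine, not from the page).
LEGACY_SERVICES = {
    21: ("FTP", "credentials and files travel in cleartext", "replace with SFTP or disable"),
    23: ("Telnet", "remote shell with cleartext credentials", "replace with SSH or disable"),
    69: ("TFTP", "no authentication; often serves configs and firmware",
         "disable, or allow only on an isolated provisioning VLAN"),
    79: ("Finger", "reveals user and login information", "disable"),
    445: ("SMB", "file sharing; large remotely reachable attack surface",
          "restrict to trusted networks or disable"),
}


@dataclass
class Finding:
    host: str
    port: int
    service: str
    reason: str
    remediation: str


def audit_open_ports(host, open_ports):
    """Return a Finding for every open port that belongs to a legacy or cleartext service."""
    findings = []
    for port in sorted(open_ports):
        if port in LEGACY_SERVICES:
            service, reason, remediation = LEGACY_SERVICES[port]
            findings.append(Finding(host, port, service, reason, remediation))
    return findings


def audit_inventory(inventory):
    """inventory: {hostname: set of open TCP ports}, as exported from an authorised scan."""
    return {host: audit_open_ports(host, ports) for host, ports in inventory.items()}


# Constructed sample inventory (not real devices) in the shape a scan export would give.
SAMPLE_INVENTORY = {
    "cctv-dvr-01": {23, 80, 554},
    "gateway-02": {22, 443},
    "nas-03": {21, 445, 8080},
}

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for f in findings:
            print(f"{f.host}: {f.service}/{f.port} open: {f.reason}; {f.remediation}")
```

Running the demo inventory reports Telnet on the DVR and FTP plus SMB on the NAS, while the gateway (SSH and HTTPS only) is clean; the same function can be fed the open-port map from whatever scanner the team already uses.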
I4. Lack of Transport Encryption:
.. Easy view of unencrypted data passing between or over networks
.. Traditional crypto vulnerabilities associated with SSL and TLS, i.e. Man-in-the-Middle attacks etc.
.. A compromised transport layer means everything above it is vulnerable
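Added example (mine, not from the slides): the "just make it connect" TLS client configuration that leaves the transport open to Man-in-the-Middle, side by side with a hardened one, plus a small audit function that reports the weak settings. It uses only Python's standard `ssl` module; the finding strings are my own.

```python
import ssl


def weak_client_context():
    """Configuration often found in IoT companion apps: certificate checks switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # certificate name never matched against the server
    ctx.verify_mode = ssl.CERT_NONE   # any certificate accepted, so an interposed host is trusted
    return ctx


def hardened_client_context(ca_bundle=None):
    """Verify the chain, match the hostname, and refuse TLS below 1.2.

    ca_bundle: optional path to the vendor's CA file (pinning the device to its own PKI);
    None falls back to the platform trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Return a list of transport-security findings for an SSLContext (empty list = no findings)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are allowed")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The audit can be pointed at whatever context an application actually builds before it opens a socket; a device or app that ships with the weak settings has no defence against the interception the slide describes, regardless of how strong the cipher suite is.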
I5. Privacy Concerns:
.. Insufficient authentication
.. Lack of transport encryption and storage of data in encrypted format
.. Insecure network services
.. Collection of unnecessary personal data
I6. Insecure Cloud Interface:
.. Insufficient authentication
.. Lack of transport encryption and storage of data in encrypted format
.. Attack likely from the Internet
.. Easy to guess credentials
.. Using the password reset mechanism to see if an account exists
.. Identify if SSL is in use
.. Account enumeration
I7. Insecure Mobile Interface:
.. Account lockout mechanism
.. Insufficient authentication
.. Lack of transport encryption and storage of data in encrypted format
.. Attack likely from the Internet
.. Easy to guess credentials
.. Using the password reset mechanism to see if an account exists
.. Identify if SSL is in use
.. Account enumeration
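Added example (mine, not from the slides) covering the credential-handling items that recur across I1, I2, I6 and I7: passwords stored as salted PBKDF2 hashes rather than in plaintext, a constant-time comparison, an account lockout after repeated failures, and a password-reset flow whose response is identical whether or not the account exists, so neither login nor reset can be used for account enumeration. The class, constants and "outbox" are my own constructs standing in for a device's real user store and notification channel.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 300
GENERIC_FAILURE = "invalid credentials"
RESET_RESPONSE = "If that account exists, a reset link has been sent."


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    def __init__(self):
        self._accounts = {}   # username -> {salt, digest, failures, locked_until}
        self.outbox = []      # stand-in for the e-mail/SMS channel that would carry reset links

    def create(self, username, password):
        salt, digest = hash_password(password)
        self._accounts[username] = {"salt": salt, "digest": digest,
                                    "failures": 0, "locked_until": 0.0}

    def login(self, username, password, now=None):
        """Return "ok" or the same generic failure string for every unsuccessful case."""
        now = time.time() if now is None else now
        acct = self._accounts.get(username)
        if acct is None:
            # Spend the same PBKDF2 cost for unknown users so response time
            # does not reveal whether the account exists.
            hash_password(password, b"\x00" * 16)
            return GENERIC_FAILURE
        if now < acct["locked_until"]:
            return GENERIC_FAILURE   # locked: same answer, so the lockout is not an oracle either
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["digest"]):   # constant-time comparison
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILED_ATTEMPTS:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
        return GENERIC_FAILURE

    def request_password_reset(self, username):
        """Identical response whether or not the account exists."""
        if username in self._accounts:
            # Constructed token; production code stores a hash of it with an expiry.
            self.outbox.append((username, os.urandom(16).hex()))
        return RESET_RESPONSE
```

Two design points worth noting: the lockout answers with the same generic message as a wrong password, because a distinct "account locked" reply tells an attacker the username is valid; and because a lockout is itself a denial-of-service lever, real deployments usually pair it with per-source rate limiting rather than locking accounts indefinitely.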
I8. Insufficient Security Configurability:
.. Lack of granular ability to configure authorizations.
.. Weak passwords and credentials.
I9. Insecure Software/Firmware:
.. Insecure firmware/software updates (update files not encrypted)
.. Malicious updating
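Added example (mine, not from the slides) of the check a device should run before applying an update, addressing the "malicious updating" item: the update manifest is authenticated first, then the image is checked against the manifest's digest and size, and finally a rollback to an older version is refused. For an offline, stdlib-only demo the manifest is authenticated with an HMAC under a constructed vendor key; a real device would hold only a vendor public key and verify an asymmetric signature in the same position.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real device stores a vendor PUBLIC key and checks a signature instead.
DEMO_VENDOR_KEY = b"demo-vendor-signing-key-not-real"


def make_update(version, image, key=DEMO_VENDOR_KEY):
    """Vendor side (constructed for the demo): manifest + authentication tag + image."""
    manifest = {
        "version": version,
        "sha256": hashlib.sha256(image).hexdigest(),
        "size": len(image),
    }
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, manifest_bytes, "sha256").digest()
    return {"manifest": manifest_bytes, "tag": tag, "image": image}


def verify_update(package, installed_version, key=DEMO_VENDOR_KEY):
    """Device side. Returns (ok, reason). Nothing from the manifest is trusted until its tag checks out."""
    expected = hmac.new(key, package["manifest"], "sha256").digest()
    if not hmac.compare_digest(expected, package["tag"]):
        return False, "manifest signature mismatch"
    manifest = json.loads(package["manifest"])
    if len(package["image"]) != manifest["size"]:
        return False, "image size mismatch"
    if hashlib.sha256(package["image"]).hexdigest() != manifest["sha256"]:
        return False, "image digest mismatch"
    if manifest["version"] <= installed_version:
        return False, f"rollback to version {manifest['version']} refused"
    return True, "ok"


if __name__ == "__main__":
    image = b"\x7fELF" + b"firmware-demo" * 10     # constructed stand-in for a firmware image
    pkg = make_update(3, image)
    print(verify_update(pkg, installed_version=2))
    print(verify_update(pkg, installed_version=3))
```

The order of checks matters: the digest inside the manifest is only meaningful once the manifest itself is authenticated, and the version comparison stops an attacker from re-serving a genuine but older, vulnerable image over an unencrypted update channel.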
I10. Poor Physical Security:
.. USB, SD cards and other storage devices that give access to the Operating System