OWASP TOP 10 vulnerabilities of IoT devices





By the end of 2018, the number of connected IoT devices exceeded 22 billion. Of the 7.6 billion people on Earth, 4 billion have Internet access. That works out to 5.5 Internet of Things devices per person.



On average, about 5 minutes pass between the moment an IoT device connects to the network and the first attack on it. Moreover, most attacks on smart devices are automated.



Such sad statistics could not leave cybersecurity specialists indifferent. The international non-profit organization OWASP (Open Web Application Security Project) took up the security of the Internet of Things back in 2014, when it released the first version of the OWASP Top 10 IoT. An updated version of the "Top 10 vulnerabilities of Internet of Things devices", with a revised list of threats, was released in 2018. The project is designed to help manufacturers, developers and consumers understand IoT security issues and make better-informed security decisions when building IoT ecosystems.



10. Inadequate physical security







A lack of physical hardening measures, allowing potential attackers to obtain sensitive information that can later help them mount a remote attack or take local control of the device.


One of the security challenges of an IoT ecosystem is that its components are spread out in space and are often installed in public or unprotected locations. This lets attackers reach a device and take control of it locally, or use it as a foothold into the rest of the network.



An attacker can copy the device's settings (IP address, MAC address, etc.) and substitute their own device for the original in order to eavesdrop or degrade network performance. They can tamper with an RFID reader, install a hardware implant, infect the device with malware, steal the data they need, or simply disable the IoT device physically.



There is only one solution to this problem: make physical access to the devices harder. They can be installed in protected areas or out of reach at a height, or placed in vandal-resistant enclosures.



9. Insecure default settings







Devices or systems ship with insecure default settings, or cannot be made more secure because operators are prevented from changing the configuration.


Every manufacturer wants to earn more and spend less. A device may be packed with smart features while offering no way to configure its security.



For example, it may not check passwords for strength, may not allow separate accounts with different rights (administrator and ordinary users), and may offer no settings for encryption, logging, or notifying users of security events.



8. The inability to control the device







A lack of security support for devices deployed in production, including asset management, update management, secure decommissioning, system monitoring and incident response.


IoT devices are most often a black box. They provide no way to monitor their operating status or to find out which services are running and what they communicate with.



Not all manufacturers give IoT device owners full control over the operating system and running applications, or any way to verify the integrity and legitimacy of downloaded software or to install update patches on the OS.



During an attack the device firmware can be reconfigured so that it can only be repaired by completely reflashing the device. The Silex malware, for example, exploited exactly this weakness.



A solution to these problems is to use specialized IoT device management software, for example the cloud offerings of AWS, Google, IBM and others.



7. Insecure data transfer and storage







A lack of encryption or access control for sensitive data anywhere in the ecosystem, including at rest, in transit, or during processing.


Internet of Things devices collect and store data about their surroundings, including various kinds of personal information. A compromised password can be replaced, but data stolen from a biometric device (a fingerprint, a retina scan, a face scan) cannot.



At the same time, IoT devices may not only store their data unencrypted but also transmit it over the network in that form. Cleartext transmission on a local network can at least be explained, but over a wireless network or the Internet the data can end up in anyone's hands.



The user can choose secure communication channels for data transfer themselves, but encrypting stored passwords, biometric data and other important data is the manufacturer's responsibility.



6. Inadequate privacy protection







A user's personal information, stored on the device or in the ecosystem, that is used insecurely, improperly or without permission.


This Top 10 item echoes the previous one: all personal data must be stored and transmitted securely. But here privacy is considered in a deeper sense, namely the protection of a person's private life.



IoT devices collect information about what and who surrounds them, and this includes people who have no idea they are being recorded. Stolen or improperly processed user data can unintentionally discredit a person (for example, when misconfigured road cameras exposed unfaithful spouses) or be used for blackmail.



To address the problem, you need to know exactly what data the IoT device, its mobile application and its cloud interfaces collect.



You need to make sure that only the data required for the device to function is collected, check whether there is permission to store personal data and whether that data is protected, and check whether data retention policies are in place. Otherwise, if these conditions are not met, the user may run into legal trouble.



5. Use of unsafe or obsolete components







The use of outdated or insecure software components or libraries that could compromise the device. This includes insecure configuration of operating system platforms and the use of third-party software or hardware components from a compromised supply chain.


One vulnerable component can negate all the security you have configured.

In early 2019, researcher Paul Marrapese identified vulnerabilities in the iLnkP2P peer-to-peer utility, which is installed on more than 2 million network-connected devices: IP cameras, baby monitors, smart doorbells and video recorders.

The first vulnerability, CVE-2019-11219, allows an attacker to identify a device; the second, an authentication vulnerability in iLnkP2P, CVE-2019-11220, allows them to intercept traffic in the clear, including video streams and passwords.



Over several months, Paul contacted the manufacturer three times and the utility's developer twice, but never received a response.



The solution to this problem is to watch for security patch releases and keep the device updated, and if no patches come out ... change the manufacturer.



4. Lack of secure update mechanisms







The inability to securely update the device. This includes a lack of firmware validation on the device, a lack of secure delivery (no encryption in transit), the absence of anti-rollback mechanisms, and the absence of notifications about the security changes an update brings.


Being unable to update a device is a security weakness in itself. If an update cannot be installed, the device remains vulnerable indefinitely.



But beyond that, the update process and the firmware itself may also be insecure: for example, if no encrypted channel is used to fetch the software, the update file is not encrypted or not integrity-checked before installation, there is no anti-rollback protection (protection against reverting to an earlier, more vulnerable version), or there are no notifications about the security changes an update brings.



The solution here also lies with the manufacturer. But you can check whether your device is capable of updating at all. Make sure that update files are downloaded from a verified server over an encrypted channel, and that your device uses a secure update installation architecture.
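The checks this item calls for (integrity, authenticity, anti-rollback) in one place, as an added example that is not from the original article or any vendor's firmware. The container format, the key and the use of an HMAC are assumptions made to keep it standard-library only; a real device would verify an asymmetric signature with a public key held in ROM.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# Constructed image layout: 4-byte magic, u32 version, u32 payload length,
# payload, then a 32-byte SHA-256 HMAC over header + payload.
MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII")
TAG_LEN = 32


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Pack a firmware image the way the (assumed) build server would."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(key: bytes, image: bytes, installed_version: int) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects truncated, tampered and rolled-back images."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "image too short"
    magic, version, length = HEADER.unpack_from(image)
    if magic != MAGIC:
        return False, "bad magic"
    body_end = HEADER.size + length
    # Length is validated before any bytes are trusted, so a crafted length
    # field cannot make the verifier read outside the image.
    if body_end + TAG_LEN != len(image):
        return False, "length mismatch"
    expected = hmac.new(key, image[:body_end], hashlib.sha256).digest()
    # Constant-time compare so the check does not leak tag bytes via timing.
    if not hmac.compare_digest(expected, image[body_end:]):
        return False, "authentication failed"
    # Anti-rollback is checked only after authenticity: the version field is
    # covered by the tag, so a forged high version fails the step above.
    if version <= installed_version:
        return False, f"rollback to version {version} refused"
    return True, "ok"
```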



3. Unsafe ecosystem interfaces







An insecure web interface, API, cloud or mobile interface in the ecosystem outside the device that allows the device or its related components to be compromised. Common problems include a lack of authentication or authorization, missing or weak encryption, and a lack of input and output filtering.


Insecure web interfaces, APIs, cloud and mobile interfaces allow a device or its related components to be compromised even without connecting to the device itself.



For example, Barracuda Labs analyzed the mobile application and web interface of one "smart" camera and found vulnerabilities that allowed the password of the IoT device to be obtained.





For protection, change the default username and password, and make sure the web interface is not vulnerable to cross-site scripting, SQL injection or CSRF attacks.

Protection against password brute-force attacks should also be implemented. For example, after three incorrect password attempts the account should be locked, and password recovery should be possible only through a hardware reset.
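The lockout policy just described, as an added example written for this page rather than taken from any product: three failures lock the account, a locked account rejects even the correct password, and the only way out is a hardware reset that sets a fresh password. The class and method names are assumptions.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3  # threshold stated in the text


class Account:
    """Password check with lockout; constructed example, not a product's code."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = self._hash(password)
        self.failed = 0
        self.locked = False

    def _hash(self, password: str) -> bytes:
        # Salted PBKDF2 so a leaked credential store is still costly to crack offline.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str) -> str:
        """Return "ok", "denied" or "locked"."""
        if self.locked:
            return "locked"  # no further guesses are evaluated, not even a correct one
        if hmac.compare_digest(self._hash(password), self.digest):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self.locked = True
            return "locked"
        return "denied"

    def hardware_reset(self, new_password: str) -> None:
        """Only path out of lockout: a physical reset that sets a new password.
        Resetting to a factory default password instead would reintroduce item 1."""
        self.salt = os.urandom(16)
        self.digest = self._hash(new_password)
        self.failed = 0
        self.locked = False
```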



2. Insecure network services







Unnecessary or insecure network services running on the device itself, especially ones exposed to an external network, that jeopardize the confidentiality, integrity, authenticity or availability of information, or allow unauthorized remote control.


Unnecessary or insecure network services jeopardize device security, especially if they are reachable from the Internet.



Insecure network services may be susceptible to buffer overflow and DDoS attacks. Open network ports can be scanned for vulnerabilities and insecure connection services.



One of the most popular vectors for attacking and infecting IoT devices to this day is brute force against Telnet services that have not been disabled, and against SSH. After gaining access to these services, attackers can download malware to the device or obtain valuable information.



Service   Share of attacks
Telnet    75.40%
SSH       11.59%
Other     13.01%
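A defender's view of the Telnet/SSH brute force described above: detection logic that flags sources with a burst of failed logins on a device, as an added example not taken from the article. The log lines are constructed and their message formats are assumptions, not any particular vendor's output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a syslog-like style (assumed formats).
SAMPLE_LOG = """\
Jun 20 10:00:01 cam01 dropbear[412]: Bad password attempt for 'root' from 198.51.100.7:40122
Jun 20 10:00:02 cam01 dropbear[412]: Bad password attempt for 'root' from 198.51.100.7:40123
Jun 20 10:00:03 cam01 telnetd[301]: login failed for 'admin' from 198.51.100.7
Jun 20 10:00:04 cam01 dropbear[412]: Bad password attempt for 'admin' from 198.51.100.7:40125
Jun 20 10:00:30 cam01 telnetd[301]: login failed for 'root' from 203.0.113.9
Jun 20 10:05:00 cam01 dropbear[412]: Password auth succeeded for 'root' from 198.51.100.7:40130
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<svc>dropbear|telnetd)\[\d+\]: "
    r"(?P<msg>.*?) from (?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?$"
)
FAIL_MARKERS = ("Bad password", "login failed")


def brute_force_sources(log: str, threshold: int = 3,
                        window: timedelta = timedelta(minutes=1)) -> dict:
    """Return {ip: {"failures": n, "success_after": bool}} for every source with
    at least `threshold` failed logins inside `window` (timestamps lack a year;
    only differences between them are used)."""
    events = defaultdict(list)  # ip -> [(timestamp, failed?)]
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        failed = any(marker in m["msg"] for marker in FAIL_MARKERS)
        events[m["ip"]].append((ts, failed))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [t for t, f in evs if f]
        for i, start in enumerate(fails):  # sliding window over failures
            hits = [t for t in fails[i:] if t - start <= window]
            if len(hits) >= threshold:
                # A success from the same source after the burst suggests a guess worked.
                success_after = any(not f and t > hits[-1] for t, f in evs)
                flagged[ip] = {"failures": len(fails), "success_after": success_after}
                break
    return flagged
```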


1. Weak, guessable or hard-coded passwords







The use of easily cracked, publicly available or unchangeable credentials, including backdoors in firmware or client software that grant unauthorized access to deployed systems.


Surprisingly, to this day the biggest vulnerability is the use of weak passwords, default passwords, or passwords that have leaked online.

Despite the obvious need for a strong password, some users still do not change the default one. In June 2019 the Silex malware took advantage of this, bricking about 2000 IoT devices within an hour.

Before that, the well-known botnet and worm Mirai managed to infect 600 thousand Internet of Things devices using a database of 61 standard login and password combinations.



The solution is to change the password!



Conclusions



When users purchase IoT devices, they think primarily about their "smart" capabilities, not about security.



Indeed, just as when buying a car or a microwave, we hope the device is "safe by design".



As long as IoT security is not regulated by law (so far, such laws are only in their infancy), manufacturers will not spend extra money on it.

It turns out that the only way to motivate the manufacturer is not to buy vulnerable devices.



And for that we need ... to think about their security.


