OWASP IoT Top 10 2018

In the first 6 months of 2021, there were more than 1.5 trillion attacks on IoT devices; in 2020, there were 639 million. In one year, the number of attacks on IoT devices has therefore increased by more than 100%. The OWASP IoT Top 10 was released in 2018, after security experts around the world collaborated to identify the ten most important vulnerability classes. The list does not cover every vulnerability found in these devices, but it covers the most common ones and forms a good foundation for the security testing we offer.

Weak, Guessable, or Hardcoded Passwords (I1)

Many IoT devices are released with default login credentials, and these are sometimes hardcoded, meaning the user cannot change them. Because the defaults are often printed in user manuals, malicious parties can easily find them. In addition, default login credentials are often easy to guess or crack.

Insecure Network Services (I2)

An IoT device can have several network interfaces, for example Bluetooth and Wi-Fi. These interfaces are often left enabled when they are not in use, which gives malicious actors an additional surface through which to attack the device and can lead to data leaks and unauthorized access.

Insecure Ecosystem Interfaces (I3)

The ecosystem of an IoT device consists of several components, such as APIs, cloud back ends, and mobile applications. These components often lack (proper) encryption, authentication, and filtering of user input and output.

Lack of Secure Update Mechanism (I4)

IoT devices are often updated after production; these updates improve the device, remove bugs in the software, or remove vulnerabilities. The ability to update the device securely, however, is often overlooked. The device should verify the firmware before installing it, so that it can tell whether the firmware is genuine or malicious. In addition, updates are often delivered without any encryption, and the user is often not notified when an update is available, which leaves many devices out of date.
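The verification step described above, as an added example that is not code from the original page or from OWASP. It assumes a constructed manifest layout (a 4-byte version counter followed by the SHA-256 of the image) and a vendor Ed25519 key pair whose public half is baked into the device; the device checks the signature first, then refuses downgrades, and only then compares the image hash before anything is flashed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the small signed header that travels with a firmware image.
// The layout is constructed for this example, not a real vendor format:
// a 4-byte big-endian version used as an anti-rollback counter, followed by
// the SHA-256 of the image bytes.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
}

// Bytes serialises the manifest exactly as it is signed and verified.
func (m Manifest) Bytes() []byte {
	b := make([]byte, 4+32)
	binary.BigEndian.PutUint32(b[:4], m.Version)
	copy(b[4:], m.ImageHash[:])
	return b
}

// Update is what the device receives over a channel it must not trust.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update version is not newer than the installed version")
	ErrHashMismatch = errors.New("image hash does not match the signed manifest")
)

// SignUpdate is the vendor build-server side: hash the image and sign the manifest.
func SignUpdate(vendorPriv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(vendorPriv, m.Bytes()), Image: image}
}

// VerifyUpdate is the device side. vendorPub is the public key baked into the
// device at manufacture; installed is the version currently running.
// Nothing in the update is trusted until its signature has been checked.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, u Update) error {
	// 1. Authenticate the manifest; a forged version number or hash fails here.
	if !ed25519.Verify(vendorPub, u.Manifest.Bytes(), u.Signature) {
		return ErrBadSignature
	}
	// 2. Refuse downgrades: an old image with a valid signature may carry known bugs.
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	// 3. Bind the image bytes to the signed manifest before flashing anything.
	if sha256.Sum256(u.Image) != u.Manifest.ImageHash {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	// nil selects crypto/rand; in a real product the private key never leaves the build server.
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 7") // placeholder payload
	update := SignUpdate(priv, 7, image)

	fmt.Println("genuine update on v6 device:", VerifyUpdate(pub, 6, update))
	fmt.Println("same update replayed on v7 device:", VerifyUpdate(pub, 7, update))

	tampered := update
	tampered.Image = append([]byte("X"), image[1:]...) // flip the first byte
	fmt.Println("tampered image:", VerifyUpdate(pub, 6, tampered))
}
```

The ordering matters: the version and hash come from the manifest, so neither can be trusted until the signature over the manifest has verified, and the hash comparison over the (possibly large) image is done last so a forged update is rejected cheaply.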

Use of Insecure or Outdated Components (I5)

IoT devices often use third-party libraries and curated operating systems, which makes keeping everything up to date more difficult. In addition, third-party libraries may themselves contain vulnerabilities that are not apparent at first glance.

Insufficient Privacy Protection (I6)

When data is stored on a device, it must be stored properly. Users are often unaware of what data is being stored, and the data is often stored without encryption.

Insecure Data Transfer and Storage (I7)

Within the device ecosystem, data is usually sent without encryption, and access control is often not properly configured. As a result, a user or a malicious party may gain access to data they are not supposed to see.
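The two problems named in I6 and I7, unencrypted storage and missing access control, as one added example that is not code from the original page or from OWASP. It assumes a constructed record schema with an owner label, a device storage key held in memory (on real hardware it would come from a secure element or a device-unique secret), and AES-GCM from the Go standard library; the owner label is both checked before decryption and bound into the ciphertext as additional authenticated data, so a stored record cannot be re-labelled for another user.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is one stored item. The schema is constructed for this example.
// OwnerID is the principal allowed to read the record; it is also fed into
// AES-GCM as additional authenticated data, so swapping the label on a stored
// record to another owner makes decryption fail.
type Record struct {
	OwnerID    string
	Nonce      []byte
	Ciphertext []byte
}

var ErrAccessDenied = errors.New("requester is not the owner of this record")

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for ownerID under the device storage key with a fresh random nonce.
func Seal(key []byte, ownerID string, plaintext []byte) (Record, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(ownerID))
	return Record{OwnerID: ownerID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open performs the access-control check first and only then decrypts.
// Any change to the ciphertext, nonce or owner label is rejected by GCM.
func Open(key []byte, requester string, r Record) ([]byte, error) {
	if requester != r.OwnerID {
		return nil, ErrAccessDenied
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Ciphertext, []byte(r.OwnerID))
}

func main() {
	// Constructed 256-bit storage key; on real hardware this would come from a
	// secure element or be derived from a device-unique secret, never a constant.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec, err := Seal(key, "owner-42", []byte("heart rate 72 bpm")) // constructed sample datum
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, "owner-42", rec)
	fmt.Printf("owner reads: %q err=%v\n", pt, err)

	_, err = Open(key, "neighbour-7", rec)
	fmt.Println("other user reads:", err)

	// A tampered copy whose owner label has been rewritten to the attacker's ID.
	relabelled := rec
	relabelled.OwnerID = "neighbour-7"
	_, err = Open(key, "neighbour-7", relabelled)
	fmt.Println("relabelled record:", err)
}
```

The same pattern applies to data in transit: an authenticated cipher keeps the payload confidential, and binding the access-control metadata as AAD means a misconfigured or bypassed check at the application layer still cannot turn one user's data into another user's record.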

Lack of Device Management (I8)

After IoT devices are sold, the company must still be able to manage them; this includes managing updates, secure decommissioning, and response capabilities. It often happens that companies cannot (fully) do this.

Insecure Default Settings (I9)

IoT devices are often released with default, hard-coded settings that are difficult or impossible for the user to change. This gives the malicious party an advantage: a vulnerability found on one device can be exploited on every other device that shares the same settings.
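A first-boot provisioning gate covering both I1 (factory credentials) and I9 (insecure default settings), as an added example that is not code from the original page or from OWASP. The configuration fields, the short list of factory default passwords and the 12-character minimum are constructed for the example; the salted SHA-256 stands in for the slow password hash a shipping device should use. The device refuses to bring up network services until every finding is cleared, and the hardened defaults ship with the risky services off.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// DeviceConfig models the settings an IoT device persists across reboots.
// The field names are constructed for this example, not a real vendor schema.
type DeviceConfig struct {
	Salt               string // per-device random salt, set at manufacture
	AdminPasswordHash  string // hex(SHA-256(salt || password)); a shipping device should use a slow KDF
	CredentialsChanged bool   // false at the factory, true once the owner picks a password
	TelnetEnabled      bool
	UPnPEnabled        bool
	RemoteAdmin        bool // administrative interface reachable from the WAN side
}

// factoryDefaultPasswords are credentials of the kind printed in manuals and
// must never survive first boot (constructed, illustrative list).
var factoryDefaultPasswords = []string{"admin", "password", "12345", "123456", "default"}

func hashPassword(salt, password string) string {
	sum := sha256.Sum256([]byte(salt + password))
	return hex.EncodeToString(sum[:])
}

// usesFactoryDefault reports whether the stored hash matches any well-known default.
func usesFactoryDefault(cfg DeviceConfig) bool {
	for _, p := range factoryDefaultPasswords {
		candidate := hashPassword(cfg.Salt, p)
		if subtle.ConstantTimeCompare([]byte(candidate), []byte(cfg.AdminPasswordHash)) == 1 {
			return true
		}
	}
	return false
}

// ProvisioningFindings returns the reasons a device must refuse to bring up
// network services; an empty result means the configuration passes.
func ProvisioningFindings(cfg DeviceConfig) []string {
	var findings []string
	if !cfg.CredentialsChanged || usesFactoryDefault(cfg) {
		findings = append(findings, "I1: administrator credential is still a factory default")
	}
	if cfg.TelnetEnabled {
		findings = append(findings, "I2/I9: telnet enabled by default; cleartext management service")
	}
	if cfg.UPnPEnabled {
		findings = append(findings, "I9: UPnP enabled by default; ports can be opened without owner consent")
	}
	if cfg.RemoteAdmin {
		findings = append(findings, "I9: remote administration exposed by default")
	}
	return findings
}

// SecureDefaults is the configuration a device should ship with: every
// risky service off and the credential flagged as requiring a change.
func SecureDefaults(salt string) DeviceConfig {
	return DeviceConfig{Salt: salt, CredentialsChanged: false}
}

// SetOwnerPassword is the first-boot step: it rejects factory defaults outright
// and records that the owner has chosen their own credential.
func SetOwnerPassword(cfg DeviceConfig, password string) (DeviceConfig, error) {
	for _, p := range factoryDefaultPasswords {
		if password == p {
			return cfg, fmt.Errorf("password %q is a known factory default", password)
		}
	}
	if len(password) < 12 {
		return cfg, fmt.Errorf("password shorter than 12 characters")
	}
	cfg.AdminPasswordHash = hashPassword(cfg.Salt, password)
	cfg.CredentialsChanged = true
	return cfg, nil
}

func main() {
	// Constructed "as shipped by a careless vendor" configuration.
	weak := DeviceConfig{
		Salt:              "dev-salt-0001",
		AdminPasswordHash: hashPassword("dev-salt-0001", "admin"),
		TelnetEnabled:     true,
		UPnPEnabled:       true,
		RemoteAdmin:       true,
	}
	for _, f := range ProvisioningFindings(weak) {
		fmt.Println("BLOCK:", f)
	}

	cfg := SecureDefaults("dev-salt-0001")
	cfg, err := SetOwnerPassword(cfg, "correct-horse-battery")
	if err != nil {
		panic(err)
	}
	fmt.Println("findings after hardening:", len(ProvisioningFindings(cfg)))
}
```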

Lack of Physical Hardening (I10)

If an IoT device is not physically secured, this is a great advantage to the malicious party, who can, among other things, use debug interfaces such as UART, JTAG and SWD to extract sensitive data and discover vulnerabilities. These can then be used in future attacks.