In the first 6 months of 2021, there were more than 1.5 trillion attacks on IoT devices. In 2020, there were already 639 million. This means that in 1 year, the number of attacks on IoT devices has increased by more than 100%. The OWASP IoT Top 10 was released in 2018. Security experts around the world collaborated to identify the top 10 vulnerabilities. These top 10 obviously do not cover all vulnerabilities found in these devices. However, these are the most common and contribute to a good foundation for the security testing we offer.
Many IoT devices are released with default login credentials. These are also sometimes hardcoded, meaning the user cannot change the login credentials. These passwords are often found in user manuals. Malicious parties can therefore find them. In addition, default login credentials are often easy to crack or guess.
An IoT device can have several network interfaces, for example Bluetooth and Wi-Fi. These interfaces are often left enabled when they are not in use, which gives malicious actors a way to exploit the device. This can lead to data leaks and unauthorized access.
The ecosystem of an IoT device consists of several components, such as APIs, the cloud, and mobile applications. These components often lack (proper) encryption, authentication, and filtering of user input and output.
IoT devices are often updated after production. These updates improve the device, fix bugs in the software, or remove vulnerabilities. The ability to securely update the device is often overlooked. The device is supposed to verify the firmware before installing it, so that it can tell whether the firmware is malicious. In addition, updates are often performed without any encryption. The user is also often not notified when an update is available, which leaves many devices out of date.
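The firmware check described above could look like the following. This is an added example, not code from the original page. The package layout, the function names, and the rule that an update must carry a newer version than the installed one are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed layout (assumption): version(4) | SHA-256(image)(32) | Ed25519 sig over both(64) | image
const signedLen = 4 + sha256.Size
const headerLen = signedLen + ed25519.SignatureSize

// VerifyUpdate returns the image only if the signature, digest and version all check out.
func VerifyUpdate(vendorKey ed25519.PublicKey, installed uint32, pkg []byte) ([]byte, error) {
	if len(pkg) < headerLen {
		return nil, errors.New("package too short")
	}
	signed, sig, image := pkg[:signedLen], pkg[signedLen:headerLen], pkg[headerLen:]
	if !ed25519.Verify(vendorKey, signed, sig) {
		return nil, errors.New("signature does not match vendor key")
	}
	if digest := sha256.Sum256(image); !bytes.Equal(digest[:], signed[4:]) {
		return nil, errors.New("image digest mismatch")
	}
	if binary.BigEndian.Uint32(signed) <= installed {
		return nil, errors.New("version not newer than installed")
	}
	return image, nil
}

// BuildUpdate is the vendor-side packer, included only so the example runs offline.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	hdr := binary.BigEndian.AppendUint32(nil, version)
	hdr = append(hdr, digest[:]...)
	return append(append(hdr, ed25519.Sign(priv, hdr)...), image...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key pair for the demo
	pkg := BuildUpdate(priv, 7, []byte("constructed firmware image"))
	_, genuine := VerifyUpdate(pub, 6, pkg)
	pkg[len(pkg)-1] ^= 1 // flip one bit of the image
	_, tampered := VerifyUpdate(pub, 6, pkg)
	fmt.Println("genuine:", genuine, "| tampered:", tampered)
}
```

Only the vendor's public key needs to be stored on the device, so extracting it from one unit does not let anyone sign firmware for the others.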
The IoT device often uses third-party libraries and curated operating systems. This makes it more difficult to keep everything up-to-date. In addition, third-party libraries may also contain vulnerabilities; this is often not apparent at first glance.
When data is stored on a device, it is important that it is done properly. Often the user is unaware of the data being stored. In addition, the data is often stored without encryption.
Data sent within the device ecosystem is usually not encrypted. It is also often the case that access control is not properly configured. As a result, a user or a malicious party may have access to data that they are not supposed to see.
After IoT devices are sold, it is important that the company is able to manage them. Companies often cannot (fully) do this. Device management involves managing updates, secure decommissioning, and response capabilities.
IoT devices are often released with default, hard-coded settings. It is difficult or impossible for the user to change them. This gives an advantage to the malicious party. The malicious party can find vulnerabilities on one device and exploit them on different devices.
If an IoT device is not physically secure, this can be a great advantage to the malicious party. Among other things, they can use UART, JTAG and SWD exploitation to find sensitive data and vulnerabilities. These can then be used in future attacks.