IoT Top 10 2018
In the first six months of 2021, more than 1.5 billion attacks were carried out on IoT devices; in the first half of 2020 the count was 639 million, so the number of attacks on IoT devices more than doubled within a year. The OWASP IoT Top 10 was released in 2018: security experts around the world collaborated to identify the ten most important classes of vulnerability in IoT devices. This top 10 does not cover every vulnerability found in these devices, but it lists the most common ones and gives a good basis for the security testing we offer.
Weak, Guessable, or Hardcoded Passwords (I1)
Many IoT devices ship with weak default credentials, and sometimes these are hardcoded in the firmware so that the user cannot change them at all. Default passwords are usually printed in the user manual and are easy to find online, and hardcoded ones can be recovered from the firmware image. Attackers can guess or crack such credentials with very little effort, and because every unit of a model shares them, a weakness found on one device applies to the whole product line.
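The first thing a tester does with a firmware image is look for exactly these credentials: empty password fields, password hashes that can be cracked offline, and secrets left in plain-text configuration files. The following Go program is an added example (not code from the original page) that performs this scan over the text of an extracted root filesystem or the output of `strings` over a raw image. The sample filesystem excerpt embedded in it is constructed for the demonstration and does not come from any real product; the matching rules are heuristics and should be reviewed by hand.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one credential-related hit in an extracted firmware filesystem.
type Finding struct {
	Kind   string // "empty-password", "password-hash" or "plaintext-secret"
	Detail string
}

// passwdRecord matches /etc/passwd and /etc/shadow style lines (user:field2:...).
// Only the first two fields are captured; the second is the password field.
var passwdRecord = regexp.MustCompile(`(?m)^([a-z_][a-z0-9_-]*):([^:\n]*):`)

// plaintextSecret matches key=value settings whose key suggests a credential,
// e.g. WIFI_PASSWORD="...", telnet_password = ..., api_token=...
var plaintextSecret = regexp.MustCompile(`(?mi)^\s*([a-z0-9_]*(?:pass(?:word|wd)?|secret|token))\s*=\s*["']?([^"'\s]+)`)

// AuditFirmware scans the filesystem text and reports accounts with an empty
// password, password hashes available for offline cracking, and secrets stored
// in plain text. Lines from /etc/group also match passwdRecord, so an empty
// second field there is a false positive to weed out manually.
func AuditFirmware(fs []byte) []Finding {
	var out []Finding
	for _, m := range passwdRecord.FindAllSubmatch(fs, -1) {
		user, pw := string(m[1]), string(m[2])
		switch {
		case pw == "":
			out = append(out, Finding{"empty-password", user})
		case pw == "x", pw == "*", pw == "!", pw == "!!":
			// "x" defers to /etc/shadow; the others mark locked accounts.
		case strings.HasPrefix(pw, "$") || len(pw) == 13:
			// $1$ (md5crypt), $5$/$6$ (sha-crypt) or 13-char DES crypt: crackable offline.
			out = append(out, Finding{"password-hash", user + ":" + pw})
		}
	}
	for _, m := range plaintextSecret.FindAllSubmatch(fs, -1) {
		out = append(out, Finding{"plaintext-secret", string(m[1]) + "=" + string(m[2])})
	}
	return out
}

// SampleRootFS is a constructed excerpt of an extracted firmware filesystem
// (not taken from any real product), used to demonstrate the scan.
var SampleRootFS = []byte(`root:$1$abcdefgh$C5Zd8r1Lk9Pq3wX2vT6mJ0:0:0:root:/root:/bin/sh
admin::0:0:admin:/:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
# /etc/config/wireless
WIFI_PASSWORD="changeme123"
telnet_password = supersecret
`)

func main() {
	for _, f := range AuditFirmware(SampleRootFS) {
		fmt.Printf("%-17s %s\n", f.Kind, f.Detail)
	}
}
```

On the sample this reports the root hash (to be fed to a cracker with a default-credential wordlist), the admin account with no password at all, and two plain-text secrets; the locked daemon account is correctly ignored. On a real image, run it over every file under etc/ and over the `strings` output of any binaries that implement the login service, since vendors also hardcode backdoor accounts directly in code.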
Insecure Network Services (I2)
An IoT device can expose network services over several interfaces, for example Bluetooth and Wi-Fi. Services that are not needed are often left running instead of being disabled or removed, and those reachable from the internet are the most dangerous. Each unnecessary service is an additional way for attackers to exploit the device, which can lead to data leaks or unauthorized remote control.
Insecure Ecosystem Interfaces (I3)
The ecosystem consists of all the services and devices the IoT device depends on in order to work: backend APIs, cloud services, and mobile or web interfaces. These components often lack (proper) encryption, authentication and authorization, and input/output filtering, so an attacker who cannot reach the device itself can still compromise it through the ecosystem.
Lack of Secure Update Mechanism (I4)
IoT devices usually receive updates after they leave the factory: updates add features, fix bugs and patch security vulnerabilities. The ability to update the firmware securely is, however, frequently overlooked.
Firmware is not always validated by the device before it is installed, so a malicious image is accepted as readily as a genuine one. Updates are often delivered over unencrypted channels, which allows them to be modified in transit, there is frequently no anti-rollback protection against reinstalling an old, vulnerable version, and users are usually not notified when a new firmware version is available. The result is that many devices keep running outdated software.
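The core of a secure update mechanism is that the device itself verifies a signature over the image, with a key the attacker cannot replace, before anything is written to flash, and that it refuses images that are not newer than what is installed. The Go program below is an added example (not the page's or any vendor's code) of both checks using Ed25519 from the standard library. It assumes the vendor's public key is baked into the device at manufacturing (ideally in ROM or eFuses, so a compromised filesystem cannot swap it) and keeps the signed message fixed-size by signing the version number together with the SHA-256 of the image; the version is under the signature so it cannot be bumped by an attacker.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is the package the device receives: a version, the image, and a
// signature over version||SHA-256(image) made with the vendor's private key.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// Device holds what the device needs to verify: the vendor's public key (burned
// in at manufacturing, assumed read-only) and the installed version number.
type Device struct {
	VendorPub ed25519.PublicKey
	Version   uint32
	Installed []byte
}

var (
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrRollback     = errors.New("firmware version is not newer than installed")
)

// signedPayload is the message both sides sign/verify: 4-byte big-endian
// version followed by the SHA-256 digest of the image.
func signedPayload(version uint32, image []byte) []byte {
	h := sha256.Sum256(image)
	buf := make([]byte, 4, 4+len(h))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, h[:]...)
}

// SignUpdate runs on the vendor's build server, never on the device.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedPayload(version, image)),
	}
}

// Apply installs the update only if the signature verifies and the version is
// strictly newer. The signature is checked first: nothing in the update, not
// even the version field, is trusted until it is known to come from the vendor.
func (d *Device) Apply(u Update) error {
	if !ed25519.Verify(d.VendorPub, signedPayload(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= d.Version {
		return ErrRollback
	}
	d.Version = u.Version
	d.Installed = append([]byte(nil), u.Image...)
	return nil
}

func main() {
	// Vendor keypair; the public half is what ships inside the device.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: pub, Version: 1}
	fmt.Println("genuine v2: ", dev.Apply(SignUpdate(priv, 2, []byte("firmware-v2"))))
	tampered := SignUpdate(priv, 3, []byte("firmware-v3"))
	tampered.Image = append(tampered.Image, []byte("+backdoor")...) // modified after signing
	fmt.Println("tampered v3:", dev.Apply(tampered))
	fmt.Println("rollback v1:", dev.Apply(SignUpdate(priv, 1, []byte("firmware-v1"))))
}
```

Signature verification replaces neither transport security nor secure boot: the image should still be fetched over TLS so that an attacker cannot observe or replace it in transit, and the bootloader should re-verify the installed image on every boot so that a write to flash through some other path (I10) does not bypass the check.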
Use of Insecure or Outdated Components (I5)
Devices are mostly built from third-party libraries and customized operating systems, and sometimes from software or hardware components that come from a compromised supply chain. When these components are insecure or outdated, their vulnerabilities become the device's vulnerabilities, even if the vendor's own code is sound.
Insufficient Privacy Protection (I6)
When personal data is stored on the device or in the surrounding ecosystem, it must be handled appropriately: the user needs to know which data is collected and why, no more data should be collected than the device needs, and the data should be stored encrypted and only used with the user's permission.
Insecure Data Transfer and Storage (I7)
Within the device ecosystem, data is frequently transmitted without encryption and stored unencrypted on the device or in the cloud. Access control is also often missing or misconfigured. As a result, a legitimate user or an attacker may be able to read or modify data they are not supposed to have access to.
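For the storage side of I6 and I7, the practical fix is authenticated encryption of each record at rest, so that data pulled from the flash cannot be read or silently modified. The following Go program is an added example (not code from the page) using AES-256-GCM from the standard library. It assumes the key comes from a secure element or hardware-backed keystore (generated in memory here for the demonstration), and it binds each record to a context string such as device ID plus record name, so that a record copied to another device or renamed on the filesystem fails to decrypt. The sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Store encrypts records at rest with AES-256-GCM (authenticated encryption).
// The key is assumed to live in a secure element or hardware-backed keystore.
type Store struct{ aead cipher.AEAD }

// NewStore accepts a 32-byte key (AES-256) and refuses anything else.
func NewStore(key []byte) (*Store, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead}, nil
}

// Seal returns nonce || ciphertext || tag. The context (e.g. device ID and
// record name) is authenticated but not encrypted, so the record only opens
// under the same context. A fresh random nonce is drawn per record; with
// 96-bit random nonces one key should not protect more than about 2^32 records.
func (s *Store) Seal(plaintext, context []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, context), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag or context makes it
// fail, so a record altered on the flash is detected rather than trusted.
func (s *Store) Open(blob, context []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(blob) < n+s.aead.Overhead() {
		return nil, errors.New("record too short")
	}
	return s.aead.Open(nil, blob[:n], blob[n:], context)
}

func main() {
	key := make([]byte, 32) // stands in for a key from the secure element
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	s, err := NewStore(key)
	if err != nil {
		panic(err)
	}
	ctx := []byte("device-0001/health.json")
	rec := []byte(`{"user":"alice","heart_rate":72}`) // constructed sample record
	blob, _ := s.Seal(rec, ctx)
	fmt.Printf("%d plaintext bytes stored as %d bytes on flash\n", len(rec), len(blob))
	pt, err := s.Open(blob, ctx)
	fmt.Println("open:", string(pt), err)
	_, err = s.Open(blob, []byte("device-0002/health.json"))
	fmt.Println("copied to another device:", err)
	blob[len(blob)-1] ^= 1 // flip one bit of the tag
	_, err = s.Open(blob, ctx)
	fmt.Println("tampered on flash:", err)
}
```

This covers data at rest; data in transit between device, cloud and app should go over TLS with certificate validation enabled (a disabled or permissive verifier is one of the most common findings under I7), and the access-control problem in the paragraph above is not solved by encryption at all: the backend still has to check that the caller is allowed to read the record it asks for.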
Lack of Device Management (I8)
Once devices are sold and deployed, the vendor needs the capability to manage them in the field: asset management, update management, secure decommissioning, monitoring, and the ability to respond to incidents. It often happens that vendors cannot (fully) do this, so vulnerable devices stay in service with nobody able to patch, monitor or retire them.
Insecure Default Settings (I9)
IoT devices are often shipped with insecure default settings, and the user is either unable to change them or can only do so with difficulty. This gives an attacker a clear advantage: because every unit ships with the same configuration, a weakness found on one device can be exploited on every other device of the same model.
Lack of Physical Hardening (I10)
If an IoT device is not physically hardened, an attacker with physical access gains a great advantage. Among other things, debug interfaces such as UART, JTAG and SWD can be used to dump firmware and memory and to find sensitive data such as keys and credentials, as well as vulnerabilities. What is learned from one device in the lab can then be used in future attacks, including remote attacks against every other device of the same model.