An Introduction to the OWASP IoT Top 10
by Britt Kemp, on Apr 23, 2020 5:00:00 AM
You can’t mention the Internet of Things these days without security coming up as a second thought. The two are intertwined: IoT is ubiquitous, but its security shortcomings are nearly as well known, too.
Previously covered in our blog, the OWASP Top 10 is a set of common security pitfalls to watch for. OWASP also released a Top 10 list specifically dedicated to IoT security risk, which we’d like to highlight in this post. Below is our walkthrough of the OWASP IoT Top 10, as well as recommendations for IoT manufacturers to implement when creating smart devices.
1. WEAK, GUESSABLE, OR HARDCODED PASSWORDS
While it’s easy to harp on users for poor passwords, the onus here is really on manufacturers. Having weak, guessable, or hardcoded default passwords is a critical security risk when you consider that many users will not change their default passwords upon setting up their IoT devices. Additionally, IoT devices often share the same default passwords – so if you have the password for one device, you likely have the password to thousands of others, too.What IoT Manufacturers Can Do: Ensure that every device has a per-device unique set of credentials and that there are no development or debugging backdoors that remain post-development. Create strong and randomly generated user-facing default passwords and entirely disallow weak passwords (you can see more recommendations on password best practices in this Bishop Fox password guide).
2. INSECURE NETWORK SERVICES
IoT devices run services that perform various functions such as helping with device maintenance. When these services are connected to the internet, they are even more dangerous because, in some cases, exploitation of them can lead to data leaks and remote code execution.What IoT Manufacturers Can Do: Many of these services are unnecessary and end up introducing a slew of insecurities. For critical services, however, use secure protocols such as HTTPS, sFTP, and SSH, which use encryption and don’t rely on cleartext data like their insecure alternatives (HTTP, FTP, and Telnet).
3. INSECURE ECOSYSTEM INTERFACES
This entry refers to all the various interfaces that surround your device, but are not part of the device itself. Think of the web interface, the backend API, the cloud, and the mobile interface – all of which interact with your device so it can function as desired. If any of these interfaces are insecure, then your device can be adversely impacted by association.
What IoT Manufacturers Can Do: The traditional OWASP top 10 provides a useful baseline for securing your web service. AWS security guidance provides equally useful recommendations for AWS, such as provisioning according to the principle of least privilege and ensuring S3 buckets are private.
4. LACK OF SECURE UPDATE MECHANISMS
Many IoT devices are plagued by inadequate firmware validation on the device, a lack of secure delivery, insufficient anti-rollback mechanisms, and non-existent notifications regarding time-urgent security updates.What IoT Manufacturers Can Do: Check that updates to IoT devices are digitally signed, and are only applied if they are untampered with (that is, the digital signature is intact). By checking digital signatures, you can ensure that the firmware updates you are applying are legitimate, which prevents attacks resulting from compromised update servers. Allow only limited rollbacks (some rollback may be needed; in case a device is unusable). And finally, deliver updates over a secure channel like HTTPS.
5. USE OF INSECURE OR OUTDATED COMPONENTS
This entry particularly holds true for the Industrial Internet of Things (IIoT), which is often interlinked with legacy technology. Legacy technology tends to include systems that are expensive or technically difficult to update. Using outdated components that cannot be easily maintained leads to more vulnerabilities. The same issues apply to IoT. Using software that has vulnerabilities or software that can no longer be updated opens IoT devices to more security risk.
What IoT Manufacturers Can Do: The absolute best defense against vulnerabilities caused by insecure or outdated components is to simply not use legacy technology. Additionally, keep track of your hardware and software and have a plan for if any of those components reach “end of life” status, where they will no longer receive updates. That legacy technology should be replaced as soon as possible.
6. INSUFFICIENT PRIVACY PROTECTION
Many IoT devices store users’ personal information so as to operate or provide product features. Unfortunately, that personal data isn’t always properly protected and secured. This data is often stored within the manufacturer’s databases in addition to on the actual devices, adding another potentially vulnerable system. Attackers frequently target both IoT devices and their associated databases to access that valuable user data. A notable example of this would be when Orbivo’s database was compromised, exposing two billion user records.
What IoT Manufacturers Can Do: Store as little sensitive information as needed. For the data you absolutely need to store, establish and define a data protection policy. Even with these protections in place, it would be wise to create an incident response plan in the event of a data breach.
7. INSECURE DATA TRANSFER AND STORAGE
This refers to a lack of encryption and access control in regard to handling sensitive data. This could be data at rest, data in transit, or data during processing. The lack of encryption and access control leaves that data susceptible to attackers, and both must be implemented in to IoT devices to achieve true security.
What IoT Manufacturers Can Do: Implement both encryption and access controls into your devices for data no matter what stage it is in. And again, opt for HTTPS, sFTP, and SSH over their insecure counterparts. OWASP has provided some specific guidance for securely storing data in their “cheat sheets,” which you can read here.
8. LACK OF DEVICE MANAGEMENT
When you have only a few of a device, device management is trivial. But, when those few devices are multiplied by dozens, hundreds, or even thousands, device management can quickly become a nightmare.
What IoT Manufacturers Can Do: To be transparent, this is a challenge to troubleshoot. One possible solution is to provide devices integrations with popular asset management, bug-tracking, and patch management systems (think SolarWinds, ServiceNow, ManageEngine, and Fleetsmith). Don’t build your own similar system; instead, provide an interface that allows organizations to integrate with other widely used systems and conduct device management flexibly on the scale they need.
9. INSECURE DEFAULT SETTINGS
Insecure components are typically caused by not keeping up with patches or using legacy components in your environment that are affected by known security issues. While this sounds like more of a minor threat, in reality, known vulnerabilities that have gone overlooked in terms of remediation can lead to severe damage.
What IoT Manufacturers Can Do: With IoT no longer the novel concept it once was, there’s not much of an excuse for devices that are insecure out of the box. There’s enough existing knowledge available on how to ensure your device’s default security, and it must be put into action whenever possible. Make secure settings the default, and give users the option to change their settings if needed.
10. LACK OF PHYSICAL HARDENING
Insufficient physical hardening concerning IoT devices can be easy to overlook. But thanks to its inherent accessibility, IoT is left more exposed to potential physical threats than other technology.
What IoT Manufacturers Can Do: Start with the understanding that your users will open up the device, inspect it, and modify it. Most people won’t, but some will – and with enough motivation, they most likely will break your device. Consider what they would do and how they would do it; whether it be someone trying to disable a smart alarm system to pull off a robbery or someone circumventing a smart meter’s settings to reduce their electric bill. Consider how long a device could withstand a physical attack plus an attacker’s probable skill level, and build your learnings into the device.
None of these common security issues will be resolved overnight, especially as IoT continues to proliferate through all aspects of our lives – professionally and personally. However, by implementing solutions to these common problems in IoT devices, we can take a small step toward a (slightly) more secure world.