Cyber Security | OWASP IoT Top-10 2020
1. Weak, Guessable, or Hardcoded Passwords :-
Use of:
● Easily bruteforced
● Publicly available
● Unchangeable credentials
Including backdoors in firmware or client software that grant unauthorized access
[Image: easily guessed password]
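A credential-policy check for the three failure modes listed under item 1. This is an added example, not OWASP's code or any vendor's: the default-credential list, the thresholds and the `Credential` model are constructed for illustration, and the entropy estimate is a rough character-class heuristic rather than a real strength meter.

```python
"""Credential-policy check for IoT devices (added example, not OWASP's code).

Flags credentials that are easily brute-forced (short / low entropy),
publicly available (vendor defaults) or unchangeable (hardcoded backdoor
accounts), and shows per-device provisioning of a unique initial password.
"""
import math
import secrets
import string
from dataclasses import dataclass
from typing import List

# Constructed sample of vendor defaults; real lists are far larger.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
}

MIN_LENGTH = 12          # assumed policy threshold
MIN_ENTROPY_BITS = 50.0  # assumed policy threshold


@dataclass(frozen=True)
class Credential:
    username: str
    password: str
    changeable: bool = True  # False models a fixed/backdoor account


def estimate_entropy_bits(password: str) -> float:
    """Rough estimate: log2(charset size) * length, from the classes present."""
    charset = 0
    if any(c in string.ascii_lowercase for c in password):
        charset += 26
    if any(c in string.ascii_uppercase for c in password):
        charset += 26
    if any(c in string.digits for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    return math.log2(charset) * len(password) if charset else 0.0


def check_credential(cred: Credential) -> List[str]:
    """Return the policy findings for one credential (empty list = acceptable)."""
    findings = []
    if (cred.username, cred.password) in KNOWN_DEFAULTS:
        findings.append("publicly available default credential")
    if len(cred.password) < MIN_LENGTH:
        findings.append("easily brute-forced: too short")
    if estimate_entropy_bits(cred.password) < MIN_ENTROPY_BITS:
        findings.append("easily brute-forced: low entropy")
    if not cred.changeable:
        findings.append("unchangeable credential (hardcoded/backdoor)")
    return findings


def provision_initial_password(length: int = 16) -> str:
    """Per-device random initial password; the device should force a change at first login."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for cred in (Credential("admin", "admin"),
                 Credential("root", "root", changeable=False),
                 Credential("device", provision_initial_password())):
        print(cred.username, check_credential(cred))
```

The check runs against a candidate credential before it is baked into a firmware image or accepted at provisioning time; the per-device random password replaces a single shared default so that no published list can match it.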
2. Insecure Network Services :-
Unneeded or insecure network services running on the device itself, especially:
● Those exposed to the Internet
● Any that compromise the confidentiality, integrity/authenticity, or availability of information
● Any service that allows unauthorized remote control
3. Insecure Ecosystem Interfaces :-
Insecure interfaces in the ecosystem outside the device:
● Web
● Backend API
● Cloud
● Mobile
Common issues
● Lack of authentication
● Lack of authorization
● Lacking or weak encryption
● Lack of input and output filtering
4. Lack of Secure Update Mechanism :-
Lack of ability to securely update the device.
● Lack of firmware validation on device
● Lack of secure delivery (unencrypted in transit)
● Lack of anti-rollback mechanisms
● Lack of notifications of security changes due to updates
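A device-side update verifier covering the item-4 gaps: firmware validation, anti-rollback and a security-change note that can be surfaced to the user. This is an added example, not OWASP's or any vendor's update code. It assumes a manifest format of my own design, and uses HMAC-SHA256 as a stand-in for an asymmetric signature so that it runs with the standard library alone; a real device would verify with a vendor public key and never hold the signing key. Secure delivery (TLS in transit) is not shown since it happens outside this function.

```python
"""Firmware update verification on the device (added example, not OWASP's code).

Checks, in order: manifest signature, anti-rollback version, image hash.
Each check fails closed. HMAC-SHA256 stands in for a public-key signature.
"""
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed demo key; in production the signing key lives only on the build
# server and the device holds just a verification key.
SIGNING_KEY = b"constructed-demo-key-do-not-use"


def build_manifest(image: bytes, version: int, security_notes: str) -> Dict:
    """Manifest produced at build time: version, image digest, notes for the user."""
    return {
        "version": version,
        "sha256": hashlib.sha256(image).hexdigest(),
        "security_notes": security_notes,
    }


def canonical(manifest: Dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: Dict, key: bytes = SIGNING_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest: Dict, signature: str, image: bytes,
                  installed_version: int, key: bytes = SIGNING_KEY) -> Tuple[bool, str]:
    """Return (accepted, reason). Nothing is written to flash unless accepted is True."""
    expected = sign_manifest(manifest, key)
    # Signature first: an unsigned manifest gets no further processing.
    if not hmac.compare_digest(expected, signature):
        return False, "manifest signature invalid"
    # Anti-rollback: never accept a version that is not strictly newer.
    if manifest["version"] <= installed_version:
        return False, "rollback rejected: version not newer than installed"
    # Firmware validation: the image must match the signed digest.
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return False, "image hash mismatch"
    # Notification of security changes comes from the signed notes field.
    return True, f"update to v{manifest['version']} verified: {manifest['security_notes']}"


if __name__ == "__main__":
    image = b"constructed firmware image v3"
    manifest = build_manifest(image, 3, "disables telnet by default")
    sig = sign_manifest(manifest)
    print(verify_update(manifest, sig, image, installed_version=2))
    print(verify_update(manifest, sig, image, installed_version=3))
    print(verify_update(manifest, sig, b"tampered", installed_version=2))
```

Because the version and the image digest are inside the signed manifest, an attacker who can only modify bytes in transit cannot downgrade the device or substitute an image without invalidating the signature.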
5. Use of Insecure or Outdated Components :-
Use of deprecated or insecure software components/libraries that could allow the device to be compromised.
● Insecure customization of operating system platforms
● Third-party software libraries from a compromised supply chain
● Third-party hardware components from a compromised supply chain
6. Insufficient Privacy Protection :-
User's personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.
7. Insecure Data Transfer and Storage :-
Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.
8. Lack of Device Management :-
Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.
9. Insecure Default Settings :-
Devices or systems shipped with insecure default settings, or lacking the ability to be made more secure because operators are restricted from modifying configurations.
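A configuration audit that ties item 2 (unneeded or insecure network services, especially those exposed to the Internet or allowing remote control) to item 9 (insecure defaults and settings the operator cannot change), with the shipped configuration beside a hardened one. This is an added example, not OWASP's code or any vendor's; the configuration schema, the device settings and the list of services considered insecure are all constructed for illustration.

```python
"""Audit a device's shipped configuration for insecure services and defaults
(added example; the config schema is constructed, not a real vendor format)."""
from copy import deepcopy
from typing import Dict, List

# Services that are insecure by design or grant unauthenticated remote control.
INSECURE_SERVICES = {
    "telnet": "cleartext credentials",
    "ftp": "cleartext credentials",
    "http": "cleartext transport",
    "debug_shell": "unauthenticated remote control",
    "upnp": "unauthenticated remote configuration",
}

# Constructed shipping configuration of a hypothetical device.
SHIPPED_CONFIG = {
    "services": [
        {"name": "telnet", "port": 23, "bind": "0.0.0.0", "enabled": True},
        {"name": "http", "port": 80, "bind": "0.0.0.0", "enabled": True},
        {"name": "https", "port": 443, "bind": "0.0.0.0", "enabled": True},
        {"name": "debug_shell", "port": 9000, "bind": "0.0.0.0", "enabled": True},
    ],
    "settings": {
        "admin_password_changed": {"value": False, "operator_changeable": True},
        "tls_min_version": {"value": "1.0", "operator_changeable": False},
        "auto_update": {"value": False, "operator_changeable": True},
    },
}


def audit_services(config: Dict) -> List[str]:
    """Item 2: enabled insecure services, noting whether they listen on all interfaces."""
    findings = []
    for svc in config["services"]:
        if not svc["enabled"] or svc["name"] not in INSECURE_SERVICES:
            continue
        reach = "exposed on all interfaces" if svc["bind"] == "0.0.0.0" else f"bound to {svc['bind']}"
        findings.append(f"{svc['name']}/{svc['port']}: {INSECURE_SERVICES[svc['name']]}, {reach}")
    return findings


def audit_defaults(config: Dict) -> List[str]:
    """Item 9: insecure defaults and settings the operator is prevented from changing."""
    findings = []
    s = config["settings"]
    if not s["admin_password_changed"]["value"]:
        findings.append("default admin password still in place")
    if s["tls_min_version"]["value"] < "1.2":  # string compare is enough for 1.x versions
        findings.append("TLS minimum version below 1.2")
    if not s["auto_update"]["value"]:
        findings.append("automatic security updates disabled by default")
    for name, setting in s.items():
        if not setting["operator_changeable"]:
            findings.append(f"{name}: operator cannot change this setting")
    return findings


def harden(config: Dict) -> Dict:
    """Return a copy with insecure services disabled and secure defaults applied."""
    hardened = deepcopy(config)
    for svc in hardened["services"]:
        if svc["name"] in INSECURE_SERVICES:
            svc["enabled"] = False
    s = hardened["settings"]
    s["admin_password_changed"]["value"] = True   # change forced at first login
    s["tls_min_version"] = {"value": "1.2", "operator_changeable": True}
    s["auto_update"]["value"] = True
    return hardened


if __name__ == "__main__":
    print("shipped:", audit_services(SHIPPED_CONFIG) + audit_defaults(SHIPPED_CONFIG))
    print("hardened:", audit_services(harden(SHIPPED_CONFIG)) + audit_defaults(harden(SHIPPED_CONFIG)))
```

Running the audit over the hardened copy returns no findings, which is the state a device should be in when it leaves the factory: only HTTPS listening, the default password retired at first login, and every security-relevant setting left under operator control.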
10. Lack of Physical Hardening :-
Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.