OWASP Internet of Things
The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies.
The project aims to define a structure for its various IoT sub-projects, separated into three categories: Seek & Understand, Validate & Test, and Governance. Right now, you can find the following active and upcoming OWASP Internet of Things projects:
Internet of Things Page Archive
Not what you are looking for? Please have a look at the Internet of Things Page Archive.
Start a new IoT security project
Want to start a new IoT security project? Follow https://www.owasp.org/index.php/Category:OWASP_Project#Starting_a_New_Project or contact one of the leaders of the active projects.
Seek & Understand
- Daniel Miessler
- Aaron Guzman
- Vishruta Rudresh
- Craig Smith
Top ten things to avoid when building, deploying or managing IoT systems.
| OWASP IoT Top 10 2018 | Description |
| --- | --- |
| I1 Weak, Guessable, or Hardcoded Passwords | Use of easily brute-forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grant unauthorized access to deployed systems. |
| I2 Insecure Network Services | Unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control. |
| I3 Insecure Ecosystem Interfaces | Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allow compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering. |
| I4 Lack of Secure Update Mechanism | Lack of ability to securely update the device. This includes lack of firmware validation on the device, lack of secure delivery (unencrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates. |
| I5 Use of Insecure or Outdated Components | Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms, and the use of third-party software or hardware components from a compromised supply chain. |
| I6 Insufficient Privacy Protection | User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission. |
| I7 Insecure Data Transfer and Storage | Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing. |
| I8 Lack of Device Management | Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities. |
| I9 Insecure Default Settings | Devices or systems shipped with insecure default settings, or lacking the ability to make the system more secure by restricting operators from modifying configurations. |
| I10 Lack of Physical Hardening | Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device. |
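I4 (Lack of Secure Update Mechanism) bundles three separate device-side checks: the update manifest must be authenticated before any of its fields are trusted, a signed-but-older version must be refused (anti-rollback), and the delivered image must match the digest the manifest commits to. The following is an added example, not code from any OWASP project, showing those checks in the order a device should apply them. The manifest format, the `sign_manifest`/`verify_update` names and the constructed key and version values are assumptions for this example; an HMAC stands in for the asymmetric signature (for instance Ed25519 over the same canonical bytes) that a real device would verify against a vendor public key.

```python
import hashlib
import hmac
import json

# Constructed device state for this example. A real device would hold a
# vendor public key and verify an asymmetric signature; an HMAC over the
# manifest stands in for that here so the block runs with the standard
# library only.
DEVICE_KEY = b"constructed-demo-verification-key"
INSTALLED_VERSION = 7


class UpdateRejected(Exception):
    """Raised when an update fails authentication, anti-rollback, or integrity."""


def _canonical(payload: dict) -> bytes:
    # Canonical encoding so vendor and device authenticate exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(key: bytes, version: int, image: bytes) -> dict:
    """Vendor side (assumed manifest format): bind the monotonically increasing
    version number and the image digest together under one authentication tag."""
    payload = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_update(key: bytes, installed_version: int, manifest: dict, image: bytes) -> int:
    """Device side. Order matters: authenticate the manifest first, so the
    version and digest fields are trusted before they are used; then refuse
    rollback; then check the image against the authenticated digest.
    Returns the new version on success, raises UpdateRejected otherwise."""
    expected = hmac.new(key, _canonical(manifest["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise UpdateRejected("manifest authentication failed")
    version = manifest["payload"]["version"]
    if version <= installed_version:
        raise UpdateRejected(f"rollback refused: {version} <= installed {installed_version}")
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest["payload"]["sha256"]):
        raise UpdateRejected("image digest does not match manifest")
    return version


def try_update(key: bytes, installed_version: int, manifest: dict, image: bytes) -> str:
    """Convenience wrapper returning a one-line outcome instead of raising."""
    try:
        return f"accepted version {verify_update(key, installed_version, manifest, image)}"
    except UpdateRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    image = b"constructed firmware image v8"
    good = sign_manifest(DEVICE_KEY, 8, image)
    print(try_update(DEVICE_KEY, INSTALLED_VERSION, good, image))
    # Downgrade attempt: a validly signed but older manifest.
    print(try_update(DEVICE_KEY, INSTALLED_VERSION, sign_manifest(DEVICE_KEY, 6, image), image))
    # Image altered after signing.
    print(try_update(DEVICE_KEY, INSTALLED_VERSION, good, image + b"x"))
    # Version field edited without re-signing: caught by the authentication step.
    forged = {"payload": dict(good["payload"], version=99), "tag": good["tag"]}
    print(try_update(DEVICE_KEY, INSTALLED_VERSION, forged, image))
```

The design point is the ordering: the version comparison runs only after the tag has been verified, so an edited version field cannot bypass the rollback check, and the stored `INSTALLED_VERSION` must itself live in tamper-resistant storage for the anti-rollback guarantee to mean anything.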
- Aaron Guzman
- José A. Rivas
Provides mappings of the OWASP IoT Top 10 2018 to industry publications and sister projects.
| OWASP IoT Top 10 2014 | OWASP IoT Top 10 2018 Mapping |
| --- | --- |
| I1 Insecure Web Interface | I3 Insecure Ecosystem Interfaces |
| I2 Insufficient Authentication/Authorization | I1 Weak, Guessable, or Hardcoded Passwords; I3 Insecure Ecosystem Interfaces; I9 Insecure Default Settings |
| I3 Insecure Network Services | I2 Insecure Network Services |
| I4 Lack of Transport Encryption/Integrity Verification | I7 Insecure Data Transfer and Storage |
| I5 Privacy Concerns | I6 Insufficient Privacy Protection |
| I6 Insecure Cloud Interface | I3 Insecure Ecosystem Interfaces |
| I7 Insecure Mobile Interface | I3 Insecure Ecosystem Interfaces |
| I8 Insufficient Security Configurability | I9 Insecure Default Settings |
| I9 Insecure Software/Firmware | I4 Lack of Secure Update Mechanism; I5 Use of Insecure or Outdated Components |
| I10 Poor Physical Security | I10 Lack of Physical Hardening |
- Aaron Guzman
- Fotios Chantzis
- Paulino Calderon
IoTGoat is a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the top 10 vulnerabilities as documented by OWASP: https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project.
- OWASP IoTGoat v1.0 is out! Please send us your feedback!
Validate & Test
- Luca Rotsch
- Aaron Guzman
The OWASP IoT Security Testing Guide provides a comprehensive methodology for penetration tests in the IoT field, offering the flexibility to adapt to innovations and developments on the IoT market while still ensuring comparability of test results. By establishing a common terminology, the guide facilitates a shared understanding between manufacturers and operators of IoT devices on the one hand and penetration testing teams on the other.
The methodology, the underlying models and the catalog of test cases present tools that can be used separately and in conjunction with each other.
Check out the project’s GitHub repository for more details: https://github.com/OWASP/owasp-istg
- Aaron Guzman
The Firmware Security Testing Methodology (FSTM) is composed of nine stages tailored to enable security researchers, software developers, consultants, hobbyists, and information security professionals to conduct firmware security assessments.
| Stage | Description |
| --- | --- |
| 1. Information gathering and reconnaissance | Acquire all relevant technical and documentation details pertaining to the target device’s firmware |
| 2. Obtaining firmware | Attain firmware using one or more of the proposed methods listed |
| 3. Analyzing firmware | Examine the target firmware’s characteristics |
| 4. Extracting the filesystem | Carve filesystem contents from the target firmware |
| 5. Analyzing filesystem contents | Statically analyze extracted filesystem configuration files and binaries for vulnerabilities |
| 6. Emulating firmware | Emulate firmware files and components |
| 7. Dynamic analysis | Perform dynamic security testing against firmware and application interfaces |
| 8. Runtime analysis | Analyze compiled binaries during device runtime |
| 9. Binary exploitation | Exploit identified vulnerabilities discovered in previous stages to attain root and/or code execution |
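Stage 5 (statically analyzing the extracted filesystem) is also where a manufacturer can run the pre-ship checks that the Top 10's I1 (Weak, Guessable, or Hardcoded Passwords) calls for, before any emulation or runtime work. The following is an added example, not code from the FSTM, ByteSweep or any other OWASP project: it scans an extracted root filesystem for accounts with no password, accounts shipped with a preset password hash, and secrets assigned in clear text in configuration files. The check names, the regular expression and the `SAMPLE_ROOTFS` contents are constructed for this example; `scan_directory` applies the same checks to a real extracted tree on disk.

```python
import re
from pathlib import Path

# Hypothetical checks for this example: three I1-style findings that a
# pre-ship scan of an extracted root filesystem can catch without running
# the firmware.
SECRET_ASSIGNMENT_RE = re.compile(
    r"^\s*(passw(?:or)?d|secret|api[_-]?key|token)\s*[=:]\s*(\S+)", re.IGNORECASE
)
LOCKED_MARKERS = ("*", "!", "!!")  # shadow hash fields that mean "no login"


def check_shadow(content: str) -> list:
    """Inspect /etc/shadow lines (user:hash:...) for passwordless or preset accounts."""
    findings = []
    for line in content.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        user, hashed = fields[0], fields[1]
        if hashed == "":
            findings.append(("empty-password", user))        # login with no password
        elif hashed not in LOCKED_MARKERS and not hashed.startswith("!"):
            findings.append(("preset-password-hash", user))  # same credential on every unit
    return findings


def check_config(path: str, content: str) -> list:
    """Flag key=value / key: value lines that assign a non-empty secret in clear text."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        match = SECRET_ASSIGNMENT_RE.match(line)
        if match and match.group(2).strip("\"'"):
            findings.append(("plaintext-secret", f"{path}:{lineno}"))
    return findings


def scan_rootfs(files: dict) -> list:
    """files maps a path relative to the extracted root (e.g. 'etc/shadow') to its text."""
    findings = []
    for path, content in files.items():
        if path == "etc/shadow":
            findings.extend(check_shadow(content))
        else:
            findings.extend(check_config(path, content))
    return findings


def scan_directory(root: str) -> list:
    """Run the same checks over a real extracted filesystem on disk (text files only)."""
    root_path = Path(root)
    files = {}
    for p in root_path.rglob("*"):
        if p.is_file():
            try:
                files[p.relative_to(root_path).as_posix()] = p.read_text(errors="ignore")
            except OSError:
                continue
    return scan_rootfs(files)


# Constructed extracted filesystem standing in for the output of stage 4.
SAMPLE_ROOTFS = {
    "etc/shadow": (
        "root:$1$constructed$saltedhashvalue:0:0:99999:7:::\n"
        "admin::0:0:99999:7:::\n"
        "nobody:*:0:0:99999:7:::\n"
    ),
    "etc/cloud.conf": "api_key = CONSTRUCTED-EXAMPLE-KEY\nhost = device-cloud.example\n",
    "etc/hostname": "iot-device\n",
}

if __name__ == "__main__":
    for kind, where in scan_rootfs(SAMPLE_ROOTFS):
        print(f"{kind:22} {where}")
```

A preset root hash is reported rather than auto-failed because the remediation question is whether the credential is unique per device and changeable by the operator; an empty hash field and a clear-text API key in a config file are defects in any shipped image.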
- Matt Brown
ByteSweep is a Free Software IoT security analysis platform. This platform will allow IoT device makers, large and small, to conduct fully automated security checks before firmware is shipped.
- Craig Smith
The Firmware Analysis Project provides:
- Security testing guidance for vulnerabilities in the “Device Firmware” attack surface
- Steps for extracting file systems from various firmware files
- Guidance on searching a file system for sensitive or interesting data
- Information on static analysis of firmware contents
- Information on dynamic analysis of emulated services (e.g. a web admin interface)
- Testing tool links
- A site for pulling together existing information on firmware analysis
Catalogue of IoT regulatory policies and Certifications