Guest blog post by vozag
Emergence of IoT presents security challenges more challenging than any industrial systems have seen.
Open Web Application Security Project (OWASP) is a reputed international organization which focuses on improving the security of the software. It sponsors the hugely popular Top ten project which publishes the top ten security risks for web applications all over the world.
The “OWASP Internet of Things (IoT) Top 10” project defines the top ten security surface areas presented by IoT systems. The project aims to provide practical security recommendations for builders, breakers, and users of IoT systems.
Last year HP which started this project used it as a baseline to evaluate top ten IoT devices which are were widely used and released a report. The study concluded that on an average each device studied had 25 vulnerabilities listed as a part of project.
The top 10 vulnerabilities impact of each vulnerability and the link in the order listed in project are given below:
Insecure web interfaces can result in data loss or corruption, lack of accountability, or denial of access and can lead to complete device takeover.
Insufficient authentication/authorization can result in data loss or corruption, lack of accountability, or denial of access and can lead to complete compromise of the device and/or user accounts.
Insecure network services can result in data loss or corruption, denial of service or facilitation of attacks on other devices.
Lack of transport encryption can result in data loss and depending on the data exposed, could lead to complete compromise of the device or user accounts.
Collection of personal data along with a lack of protection of that data can lead to compromise of a user's personal data.
An insecure cloud interface could lead to compromise of user data and control over the device.
An insecure mobile interface could lead to compromise of user data and control over the device.
Insufficient security configurability could lead to compromise of the device whether intentional or accidental and/or data loss.
Insecure software/firmware could lead to compromise of user data, control over the device and attacks against other devices.
Insufficient physical security could lead to compromise of the device itself and any data stored on that device.