IoT Security

Created by Miroslav Biňas / mirek

## When was the last time you updated the firmware on your home WiFi router?
## The "S" in IoT stands for "Security".
[![OWASP Logo](images/logo-owasp.png)](https://owasp.org)
[![OWASP Top 10 Project](images/owasp.top.ten.png)](https://owasp.org/www-project-top-ten/) notes: * https://blog.omnetworks.com.np/owasp-top-10-understanding-the-most-critical-application-security-risks/
[![OWASP IoT Top 10 Project](images/owasp.iot.top.ten.jpg)](https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10) notes: * https://www.appsealing.com/owasp-iot-top-10/
### #1 Weak, guessable or hard coded passwords
> Use of easily bruteforced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grants unauthorized access to deployed systems.
[![Prieskum spoločnosti NordVPN](images/nordvpn.png)](https://s1.nordcdn.com/nord/misc/0.42.0/vpn/brand/your-smart-devices-put-you-at-risk.pdf)
### Common Insecure credentials * `admin/admin` * `guest/guest` * `user/password` * `root/toor` * `test/test` * `student/student`
## [defpass.com](https://defpass.com/)
[![](images/baby.monitor.iot.hacking.jpg)](https://nordvpn.com/blog/baby-monitor-iot-hacking/) [Hacker terrorizes family by hijacking baby monitor](https://nordvpn.com/blog/baby-monitor-iot-hacking/)
[![have I been pwned](images/have.i.been.pwned.png)](https://haveibeenpwned.com)
## How to Mitigate Risk? * `.gitignore` credential/config files * use environment variables * when UI is available * avoid to use default credentials! * ask for login and password on first run! * invalid credentials message always (don't help attacker by telling him the login is ok)
### #2 Insecure network services
> Unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control...
``` $ nmap 192.168.1.1 Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-03 18:51 CET Nmap scan report for 192.168.1.1 Host is up (0.00057s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 23/tcp open telnet 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds ```
## How to Mitigate Risk? * turn off unwanted services * create separate network for IoT solution * use secure communication channel * problem with microcontrollers
### #3 Insecure ecosystem interfaces
> Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allows compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.
## How to Mitigate Risk? * use secure and reliable authentication and authorization mechanism with auditing system * use existing one instead of creating your own * use encrypted communication * use filtering of incomming and outgoing network communication on network interfaces
[![OWASP Top 10 Project](images/owasp.top.ten.png)](https://owasp.org/www-project-top-ten/) notes: * https://blog.omnetworks.com.np/owasp-top-10-understanding-the-most-critical-application-security-risks/
### #4 Lack of secure update mechanisms
> Lack of ability to securely update the device. This includes lack of firmware validation on device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.
![AEG combi microwave unusable after update: device thinks it is a steam oven](images/aeg.combi.microwave.jpg) [AEG combi microwave unusable after update: device thinks it is a steam oven](https://taketonews.com/aeg-combi-microwave-unusable-after-update-device-thinks-it-is-a-steam-oven/) (March, 2022)
### #5 Use of insecure or outdated components
> Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms, and the use of third-party software or hardware components from a compromised supply chain.
## How to Mitigate Risk? * use up-to-date libraries * (often) check your softvare and your platform for vulnerabilities * part of CI/CD pipeline
### #6 Insufficient privacy protection
> User’s personal information stored on the device or in the ecosystem that is used **insecurely**, **improperly**, or without **permission**.
## How to Mitigate Risk? * store critical data securely with proper permissions * use encryption * use filesystem encryption
### #7 Insecure data transfer and storage
> Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.
## How to Mitigate Risk? * secure data in transfer * encrypt data on storage * protect data against unauthorized access (RBA, tokens, password, two factor auth.) * check data integrity (with signatures, CRC check)
### #8 Lack of device management
> Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.
### #9 Insecure default settings
> Devices or systems shipped with insecure default settings or lack the ability to make the system more secure by restricting operators from modifying configurations.
notes: * https://www.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space
### #10 Lack of physical hardening
> Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.
## Questions?