null mumbai-iot top 10

Internet of Things Top Ten

WhoAmI
• Security Consultant with Payatu Technologies
• Experience in Web Pentesting, VAPT and Mobile Appsec (Android Only)
• Currently learning IOT
Agenda
• Why IOT Top 10?
• Attack vectors
• IOT Architecture
• OWASP TOP 10 – IOT
• IOT Exploitation Anatomy (PDF for reference)
• References

Why Top 10 for IOT?
• The internet of things (IoT) is the network of physical devices, vehicles, buildings and other items—embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data (Wikipedia)
• 26 Billion devices connected to Internet by 2020
• Current Security State - still in nascent stage.
• Thus, scope for hackers HIGH
Attack Vectors?
Let's have a look at the architecture and derive all the attack vectors.

IOT Architecture

Attack Vectors List
• All elements need to be considered
• Communication Protocol
• The Cloud
• The Mobile Application
• The Network Interfaces
• Web Interface
• Encryption
• Authentication/Authorization
• Physical ports (JTAG, UART, SPI, I2C)
• Enter the OWASP Internet of Things Top Ten Project
OWASP IOT TOP 10

I1 | Insecure Web Interface

I1 | Insecure Web Interface | Testing
• Account Enumeration
• Weak Default Credentials
• Credentials Exposed in Network Traffic
• Cross-site Scripting (XSS)
• SQL-Injection
• Session Management
• Account Lockout

I1 | Insecure Web Interface | Make It Secure

I2 | Insufficient Authentication/Authorization

I2 | Insufficient Authentication/Authorization | Testing
• Lack of Password Complexity
• Poorly Protected Credentials
• Lack of Two Factor Authentication
• Insecure Password Recovery
• Privilege Escalation
• Lack of Role Based Access Control

I2 | Insufficient Authentication/Authorization | Make It Secure

I3 | Insecure Network Services

I3 | Insecure Network Services | Testing
• Vulnerable Services
• Buffer Overflow
• Open Ports via UPnP
• Exploitable UDP Services
• Denial-of-Service
• DoS via Network Device Fuzzing

I3 | Insecure Network Services | Make It Secure

I4 | Lack of Transport Encryption

I4 | Lack of Transport Encryption | Testing
• Unencrypted Services via the Internet
• Unencrypted Services via the Local Network
• Poorly Implemented SSL/TLS
• Misconfigured SSL/TLS

I4 | Lack of Transport Encryption | Make It Secure

I5 | Privacy Concerns

I5 | Privacy Concerns | Testing
• Collection of Unnecessary Personal Information

I5 | Privacy Concerns | Make It Secure

I6 | Insecure Cloud Interface

I6 | Insecure Cloud Interface | Testing
• Account Enumeration
• No Account Lockout
• Credentials Exposed in Network Traffic

I6 | Insecure Cloud Interface | Make It Secure

I7 | Insecure Mobile Interface

I7 | Insecure Mobile Interface | Testing
• Account Enumeration
• No Account Lockout
• Credentials Exposed in Network Traffic

I7 | Insecure Mobile Interface | Make It Secure

I8 | Insufficient Security Configurability

I8 | Insufficient Security Configurability | Testing
• Lack of Granular Permission Model
• Lack of Password Security Options
• No Security Monitoring
• No Security Logging
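Account enumeration, weak default credentials and missing account lockout (I1, I6, I7), password security options (I2, I8) and missing security logging (I8) all land in the same piece of device code: the login handler. The following is an added example, not code from these slides or from Payatu, showing how one Go login back end can address all of those test items at once. The type and function names (Authenticator, Login, AddUser), the five-failure / fifteen-minute lockout and the twelve-character minimum are assumptions chosen for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// "No such user" and "wrong password" share one error, so replies give an enumeration attempt nothing (I1/I6/I7).
var (
	ErrInvalidLogin = errors.New("invalid username or password")
	ErrLocked       = errors.New("account temporarily locked, try again later")
	ErrMustChange   = errors.New("factory password must be changed before use")
	ErrWeakPassword = errors.New("password must be at least 12 characters")
)
// Policy values are assumptions for this example, not taken from the slides.
const (
	maxFailures = 5
	lockWindow  = 15 * time.Minute
	minPassLen  = 12
)
type account struct {
	salt       []byte
	hash       [32]byte
	factoryPwd bool // still on the credential the device shipped with
	failures   int
	lockedTill time.Time
}
// Authenticator is a hypothetical device login back end (name assumed).
type Authenticator struct {
	users     map[string]*account
	decoySalt []byte   // lets the unknown-user path hash just like a real one
	Log       []string // append-only security log (I8: no logging / monitoring)
	now       func() time.Time
}

func NewAuthenticator(clock func() time.Time) *Authenticator {
	return &Authenticator{users: map[string]*account{}, decoySalt: randomSalt(), now: clock}
}

func randomSalt() []byte {
	s := make([]byte, 16)
	rand.Read(s) // crypto/rand fails hard rather than returning weak bytes
	return s
}

// Salted SHA-256 keeps this stdlib-only; a real device should use argon2/bcrypt from golang.org/x/crypto.
func hashPassword(salt, pw []byte) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), pw...))
}

func (a *Authenticator) logf(format string, args ...any) {
	a.Log = append(a.Log, a.now().UTC().Format(time.RFC3339)+" "+fmt.Sprintf(format, args...))
}

// AddUser provisions an account. factory=true marks a shipped default credential that Login refuses until rotated; user-chosen passwords must meet minPassLen (I2/I8).
func (a *Authenticator) AddUser(name, pw string, factory bool) error {
	if !factory && len(pw) < minPassLen {
		return ErrWeakPassword
	}
	salt := randomSalt()
	a.users[name] = &account{salt: salt, hash: hashPassword(salt, []byte(pw)), factoryPwd: factory}
	return nil
}

// Login: uniform errors, lockout after maxFailures, constant-time compare, refusal of factory credentials, and a log line for every outcome.
func (a *Authenticator) Login(name, pw string) error {
	acct, ok := a.users[name]
	if !ok {
		hashPassword(a.decoySalt, []byte(pw)) // same cost as a real lookup
		a.logf("auth failure user=%q reason=unknown-user", name)
		return ErrInvalidLogin
	}
	now := a.now()
	if now.Before(acct.lockedTill) {
		a.logf("auth refused user=%q reason=locked", name)
		return ErrLocked
	}
	h := hashPassword(acct.salt, []byte(pw))
	if subtle.ConstantTimeCompare(h[:], acct.hash[:]) != 1 {
		acct.failures++
		a.logf("auth failure user=%q reason=bad-password count=%d", name, acct.failures)
		if acct.failures >= maxFailures {
			acct.lockedTill, acct.failures = now.Add(lockWindow), 0
			a.logf("account locked user=%q for=%s", name, lockWindow)
		}
		return ErrInvalidLogin
	}
	acct.failures = 0
	if acct.factoryPwd {
		a.logf("auth refused user=%q reason=factory-password-not-rotated", name)
		return ErrMustChange
	}
	a.logf("auth success user=%q", name)
	return nil
}
```

The lookup for an unknown user still performs a password hash (against a decoy salt) and returns the same error as a wrong password, so neither the response nor its timing tells the two cases apart. Every outcome, including the lockout itself, is appended to Log; that record is the raw material a monitoring pipeline (the I8 "No Security Monitoring" item) would consume.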
I8 | Insufficient Security Configurability | Make It Secure

I9 | Insecure Software/Firmware

I9 | Insecure Software/Firmware | Testing
• Encryption Not Used to Fetch Updates
• Update File not Encrypted
• Update Not Verified before Upload
• Firmware Contains Sensitive Information
• No Obvious Update Functionality
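The I9 items "Update Not Verified before Upload" and "Firmware Contains Sensitive Information" come down to one check a device must run before it flashes anything. The following is an added example, not from the slides or from any vendor's code: ed25519-signed update verification in Go. The device stores only the vendor's public key, so a dumped firmware image yields no signing secret; the manifest layout and the names (Manifest, Update, Device, SignUpdate, NewVendorKeys) are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrBadSignature   = errors.New("update rejected: manifest signature invalid")
	ErrDigestMismatch = errors.New("update rejected: image digest does not match signed manifest")
	ErrRollback       = errors.New("update rejected: version not newer than installed")
)

// Manifest is the small structure the vendor signs: a version counter (for
// anti-rollback) and the SHA-256 of the full image. The layout is an assumption.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// encode gives the canonical bytes that are signed and verified.
func (m Manifest) encode() []byte {
	buf := make([]byte, 4, 4+len(m.Digest))
	binary.BigEndian.PutUint32(buf, m.Version)
	return append(buf, m.Digest[:]...)
}

// Update is the bundle a device downloads: manifest, its signature and the image.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// Device carries only the vendor's public key and the installed version, so
// nothing in the firmware lets an attacker sign updates of their own.
type Device struct {
	VendorPub ed25519.PublicKey
	Installed uint32
}

// Verify runs the checks in order: signature over the manifest, digest of the
// whole image against the signed digest, then anti-rollback on the version.
func (d *Device) Verify(u Update) error {
	if !ed25519.Verify(d.VendorPub, u.Manifest.encode(), u.Signature) {
		return ErrBadSignature
	}
	if sum := sha256.Sum256(u.Image); !bytes.Equal(sum[:], u.Manifest.Digest[:]) {
		return ErrDigestMismatch
	}
	if u.Manifest.Version <= d.Installed {
		return ErrRollback
	}
	return nil
}

// Apply flashes the image only after Verify passes; flashing is simulated here
// by recording the new version.
func (d *Device) Apply(u Update) error {
	if err := d.Verify(u); err != nil {
		return err
	}
	d.Installed = u.Manifest.Version
	return nil
}

// SignUpdate is the vendor side; the private key stays in the build system.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.encode()), Image: image}
}

// NewVendorKeys generates a signing key pair; in practice the private half lives
// only in the vendor's build system or HSM, never on the device.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := NewVendorKeys()
	dev := &Device{VendorPub: pub, Installed: 1}
	img := []byte("constructed firmware image v2") // constructed sample, not real firmware
	fmt.Println("genuine v2:     ", dev.Apply(SignUpdate(priv, 2, img)))
	tampered := SignUpdate(priv, 3, img)
	tampered.Image = append([]byte{}, img...)
	tampered.Image[0] ^= 0x01 // one bit flipped after signing
	fmt.Println("tampered image: ", dev.Apply(tampered))
	fmt.Println("rollback to v2: ", dev.Apply(SignUpdate(priv, 2, img)))
	_, otherPriv := NewVendorKeys()
	fmt.Println("unknown signer: ", dev.Apply(SignUpdate(otherPriv, 4, img)))
}
```

The order of checks matters: the signature is verified over the small manifest first, the image is then hashed and compared with the signed digest, and only then is the version compared with what is installed, so a rejected update never changes device state. Transport encryption for the download (the first two I9 items) is a separate control and still needed: TLS protects the fetch, while the signature protects the device against whatever arrives by any path.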
I9 | Insecure Software/Firmware | Make It Secure

I10 | Poor Physical Security

I10 | Poor Physical Security | Testing
• Access to Software via USB Ports
• Removal of Storage Media

I10 | Poor Physical Security | Make It Secure

References
• OWASP - https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Main
• IOT Security Anatomy - https://github.com/mdsecresearch/Publications/blob/master/presentations/An%20Anatomy%20of%20IoT%20Security_OWASPMCR_Nov2016.pdf (Content may not load properly; just download the PDF)
• Insinuator.net
• Peerlyst
• Reddit Link – www.reddit.com/r/theinternetofshit

THANK YOU