OWASP IoT Top 10

Alexa!! Can you please play a song for me!!
We are surrounded by technologies that are growing at a fast pace, and we enjoy using the technology and getting used to it. Nowadays, the hot technology currently available in the market and usage increasing exponentially is IoT 


Explosion of IoT

IoT is a broad term used for a network of objects, devices, or items embedded with sensors and can communicate with one another. The concept of the Internet of things came back in 1999, and the first IoT device was a coca-cola machine placed in Carnegie Melon University. By the year 2013, the Internet of Things had evolved into a system using multiple technologies ranging from the Internet to wireless communication and from micro-electromechanical systems to embedded systems.The usage of IoT technologies has increased from 13 percent in 2014 to around 25 percent today! And the worldwide number of IoT-connected devices is expected to increase to 43 billion by 2023.

In addition to that, the focus has to be placed on the Hype cycle for the IoT. In Era of toying, the technology moves towards adoption, with 65% growth in 2020 and 90% enterprises, 80% for manufacturing, and 90% for cars connected.
Applications of IoT


Example of an IoT device
A digital device can be converted into an IoT if connected to the Internet and have sensors such as smartwatches, smart bulbs, smart T.V, a smart plug, etc

Security Risk in IoT
According to OWASP, the Internet of Things Project designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of things and to enable users in any context to make better security decisions during whole proccess.

Weak, Guessable, or Hardcoded Passwords
The most significant security risk is weak, guessable and hardcoded default passwords, significantly when most users do not change the default passwords upon setting up the IoT devices. Additionally, IoT devices often share the same default passwords, so if an attacker has the password for one device, it might have others.

Insecure Network Services
IoT devices run various services. When these devices are connected to the Internet, they become even more dangerous. This can lead to the breach of confidentiality, integrity, and availability of information or allow unauthorized remote control. However, there is another way of securing this by using secure services such as HTTPS, SFTP, etc., as these protocols rely on encryption and do not let the data flow in clear text as it is dangerous.

Insecure Ecosystem Interfaces
This refers to various devices surrounding the IoT device such as the web interface, back-end API, the cloud, and the mobile interface- everything with a sort of interaction with the device to function correctly. There is a fair chance of the device being affected if any other device in close exchange with IoT is affected.

Lack of secure update mechanisms
The inability to securely update the device is also one of the significant vulnerabilities in IoT. This includes lack of firmware validations, lack of secure delivery, i.e., the traffic will be transmitted in clear text, i.e., not encrypted, insufficient anti-rollback mechanisms, and lack of notifications security changes due to updates.

Use of Insecure or Outdated components
The device can also be compromised if there is the usage of insecure or deprecated software components. This includes insecure customization of Operating system platforms and the use of third-party software or hardware-components from a compromised supply chain.

Insufficient privacy protection
User’s personal information, such as credit card numbers or personally identifiable information, is stored in IoT devices, and that data is not always adequately protected or secured. This data is often stored within the database of the manufacturer in addition to on the actual devices. Attackers are frequently targeting both IoT as well as the IoT’s database. We can limit the storage of our personal information in IoT.

Insecure Data Transfer and Storage
Data is being transferred in clear text, i.e., unencrypted can lead to a man-in-the-middle attack. This could be static data as well as data in transit or data during processing. The lack of encryption and access control leaves the data susceptible to attackers, and both must be implemented to achieve complete security.

Lack of Device Management
Device management becomes essential when there are plenty of devices. There is a lack of security support on devices, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.

Insecure Default Settings
Devices or systems shipped with insecure default settings cannot make the system more secure by restricting operators’ modifying configurations.

Lack of Physical Hardening
Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.