OWASP has an extensive list of 10 vulnerabilities that could affect the Internet of Things. As presented on its official website, the list covers a variety of areas that developers should focus on if they want greater protection. Since the IoT continues to be a strong driving force in technology, businesses should seize the chance to build stronger software while they still can. Within the next five years, billions of new devices could become connected, including more refrigerators, cars and thermostats.
The organization firmly believes that these issues don’t exist in one place, but instead require a comprehensive analysis including the end device, the cloud and several other components. To reduce vulnerabilities, developers should implement necessary changes ahead of time.
Let’s look at the first five entries on the OWASP IoT vulnerabilities list, and what makes them so dangerous:
- #1 Insecure Web Interface: As OWASP notes, this is an easy-to-exploit weakness with the potential to create an opportunity for further attacks. Developers can wrongly overlook certain aspects of an interface and render the entire system a target. A key way to assess vulnerabilities could be to look at individual elements someone might use to gain unwanted access. Because the IoT links formerly separate devices together, individual flaws could be magnified.
- #2 Insufficient Authentication/Authorization: This is a broad category of issues that ranges from poor password security to improper delegation of credentials to specific users. There New devices could also put special restrictions on passwords. In a piece for ITWorld, Paul Roberts noted that the resolution on the small screen of an Apple Watch “have made conventional alphanumeric passwords impractical.” Developers can avoid this by not only requiring stronger passwords, but also by establishing an easy means of enabling two-factor authentication and other secure login features.
- #3 Insecure Network Services: They may not be a common security weakness, but poorly protected services leave software at risk of Denial of Service attacks. These are infamous and can debilitate a server. The fact that new, previously unconnected devices are expected to communicate with each other leaves them and their networks at risk. OWASP specifically cites “network device fuzzing” as a possible means of DoS attack and urges companies to address this vulnerability specifically through Network security efforts.
- #4 Lack of Transport Encryption: When an IoT device transmits information, it could leave data unencrypted and exposed. A Symantec report that cited the OWASP list noted that the “lack of encryption raises a major privacy concern,” with important credentials easily visible to attackers. “IoT devices often have less memory and slower CPUs, so they may be unable to use the same encryption methods as a traditional computer does, but that is no excuse for the lack of strong encryption,” the report adds. This is classified as an easily detectable weakness that could stem from either the Internet or a local network.
- #5 Privacy Concerns: If that sounds vague, it’s because the IoT presents several possible ways to harbor sensitive details. By collecting credit card data, bank account information or even something as innocuous as a date of birth, a device could gather valuable information in a way that makes it easy to obtain. Some of the tactics for addressing this concern could bleed over into other categories, such as stronger encryption methods and a better means of assigning authorization to the correct users.
PSC will help developers gain the software assurance they need as the IoT continues to grow. Be sure to visit this blog soon for the second post in this series, where we look at the rest of the list.Share