17 Apr, 2017

Internet of Things OWASP Top 10 2018 Released

by David Lindner

IoT or the Internet of Things has become a cornerstone of the American consumer and business markets as more and more connected devices are added to the mix every single day. Making sure these systems are secure is extremely important for both security and privacy.  Over the holidays, the 2018 OWASP IoT Top 10 was released.

# The New 2018 OWASP IoT Top 10:
I1. Weak, Guessable, or Hardcoded Passwords
I2. Insecure Network Services
I3. Insecure Ecosystem Interfaces
I4. Lack of Secure Update Mechanism
I5. Use of Insecure or Outdated Components
I6. Insufficient Privacy Protection
I7. Insecure Data Transfer and Storage
I8. Lack of Device Management
I9. Insecure Default Settings
I10. Lack of Physical Hardening
# Comparing the 2014 Top 10 to 2018 by color coding:
| Top Ten | 2014 IoT Top Ten | 2018 IoT Top Ten |
|---|---|---|
| I1 | Insecure Web Interface | Weak, Guessable, or Hardcoded Passwords |
| I2 | Insufficient Authentication/Authorization | Insecure Network Services |
| I3 | Insecure Network Services | Insecure Ecosystem Interfaces |
| I4 | Lack of Transport Encryption | Lack of Secure Update Mechanism |
| I5 | Privacy Concerns | Use of Insecure or Outdated Components (NEW) |
| I6 | Insecure Cloud Interface | Insufficient Privacy Protection |
| I7 | Insecure Mobile Interface | Insecure Data Transfer and Storage |
| I8 | Insufficient Security Configurability | Lack of Device Management |
| I9 | Insecure Software/Firmware | Insecure Default Settings (NEW) |
| I10 | Poor Physical Security | Lack of Physical Hardening |

Table 1: Maps the 2014 OWASP IoT Top 10 to the 2018 list. The color in the 2014 list maps to the same or a common issue in the 2018 list. For example, Insecure Web Interface, Insecure Cloud Interface, and Insecure Mobile Interface have been rolled into one category in the 2018 list, Insecure Ecosystem Interfaces, but they are still covered.
# 5 Key Takeaways

1. High-Level vs. More Focused Changes from 2014 to 2018.

The 2014 issues maintained a presence in the 2018 list. Some previous items such as Insecure Web Interface, Insecure Cloud Interface, and Insecure Mobile Interface were rolled into a high-level area: Insecure Ecosystem Interfaces. Lack of Transport Encryption from the 2014 list was rolled into a higher-level Insecure Data Transfer and Storage issue in 2018. However, Insufficient Authentication/Authorization from 2014 was rolled way down to a very focused issue, Weak, Guessable, or Hardcoded Passwords, in 2018. I am not sure I fully follow the path of the Top 10 list when some things are very specific and some are extremely high-level.

2. Should I1: Weak, Guessable, or Hardcoded Passwords and I9: Insecure Default Settings be combined?

An argument could be made that I1: Weak, Guessable, or Hardcoded Passwords and I9: Insecure Default Settings should be combined to make the Top 10 more consistent. If you look at the rest of the Top 10, it is a high-level list of control areas or "things", yet in the case of I1, one specific issue was broken out. I have no problem with the issue as it is a big problem with IoT; however, I take issue with the inconsistency of the list and what each item represents. Weak passwords and default credentials, with regard to Insecure Default Settings (I9), should have been combined in the 2018 list.

3. Is the 2018 list too broad?

For the most part the 2018 list is a very high-level, rolled-up list of "things." I agree with Insecure Ecosystem Interfaces, but I disagree with it being its own "thing." It's too rolled up. Understanding an IoT ecosystem and all the different interfaces requires an understanding of risk and how the presented interfaces may affect the overall system if/when compromised. There is a reason Cloud, Web, Mobile, etc. all have their own Top 10 lists. It's because they all present a different risk level and have subtle differences in the security issues present in each. I3 is basically a HUGE bucket of other Top 10 lists for you to be aware of when assessing the security of your IoT ecosystem.

4. New Additions to the OWASP IoT Top 10 2018.

There are 2 NEW members in the 2018 IoT Top 10. Use of Insecure or Outdated Components and Insecure Default Settings make their first appearance. Both of these issues are top concerns for anyone building, creating, or breaking IoT systems. Third-party components will continue to be major pain points in any system, both from a software and a hardware perspective. Looking back at 2018, most of the successful IoT attacks were due to Insecure Default Settings, which most consumers don't know how to change, nor do they care to change them. Kudos to the team for adding these very important issues.

5. This is just a starting point.

As with any Top 10, the list should be taken and expanded upon for your use. It is a great starting point for anyone looking at their IoT system for security; however, it is just a starting point in securing your Internet of Things ecosystem.

Most importantly, we'd like to extend a big thank you to the OWASP IoT 2018 team, as it takes countless hours of debate, research, deep understanding of the issues, and lots of writing to put together a Top 10. 

nVisium is pleased with the most recent changes to the IoT OWASP Top 10 and seeing how the IoT security space continues to evolve in 2019. nVisium looks forward to continuing to support our clients with IoT Security projects and continued Research and Development in the space. 

Questions for David Lindner or the nVisium team about this blog or ways nVisium can support your team on the IoT, web, mobile, or cloud security side in 2019? 
