Jan 14, 2019
Aaron Guzman: @scriptingxss
https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive
https://www.owasp.org/index.php/IoT_Attack_Surface_Areas
OWASP SLACK: https://owasp.slack.com/
https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg
Team of 10 or so… list of “do’s and don’ts”
Sub-projects? Embedded systems, car hacking
Embedded applications best practices? *potential show*
Standards: https://xkcd.com/927/
CCPA: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327
How did you decide on the initial criteria?
- Weak, Guessable, or Hardcoded passwords
- Insecure Network Services
- Insecure Ecosystem interfaces
- Lack of Secure Update mechanism
- Use of insecure or outdated components
- Insufficient Privacy Mechanisms
- Insecure data transfer and storage
- Lack of device management
- Insecure default settings
- Lack of physical hardening
2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)
2014 list:
- I1 Insecure Web Interface
- I2 Insufficient Authentication/Authorization
- I3 Insecure Network Services
- I4 Lack of Transport Encryption
- I5 Privacy Concerns
- I6 Insecure Cloud Interface
- I7 Insecure Mobile Interface
- I8 Insufficient Security Configurability
- I9 Insecure Software/Firmware
- I10 Poor Physical Security
BrakeSec Episode on ASVS http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3
OWASP SLACK: https://owasp.slack.com/
What didn’t make the list? How do we get Devs onboard with these?
How does someone interested get involved with OWASP Iot working group?
https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices
https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf
https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf