Cyber Security | OWASP IoT Top-10 2020

1.Weak, Guessable, or Hardcoded Passwords :-

Use of:
● Easily bruteforced
● Publicly available
● Unchangeable credentials
Including backdoors in firmware or client software that
grants unauthorized access

Image for post

Easily Guess Password

2.Insecure Network Services:-

Unneeded or insecure network services running on the
device itself, especially:
● Those exposed to the Internet
● Any that compromise the confidentiality,
integrity/authenticity, or availability of information
● Any service that allows unauthorized remote control

Image for post

3.Insecure Ecosystem Interfaces :-

Insecure interfaces in the
ecosystem outside the
● Web
● Backend API
● Cloud
● Mobile
Common issues
● Lack of authentication
● Lack of authorization
● Lacking or weak
● Lack of input and output

Image for post

4.Lack of Secure Update Mechanism :-

Lack of ability to securely update the device.
● Lack of firmware validation on device
● Lack of secure delivery (un-encrypted in transit)
● Lack of anti-rollback mechanisms
● Lack of notifications of security changes due to updates

Image for post

5.Use of Insecure or Outdated Components :-

Use of deprecated or insecure software components/libraries
that could allow the device to be compromised.
● Insecure customization of operating system platforms
● Third-party software libraries from a compromised supply
● Third-party hardware components from a compromised
supply chain

Image for post

6.Insufficient Privacy Protection :-

User’s personal information stored on the device or in the
ecosystem that is used insecurely, improperly, or without

Image for post

7.Insecure Data Transfer and Storage :-

Lack of encryption or access control of sensitive data
anywhere within the ecosystem, including at rest, in transit, or
during processing

Image for post

8.Lack of Device Management :-

Lack of security support on devices deployed in production,
including asset management, update management, secure
decommissioning, systems monitoring, and response

Image for post

9.Insecure Default Settings :-

Devices or systems shipped with insecure default settings or
lack the ability to make the system more secure by restricting
operators from modifying configurations.

Image for post

10.Lack of Physical Hardening :-

Lack of physical hardening measures, allowing potential
attackers to gain sensitive information that can help in a
future remote attack or take local control of the device.

Image for post

Leave a Reply

error: Content is protected !!