Internet of Things Top Ten
(null Mumbai: IoT Top 10)
WhoAmI
• Security Consultant with Payatu Technologies
• Experience in web pentesting, VAPT and mobile appsec (Android only)
• Currently learning IoT
Agenda
• Why an IoT Top 10?
• Attack vectors
• IoT architecture
• OWASP Top 10 – IoT
• IoT exploitation anatomy (PDF, for reference)
• References
Why a Top 10 for IoT?
• The Internet of Things (IoT) is the network of physical devices, vehicles, buildings and other items embedded with electronics, software, sensors, actuators and network connectivity that enable these objects to collect and exchange data (Wikipedia).
• Forecasts at the time put 26 billion devices on the Internet by 2020.
• Current security state: still nascent.
• Thus the scope for attackers is high.
Attack vectors?
Let's look at the architecture and derive the attack vectors from it.
IoT Architecture (diagram)
Attack Vectors List
• All elements need to be considered:
• Communication protocol
• The cloud
• The mobile application
• The network interfaces
• Web interface
• Encryption
• Authentication/authorization
• Physical ports (JTAG, UART, SPI, I2C)
• Enter the OWASP Internet of Things Top Ten Project
OWASP IoT Top 10 (the 2014 edition; the project has since revised the list)
I1 | Insecure Web Interface
I1 | Insecure Web Interface | Testing
• Account Enumeration
• Weak Default Credentials
• Credentials Exposed in Network Traffic
• Cross-site Scripting (XSS)
• SQL Injection
• Session Management
• Account Lockout
I1 | Insecure Web Interface | Make It Secure
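The SQL injection item above is the one most device web UIs (routers, cameras, NAS boxes) fail on in exactly the same way, so here is an added example of a device login written both ways. This is not code from the slides or from any product: the SQLite table, the usernames and the passwords are constructed for the demo, and passwords are kept in clear text only to keep the focus on the query (storage is the I2 topic).

```python
"""Added example (not from the slides): a device web-UI login written two ways.

The table layout, usernames and passwords are constructed for the demo.
"""
import hmac
import sqlite3


def build_device_db() -> sqlite3.Connection:
    """Constructed sample data: the kind of users table a router UI might keep."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "Passw0rd!", "admin"), ("guest", "guest", "viewer")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the query by string formatting, so user input becomes SQL syntax."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchone()


def login_hardened(conn, username: str, password: str):
    """Parameterised query: the driver binds the value, it is never SQL text.

    The password check is done in Python with a constant-time compare against a
    dummy when the user does not exist, and there is one generic failure result,
    so neither SQL syntax nor the error message leaks anything.
    """
    row = conn.execute(
        "SELECT username, role, password FROM users WHERE username = ?", (username,)
    ).fetchone()
    stored = row[2] if row else "no-such-user-dummy-value"
    matched = hmac.compare_digest(stored.encode(), password.encode())
    if row is None or not matched:
        return None
    return (row[0], row[1])


# Classic bypass: close the string, force the WHERE clause true, comment out the rest.
INJECTION_USER = "' OR '1'='1' -- "
# Alternative: a known username plus a password that adds a true OR branch.
INJECTION_PASSWORD = "' OR '1'='1"


if __name__ == "__main__":
    db = build_device_db()
    print("vulnerable login with injected username:", login_vulnerable(db, INJECTION_USER, "anything"))
    print("hardened login with the same input:    ", login_hardened(db, INJECTION_USER, "anything"))
```

When testing a real device, the same two payloads (in the username and in the password field) are the first thing to try; a 200 with the admin landing page instead of the login error is the finding.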
I2 | Insufficient Authentication/Authorization
I2 | Insufficient Authentication/Authorization | Testing
• Lack of Password Complexity
• Poorly Protected Credentials
• Lack of Two Factor Authentication
• Insecure Password Recovery
• Privilege Escalation
• Lack of Role Based Access Control
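Four of the six items above (password complexity, poorly protected credentials, privilege escalation, missing role-based access control) come down to a few lines of server-side code, so here is an added example that is not from the slides or any product: a password policy, salted slow hashing in place of the plaintext or unsalted MD5 that "poorly protected credentials" usually means, and a configuration endpoint that takes its role from the client (escalation) beside one that takes it from the session. Users, roles, tokens and the deny-list are constructed; two-factor authentication and password recovery are not covered here.

```python
"""Added example (not from the slides): I2 failure modes beside their fixes.

Users, roles, session tokens and the password deny-list are constructed.
"""
import hashlib
import hmac
import os

# --- password complexity ------------------------------------------------------
MIN_LENGTH = 12
# Constructed deny-list; a real one is the vendor's defaults plus a leaked-password corpus.
COMMON_PASSWORDS = {"admin", "password", "12345678", "123456789", "1234567890", "welcome1"}


def check_password_policy(password: str, username: str = "") -> list:
    """Return the list of policy failures; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common/default password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


# --- credential storage -------------------------------------------------------
PBKDF2_ITERATIONS = 600_000   # the order of magnitude OWASP recommends for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus a deliberately slow hash, self-describing on disk."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))   # constant-time compare


# --- role-based access control ------------------------------------------------
ROLES = {
    "viewer": {"read_status"},
    "admin": {"read_status", "change_config", "upload_firmware"},
}
USER_ROLES = {"guest": "viewer", "admin": "admin"}        # server-side source of truth
SESSIONS = {"tok-guest": "guest", "tok-admin": "admin"}   # session token -> username


def authorize(role: str, action: str) -> bool:
    return action in ROLES.get(role, set())


def change_config_vulnerable(request: dict) -> bool:
    """Privilege escalation: the role is read from the client-supplied body, so an
    authenticated viewer just sends {"role": "admin"} and reconfigures the device."""
    if request.get("token") not in SESSIONS:
        return False
    return authorize(request.get("role", "viewer"), "change_config")


def change_config_hardened(request: dict) -> bool:
    """The role comes from the server-side session record, never from the request."""
    username = SESSIONS.get(request.get("token"))
    if username is None:
        return False
    return authorize(USER_ROLES[username], "change_config")
```

On a pentest the escalation check is mechanical: replay a viewer's request to every privileged endpoint with any role, user-id or "isAdmin" field in the body or cookie edited, and see whether the server recomputes the decision or trusts the claim.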
I2 | Insufficient Authentication/Authorization | Make It Secure
I3 | Insecure Network Services
I3 | Insecure Network Services | Testing
• Vulnerable Services
• Buffer Overflow
• Open Ports via UPnP
• Exploitable UDP Services
• Denial-of-Service
• DoS via Network Device Fuzzing
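"Buffer overflow", "exploitable UDP services" and "DoS via network device fuzzing" are one story: a daemon that trusts length fields in the packets it receives, and a fuzzer that mutates those packets until the daemon falls over. The added example below is not from the slides or any device firmware. It defines a small constructed TLV protocol of the kind a sensor might speak over UDP, a parser that trusts the attacker-supplied lengths (the 32-byte name buffer is modelled with a memoryview, which raises where C would silently overwrite the stack), a bounds-checked parser, and a mutation fuzzer that runs both offline by calling the parser functions directly rather than over a socket.

```python
"""Added example (not from the slides): mutation fuzzing a constructed TLV protocol.

Both parsers and the wire format are made up for the demo.
"""
import random
import struct

# Constructed wire format: fields of type(1) | length(2, big-endian) | value
T_NAME, T_INTERVAL, T_VERSION = 0x01, 0x02, 0x03
NAME_BUFFER_SIZE = 32
MAX_LEN = {T_NAME: NAME_BUFFER_SIZE, T_INTERVAL: 4, T_VERSION: 16}


def tlv(t: int, value: bytes) -> bytes:
    return bytes([t]) + struct.pack(">H", len(value)) + value


SEED_PACKET = tlv(T_NAME, b"sensor-01") + tlv(T_INTERVAL, struct.pack(">I", 60)) + tlv(T_VERSION, b"v1")


def parse_vulnerable(data: bytes) -> dict:
    """Trusts every length field, as a naive C implementation with memcpy would."""
    fields, i = {}, 0
    while i < len(data):
        t = data[i]
        ln = struct.unpack_from(">H", data, i + 1)[0]     # truncated header -> struct.error
        value = data[i + 3:i + 3 + ln]
        if t == T_NAME:
            name_buf = memoryview(bytearray(NAME_BUFFER_SIZE))
            name_buf[:ln] = value                          # ln > 32 or short value -> ValueError
            fields[t] = bytes(value)
        elif t == T_INTERVAL:
            fields[t] = struct.unpack(">I", value)[0]      # ln != 4 -> struct.error
        else:
            fields[t] = bytes(value)
        i += 3 + ln
    return fields


def parse_hardened(data: bytes):
    """Checks each length against the packet and the field's own limit; returns None on bad input."""
    fields, i = {}, 0
    while i < len(data):
        if len(data) - i < 3:
            return None                                    # truncated header
        t = data[i]
        ln = (data[i + 1] << 8) | data[i + 2]
        if ln > len(data) - i - 3:
            return None                                    # declared length runs past the packet
        if ln > MAX_LEN.get(t, 0):
            return None                                    # unknown type or oversized field
        value = bytes(data[i + 3:i + 3 + ln])
        if t == T_INTERVAL:
            if ln != 4:
                return None
            fields[t] = int.from_bytes(value, "big")
        else:
            fields[t] = value
        i += 3 + ln
    return fields


def mutate(packet: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, byte overwrite, 16-bit word overwrite, truncate, insert."""
    buf = bytearray(packet)
    op = rng.randrange(5)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2 and len(buf) >= 3:
        pos = rng.randrange(len(buf) - 2)               # aimed at length fields: boundary values
        buf[pos + 1:pos + 3] = struct.pack(">H", rng.choice([0, 0x21, 0xFF, 0xFFFF]))
    elif op == 3 and buf:
        del buf[rng.randrange(len(buf)):]
    else:
        pos = rng.randrange(len(buf) + 1)
        buf[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(buf)


def run_fuzz(parser, iterations: int = 500, seed: int = 1337) -> dict:
    """Feed mutated packets to `parser`; every unhandled exception counts as a crash."""
    rng = random.Random(seed)
    crashes, kinds = 0, set()
    for _ in range(iterations):
        packet = SEED_PACKET
        for _ in range(rng.randrange(1, 4)):
            packet = mutate(packet, rng)
        try:
            parser(packet)
        except Exception as exc:                           # a fuzzer wants every crash, not a subset
            crashes += 1
            kinds.add(type(exc).__name__)
    return {"iterations": iterations, "crashes": crashes, "exception_types": sorted(kinds)}
```

Against a real device the loop body becomes a `sendto()` plus a liveness check (does the service still answer a known-good packet?), and every input that stops it answering is kept for triage; the parser-side lesson is the second function, where each length is checked against both the packet and the field before any copy.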
I3 | Insecure Network Services | Make It Secure
I4 | Lack of Transport Encryption
I4 | Lack of Transport Encryption | Testing
• Unencrypted Services via the Internet
• Unencrypted Services via the Local Network
• Poorly Implemented SSL/TLS
• Misconfigured SSL/TLS
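The quickest proof that a service is unencrypted is to pull the credentials out of a capture, which is also the "credentials exposed in network traffic" item under I1, I6 and I7. The added example below is not from the slides or any tool: it scans a constructed capture for HTTP Basic headers, login-form bodies and the username/password fields of an MQTT CONNECT packet (built here from the MQTT 3.1.1 wire format so the scanner has something to parse), and skips TLS records since there is nothing readable in them. In practice the packets come from a pcap taken on the LAN or on the device's uplink; hosts, users and passwords here are made up.

```python
"""Added example (not from the slides): clear-text credentials in captured device traffic.

The capture is constructed inline; a pcap would normally supply it.
"""
import base64
import binascii
import re


def _mqtt_str(s):                                   # MQTT length-prefixed UTF-8 string
    b = s.encode()
    return len(b).to_bytes(2, "big") + b


def _encode_remaining_length(n):
    out = bytearray()
    while True:
        n, byte = divmod(n, 128)
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def _decode_remaining_length(data, off):
    value, mult = 0, 1
    for _ in range(4):
        enc = data[off]
        off += 1
        value += (enc & 0x7F) * mult
        mult *= 128
        if not enc & 0x80:
            return value, off
    raise ValueError("malformed remaining length")


def _read_mqtt_str(data, off):
    if off + 2 > len(data):
        raise ValueError("truncated")
    ln = int.from_bytes(data[off:off + 2], "big")
    if off + 2 + ln > len(data):
        raise ValueError("truncated")
    return data[off + 2:off + 2 + ln], off + 2 + ln


def _text(b):
    return None if b is None else b.decode("utf-8", "replace")


def build_mqtt_connect(client_id, username=None, password=None):
    """MQTT 3.1.1 CONNECT with clean-session set; used here only to make test data."""
    flags, payload = 0x02, _mqtt_str(client_id)
    if username is not None:
        flags |= 0x80
        payload += _mqtt_str(username)
    if password is not None:
        flags |= 0x40
        payload += _mqtt_str(password)
    body = _mqtt_str("MQTT") + bytes([0x04, flags]) + (60).to_bytes(2, "big") + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body


def extract_mqtt_credentials(payload):
    """(username, password) from a CONNECT packet, or None if absent or malformed."""
    try:
        if not payload or payload[0] >> 4 != 1:         # control packet type 1 = CONNECT
            return None
        remaining, off = _decode_remaining_length(payload, 1)
        if off + remaining > len(payload):
            return None
        proto, off = _read_mqtt_str(payload, off)
        if proto not in (b"MQTT", b"MQIsdp"):          # 3.1.1 and 3.1 protocol names
            return None
        flags = payload[off + 1]
        off += 4                                        # protocol level, flags, keep-alive
        _, off = _read_mqtt_str(payload, off)           # client id
        if flags & 0x04:                                # will flag: will topic and will message
            _, off = _read_mqtt_str(payload, off)
            _, off = _read_mqtt_str(payload, off)
        username = password = None
        if flags & 0x80:
            username, off = _read_mqtt_str(payload, off)
        if flags & 0x40:
            password, off = _read_mqtt_str(payload, off)
    except (ValueError, IndexError):
        return None
    return None if username is None and password is None else (_text(username), _text(password))


BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
FORM_USER_RE = re.compile(rb"(?:^|[&?\s])(?:username|user|login)=([^&\s]+)", re.I)
FORM_PASS_RE = re.compile(rb"(?:^|[&?\s])(?:password|passwd|pwd|pass)=([^&\s]+)", re.I)


def extract_http_credentials(payload):
    """(scheme, username, password) from a Basic header or a login-form body, or None."""
    m = BASIC_RE.search(payload)
    if m:
        try:
            user, _, pw = base64.b64decode(m.group(1), validate=True).partition(b":")
            return "http-basic", _text(user), _text(pw)
        except (binascii.Error, ValueError):
            pass
    pw = FORM_PASS_RE.search(payload)
    if pw:
        user = FORM_USER_RE.search(payload)
        return "http-form", _text(user.group(1)) if user else None, _text(pw.group(1))
    return None


def scan_capture(packets):
    """packets: iterable of (dst_port, payload). Returns the clear-text credentials found."""
    findings = []
    for port, payload in packets:
        if payload[:1] in (b"\x16", b"\x17"):            # TLS handshake/application record
            continue
        http = extract_http_credentials(payload)
        if http:
            findings.append({"port": port, "protocol": http[0], "username": http[1], "password": http[2]})
        mqtt = extract_mqtt_credentials(payload)
        if mqtt:
            findings.append({"port": port, "protocol": "mqtt", "username": mqtt[0], "password": mqtt[1]})
    return findings


SAMPLE_CAPTURE = [                                    # constructed; would come from a pcap
    (80, b"GET /cgi-bin/status HTTP/1.1\r\nHost: 192.168.1.1\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"),
    (80, b"POST /login.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\nuser=admin&password=Welcome1"),
    (1883, build_mqtt_connect("thermostat-01", "device01", "s3cret")),
    (8883, b"\x17\x03\x03\x00\x20" + bytes(32)),
]
```

The fix on the device side is TLS on every service, with certificate verification in the client (the mobile app and the device's own connection to the cloud), not TLS on the Internet-facing port only while the LAN side stays plaintext.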
I4 | Lack of Transport Encryption | Make It Secure
I5 | Privacy Concerns
I5 | Privacy Concerns | Testing
• Collection of Unnecessary Personal Information
I5 | Privacy Concerns | Make It Secure
I6 | Insecure Cloud Interface
I6 | Insecure Cloud Interface | Testing
• Account Enumeration
• No Account Lockout
• Credentials Exposed in Network Traffic
I6 | Insecure Cloud Interface | Make It Secure
I7 | Insecure Mobile Interface
I7 | Insecure Mobile Interface | Testing
• Account Enumeration
• No Account Lockout
• Credentials Exposed in Network Traffic
I7 | Insecure Mobile Interface | Make It Secure
I8 | Insufficient Security Configurability
I8 | Insufficient Security Configurability | Testing
• Lack of Granular Permission Model
• Lack of Password Security Options
• No Security Monitoring
• No Security Logging
I8 | Insufficient Security Configurability | Make It Secure
I9 | Insecure Software/Firmware
I9 | Insecure Software/Firmware | Testing
• Encryption Not Used to Fetch Updates
• Update File not Encrypted
• Update Not Verified before Upload (i.e. before the device applies it)
• Firmware Contains Sensitive Information
• No Obvious Update Functionality
I9 | Insecure Software/Firmware | Make It Secure
I10 | Poor Physical Security
I10 | Poor Physical Security | Testing
• Access to Software via USB Ports
• Removal of Storage Media
I10 | Poor Physical Security | Make It Secure
References
• OWASP Internet of Things Project: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Main
• IoT Security Anatomy (MDSec Research, OWASP Manchester, Nov 2016): https://github.com/mdsecresearch/Publications/blob/master/presentations/An%20Anatomy%20of%20IoT%20Security_OWASPMCR_Nov2016.pdf (the GitHub viewer may not render it; download the PDF)
• insinuator.net (ERNW blog)
• Peerlyst
• Reddit: www.reddit.com/r/theinternetofshit
Thank you