2. WhoAmI
• Security Consultant with Payatu Technologies
• Experience in Web Pentesting, VAPT and Mobile AppSec (Android only)
• Currently learning IoT
3. Agenda
• Why an IoT Top 10?
• Attack vectors
• IoT architecture
• OWASP Top 10 – IoT
• IoT exploitation anatomy (PDF for reference)
• References
4. Why a Top 10 for IoT?
• The Internet of Things (IoT) is the network of physical devices, vehicles, buildings and other items embedded with electronics, software, sensors, actuators and network connectivity that enable these objects to collect and exchange data (Wikipedia)
• 26 billion devices projected to be connected to the Internet by 2020
• Current security state: still nascent
• Thus the opportunity for attackers is high
7. Attack Vectors List
• All elements need to be considered
• Communication Protocol
• The Cloud
• The Mobile Application
• The Network Interfaces
• Web Interface
• Encryption
• Authentication/Authorization
• Physical ports (JTAG, UART, SPI, I2C)
• Enter the OWASP Internet of Things Top Ten Project
19. I4 | Lack of Transport Encryption | Testing
• Unencrypted services via the Internet
• Unencrypted services via the local network
• Poorly implemented SSL/TLS
• Misconfigured SSL/TLS
20. I4 | Lack of Transport Encryption | Make It Secure
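Added example, not from the slides: the "poorly implemented / misconfigured SSL/TLS" items above usually come down to a handful of client settings. The block below builds a Python `ssl` client context the way a careless companion app or hub does it (verification switched off to make certificate errors go away), beside a hardened one, and an `audit_tls_context` function that reports the findings a tester would raise. The `ca_bundle` argument is a hypothetical path to a vendor CA file; the weak-cipher marker list is a constructed heuristic for this example, not an exhaustive policy.

```python
import ssl
from typing import List, Optional

# Substrings that mark cipher suites a tester would flag (constructed list for this example).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ANON")


def insecure_client_context() -> ssl.SSLContext:
    """The 'fix the certificate error' pattern seen in IoT companion apps and hubs.

    Any certificate from any host is accepted, so an attacker on the path
    (hotspot, ARP spoofing on the LAN, rogue DNS) can terminate the TLS session
    with a self-signed certificate and read or alter the traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    # Nothing pins a minimum protocol version here; a bare SSLContext leaves that
    # to the OpenSSL build, so legacy TLS 1.0/1.1 may still be negotiable.
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Chain and hostname verification on, TLS 1.2+ only, AEAD cipher suites only.

    ca_bundle (hypothetical file path) is the vendor's own CA certificate. When
    given, the context trusts only that CA rather than the system store, which is
    a simple form of pinning for a device that talks to exactly one backend.
    """
    if ca_bundle is not None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
        ctx.load_verify_locations(cafile=ca_bundle)    # trust only the vendor CA
    else:
        ctx = ssl.create_default_context()             # CERT_REQUIRED + check_hostname + system store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the I4 findings a tester would raise against a client context."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            "legacy protocol versions allowed (minimum_version=%s)" % ctx.minimum_version.name
        )
    weak = sorted(
        c["name"] for c in ctx.get_ciphers()
        if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)
    )
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_tls_context(ctx) or ["no findings"])
```

The same checks apply in reverse when the device is the TLS server: a hub that presents a self-signed certificate and a mobile app that accepts it without pinning is the local-network case in the list above.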
34. I9 | Insecure Software/Firmware | Testing
• Encryption not used to fetch updates
• Update file not encrypted
• Update not verified before upload
• Firmware contains sensitive information
• No obvious update functionality
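Added example, not from the slides or from any vendor: a minimal signed update container with a `verify_update` routine that authenticates the file and refuses rollback before any byte of the payload is used, plus a `scan_firmware` pass for the "firmware contains sensitive information" item. The container layout, the demo key, the `SAMPLE_IMAGE` bytes and the regex list are all constructed for this example. HMAC-SHA256 is used only because it is in the standard library; a real device should verify an asymmetric signature (Ed25519, RSA-PSS) so that the key it holds can verify updates but never forge them.

```python
import hashlib
import hmac
import re
import struct
from typing import Dict, List, Tuple

# Constructed update container (not a real vendor format):
#   magic(4) | version(4, big-endian) | payload_len(4, big-endian) | payload | tag(32)
# The tag is HMAC-SHA256 over everything before it.
MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII")
TAG_LEN = hashlib.sha256().digest_size


class UpdateRejected(Exception):
    pass


def build_update(key: bytes, version: int, payload: bytes) -> bytes:
    """Producer side: frame the payload and authenticate header + payload together."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_update(key: bytes, blob: bytes, installed_version: int) -> Tuple[int, bytes]:
    """Device side: authenticate the container and enforce anti-rollback before the payload is used."""
    if len(blob) < HEADER.size + TAG_LEN:
        raise UpdateRejected("truncated container")
    magic, version, payload_len = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise UpdateRejected("bad magic")
    if HEADER.size + payload_len + TAG_LEN != len(blob):
        raise UpdateRejected("length field does not match container")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):        # constant-time comparison
        raise UpdateRejected("authentication tag invalid")
    if version <= installed_version:                   # downgrade to a known-vulnerable build
        raise UpdateRejected("rollback to version %d refused" % version)
    return version, blob[HEADER.size:HEADER.size + payload_len]


# Patterns a tester greps a dumped image for (constructed list; extend per target).
SECRET_PATTERNS = {
    "private key block": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded credential": re.compile(rb"(?i)(?:password|passwd|pwd)\s*[=:]\s*[^\s\x00]+"),
    "AWS access key id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "URL with embedded credentials": re.compile(rb"[a-z]+://[^\s/:@]+:[^\s/@]+@[^\s/]+"),
}


def scan_firmware(image: bytes) -> List[Tuple[str, int]]:
    """Report (finding, offset) pairs; the offset goes in the report, the secret value does not."""
    hits = []
    for label, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(image):
            hits.append((label, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed firmware image: binary padding around the kind of strings `strings`/binwalk surfaces.
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"mqtt_user=device01\x00"
    + b"mqtt_password=Sup3rS3cret!\x00"
    + b"https://updates.example.invalid/fw/latest.bin\x00"
    + b"ftp://backup:hunter2@files.example.invalid/dump\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n"
    + b"\x00" * 16
)


def run_scenarios() -> Dict[str, object]:
    """Exercise the verifier the way a tester would: genuine, tampered, forged, rolled back."""
    key = b"constructed-demo-key-not-for-production"
    genuine = build_update(key, 2, b"firmware v2 image bytes")
    tampered = bytearray(genuine)
    tampered[HEADER.size] ^= 0x01                      # flip one bit inside the payload
    forged = build_update(b"wrong-key", 3, b"attacker image")
    results: Dict[str, object] = {}
    for name, blob, installed in (("genuine", genuine, 1), ("tampered", bytes(tampered), 1),
                                  ("forged", forged, 1), ("rollback", genuine, 2)):
        try:
            results[name] = verify_update(key, blob, installed)
        except UpdateRejected as exc:
            results[name] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, "->", outcome)
    for label, offset in scan_firmware(SAMPLE_IMAGE):
        print("finding: %s at offset 0x%x" % (label, offset))
```

Two points a tester checks against this model: the device must reject the file before writing any of it to flash (tag and version are checked first, on the buffered blob), and the verification key must not itself be recoverable from the image, which is exactly what `scan_firmware` would catch for a symmetric design like the one above.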