11 April, 2018

Reflecting upon OWASP TOP-10 IoT Vulnerabilities

It’s no secret that the implementation of security mechanisms and services in embedded devices is far from perfect. The known categories of smart-device vulnerabilities are well described in the OWASP Top IoT Vulnerabilities list.

To prove the relevance of this list, we’ve provided examples of vulnerable devices for each type. We hope it’ll demonstrate the full scale of the danger smart-gadget users face on a daily basis. You can see that the examples for each OWASP category are quite different, ranging from children’s toys and alarms to cars and fridges.

Some examples can be attributed to several categories at once, since they have many security flaws at the same time. This alone is evidence that the security of IoT devices is poor.

Note: OWASP uses the first letter of the IT field name in the names of its vulnerability categories. Thus, we have:

  • “A” stands for Application
  • “I” means IoT
  • “M” is short for Mobile

I1 Insecure Web Interface

A potential cybercriminal can exploit XSS, CSRF, and SQLi vulnerabilities in the web interface of a smart device. Moreover, there are always “default usernames and passwords” and “no account lockout”.

| Device | CWE | Security impact |
|---|---|---|
| Heatmiser thermostat | CWE-598: Information Exposure Through Query Strings in GET Request | An attacker can get access to the settings and, consequently, change any of them; for example, time or temperature. |
| Moxa AP industrial wireless access point | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | An attacker can get an authenticated session that never expires. |
| AXIS cameras | CWE-20: Improper Input Validation | An attacker can edit any file in the operating system with root privileges. |
| Belkin’s smart home products | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) & CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | An attacker can hijack the phone and steal sensitive personal data. |
| D-Link DIR-300 routers | CWE-352: Cross-Site Request Forgery (CSRF) | An attacker can change the admin’s password and get root privileges. |
| AVTECH IP camera, NVR, DVR | CWE-352: Cross-Site Request Forgery (CSRF) | An attacker can modify all settings of the device via CSRF; for example, change users’ passwords. |
| AGFEO smart home ES 5xx/6xx | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | An attacker can read all the files stored in the operating system. The configuration of the device can be changed and arbitrary updates can be uploaded. |
| Loxone Smart Home | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | All device functions can be controlled via web-based commands by an attacker. |
| TP-Link TL-SG108E switch | CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | An attacker can store XSS on the device and make its administrator execute arbitrary JavaScript code in a browser. |
| Hanbanggaoke IP camera | CWE-650: Trusting HTTP Permission Methods on the Server Side | An attacker can change the administrator’s password and obtain root privileges. |
| Netgear routers | CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) | Anyone on the Internet can exploit the flaw to get control over the router, change its DNS settings, and redirect browsers to malicious sites. |

I2 Insufficient Authentication/Authorization

Typically, this type of vulnerability means that an attacker can take control of a smart device by exploiting weak passwords, insecure password-recovery mechanisms, and the lack of a two-factor authentication mechanism.

| Device | CWE | Security impact |
|---|---|---|
| Mvpower digital video recorder | CWE-521: Weak Password Requirements & CWE-284: Improper Access Control | Virtually anyone can get access to the DVR’s settings because the login and password are blank. |
| DBPOWER U818A Wi-Fi quadcopter drone | CWE-276: Incorrect Default Permissions | An attacker can read files from the device; for example, images and videos. |
| iSmartAlarm | CWE-287: Improper Authentication | An attacker can send commands to the alarm, turn the alarm on/off and activate the alarm wake-up calls. |
| DblTek GoIP | CWE-598: Information Exposure Through Query Strings in GET Request | An attacker can send commands to the GoIP to change its configuration; for example, turn it off. |
| Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of Hard-coded Password | An attacker can get root privileges and use the device to change the settings of external cameras and spy on users. |
| Sony IPELA Engine IP cameras | CWE-287: Improper Authentication | An attacker can use the cameras to send manipulated images/video, add the cameras to a Mirai-like botnet, or simply spy on users. |
| Western Digital My Cloud | CWE-287: Improper Authentication | An attacker can get complete control over the device. |
| LG vacuum cleaner | CWE-287: Improper Authentication | An attacker can remotely activate the vacuum and access its real-time video stream. |
| Eminent EM6220 camera | CWE-312: Cleartext Storage of Sensitive Information | An attacker can obtain root access and spy on the camera’s user. |
| LIXIL Satis toilet | CWE-259: Use of Hard-coded Password | An attacker can cause the unit to unexpectedly open/close the lid or activate the bidet or air-dry functions, causing discomfort or distress to a user. |
| In-flight entertainment systems | CWE-287: Improper Authentication | An attacker can control the means of informing passengers. For example, it’s possible to spoof flight information values such as altitude or speed. |
| FUEL drill | CWE-259: Use of Hard-coded Password | An attacker can get root access and change the drill’s settings. |

I3 Insecure Network Services

The main problems here are “unnecessary ports are open”, “ports exposed to the Internet via UPnP”, and “network services vulnerable to DoS”. In addition, a telnet service that has not been disabled may be used as an attack vector.

| Device | CWE | Security impact |
|---|---|---|
| Smart massager | CWE-284: Improper Access Control | An attacker can change the parameters of the massager, which can lead to a quite painful experience and injuries such as sudden muscle reflex, skin burns, or even nerve damage or the death of its user. |
| Implantable cardiac device | CWE-284: Improper Access Control | An attacker can modify programming commands sent to the implanted device, which may result in rapid battery depletion and/or administration of inappropriate pacing or shocks. |
| Hikvision Wi-Fi IP camera | CWE-284: Improper Access Control | An attacker can remotely exploit or disable the camera. |
| Foscam C1 indoor HD cameras | CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) | Remote code execution on the cameras. This may result in the leakage of a user’s personal data. |
| Furby toy | CWE-284: Improper Access Control | An attacker can change the firmware and use the Furby to spy on children. |
| My Friend Cayla toy | CWE-284: Improper Access Control | An attacker can collect information about users and spy on them. |
| iSmartAlarm | CWE-20: Improper Input Validation | An attacker can freeze the SmartAlarm’s cube so that it stops responding. |
| iSPY Camera Tank | CWE-284: Improper Access Control | An attacker can log in to the device as an anonymous user and obtain access to the whole file system. |

I4 Lack of Transport Encryption/Integrity Verification

Sensitive information is passed in clear text; SSL/TLS is either not available or not configured properly. Devices may also rely on proprietary encryption protocols. The devices in this category are vulnerable to MitM attacks.

| Device | CWE | Security impact |
|---|---|---|
| Owlet Wi-Fi baby heart monitor | CWE-201: Information Exposure Through Sent Data | An attacker can spy on babies and their parents. |
| Samsung fridge | CWE-300: Channel Accessible by Non-Endpoint (‘Man-in-the-Middle’) | An attacker can steal a user’s Google credentials. |
| Volkswagen car | CWE CATEGORY: Cryptographic Issues | An attacker can clone the remote control and gain unauthorized access to a car. |
| HS-110 smart plug | CWE-201: Information Exposure Through Sent Data | An attacker can control the state of the plug; for example, switch its LED off. |
| Loxone Smart Home | CWE-201: Information Exposure Through Sent Data | An attacker can control every device within a smart home system and steal a user’s credentials. |
| Samsung Smart TV | CWE-200: Information Exposure | An attacker can monitor the wireless network and conduct a brute-force guessing attack to recover the key and decrypt the traffic. |
| D-Link 850L routers | CWE-319: Cleartext Transmission of Sensitive Information | An attacker can remotely control the device. |
| Boosted, Revo and E-Go skateboards | CWE-300: Channel Accessible by Non-Endpoint (‘Man-in-the-Middle’) | An attacker can send various commands to the board to direct it. |
| LIFX smart LED light bulbs | CWE-327: Use of a Broken or Risky Cryptographic Algorithm | An attacker can capture and decrypt the traffic, including network configurations. |
| DJI Spark drone | CWE-327: Use of a Broken or Risky Cryptographic Algorithm | An attacker can obtain access to the settings of the device. |

I5 Privacy Concerns

OWASP describes this vulnerability as “too much personal information is collected”, “collected information is not properly protected”, and “end user is not given a choice to allow collection of certain types of data”.

| Device | CWE | Security impact |
|---|---|---|
| Gator 2 smartwatch | CWE-359: Exposure of Private Information (‘Privacy Violation’) | An attacker can gain access to data containing the software version, IMEI, time, location method (GPS vs Wi-Fi), location coordinates, and battery charge. |
| D-Link DIR-600 and DIR-300 routers | CWE-200: Information Exposure | An attacker can read sensitive information about the device or make it part of a botnet. |
| Samsung Smart TV | CWE-200: Information Exposure | An attacker can find binary files of audio recordings. |
| Home security camera | CWE-359: Exposure of Private Information (‘Privacy Violation’) | Users’ private photos may be stolen by an attacker and published on the Internet. |
| We-Vibe smart sex toys | CWE-359: Exposure of Private Information (‘Privacy Violation’) | An attacker can obtain information about the temperature of the device and the vibration intensity. |
| iBaby M6 baby monitor | CWE-359: Exposure of Private Information (‘Privacy Violation’) | An attacker can view any user’s information, including video recording details. |

I6 Insecure Cloud Interface

Typically, this type of vulnerability means that anyone with Internet access can obtain private data. On the one hand, private data stored in the cloud may be poorly encrypted. On the other hand, the encryption may be strong, but then there is no two-factor authentication, or a user is allowed to use a weak password.

| Device | CWE | Security impact |
|---|---|---|
| Seagate Personal Cloud Home Media Storage | CWE-598: Information Exposure Through Query Strings in GET Request | An attacker can inject arbitrary system commands and steal a user’s private data. |
| iCloud | CWE-307: Improper Restriction of Excessive Authentication Attempts | An attacker can gain access to a user’s private photos stored in the cloud. |
| Vtech gadgets | CWE-359: Exposure of Private Information (‘Privacy Violation’) | An attacker can get access to information about users and blackmail them. |
| Western Digital My Cloud | CWE-287: Improper Authentication | An attacker can get full control over the device. |
| D-Link 850L routers | CWE-319: Cleartext Transmission of Sensitive Information | An attacker can obtain full control over the device. |

I7 Insecure Mobile Interface

The main problems here are “weak passwords”, “no two-factor authentication” and “no account lockout mechanism”. This type of vulnerability is common for IoT devices managed from a smartphone.

| Device | CWE | Security impact |
|---|---|---|
| Amazon Key | CWE-284: Improper Access Control | An attacker can unlock doors. |
| Vibratissimo smart sex toys | CWE-359: Exposure of Private Information (‘Privacy Violation’) & CWE-287: Improper Authentication | An attacker can obtain access to a user’s personal data, including explicit images, chat logs, sexual orientation, email addresses, and passwords in clear text. |
| Smart webcam | CWE-312: Cleartext Storage of Sensitive Information | An attacker can use the app just as a user would; for example, turn on the audio, mic, and speakers to communicate with children, or get undisturbed access to real-time footage from a kids’ bedroom. |
| Smart sockets | CWE-319: Cleartext Transmission of Sensitive Information | An attacker can strip out the installed software and plant malicious software in its place. |
| Fitness trackers (Fitbit, Apple, Xiaomi, Garmin, Samsung and others) | CWE-319: Cleartext Transmission of Sensitive Information | An attacker can spy on fitness tracker users. |
| Wink and Insteon smart home systems | CWE-613: Insufficient Session Expiration | An attacker can take a user’s credentials and manipulate connected devices. |
| Segway Ninebot | CWE-359: Exposure of Private Information (‘Privacy Violation’) | An attacker can gain access to a user’s geolocation. |
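The I1, I2 and I7 sections above all name the same three missing controls: default credentials that stay usable, no password policy, and no account lockout. The following Go code is an added example written for this article, not code from any of the vendors listed; it models a device account that refuses a factory-default password until it is changed, enforces a minimum policy, and locks the account after repeated failures (the `Account` type, its error values and the `now` hook are all constructed here, and SHA-256 stands in for a real password KDF).

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"time"
)

// Constructed example, not any vendor's code, of the controls whose absence
// defines I1, I2 and I7: a default password that must be changed, a minimum
// password policy, and lockout after repeated failures (sha256 stands in for a real KDF).
const maxFailures, minPassLen, lockoutTime = 5, 12, 15 * time.Minute
var (
	ErrLocked     = errors.New("account locked")
	ErrBadCreds   = errors.New("invalid credentials")
	ErrWeak       = errors.New("password rejected by policy")
	ErrMustChange = errors.New("factory-default password must be changed")
	now           = time.Now // overridable so a test can advance the clock
)
type Account struct {
	hash        [32]byte
	isDefault   bool // still the password printed on the device sticker
	failures    int
	lockedUntil time.Time
}
// NewDefaultAccount models a device leaving the factory with a known password.
func NewDefaultAccount(factoryPass string) *Account {
	return &Account{hash: sha256.Sum256([]byte(factoryPass)), isDefault: true}
}
// SetPassword enforces the policy; a successful change clears the default flag.
func (a *Account) SetPassword(pass string) error {
	if len(pass) < minPassLen || pass == "password" || pass == "admin" {
		return ErrWeak
	}
	a.hash, a.isDefault, a.failures = sha256.Sum256([]byte(pass)), false, 0
	return nil
}
// Login checks the lockout before the password, so a locked account cannot be
// brute-forced even with a correct guess, and refuses a still-default password.
func (a *Account) Login(pass string) error {
	if now().Before(a.lockedUntil) {
		return ErrLocked
	}
	if got := sha256.Sum256([]byte(pass)); subtle.ConstantTimeCompare(got[:], a.hash[:]) != 1 {
		if a.failures++; a.failures >= maxFailures {
			a.lockedUntil, a.failures = now().Add(lockoutTime), 0
		}
		return ErrBadCreds
	}
	a.failures = 0
	if a.isDefault {
		return ErrMustChange
	}
	return nil
}
```

A device that also rate-limits at the network layer and logs the lockout event gives its owner both the mitigation and the detection signal for the brute-force attempts these categories describe.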

I8 Insufficient Security Configurability

The essence of this vulnerability is that a device’s security mechanisms are not used to their full extent, because a user can’t manage or use them. Sometimes a user simply has no idea that these mechanisms exist and, consequently, doesn’t even think about setting the device to a more secure configuration.

| Device | CWE | Security impact |
|---|---|---|
| ZTE ZXDSL ADSL device | CWE-15: External Control of System or Configuration Setting | An attacker can reset the configuration of the device. |
| Stuffed toys | CWE-521: Weak Password Requirements | Voice recordings of children and their parents are not safely stored, which makes them easily searchable on the Internet. |
| Canon printers | CWE-269: Improper Privilege Management & CWE-295: Improper Certificate Validation | An attacker can obtain access to an unprotected device and update its firmware. |
| Parrot AR.Drone 2.0 | CWE-285: Improper Authorization | This drone can be controlled by an attacker with a mobile app via Wi-Fi. |
| Nest smart thermostat | CWE-269: Improper Privilege Management | An unauthorized attacker can access a Nest account. |

I9 Insecure Software/Firmware

An attacker can install any firmware (official or custom) because its integrity and authenticity are not checked. Moreover, an attacker can obtain full access to a device via its wireless communication.

| Device | CWE | Security impact |
|---|---|---|
| D-Link DIR8xx router | CWE-295: Improper Certificate Validation | An attacker can update the router’s firmware to make the device part of a botnet. |
| Devices by GeoVision | CWE-295: Improper Certificate Validation | An attacker can update the firmware and get full control over the device. |
| iKettle and Smarter Coffee machines | CWE-15: External Control of System or Configuration Setting | An attacker can get full control over the device; for example, turn it on and make it run for a long time, which may cause a fire at a user’s home. |
| Billion 7700NR4 router | CWE-798: Use of Hard-coded Credentials | An attacker can gain full control over the device. |
| iSmartAlarm | CWE-295: Improper Certificate Validation | An attacker can get a user’s passwords or personal data. |
| D-Link 850L routers | CWE-798: Use of Hard-coded Credentials | An attacker can get full control over the device. |

I10 Poor Physical Security

If you disassemble a smart device, you can find its MCU, external memory, etc. Moreover, there are JTAG or other debug connectors (UART, I2C, SPI) that make it possible for an attacker to read or write the firmware or external memory.

| Device | CWE | Security impact |
|---|---|---|
| Devices by D-Link | CWE-284: Improper Access Control | An attacker can get access to a user’s private information; for example, photos. |
| Mi-Cam baby monitors | CWE-284: Improper Access Control | An attacker can spy on users. |
| TOTOLINK router | CWE-20: Improper Input Validation | An attacker can plant a backdoor in the device. |
| TP-Link router | CWE-284: Improper Access Control | An attacker can obtain root privileges and make the device part of a botnet. |
| Nest smart thermostat | CWE-284: Improper Access Control | An attacker can boot the processor from a peripheral device, such as USB or UART. |

Conclusion

This list could be extended indefinitely, since there are many more devices, as well as many more opportunities attackers may use to achieve their goals. You can find information on more devices in our latest article. You can also read these lists to learn more about vulnerable devices: Safegadget, Exploitee and Awesome IoT Hacks.

As you can see, these types of vulnerabilities are common. Most of them belong to application security. Some of these devices have already become part of botnets because the measures their vendors took to improve device security turned out to be insufficient.

The National Institute of Standards and Technology recently released a whitepaper, Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT), listing software assurance standards that describe requirements and provide guidance to significantly decrease the likelihood of software having vulnerabilities. It also recommends that vendors use software capable of preventing, deterring, detecting, and mitigating malware.

Daniel Miessler and Craig Smith (OWASP IoT Project Leaders) recently announced that they are going to develop their project further and bring it up to date, providing greater detail on the subject. They encourage IoT community members to contribute to the project and share their knowledge, experience, and ideas (OWASP IoT 2018 Plans).

Our company can offer some practical solutions to improve the security of smart devices. WebGuard and AntiExploit can decrease the risk posed by cyber-attacks exploiting the most critical vulnerabilities.

