Top 10 2014-I8 Insufficient Security Configurability

Back To The Internet of Things Top 10

Consider anyone who has access to the device, the cloud interface or the mobile application.

Attacker uses the lack of granular permissions to access data or controls on the device. The attacker could also us the lack of encryption options and lack of password options to perform other attacks which lead to compromise of the device. Attack could potentially come from any user of the device whether intentional or accidental.

Insufficient security configurability is present when users of the device have limited or no ability to alter its security controls. Insufficient security configurability is apparent when the web interface of the device has no options for creating granular user permissions or forcing the use of strong passwords. Manual review of the web interface and its available options will review these deficiencies.

Insufficient security configurability could lead to compromise of the device whether intentional or accidental.

Data could be stolen or modified and devices taken control of. Could your users be harmed? Could your brand be harmed?

The simplest way to determine if you have security configurability deficiencies is to manually inspect the administrative interface of the device for options to strengthen security such as forcing the creation of strong passwords, the ability to separate admin users from normal users and the ability to enable encryption for data at rest.

Ensuring sufficient security configurability requires:
 * 1) Ensuring the ability to separate normal users from administrative users.
 * 2) Ensuring the ability to encrypt data at rest or in transit.
 * 3) Ensuring the ability to force strong password policies

Scenario #1: No ability to enforce strong password policies.

Example

Scenario #2: No ability to enable encryption of data at rest. Example

In the cases above, the attacker is able to either easily guess the password or is able to capture the credentials as they cross the network and decode it since the credentials are only protected using Base64 Encoding.