OWASP Internet of Things Project

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP Internet of Things (IoT) Project
Oxford defines the Internet of Things as: “A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.”

The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.



Licensing
The OWASP Internet of Things Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

What is the OWASP Internet of Things Project?
The OWASP Internet of Things Project provides:


 * IoT Attack Surface Areas
 * IoT Testing Guides
 * Top IoT Vulnerabilities

Project Leaders

 * Daniel Miessler
 * Craig Smith

Related Projects

 * The OWASP Mobile Top 10 Project
 * The OWASP Web Top 10 Project


 * valign="top" style="padding-left:25px;width:200px;" |

Classifications

 * }

= IoT Attack Surface Areas =

The OWASP IoT Attack Surface Areas (DRAFT) are as follows:

= IoT Testing Guides =

Tester IoT Security Guidance
(DRAFT)

The goal of this page is to help testers assess IoT devices and applications in the Internet of Things space. The guidance below is at a basic level, giving testers of devices and applications a basic set of guidelines to consider from their perspective. This is not a comprehensive list of considerations, and should not be treated as such, but ensuring that these fundamentals are covered will greatly improve the security of any IoT product.

General Recommendations
Consider the following recommendations for all user interfaces (local device, cloud-based and mobile):
 * Avoid potential Account Harvesting issues by:
 * Ensuring valid user accounts can't be identified by interface error messages
 * Ensuring strong passwords are required by users
 * Implementing account lockout after 3 - 5 failed login attempts

= Top IoT Vulnerabilities =

For each attack surface areas, the following sections are included:


 * A description of the attack surface
 * Threat agents
 * Attack vectors
 * Security weaknesses
 * Technical impacts
 * Business impacts
 * Example vulnerabilities
 * Example attacks
 * Guidance on how to avoid the issue
 * References to OWASP and other related resources


 * I1 Insecure Web Interface
 * I2 Insufficient Authentication/Authorization
 * I3 Insecure Network Services
 * I4 Lack of Transport Encryption
 * I5 Privacy Concerns
 * I6 Insecure Cloud Interface
 * I7 Insecure Mobile Interface
 * I8 Insufficient Security Configurability
 * I9 Insecure Software/Firmware
 * I10 Poor Physical Security