Updating and Patching The Internet of Things

From OWASP
Jump to: navigation, search

Note: This page is a work in progress to capture major ideas on the topic. It will be formalized as the community provides more information and review.

Background

Discussion on OWASP-Community mailing list - Internet of Things and criticality of patching

Major Topics

Seamless & Reliable Update vs Secure Update

Explain the difference in the intent of the topics

Different Categories of IoT Devices

Life impacting vs internet as a feature

  • Category 1 - Medical & other life impacting systems, cars, what else?
  • Category 2 - Non-life systems - Ovens, refrigerators, pedometers, thermostats

Methodology to Determine Cat 1 vs Cat 2

Prescriptive process to determine if an IoT is cat 1 or cat 2

  • Ideas for consideration to determine cat 1
    • A malfunction to the device results in immediate impact to safety/wellbeing of individuals

ToDo: Review other risk frameworks and determine applicability

Expectations for Updates

Cat 1

Delivered under supervision

Cat 2

  • Delivered remotely
  • Point of consideration - whether to allow users to delay update for X # of hours, force reboot, etc

Examples of IoT Devices

  • Smart Appliances - GE, tmio
    • "Preheat your oven from the grocery store."
    • "The World's Finest Professional Cooking Ovens. Telephone, Cell Phone, and Internet Command & Control"
  • Webcams
  • Personal Health
    • Pedometers
  • Locks
  • Medical Devices
  • Multiple Devices listed at these sites:

References