The Open Web Application Security Project’s (OWASP) list of the Top 10 Internet of Things (IoT) Vulnerabilities sums up most of the concerns and attack vectors surrounding the IoT category of devices as follows:
- Insecure web interface
- Insufficient authentication/authorization
- Insecure network services
- Lack of transport encryption
- Privacy concerns
- Insecure cloud interface
- Insecure mobile interface
- Insufficient security configurability
- Insecure software/firmware
- Poor physical security
In research conducted by Symantec in 2015, issues such as the following were found:
- Around 19% of all tested mobile apps used to control IoT devices did not use Secure Sockets Layer (SSL) connections to the cloud
- None of the analyzed devices provided mutual authentication between the client and the server
- Some devices did not enforce strong passwords, and often did not even allow them
- Some IoT cloud interfaces did not support two-factor authentication (2FA)
- Many IoT services did not have lock-out or delaying measures to protect users’ accounts against brute-force attacks
- Some devices did not implement protections against account harvesting
- Many of the IoT cloud platforms included common web application vulnerabilities
- Without performing any deep tests, 10 security issues were found in 15 web portals used to control IoT devices; 6 of them were serious issues allowing unauthorized access to the backend systems
- Most of the IoT services did not provide signed or encrypted firmware updates, if updates were provided at all
The above information is excerpted from a Symantec white paper on insecurity in the IoT.