2019-002-part 2 of the OWASP IoT Top 10 with Aaron Guzman

intro

CFP for Bsides Barcelona is open! https://bsides.barcelona

Aaron Guzman: @scriptingxss

https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive

https://www.owasp.org/index.php/IoT_Attack_Surface_Areas

https://scriptingxss.gitbooks.io/embedded-appsec-best-practices//executive_summary/9_usage_of_data_collection_and_storage_-_privacy.html

OWASP SLACK: https://owasp.slack.com/

https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg

Team of 10 or so… list of “do’s and don’ts”

Sub-projects? Embedded systems, car hacking

Embedded applications best practices? *potential show*

Standards: https://xkcd.com/927/

CCPA:  https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act

California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327

How did you decide on the initial criteria?

1. Weak, Guessable, or Hardcoded passwords
2. Insecure Network Services
3. Insecure Ecosystem interfaces
4. Lack of Secure Update mechanism
5. Use of insecure or outdated components
6. Insufficient Privacy Mechanisms
7. Insecure data transfer and storage
8. Lack of device management
9. Insecure default settings
10. Lack of physical hardening

2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)

2014 list:

• I1 Insecure Web Interface
• I2 Insufficient Authentication/Authorization
• I3 Insecure Network Services
• I4 Lack of Transport Encryption
• I5 Privacy Concerns
• I6 Insecure Cloud Interface
• I7 Insecure Mobile Interface
• I8 Insufficient Security Configurability
• I9 Insecure Software/Firmware
• I10 Poor Physical Security

BrakeSec Episode on ASVS http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3

OWASP SLACK: https://owasp.slack.com/

What didn’t make the list? How do we get Devs onboard with these?

How does someone interested get involved with OWASP Iot working group?

https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf

https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf

https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747977/Mapping_of_IoT__Security_Recommendations_Guidance_and_Standards_to_CoP_Oct_2018.pdf

 

https://www.mocana.com/news/mocana-xilinx-avnet-infineon-and-microsoft-join-forces-to-secure-industrial-control-and-iot-devices

 

https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

 

Here is a new episode of Brakeing Down Security Podcast!