The new OWASP IoT Top 10 released on December 25th 2018 is an attempt to unify several problems that multiple parts of an organization face when designing and implementing IoT devices.
Whilst there have been other lists like this, they were prepared by multiple organizations for whom, most of the time, security is not their main business, and for the most part they were addressed to a specific audience or tackled a specific technology.
The IoT market has been growing rapidly in the last several years and some guidelines were needed as the IoT field starts to mature. The most recent guideline was OWASP's IoT Top 10 for 2014, which was mainly directed at developers and IT professionals.
To put the number of IoT devices currently deployed into perspective, the number of active IoT devices grew to more than 7 billion during 2018 and is expected to triple by 2025.
One of the biggest problems IoT security faces is the inability to manage device manufacturers who supply cheap products to consumers, who may find out later that the product they purchased carries a hidden price tag and that security does not come for free.
In the best case, these manufacturers may simply not be security aware; in the worst case, they may not care and, even when notified, will do nothing to fix the vulnerabilities that were found.
The implications of this attitude can be devastating for consumers and small businesses and might impact big businesses as well.
Even the better manufacturers neglect to update their devices frequently and make their devices obsolete after only a few years (which is the best case), while the small or mass-production manufacturers do not update their devices at all and do not even have an update mechanism (the worst case). On top of this, a generic configuration using the same set of keys and credentials across all devices is often the default (or only) option.
This created the opportunity in which the Mirai and Reaper malware families (discovered in 2016 and 2017 respectively) were able to operate and demonstrate that hidden price tag for security. Whilst they were mainly used for DDoS attacks, future attacks may not be so "nice" and may use devices to gain a foothold into the victim's network, where additional attacks can be performed in order to access sensitive information.
If, for example, an internal IP camera or the router of the network is compromised, the implications can include extortion, knowing when to rob a house, stealing credit card information, infecting more devices and so on.
In order to create a more secure ecosystem, both regulatory action and better education are needed at every level, from the architecture design to the device's end of life: the business perspective, threat modeling, architectural design, development, implementation and long-term support.
The OWASP IoT Top 10 2018 list is trying to achieve the education part at these different levels for different users, although it is designed as a high-level list and does not go down to the details that matter the most when creating a secure platform.
More in-depth guidelines, including not only more details on each of the components mentioned in the sections of the list but also guidelines on creating a Secure SDLC, can be found on the OWASP site. However, this information is scattered, and as a result there is a risk that the target audience may miss important steps or requirements for appropriately securing the product.
If you are interested in hearing more of our thoughts about IoT security or discussing how we can help you address your challenges in this area or any area of Product Security, feel free to get in touch with us.