IoT Testing Guides: Hardware Hacking

Source: Internet
Author: User

(DRAFT)

The goal of this page is to help testers assess IoT devices and applications in the Internet of Things space. The guidance below is at a basic level, giving testers of devices and applications a basic set of guidelines to consider from their perspective. This isn't a comprehensive list of considerations, and should not be treated as such, but ensuring these fundamentals are covered would greatly improve the security of any IoT product.

Categories and the IoT security considerations to assess for each:
I1: Insecure Web Interface
  • Assess any web interface to determine if weak passwords are allowed
  • Assess the account lockout mechanism
  • Assess the web interface for XSS, SQLi and CSRF vulnerabilities and other web application vulnerabilities
  • Assess the use of HTTPS to protect transmitted information
  • Assess the ability to change the username and password
  • Determine if web application firewalls are used to protect web interfaces
I2: Insufficient Authentication/Authorization
  • Assess the solution for the use of strong passwords where authentication is needed
  • Assess the solution for multi-user environments and ensure it includes functionality for role separation
  • Assess the solution for implementation of two-factor authentication where possible
  • Assess password recovery mechanisms
  • Assess the solution for the option to require strong passwords
  • Assess the solution for the option to force password expiration after a specific period
  • Assess the solution for the option to change the default username and password
I3: Insecure Network Services
  • Assess the solution to ensure network services don't respond poorly to buffer overflow, fuzzing or denial of service attacks
  • Assess the solution to ensure test ports are not present
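The first I3 check asks whether a network service keeps behaving when it is fed oversized, truncated or bit-flipped input. The following is an added example, not code from the page or from any device vendor, of what "responding well" looks like on the service side: a bounds-checked parser for a constructed length-prefixed command frame (the frame layout, magic value and 512-byte cap are all assumptions made for the example), together with a small in-process mutation loop of the kind a tester runs against such a parser to confirm that every malformed input ends in a structured reject rather than an exception.

```python
"""Bounds-checked parser for a constructed, length-prefixed device command frame.

Frame layout (constructed for this example; not any real device's protocol):
  magic    2 bytes   b"\\x10\\x7e"
  version  1 byte
  cmd      1 byte
  length   2 bytes   big-endian payload length
  payload  <length> bytes
  crc      4 bytes   CRC-32 over everything before it
"""
import random
import struct
import zlib
from dataclasses import dataclass

MAGIC = b"\x10\x7e"
HEADER = struct.Struct(">2sBBH")      # magic, version, cmd, length
TRAILER = struct.Struct(">I")         # crc32
MAX_PAYLOAD = 512                     # hard cap: the wire length is never trusted on its own
SUPPORTED_VERSION = 1


class FrameError(ValueError):
    """Any malformed frame; the service drops it and logs, it never crashes."""


@dataclass
class Frame:
    version: int
    cmd: int
    payload: bytes


def build_frame(cmd, payload, version=SUPPORTED_VERSION):
    """Encode a frame (used here for test vectors and as the fuzzing seed)."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large")
    body = HEADER.pack(MAGIC, version, cmd, len(payload)) + payload
    return body + TRAILER.pack(zlib.crc32(body))


def parse_frame(data):
    # 1. The fixed header and trailer must be fully present before any field is read.
    if len(data) < HEADER.size + TRAILER.size:
        raise FrameError("truncated header")
    magic, version, cmd, length = HEADER.unpack_from(data, 0)
    if magic != MAGIC:
        raise FrameError("bad magic")
    if version != SUPPORTED_VERSION:
        raise FrameError(f"unsupported version {version}")
    # 2. The declared length is capped before it is used for slicing or allocation.
    if length > MAX_PAYLOAD:
        raise FrameError(f"declared length {length} exceeds cap {MAX_PAYLOAD}")
    end = HEADER.size + length
    if len(data) != end + TRAILER.size:
        raise FrameError("length field does not match frame size")
    # 3. Integrity over header and payload: a flipped byte is rejected, not acted on.
    body = data[:end]
    (crc,) = TRAILER.unpack_from(data, end)
    if crc != zlib.crc32(body):
        raise FrameError("crc mismatch")
    return Frame(version, cmd, bytes(data[HEADER.size:end]))


def handle(data):
    """Service entry point: every error path is a structured reject."""
    try:
        frame = parse_frame(data)
    except FrameError as exc:
        return ("reject", str(exc))
    return ("ok", frame.cmd, len(frame.payload))


def fuzz(iterations=2000, seed=1):
    """Mutate a valid frame (bit flips, truncation, junk appended) and count any
    exception that escapes handle(); a robust service returns 0."""
    rng = random.Random(seed)
    base = build_frame(0x01, b"set-temp:21")
    escaped = 0
    for _ in range(iterations):
        buf = bytearray(base)
        for _ in range(rng.randint(1, 4)):
            op = rng.choice(("flip", "truncate", "extend"))
            if op == "flip" and buf:
                i = rng.randrange(len(buf))
                buf[i] ^= 1 << rng.randrange(8)
            elif op == "truncate" and buf:
                del buf[rng.randrange(len(buf)):]
            else:
                buf += bytes(rng.randrange(256) for _ in range(rng.randint(1, 64)))
        try:
            handle(bytes(buf))
        except Exception:  # the point of the loop is to catch anything unexpected
            escaped += 1
    return escaped
```

The ordering inside parse_frame is the part worth copying: the declared length is compared against a fixed cap before it is used for anything, and the frame's total size must match exactly, so neither a huge length field nor a short read can turn into an out-of-bounds access. The fuzz() loop is deliberately tiny; it shows the property a tester is checking for, not a replacement for a real fuzzer.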
I4: Lack of Transport Encryption
  • Assess the solution to determine the use of encrypted communication between devices and between devices and the Internet
  • Assess the solution to determine if accepted encryption practices are used and if proprietary protocols are avoided
  • Assess the solution to determine if a firewall option is available
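"Accepted encryption practices" in I4 usually comes down to a handful of TLS settings, and the most common finding in device firmware and companion apps is encryption without peer authentication. As an added example (not from the page, not any vendor's code), the Python ssl module is used below to show the weak client configuration beside a hardened one, plus a small audit function that turns a context's settings into the findings a tester would write up. The ca_bundle parameter is an assumed path to a vendor CA file; with None the platform trust store is used.

```python
import ssl


def weak_client_context():
    """The misconfiguration an assessment typically finds in a device or companion
    app: traffic is encrypted, but the peer is never authenticated, so any on-path
    party can present a certificate and the connection is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle=None):
    """Verified chain and hostname, TLS 1.2 as the floor, forward-secret AEAD
    cipher suites only. ca_bundle (assumed) points at the vendor's own CA file;
    None falls back to the platform trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def audit_context(ctx):
    """Return the findings a tester would report for a given SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    return findings
```

The same three checks apply to the device's server side (the broker or local API a device exposes), where the equivalent of CERT_REQUIRED is client certificate or token authentication; and a proprietary transport encryption scheme, the other half of the I4 item, gives a tester nothing comparable to audit, which is itself the finding.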
I5: Privacy Concerns
  • Assess the solution to determine the amount of personal information collected
  • Assess the solution to determine if collected personal data is properly protected using encryption at rest and in transit
  • Assess the solution to determine if it ensures data is de-identified or anonymized
  • Assess the solution to ensure end-users are given a choice for data collected beyond what is needed for proper operation of the device
I6: Insecure Cloud Interface
  • Assess the cloud interfaces for security vulnerabilities (e.g. API interfaces and cloud-based web interfaces)
  • Assess the cloud-based web interface to ensure it disallows weak passwords
  • Assess the cloud-based web interface to ensure it includes an account lockout mechanism
  • Assess the cloud-based web interface to determine if two-factor authentication is used
  • Assess any cloud interfaces for XSS, SQLi and CSRF vulnerabilities and other vulnerabilities
  • Assess all cloud interfaces to ensure transport encryption is used
  • Assess the cloud interfaces to determine if the option to require strong passwords is available
  • Assess the cloud interfaces to determine if the option to force password expiration after a specific period is available
  • Assess the cloud interfaces to determine if the option to change the default username and password is available
I7: Insecure Mobile Interface
  • Assess the mobile interface to ensure it disallows weak passwords
  • Assess the mobile interface to ensure it includes an account lockout mechanism
  • Assess the mobile interface to determine if it implements two-factor authentication (e.g. Apple's Touch ID)
  • Assess the mobile interface to determine if it uses transport encryption
  • Assess the mobile interface to determine if the option to require strong passwords is available
  • Assess the mobile interface to determine if the option to force password expiration after a specific period is available
  • Assess the mobile interface to determine if the option to change the default username and password is available
  • Assess the mobile interface to determine the amount of personal information collected
I8: Insufficient Security Configurability
  • Assess the solution to determine if password security options (e.g. enabling longer passwords or enabling two-factor authentication) are available
  • Assess the solution to determine if encryption options (e.g. enabling AES-256 where AES-128 is the default setting) are available
  • Assess the solution to determine if logging for security events is available
  • Assess the solution to determine if alerts and notifications to the user for security events are available
I9: Insecure Software/Firmware
  • Assess the device to ensure it includes update capability and can be updated quickly when vulnerabilities are discovered
  • Assess the device to ensure it uses encrypted update files and that the files are transmitted using encryption
  • Assess the device to ensure it uses signed files and then validates that file before
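The I9 items on signed update files come down to one ordering rule: authenticate the whole container first, then parse it, then check that the image is for this product and is newer than what is installed, and only then write it. The following is an added example, not the page's or any vendor's updater. The container format is constructed for the example, and an HMAC under a device key stands in for the asymmetric signature a real product would verify with a public key fixed in the bootloader (that swap is labelled in the code; the check ordering is the same either way). Encryption of the image, the other I9 item, is a separate layer and is not shown.

```python
"""Verify-then-apply flow for a constructed firmware update container.

Container layout (constructed for this example):
  hlen    4 bytes   big-endian length of the JSON header
  header  JSON      {"product": str, "version": int, "sha256": hex digest of image}
  image   bytes     the firmware payload
  tag     32 bytes  HMAC-SHA256 over hlen||header||image

HMAC with a device key is a stand-in for the asymmetric signature a real
product would check against a public key fixed in the bootloader; the order of
the checks is what this example demonstrates.
"""
import hashlib
import hmac
import json
import struct

TAG_LEN = 32
MAX_HEADER = 4096


class UpdateRejected(Exception):
    pass


def pack_update(key, product, version, image):
    """Vendor side: build a container (used here to construct test vectors)."""
    header = json.dumps({"product": product, "version": version,
                         "sha256": hashlib.sha256(image).hexdigest()}).encode()
    body = struct.pack(">I", len(header)) + header + image
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_update(key, blob, product, installed_version):
    """Device side: return (version, image) only if every check passes."""
    if len(blob) < 4 + TAG_LEN:
        raise UpdateRejected("truncated container")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    # 1. Authenticity before parsing: nothing in the body is trusted until the tag matches.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise UpdateRejected("signature check failed")
    (hlen,) = struct.unpack_from(">I", body, 0)
    if hlen > MAX_HEADER or 4 + hlen > len(body):
        raise UpdateRejected("bad header length")
    header = json.loads(body[4:4 + hlen])
    image = body[4 + hlen:]
    # 2. The image must be for this product and strictly newer (anti-rollback).
    if header.get("product") != product:
        raise UpdateRejected("image is for a different product")
    if not isinstance(header.get("version"), int) or header["version"] <= installed_version:
        raise UpdateRejected("version is not newer than the installed one")
    # 3. The signed digest must match the image actually carried.
    if hashlib.sha256(image).hexdigest() != header.get("sha256"):
        raise UpdateRejected("image digest mismatch")
    return header["version"], image


class Device:
    """Minimal stand-in for the updater: verification decides, then install."""

    def __init__(self, key, product, version, firmware=b""):
        self.key, self.product, self.version, self.firmware = key, product, version, firmware
        self.log = []

    def apply_update(self, blob):
        try:
            version, image = verify_update(self.key, blob, self.product, self.version)
        except UpdateRejected as exc:
            self.log.append(f"update rejected: {exc}")
            return False
        self.firmware, self.version = image, version
        self.log.append(f"installed version {version}")
        return True
```

When assessing a real updater, the rejected cases above (one flipped byte, an older signed image, an image signed for a different product) are the test vectors worth building: a device that installs any of them fails the I9 item regardless of how strong the signature algorithm is.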
I10: Poor Physical Security
  • Assess the device to ensure it utilizes a minimal number of physical external ports (e.g. USB ports) on the device
  • Assess the device to determine if it can be accessed via unintended methods such as through an unnecessary USB port
  • Assess the device to determine if it allows for disabling of unused physical ports such as USB
  • Assess the device to determine if it includes the ability to limit administrative capabilities to a local interface only
General Recommendations

Consider the following recommendations for all user interfaces (local device, cloud-based and mobile). Avoid potential account harvesting issues by:
  • Ensuring valid user accounts can't be identified by interface error messages
  • Ensuring strong passwords are required by users
  • Implementing account lockout after 3-5 failed login attempts
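The three recommendations above, together with the password-policy, lockout and expiry items repeated across I1, I2, I6 and I7, describe one login path. The following is an added example of that path, not code from the page or from any product: a small authentication service in which every failure (unknown user, wrong password, locked account) returns the same message and does the same amount of work, lockout triggers at five failures (within the guide's 3-5 range), and passwords are checked against a length and a denylist at registration and against an age at login. The threshold, lockout duration, 90-day maximum age, 12-character minimum and the short denylist are all values chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

# Policy values chosen for the example; the 3-5 attempt range is the guide's own.
LOCKOUT_THRESHOLD = 5
LOCKOUT_SECONDS = 15 * 60
PASSWORD_MAX_AGE = 90 * 24 * 3600
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 100_000
COMMON_PASSWORDS = {"password", "password1", "12345678", "admin123", "qwerty123"}  # constructed denylist
GENERIC_FAILURE = "invalid username or password"   # one message for every failure cause


def password_problems(pw):
    """Return the policy violations for a proposed password (empty list = acceptable)."""
    problems = []
    if len(pw) < MIN_PASSWORD_LENGTH:
        problems.append(f"at least {MIN_PASSWORD_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("too common")
    if pw.isalpha() or pw.isdigit():
        problems.append("mix letters with digits or symbols")
    return problems


def hash_password(pw, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: float
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    def __init__(self, clock=time.time):
        self.accounts = {}
        self.clock = clock          # injectable so lockout and expiry can be tested
        # Salt for the unknown-user path, so that path costs the same as a real check.
        self._dummy_salt, _ = hash_password(secrets.token_hex(8))

    def register(self, user, pw):
        problems = password_problems(pw)
        if problems:
            raise ValueError("; ".join(problems))
        salt, digest = hash_password(pw)
        self.accounts[user] = Account(salt, digest, self.clock())

    def login(self, user, pw):
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            # Unknown user: do the same work and give the same answer as a bad password,
            # so neither the wording nor the timing reveals which usernames exist.
            hash_password(pw, self._dummy_salt)
            return (False, GENERIC_FAILURE)
        if now < acct.locked_until:
            # Locked: still the generic answer; the lock itself is a server-side log event.
            return (False, GENERIC_FAILURE)
        _, digest = hash_password(pw, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failures += 1
            if acct.failures >= LOCKOUT_THRESHOLD:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
            return (False, GENERIC_FAILURE)
        acct.failures = 0
        if now - acct.changed_at > PASSWORD_MAX_AGE:
            return (True, "password expired; change required")
        return (True, "ok")
```

The generic message is what the first recommendation asks for; the dummy hash on the unknown-user branch closes the timing side of the same leak, which a wording check alone misses. Keeping the lock state out of the response is a deliberate choice: reporting "account locked" would itself confirm that the account exists.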
