220.127.116.11 Lab – Investigate IoT Security Requirements (Instructor Version)
In this lab, you will learn about IoT security requirements by investigating OWASP critical IoT security vulnerabilities.
- Investigate OWASP.
- Investigate the OWASP IoT Top 10 Vulnerabilities.
- Investigate Vulnerabilities, Vulnerability Assessment, and Mitigation Measures.
Background / Scenario
In this lab, you will review a list of the top 10 IoT security vulnerabilities as documented by the Open Web Application Security Project (OWASP). These vulnerabilities are generic weaknesses in IoT devices, communications, or applications that can be exploited by threat actors. The vulnerabilities are directly related to the IoT security requirements.
Instructor Note: The purpose of this lab is for students to begin thinking about how the critical security requirements for IoT systems relate to specific vulnerabilities. The OWASP Internet of Things Project is a valuable resource for learning about IoT security. Although some things discussed in it are beyond the scope of this course, familiarity with the OWASP resources will help students continue in their learning about the IoT security topic.
- PC with Internet access
Step 1: Investigate OWASP.
a. Visit the home page for The OWASP Foundation.
What is the purpose of the OWASP foundation?
OWASP is a foundation that is dedicated to driving visibility and evolution in the safety and security of the world’s software.
b. Visit the OWASP Internet of Things Project page.
c. Explore the resources that are available on the page and the tabs at the top of the page to answer the following questions.
What is the purpose of the OWASP IoT Project?
It is designed to help manufacturers, developers, and customers understand the security issues associated with creating or purchasing IoT devices.
For what specific IoT use cases does OWASP offer recommendations?
OWASP offers guidelines for medical and manufacturing (ICS/SCADA) IoT use cases.
Look at the IoT Event Logging Project tab. Give three examples of the security events that OWASP recommends should be logged.
Answers will vary. Students will not understand all of this, however, they should pick out a few things that make sense to them, such as high rate of password attempts, traffic from unenrolled systems, device case tampering, and device entered administrative mode. Encourage students to research and discuss events that are new to them.
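To make the logging events above concrete, here is an added example (not part of the lab or of the OWASP project) that runs simple detection logic over a few constructed IoT device log lines. The log format (`<ISO 8601 timestamp> <event> key=value ...`), the event names, the addresses and the device names are all assumptions made up for the example; it flags a high rate of failed password attempts from one source, traffic from a device that is not in the enrolled list, and case-tamper or administrative-mode events.

```python
"""Detection checks over constructed IoT device log lines.

Assumed (made-up) log format: '<ISO 8601 timestamp> <event> key=value ...'
None of the addresses, device names or events come from a real system.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: five failures from 10.0.0.5 inside 15 seconds,
# one failure then a success from 10.0.0.9, traffic from an unknown device,
# a case-tamper event and an entry into administrative mode.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z auth_fail src=10.0.0.5 dev=cam-01 user=admin
2024-05-01T10:00:05Z auth_fail src=10.0.0.5 dev=cam-01 user=admin
2024-05-01T10:00:09Z auth_fail src=10.0.0.5 dev=cam-01 user=root
2024-05-01T10:00:12Z auth_fail src=10.0.0.5 dev=cam-01 user=admin
2024-05-01T10:00:15Z auth_fail src=10.0.0.5 dev=cam-01 user=admin
2024-05-01T10:00:20Z auth_fail src=10.0.0.9 dev=therm-02 user=admin
2024-05-01T10:00:40Z auth_ok src=10.0.0.9 dev=therm-02 user=admin
2024-05-01T10:01:03Z net_flow src=10.0.0.77 dev=rogue-77 bytes=4096
2024-05-01T10:02:00Z case_tamper src=local dev=cam-01
2024-05-01T10:03:30Z admin_mode src=10.0.0.9 dev=therm-02 user=admin
"""

# Devices the (hypothetical) IoT platform has enrolled.
ENROLLED_DEVICES = {"cam-01", "therm-02"}


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware timestamp."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(p.split("=", 1) for p in parts[2:])
    return {"ts": ts, "event": parts[1], **fields}


def parse_log(text):
    """Parse all non-empty lines and return them ordered by timestamp."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect_failed_login_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Sources with at least `threshold` auth_fail events inside a sliding window."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in events:
        if ev["event"] != "auth_fail":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev["src"])
    return flagged


def detect_unenrolled_devices(events, enrolled=ENROLLED_DEVICES):
    """Device identifiers that appear in the log but are not enrolled."""
    return {ev["dev"] for ev in events if "dev" in ev and ev["dev"] not in enrolled}


def detect_tamper_and_admin_mode(events):
    """Physical tampering and administrative-mode events, each worth an alert on its own."""
    return [(ev["ts"].isoformat(), ev["event"], ev["dev"])
            for ev in events if ev["event"] in ("case_tamper", "admin_mode")]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("password-guessing sources:", detect_failed_login_bursts(evs))
    print("unenrolled devices:", detect_unenrolled_devices(evs))
    for alert in detect_tamper_and_admin_mode(evs):
        print("alert:", alert)
```

The sliding window is per source address, so a single source spreading attempts over minutes is not caught by this check alone; a production rule would also count failures per target account and per device, which is why OWASP recommends logging these fields together.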
Step 2: Investigate the OWASP IoT Top 10 Vulnerabilities.
Vulnerabilities are weaknesses in IoT systems that can be exploited by threat actors in various types of attacks. The goal of IoT security is the identification of vulnerabilities in system components before they are selected or deployed and during the operation of the IoT system. In 2014, OWASP collected the top 10 IoT vulnerabilities and documented how to identify and address the vulnerabilities. Although this list is due to be updated, it is still very useful for understanding IoT security.
a. Go to the OWASP IoT Top 10 Vulnerabilities page. Click several vulnerabilities in the list. Look at the linked page. What information is provided for each vulnerability?
Each vulnerability has a page that gives information about who might pose a threat, features of potential attacks and the security weaknesses and impacts. In addition, there are questions that can be used to assess system elements for the vulnerability and suggestions for addressing the vulnerability.
b. What is the first vulnerability? What needs to be checked to determine if this vulnerability is present in a system?
In the 2014 version of the top 10, the first vulnerability, 2014-I1 is Insecure Web Interface:
– Determine if a system has this vulnerability
– Determine if the web interface allows the username and password to be changed and if there is an account lockout feature
– Attempt password recovery to see if account validity can be determined
What are some of the things that can be done to verify that an IoT web interface is secure?
Default passwords and usernames are required to be changed after initial setup. Password recovery mechanisms do not verify to an attacker that a username is valid. For example, an attacker can enter a random username at the interface and click “Forgot Password.” The web frontend should require entry of additional information, such as an email address, as part of the recovery process. If the email address is unknown to the system, then an error message is posted and the process will not continue. In addition, passwords should be strong, account lockout should be implemented, and no passwords should be transmitted in clear text.
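As an added example (not code from the lab, from OWASP, or from any real device), the following Python models the authentication paths of a device web interface twice: a weak version whose password-recovery response reveals whether a username exists, and a hardened version that returns the same message whatever is entered, requires the registered email address before sending a reset, locks the account after repeated failures, and forces the factory-default credentials to be changed on first login. All names, thresholds and the sample account are assumptions; cleartext transport is outside what this model can show and is noted only in a comment.

```python
"""Weak versus hardened authentication behaviour for a modelled IoT web interface.

Everything here is illustrative: the account, the thresholds and the class
names are made up for the example. Transport security (TLS rather than
cleartext HTTP) is a deployment concern the model does not represent.
"""
import hashlib
import hmac
import os
import time

LOCKOUT_THRESHOLD = 5        # failed attempts before the account locks (assumed)
LOCKOUT_SECONDS = 900        # how long the lock lasts (assumed)
MIN_PASSWORD_LENGTH = 12     # simple strength floor for the example


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, username, password, email, is_default=False):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(password, self.salt)
        self.email = email
        self.must_change_password = is_default  # factory default must be replaced
        self.failed_attempts = 0
        self.locked_until = 0.0

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, _hash_password(password, self.salt))


class WeakWebInterface:
    """The behaviour OWASP 2014-I1 warns about: recovery reveals valid usernames."""

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}

    def forgot_password(self, username):
        if username not in self.accounts:
            return "Unknown user"          # different reply = username oracle
        return "Reset link sent"

    def login(self, username, password):
        acct = self.accounts.get(username)
        return "ok" if acct and acct.check_password(password) else "denied"


class HardenedWebInterface:
    """Same interface with the checks from the answer key applied."""

    GENERIC_RECOVERY_MESSAGE = "If the account exists, a reset link has been sent."

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.outbox = []   # stands in for the mail system

    def forgot_password(self, username, email):
        acct = self.accounts.get(username)
        # Only a matching registered email triggers a reset; the reply never changes.
        if acct is not None and hmac.compare_digest(acct.email, email):
            self.outbox.append((username, email))
        return self.GENERIC_RECOVERY_MESSAGE

    def login(self, username, password, now=None):
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if now < acct.locked_until:
            return "locked"
        if not acct.check_password(password):
            acct.failed_attempts += 1
            if acct.failed_attempts >= LOCKOUT_THRESHOLD:
                acct.locked_until = now + LOCKOUT_SECONDS
                return "locked"
            return "denied"
        acct.failed_attempts = 0
        return "password_change_required" if acct.must_change_password else "ok"

    def change_password(self, username, old, new):
        acct = self.accounts.get(username)
        if acct is None or not acct.check_password(old) or len(new) < MIN_PASSWORD_LENGTH:
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash_password(new, acct.salt)
        acct.must_change_password = False
        return True


def recovery_leaks_usernames(reply_for_real_user, reply_for_random_user):
    """The assessment check: do the two recovery replies differ?"""
    return reply_for_real_user != reply_for_random_user
```

The constant `GENERIC_RECOVERY_MESSAGE` is the whole point of the hardened recovery path: the tester in the answer key enters a random username and compares the reply with the reply for a real one, and the interface passes only if the two cannot be told apart.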
Step 3: Investigate Vulnerabilities, Vulnerability Assessment, and Mitigation Measures
Become familiar with the features of some of the other OWASP IoT Top 10 vulnerabilities.
Work in the table below, or in your notebook using the table as a guide. Investigate the other top 10 vulnerabilities. Select three and complete the table below. List the vulnerability, some of the vulnerability assessment questions, and some of the mitigation techniques for each.
Note: You are not expected to understand all of the information provided for each vulnerability. However, you should understand enough to provide a few entries for at least three of them. Take time to research some of the things that you don’t currently understand, if possible.