(Un)smart devices: the OWASP IoT Top 10 vulnerabilities

It is no secret that the implementation of security mechanisms in IoT devices is far from perfect. The known categories of vulnerabilities in smart devices are well documented in the OWASP IoT Top 10 of 2018. The previous version of the document, from 2014, has undergone many changes: some items have disappeared entirely, others have been updated, and new ones have appeared.



To show the relevance of this list, we found examples of vulnerable IoT devices for each type of vulnerability. Our goal is to demonstrate the risks that users of smart devices face every day.



Vulnerable devices can be completely different, from children's toys and alarms to cars and refrigerators. Some devices appear in our list more than once. All of this, of course, serves as an indicator of the low level of security of IoT devices in general.








I1: Weak, Guessable, or Hardcoded Passwords



Device | CWE | Surviving detail
Routers Netgear | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | DNS
Loxone Smart Home | CWE-261: Weak Encoding for Password |
AGFEO smart home ES 5xx/6xx | CWE-261: Weak Encoding for Password |
Industrial wireless access point Moxa AP | CWE-260: Password in Configuration File |
Heatmiser Thermostat | CWE-260: Password in Configuration File |
Digital video recorder Mvpower | CWE-521: Weak Password Requirements |
DBPOWER U818A WIFI quadcopter drone | CWE-276: Incorrect Default Permissions |
Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of Hard-coded Password |
Vacuum Cleaner LG | CWE-287: Improper Authentication |
Eminent EM6220 Camera | CWE-312: Cleartext Storage of Sensitive Information | 123456
LIXIL Satis Toilet | CWE-259: Use of Hard-coded Password | Bluetooth
FUEL Drill | CWE-259: Use of Hard-coded Password |
Billion Router 7700NR4 | CWE-798: Use of Hard-coded Credentials |
Canon Printers | CWE-269: Improper Privilege Management & CWE-295: Improper Certificate Validation |
Parrot AR.Drone 2.0 | CWE-285: Improper Authorization |
Camera Amazon Ring | CWE-285: Improper Authorization |


I2: Insecure Network Services



Device | CWE | Surviving detail
Smart Massager | CWE-284: Improper Access Control |
Implantable Cardiac Device | CWE-284: Improper Access Control |
Hikvision Wi-Fi IP Camera | CWE-284: Improper Access Control |
Foscam C1 Indoor HD Cameras | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
Toy Furby | CWE-284: Improper Access Control |
Toy My Friend Cayla | CWE-284: Improper Access Control |
iSmartAlarm | CWE-20: Improper Input Validation |
iSPY Camera Tank | CWE-284: Improper Access Control |
DblTek GoIP | CWE-598: Information Exposure Through Query Strings in GET Request |
Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of Hard-coded Password |
Sony IPELA Engine IP Cameras | CWE-287: Improper Authentication | Mirai
iSmartAlarm | CWE-295: Improper Certificate Validation | SSL
Routers D-Link 850L | CWE-798: Use of Hard-coded Credentials |
Amazon's Ring Video Doorbell | CWE-419: Unprotected Primary Channel |
Cacagoo IP camera | CWE-287: Improper Authentication |
Trifo Ironpie M6 Vacuum cleaner | CWE-284: Improper Access Control |


I3: Insecure Ecosystem Interfaces



Device | CWE | Surviving detail
Industrial wireless access point Moxa AP | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
AXIS cameras | CWE-20: Improper Input Validation |
Belkin's smart home products | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') & CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
Routers D-Link DIR-300 | CWE-352: Cross-Site Request Forgery (CSRF) |
AVTECH IP Camera, NVR, DVR | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CSRF
AGFEO smart home ES 5xx/6xx | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Loxone Smart Home | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Switch TP-Link TL-SG108E | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | XSS, JavaScript
Hanbanggaoke IP Camera | CWE-650: Trusting HTTP Permission Methods on the Server Side |
iSmartAlarm | CWE-287: Improper Authentication |
Western Digital My Cloud | CWE-287: Improper Authentication |
In-Flight Entertainment Systems | CWE-287: Improper Authentication |
Smart key KeyWe | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |


I4: Lack of Secure Update Mechanism



Device | CWE | Surviving detail
Devices by GeoVision | CWE-295: Improper Certificate Validation |
Canon Printers | CWE-295: Improper Certificate Validation |
Smart Nest Thermostat | CWE-940: Improper Verification of Source of a Communication Channel |


I5: Use of Insecure or Outdated Components



Device | CWE | Surviving detail
Amazon Echo | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |
Light bulb | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |


I6: Insufficient Privacy Protection



Device | CWE | Surviving detail
Gator 2 smartwatch | CWE-359: Exposure of Private Information ('Privacy Violation') | IMEI, location (GPS/Wi-Fi)
Routers D-Link DIR-600 and DIR-300 | CWE-200: Information Exposure |
Samsung Smart TV | CWE-200: Information Exposure |
Home security camera | CWE-359: Exposure of Private Information ('Privacy Violation') |
Smart sex toys We-Vibe | CWE-359: Exposure of Private Information ('Privacy Violation') |
iBaby M6 baby monitor | CWE-359: Exposure of Private Information ('Privacy Violation') |


I7: Insecure Data Transfer and Storage



Device | CWE | Surviving detail
Owlet Wi-Fi baby heart monitor | CWE-201: Information Exposure Through Sent Data |
Samsung fridge | CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | Google
Volkswagen car | CWE CATEGORY: Cryptographic Issues |
HS-110 Smart Plug | CWE-201: Information Exposure Through Sent Data |
Loxone Smart Home | CWE-201: Information Exposure Through Sent Data |
Samsung Smart TV | CWE-200: Information Exposure |
Routers D-Link 850L | CWE-319: Cleartext Transmission of Sensitive Information |
Skateboards Boosted, Revo, E-Go | CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') |
LIFX smart LED light bulbs | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
Stuffed toys | CWE-521: Weak Password Requirements |
IoT Smart Deadbolt | CWE-922: Insecure Storage of Sensitive Information |
Router ASUS | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |


I8: Lack of Device Management



Device | CWE | Surviving detail
TP-LINK IP Surveillance Camera | none (no matching CWE) |


I9: Insecure Default Settings



Device | CWE | Surviving detail
iKettle, Smarter Coffee machines | CWE-15: External Control of System or Configuration Setting |
Parrot AR.Drone 2.0 | CWE-284: Improper Access Control |
HP Fax machine | CWE-276: Incorrect Default Permissions |
Smart speakers | CWE-1068: Inconsistency Between Implementation and Documented Design |


I10: Lack of Physical Hardening



Device | CWE | Surviving detail
Baby monitors Mi-Cam | CWE-284: Improper Access Control |
TOTOLINK router | CWE-20: Improper Input Validation |
Router TP-Link | CWE-284: Improper Access Control | UART
Smart Nest Thermostat | CWE-284: Improper Access Control | USB UART
Blink XT2 Sync Module | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |
Amazon Echo | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |


Resources on IoT device vulnerabilities mentioned in the original: Safegadget, Exploitee, Awesome IoT Hacks.


