(Un)Smart Devices: OWASP's Top 10 IoT Vulnerabilities

It is no secret that the implementation of security mechanisms in IoT devices is far from perfect. The well-known vulnerability categories for smart devices are described in detail in the OWASP Top 10 IoT Vulnerabilities of 2018. The previous version of the document, from 2014, has undergone many changes: some items disappeared entirely, others were updated, and new ones appeared.



To illustrate the relevance of this list, we found examples of vulnerable IoT devices for each vulnerability type. Our goal is to show the risks that users of smart devices are exposed to every day.



Vulnerable devices can be of entirely different kinds, from children's toys and alarm systems to cars and refrigerators. Some devices appear several times in our list. All of this, of course, is an indicator of the low security level of IoT devices in general.





I1: Weak, Guessable, or Hardcoded Passwords

Device | CWE | Keyword (from original description)
Netgear routers | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | DNS
Loxone Smart Home | CWE-261: Weak Encoding for Password |
AGFEO smart home ES 5xx/6xx | CWE-261: Weak Encoding for Password |
Moxa AP industrial wireless access point | CWE-260: Password in Configuration File |
Heatmiser Thermostat | CWE-260: Password in Configuration File |
Mvpower digital video recorder | CWE-521: Weak Password Requirements |
DBPOWER U818A Wi-Fi quadcopter drone | CWE-276: Incorrect Default Permissions |
Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of Hard-coded Password |
LG vacuum cleaner | CWE-287: Improper Authentication |
Eminent EM6220 camera | CWE-312: Cleartext Storage of Sensitive Information | 123456
LIXIL Satis toilet | CWE-259: Use of Hard-coded Password | Bluetooth
FUEL drill | CWE-259: Use of Hard-coded Password |
Billion Router 7700NR4 | CWE-798: Use of Hard-coded Credentials |
Canon printers | CWE-269: Improper Privilege Management & CWE-295: Improper Certificate Validation |
Parrot AR.Drone 2.0 | CWE-285: Improper Authorization |
Amazon Ring camera | CWE-285: Improper Authorization |


I2: Insecure Network Services

Device | CWE | Keyword (from original description)
Smart massager | CWE-284: Improper Access Control |
Implantable cardiac device | CWE-284: Improper Access Control |
Hikvision Wi-Fi IP camera | CWE-284: Improper Access Control |
Foscam C1 indoor HD cameras | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
Furby toy | CWE-284: Improper Access Control |
My Friend Cayla toy | CWE-284: Improper Access Control |
iSmartAlarm | CWE-20: Improper Input Validation |
iSPY Camera Tank | CWE-284: Improper Access Control |
DblTek GoIP | CWE-598: Information Exposure Through Query Strings in GET Request |
Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of Hard-coded Password |
Sony IPELA Engine IP cameras | CWE-287: Improper Authentication | Mirai
iSmartAlarm | CWE-295: Improper Certificate Validation | SSL
D-Link 850L routers | CWE-798: Use of Hard-coded Credentials |
Amazon Ring Video Doorbell | CWE-419: Unprotected Primary Channel |
Cacagoo IP camera | CWE-287: Improper Authentication |
Trifo Ironpie M6 vacuum cleaner | CWE-284: Improper Access Control |


I3: Insecure Ecosystem Interfaces

Device | CWE | Keyword (from original description)
Moxa AP industrial wireless access point | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
AXIS cameras | CWE-20: Improper Input Validation |
Belkin smart home products | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') & CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
D-Link DIR-300 routers | CWE-352: Cross-Site Request Forgery (CSRF) |
AVTECH IP camera, NVR, DVR | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CSRF
AGFEO smart home ES 5xx/6xx | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Loxone Smart Home | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
TP-Link TL-SG108E switch | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | XSS, JavaScript
Hanbanggaoke IP camera | CWE-650: Trusting HTTP Permission Methods on the Server Side |
iSmartAlarm | CWE-287: Improper Authentication |
Western Digital My Cloud | CWE-287: Improper Authentication |
In-flight entertainment systems | CWE-287: Improper Authentication |
KeyWe smart key | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |


I4: Lack of Secure Update Mechanism

Device | CWE | Keyword (from original description)
GeoVision devices | CWE-295: Improper Certificate Validation |
Canon printers | CWE-295: Improper Certificate Validation |
Nest smart thermostat | CWE-940: Improper Verification of Source of a Communication Channel |


I5: Use of Insecure or Outdated Components

Device | CWE | Keyword (from original description)
Amazon Echo | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |
Light bulb | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |


I6: Insufficient Privacy Protection

Device | CWE | Keyword (from original description)
Gator 2 smartwatch | CWE-359: Exposure of Private Information ('Privacy Violation') | IMEI, location (GPS/Wi-Fi)
D-Link DIR-600 and DIR-300 routers | CWE-200: Information Exposure |
Samsung Smart TV | CWE-200: Information Exposure |
Home security camera | CWE-359: Exposure of Private Information ('Privacy Violation') |
We-Vibe smart sex toys | CWE-359: Exposure of Private Information ('Privacy Violation') |
iBaby M6 baby monitor | CWE-359: Exposure of Private Information ('Privacy Violation') |


I7: Insecure Data Transfer and Storage

Device | CWE | Keyword (from original description)
Owlet Wi-Fi baby heart monitor | CWE-201: Information Exposure Through Sent Data |
Samsung fridge | CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | Google
Volkswagen car | CWE CATEGORY: Cryptographic Issues |
HS-110 smart plug | CWE-201: Information Exposure Through Sent Data |
Loxone Smart Home | CWE-201: Information Exposure Through Sent Data |
Samsung Smart TV | CWE-200: Information Exposure |
D-Link 850L routers | CWE-319: Cleartext Transmission of Sensitive Information |
Boosted, Revo, E-Go skateboards | CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') |
LIFX smart LED light bulbs | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
Stuffed toys | CWE-521: Weak Password Requirements |
IoT smart deadbolt | CWE-922: Insecure Storage of Sensitive Information |
ASUS router | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |


I8: Lack of Device Management

Device | CWE | Keyword (from original description)
TP-LINK IP surveillance camera | CWE-? (no CWE assigned) |


I9: Insecure Default Settings

Device | CWE | Keyword (from original description)
iKettle and Smarter Coffee machines | CWE-15: External Control of System or Configuration Setting |
Parrot AR.Drone 2.0 | CWE-284: Improper Access Control |
HP fax machine | CWE-276: Incorrect Default Permissions |
Smart speakers | CWE-1068: Inconsistency Between Implementation and Documented Design |


I10: Lack of Physical Hardening

Device | CWE | Keyword (from original description)
Mi-Cam baby monitors | CWE-284: Improper Access Control |
TOTOLINK router | CWE-20: Improper Input Validation |
TP-Link router | CWE-284: Improper Access Control | UART
Nest smart thermostat | CWE-284: Improper Access Control | USB, UART
Blink XT2 Sync Module | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |
Amazon Echo | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |


Other collections of vulnerable IoT devices: Safegadget, Exploitee, Awesome IoT Hacks.