It is no secret that the security mechanisms of IoT devices are implemented far from perfectly. The known vulnerability classes for smart devices are described in detail in the OWASP Top 10 IoT vulnerabilities of 2018. The previous version of the document, from 2014, has changed considerably: some items disappeared entirely, others were updated, and new ones appeared.
To show how relevant this list is, we found examples of vulnerable IoT devices for every vulnerability type. Our goal is to show the risks that users of smart devices are exposed to every day.
Vulnerable devices can be very different, from children's toys and alarm systems to cars and refrigerators. Some devices appear in our list more than once. All of this, of course, is an indicator of the low level of security of IoT devices in general.
I1: Weak, Guessable, or Hardcoded Passwords
Use of easily brute-forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grant unauthorized access to deployed systems.
| Device | CWE | Details |
|---|---|---|
| Netgear routers | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | DNS |
| Loxone Smart Home | CWE-261: Weak Encoding for Password | |
| AGFEO smart home ES 5xx/6xx | CWE-261: Weak Encoding for Password | |
| Moxa AP industrial wireless access point | CWE-260: Password in Configuration File | |
| Heatmiser Thermostat | CWE-260: Password in Configuration File | |
| Mvpower digital video recorder | CWE-521: Weak Password Requirements | |
| DBPOWER U818A WIFI quadcopter drone | CWE-276: Incorrect Default Permissions | |
| Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of Hard-coded Password | |
| LG vacuum cleaner | CWE-287: Improper Authentication | |
| Eminent EM6220 Camera | CWE-312: Cleartext Storage of Sensitive Information | 123456 |
| LIXIL Satis Toilet | CWE-259: Use of Hard-coded Password | Bluetooth |
| FUEL Drill | CWE-259: Use of Hard-coded Password | |
| Billion Router 7700NR4 | CWE-798: Use of Hard-coded Credentials | |
| Canon Printers | CWE-269: Improper Privilege Management & CWE-295: Improper Certificate Validation | |
| Parrot AR.Drone 2.0 | CWE-285: Improper Authorization | |
| Amazon Ring camera | CWE-285: Improper Authorization | |
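Most of the I1 rows (CWE-259, CWE-260, CWE-261, CWE-312, CWE-521) can be found before a device ever goes online, by auditing the unpacked firmware image. The following is an added example, not code from the article or any vendor: it walks a constructed in-memory root filesystem, classifies the hash scheme of every /etc/shadow entry, and flags secrets in configuration files that are stored in plaintext or merely base64-"encoded". The sample files, the key-name patterns and the default-password list are assumptions; the base64 detection is a heuristic, not proof.

```python
"""Audit an unpacked IoT firmware root filesystem for I1 credential
weaknesses: accounts shipped with fixed or empty passwords (CWE-259,
CWE-287), plaintext secrets in config files (CWE-260), base64 encoding
used as if it were encryption (CWE-261), and common defaults (CWE-521).
Added example; the sample filesystem below is constructed."""
import base64
import re
from typing import Dict, List, Optional

# Constructed sample: path -> contents, as seen after unpacking a
# squashfs/jffs2 root with binwalk or unsquashfs. Hashes are made up.
SAMPLE_ROOTFS: Dict[str, str] = {
    "/etc/shadow": (
        "root:$1$Zy8k1Qx3$V2p6hU7qRrJ0wB9nXcF4s1:17000:0:99999:7:::\n"
        "admin::17000:0:99999:7:::\n"
        "support:ab3JksuT8Xq1A:17000:0:99999:7:::\n"
        "nobody:*:17000:0:99999:7:::\n"
    ),
    "/etc/config/wireless": "option ssid 'cam-2f1a'\noption key 'cGFzc3dvcmQxMjM='\n",
    "/etc/app.conf": "db_user=cam\ndb_password=admin1234\ntimeout=30\n",
}

# Assumed default-password list; a real audit uses a large wordlist.
COMMON_DEFAULTS = {"admin", "password", "password123", "1234", "12345678",
                   "admin1234", "root"}

# Heuristic: a key carrying one of these words usually holds a secret.
# Matches both "key=value" and OpenWrt-style "option key 'value'" lines.
SECRET_KEY = re.compile(
    r"""^\s*(?:option\s+)?(?P<key>\w*(?:pass|pwd|secret|key)\w*)\s*(?:=|\s)\s*['"]?(?P<val>[^'"\s]+)['"]?\s*$""",
    re.IGNORECASE | re.MULTILINE,
)

FAST_SCHEMES = {"descrypt", "md5crypt"}   # cheap to brute-force offline


def classify_hash(field: str) -> str:
    """Name the crypt(3) scheme used in a shadow password field."""
    if field == "":
        return "empty"
    if field[0] in "*!":
        return "locked"
    for prefix, name in (("$1$", "md5crypt"), ("$2", "bcrypt"),
                         ("$5$", "sha256crypt"), ("$6$", "sha512crypt")):
        if field.startswith(prefix):
            return name
    if "$" not in field and len(field) == 13:
        return "descrypt"                    # legacy DES, 8-character maximum
    return "unknown"


def audit_shadow(text: str, path: str = "/etc/shadow") -> List[dict]:
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        scheme = classify_hash(field)
        if scheme == "locked":
            continue
        if scheme == "empty":
            findings.append({"path": path, "cwe": "CWE-287",
                             "detail": f"{user}: empty password, login needs no secret"})
            continue
        detail = f"{user}: fixed {scheme} hash identical on every unit"
        if scheme in FAST_SCHEMES:
            detail += " (fast to crack offline)"
        findings.append({"path": path, "cwe": "CWE-259", "detail": detail})
    return findings


def decode_if_base64(value: str) -> Optional[str]:
    """Return the decoded text if value is base64 of printable ASCII."""
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return None
    if raw and raw.isascii() and raw.decode().isprintable():
        return raw.decode()
    return None


def audit_configs(rootfs: Dict[str, str]) -> List[dict]:
    findings = []
    for path, text in rootfs.items():
        if path.endswith("shadow"):
            continue
        for m in SECRET_KEY.finditer(text):
            key, val = m.group("key"), m.group("val")
            decoded = decode_if_base64(val)
            if decoded is not None:          # CWE-261: encoding is not encryption
                secret = decoded
                findings.append({"path": path, "cwe": "CWE-261",
                                 "detail": f"{key}: base64 decodes to {decoded!r}"})
            else:                            # CWE-260: plaintext secret in config
                secret = val
                findings.append({"path": path, "cwe": "CWE-260",
                                 "detail": f"{key}: secret stored in plaintext"})
            if secret.lower() in COMMON_DEFAULTS or len(secret) < 8:
                findings.append({"path": path, "cwe": "CWE-521",
                                 "detail": f"{key}: {secret!r} is a common default or too short"})
    return findings


def audit_rootfs(rootfs: Dict[str, str]) -> List[dict]:
    findings = []
    for path, text in rootfs.items():
        if path.endswith("shadow"):
            findings.extend(audit_shadow(text, path))
    findings.extend(audit_configs(rootfs))
    return findings


if __name__ == "__main__":
    for f in audit_rootfs(SAMPLE_ROOTFS):
        print(f"{f['cwe']:8} {f['path']:22} {f['detail']}")
```

Any non-locked /etc/shadow entry is reported even when the scheme is strong: a hash baked into the image is the same on every unit, so one cracked or leaked password opens all of them, which is what CWE-259 describes. The scheme only changes how fast that happens.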
I2: Insecure Network Services
Unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control.
| Device | CWE | Details |
|---|---|---|
| Smart Massager | CWE-284: Improper Access Control | |
| Implantable Cardiac Device | CWE-284: Improper Access Control | |
| Hikvision Wi-Fi IP Camera | CWE-284: Improper Access Control | |
| Foscam C1 Indoor HD Cameras | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | |
| Toy Furby | CWE-284: Improper Access Control | |
| Toy My Friend Cayla | CWE-284: Improper Access Control | |
| iSmartAlarm | CWE-20: Improper Input Validation | |
| iSPY Camera Tank | CWE-284: Improper Access Control | |
| DblTek GoIP | CWE-598: Information Exposure Through Query Strings in GET Request | |
| Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of Hard-coded Password | |
| Sony IPELA Engine IP Cameras | CWE-287: Improper Authentication | Mirai |
| iSmartAlarm | CWE-295: Improper Certificate Validation | SSL |
| D-Link 850L routers | CWE-798: Use of Hard-coded Credentials | |
| Amazon's Ring Video Doorbell | CWE-419: Unprotected Primary Channel | |
| Cacagoo IP camera | CWE-287: Improper Authentication | |
| Trifo Ironpie M6 vacuum cleaner | CWE-284: Improper Access Control | |
I3: Insecure Ecosystem Interfaces
Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allow compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input/output filtering.
| Device | CWE | Details |
|---|---|---|
| Moxa AP industrial wireless access point | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |
| AXIS cameras | CWE-20: Improper Input Validation | |
| Belkin's smart home products | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') & CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | |
| D-Link DIR-300 routers | CWE-352: Cross-Site Request Forgery (CSRF) | |
| AVTECH IP Camera, NVR, DVR | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CSRF |
| AGFEO smart home ES 5xx/6xx | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |
| Loxone Smart Home | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |
| TP-Link TL-SG108E switch | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | XSS, JavaScript |
| Hanbanggaoke IP Camera | CWE-650: Trusting HTTP Permission Methods on the Server Side | |
| iSmartAlarm | CWE-287: Improper Authentication | |
| Western Digital My Cloud | CWE-287: Improper Authentication | |
| In-Flight Entertainment Systems | CWE-287: Improper Authentication | |
| KeyWe smart key | CWE-327: Use of a Broken or Risky Cryptographic Algorithm | |
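The I3 rows recur across vendors because the fixes are all on the device's web interface and are easy to skip: check the session before routing, refuse state changes on GET instead of trusting whichever method arrives (CWE-650), tie each form to a per-session token and the browser's Origin (CWE-352), and escape stored data before it lands in HTML (CWE-79). The block below is an added example, not code from the article or from any of the devices listed; it models the request as a plain dict, and the routes, the device address and the one editable setting are assumptions. The unsafe renderer is kept beside the safe one so the two can be compared on the same payload.

```python
"""Request handling for a device web UI hardened against the I3 patterns:
authenticate before routing (CWE-287), no side effects on GET (CWE-650),
CSRF token plus Origin check (CWE-352), HTML escaping of device data
(CWE-79). Added example; request model, routes and address are assumed."""
import hmac
import html
import secrets
from typing import Dict, Optional, Tuple

DEVICE_ORIGIN = "https://192.168.1.64"    # assumed address of the device UI
STATE_CHANGING = {"POST", "PUT", "DELETE"}

SESSIONS: Dict[str, dict] = {}            # cookie value -> session record
DEVICE_STATE = {"name": "Front door"}     # the one setting the UI can edit


def login(user: str) -> Tuple[str, str]:
    """Create a session; returns (cookie value, CSRF token for forms)."""
    cookie, csrf = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": user, "csrf": csrf}
    return cookie, csrf


def make_request(method, path, cookie=None, origin=None, form=None) -> dict:
    """Build the plain-dict request model used here (constructed input)."""
    headers = {}
    if cookie:
        headers["Cookie"] = f"session={cookie}"
    if origin:
        headers["Origin"] = origin
    return {"method": method, "path": path, "headers": headers, "form": form or {}}


def authenticate(req: dict) -> Optional[dict]:
    """Look up the session cookie; None means the request is anonymous."""
    for part in req["headers"].get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in SESSIONS:
            return SESSIONS[value]
    return None


def csrf_ok(req: dict, session: dict) -> bool:
    """Two independent checks: the browser's Origin must be the device
    itself, and the form must carry this session's token, compared in
    constant time. Either check alone is bypassable in some deployments."""
    if req["headers"].get("Origin") != DEVICE_ORIGIN:
        return False
    supplied = req["form"].get("csrf", "").encode()
    return hmac.compare_digest(supplied, session["csrf"].encode())


def render_status_unsafe(name: str) -> str:
    """The pattern behind the XSS rows: stored data pasted into HTML raw."""
    return f"<h1>Camera: {name}</h1>"


def render_status(name: str) -> str:
    """Same page with the device name escaped for an HTML text context."""
    return f"<h1>Camera: {html.escape(name)}</h1>"


def handle(req: dict) -> Tuple[int, str]:
    session = authenticate(req)
    if session is None:                       # authenticate first, route later
        return 401, "login required"
    method, path = req["method"], req["path"]
    if path == "/status" and method == "GET":
        return 200, render_status(DEVICE_STATE["name"])
    if path in ("/reboot", "/name"):
        if method not in STATE_CHANGING:      # a GET must never change state
            return 405, "method not allowed"
        if not csrf_ok(req, session):
            return 403, "csrf check failed"
        if path == "/name":
            DEVICE_STATE["name"] = req["form"].get("name", "")[:64]
            return 200, "renamed"
        return 200, "rebooting"
    return 404, "not found"
```

Note what the Origin check does not do: a request from another origin that omits the header entirely is also rejected, because `get("Origin")` returns None and the comparison fails closed. Browsers send Origin on cross-site POSTs, so a legitimate same-device form always passes.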
I4: Lack of Secure Update Mechanism
Lack of the ability to securely update the device. This includes lack of firmware validation on the device, lack of secure delivery (unencrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.
| Device | CWE | Details |
|---|---|---|
| Devices by GeoVision | CWE-295: Improper Certificate Validation | |
| Canon Printers | CWE-295: Improper Certificate Validation | |
| Smart Nest Thermostat | CWE-940: Improper Verification of Source of a Communication Channel | |
I5: Use of Insecure or Outdated Components
Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms, and the use of third-party software or hardware components from a compromised supply chain.
| Device | CWE | Details |
|---|---|---|
| Amazon Echo | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls | |
| Light bulb | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls | |
I6: Insufficient Privacy Protection
Users' personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.
| Device | CWE | Details |
|---|---|---|
| Gator 2 smartwatch | CWE-359: Exposure of Private Information ('Privacy Violation') | IMEI, location (GPS/Wi-Fi) |
| D-Link DIR-600 and DIR-300 routers | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | |
| Samsung Smart TV | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | |
| Home security camera | CWE-359: Exposure of Private Information ('Privacy Violation') | |
| We-Vibe smart sex toys | CWE-359: Exposure of Private Information ('Privacy Violation') | |
| iBaby M6 baby monitor | CWE-359: Exposure of Private Information ('Privacy Violation') | |
I7: Insecure Data Transfer and Storage
Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.
| Device | CWE | Details |
|---|---|---|
| Owlet Wi-Fi baby heart monitor | CWE-201: Information Exposure Through Sent Data | |
| Samsung fridge | CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | Google |
| Volkswagen car | CWE CATEGORY: Cryptographic Issues | |
| HS-110 Smart Plug | CWE-201: Information Exposure Through Sent Data | |
| Loxone Smart Home | CWE-201: Information Exposure Through Sent Data | |
| Samsung Smart TV | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | |
| D-Link 850L routers | CWE-319: Cleartext Transmission of Sensitive Information | |
| Skateboards Boosted, Revo, E-Go | CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | |
| LIFX smart LED light bulbs | CWE-327: Use of a Broken or Risky Cryptographic Algorithm | |
| Stuffed toys | CWE-521: Weak Password Requirements | |
| IoT Smart Deadbolt | CWE-922: Insecure Storage of Sensitive Information | |
| ASUS router | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | |
I8: Lack of Device Management
Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.
| Device | CWE | Details |
|---|---|---|
| TP-LINK IP Surveillance Camera | CWE-? (no suitable CWE) | |
I9: Insecure Default Settings
Devices or systems shipped with insecure default settings, or lacking the ability to make the system more secure by restricting operators from modifying configurations.
| Device | CWE | Details |
|---|---|---|
| iKettle, Smarter Coffee machines | CWE-15: External Control of System or Configuration Setting | |
| Parrot AR.Drone 2.0 | CWE-284: Improper Access Control | |
| HP Fax machine | CWE-276: Incorrect Default Permissions | |
| Smart speakers | CWE-1068: Inconsistency Between Implementation and Documented Design | |
I10: Lack of Physical Hardening
Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or to take local control of the device.
| Device | CWE | Details |
|---|---|---|
| Mi-Cam baby monitors | CWE-284: Improper Access Control | |
| TOTOLINK router | CWE-20: Improper Input Validation | |
| TP-Link router | CWE-284: Improper Access Control | UART |
| Smart Nest Thermostat | CWE-284: Improper Access Control | USB, UART |
| Blink XT2 Sync Module | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls | |
| Amazon Echo | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls | |
Further resources on IoT device security: Safegadget, Exploitee, Awesome IoT Hacks.

[Closing paragraphs not recovered from the source; they reference OWASP and OpenWrt.]