(Un)smart devices: the OWASP top 10 IoT vulnerabilities

It is no secret that the implementation of security mechanisms in IoT devices is far from perfect. The known categories of vulnerabilities in smart devices are well documented in the 2018 Top IoT Vulnerabilities. The previous, 2014 version of the document has undergone many changes: some items have disappeared entirely, others have been updated, and new ones have appeared.



To show how relevant this list is, we found examples of vulnerable IoT devices for each type of vulnerability. Our goal is to demonstrate the risks that users of smart devices face every day.



Vulnerable devices range from children's toys and alarms to cars and refrigerators. Some devices appear more than once on our list. All of this, of course, is an indicator of the low level of security of IoT devices in general.





Details below the cut.



I1 Weak, guessable, or hard-coded passwords



Use of passwords that are vulnerable to brute force, publicly available (for example, in the manual), or unchangeable, including backdoors in the firmware or client software, which allows unauthorized access to the system.



Device type and name | CWE | Security weakness
Netgear routers | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | DNS
Loxone Smart Home | CWE-261: Weak Encoding for Password
AGFEO smart home ES 5xx/6xx | CWE-261: Weak Encoding for Password
Industrial wireless access point Moxa AP | CWE-260: Password in Configuration File
Heatmiser Thermostat | CWE-260: Password in Configuration File
Digital video recorder Mvpower | CWE-521: Weak Password Requirements
DBPOWER U818A WIFI quadcopter drone | CWE-276: Incorrect Default Permissions
Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of Hard-coded Password
LG vacuum cleaner | CWE-287: Improper Authentication
Eminent EM6220 Camera | CWE-312: Cleartext Storage of Sensitive Information | 123456
LIXIL Satis Toilet | CWE-259: Use of Hard-coded Password | Bluetooth
FUEL Drill | CWE-259: Use of Hard-coded Password
Billion Router 7700NR4 | CWE-798: Use of Hard-coded Credentials
Canon Printers | CWE-269: Improper Privilege Management & CWE-295: Improper Certificate Validation
Parrot AR.Drone 2.0 | CWE-285: Improper Authorization
Amazon Ring camera | CWE-285: Improper Authorization


I2






Device type and name | CWE | Security weakness
Smart Massager | CWE-284: Improper Access Control
Implantable Cardiac Device | CWE-284: Improper Access Control
Hikvision Wi-Fi IP Camera | CWE-284: Improper Access Control
Foscam C1 Indoor HD Cameras | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Furby toy | CWE-284: Improper Access Control
My Friend Cayla toy | CWE-284: Improper Access Control
iSmartAlarm | CWE-20: Improper Input Validation
iSPY Camera Tank | CWE-284: Improper Access Control
DblTek GoIP | CWE-598: Information Exposure Through Query Strings in GET Request
Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of Hard-coded Password
Sony IPELA Engine IP Cameras | CWE-287: Improper Authentication | Mirai
iSmartAlarm | CWE-295: Improper Certificate Validation | SSL
Dlink 850L routers | CWE-798: Use of Hard-coded Credentials
Amazon's Ring Video Doorbell | CWE-419: Unprotected Primary Channel
Cacagoo IP camera | CWE-287: Improper Authentication
Trifo Ironpie M6 vacuum cleaner | CWE-284: Improper Access Control


I3






Device type and name | CWE | Security weakness
Industrial wireless access point Moxa AP | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
AXIS cameras | CWE-20: Improper Input Validation
Belkin's smart home products | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') & CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
D-Link DIR-300 routers | CWE-352: Cross-Site Request Forgery (CSRF)
AVTECH IP Camera, NVR, DVR | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CSRF
AGFEO smart home ES 5xx/6xx | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Loxone Smart Home | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
TP-Link TL-SG108E switch | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | XSS, JavaScript
Hanbanggaoke IP Camera | CWE-650: Trusting HTTP Permission Methods on the Server Side
iSmartAlarm | CWE-287: Improper Authentication
Western Digital My Cloud | CWE-287: Improper Authentication
In-Flight Entertainment Systems | CWE-287: Improper Authentication
KeyWe smart key | CWE-327: Use of a Broken or Risky Cryptographic Algorithm


I4






Device type and name | CWE | Security weakness
Devices by GeoVision | CWE-295: Improper Certificate Validation
Canon Printers | CWE-295: Improper Certificate Validation
Smart Nest Thermostat | CWE-940: Improper Verification of Source of a Communication Channel


I5






Device type and name | CWE | Security weakness
Amazon Echo | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls
Light bulb | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls


I6






Device type and name | CWE | Security weakness
Gator 2 smartwatch | CWE-359: Exposure of Private Information ('Privacy Violation') | IMEI, (GPS/Wi-Fi)
D-Link DIR-600 and DIR-300 routers | CWE-200: Information Exposure
Samsung Smart TV | CWE-200: Information Exposure
Home security camera | CWE-359: Exposure of Private Information ('Privacy Violation')
We-Vibe smart sex toys | CWE-359: Exposure of Private Information ('Privacy Violation')
iBaby M6 baby monitor | CWE-359: Exposure of Private Information ('Privacy Violation')


I7






Device type and name | CWE | Security weakness
Owlet Wi-Fi baby heart monitor | CWE-201: Information Exposure Through Sent Data
Samsung fridge | CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | Google
Volkswagen car | CWE CATEGORY: Cryptographic Issues
HS-110 Smart Plug | CWE-201: Information Exposure Through Sent Data
Loxone Smart Home | CWE-201: Information Exposure Through Sent Data
Samsung Smart TV | CWE-200: Information Exposure
Dlink 850L routers | CWE-319: Cleartext Transmission of Sensitive Information
Skateboards Boosted, Revo, E-Go | CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
LIFX smart LED light bulbs | CWE-327: Use of a Broken or Risky Cryptographic Algorithm
Stuffed toys | CWE-521: Weak Password Requirements
IoT Smart Deadbolt | CWE-922: Insecure Storage of Sensitive Information
ASUS router | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor


I8






Device type and name | CWE | Security weakness
TP-LINK IP Surveillance Camera | CWE-? (no CWE)


I9






Device type and name | CWE | Security weakness
iKettle, Smarter Coffee machines | CWE-15: External Control of System or Configuration Setting
Parrot AR.Drone 2.0 | CWE-284: Improper Access Control
HP Fax machine | CWE-276: Incorrect Default Permissions
Smart speakers | CWE-1068: Inconsistency Between Implementation and Documented Design


I10






Device type and name | CWE | Security weakness
Mi-Cam baby monitors | CWE-284: Improper Access Control
TOTOLINK router | CWE-20: Improper Input Validation
TP-Link router | CWE-284: Improper Access Control | UART
Smart Nest Thermostat | CWE-284: Improper Access Control | USB UART
Blink XT2 Sync Module | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls
Amazon Echo | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls


Safegadget, Exploitee, Awesome IoT Hacks

















