(Un)smart devices: the OWASP IoT Top 10 vulnerabilities

It is no secret that the security mechanisms implemented in IoT devices are far from perfect. The known categories of vulnerabilities in smart devices are well documented in the OWASP Top IoT Vulnerabilities of 2018. Compared with the previous version of the document from 2014, a great deal has changed: some items have disappeared entirely, others have been updated, and new ones have appeared.



To show how relevant this list is, we found an example of a vulnerable IoT device for each type of vulnerability. Our goal is to show the risks that users of smart devices face every day.



Vulnerable devices can be very different, from children's toys and alarms to cars and refrigerators. Some devices appear in our list more than once. All of this, of course, is an indicator of the generally low level of security in IoT devices.





Details are below the cut.



I1 Weak, Guessable, or Hardcoded Passwords



Use of passwords that are easily brute-forced, publicly available (for example, from the manual) or cannot be changed, including backdoors in firmware or client software, which allow unauthorized access to the system.



Device type | CWE name | Security weakness
Router Netgear | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | DNS
Loxone Smart Home | CWE-261: Weak Encoding for Password |
AGFEO smart home ES 5xx/6xx | CWE-261: Weak Encoding for Password |
Industrial wireless access point Moxa AP | CWE-260: Password in Configuration File |
Heatmiser Thermostat | CWE-260: Password in Configuration File |
Digital video recorder Mvpower | CWE-521: Weak Password Requirements |
DBPOWER U818A WIFI quadcopter drone | CWE-276: Incorrect Default Permissions |
Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of Hard-coded Password |
Vacuum Cleaner LG | CWE-287: Improper Authentication |
Eminent EM6220 Camera | CWE-312: Cleartext Storage of Sensitive Information | 123456
LIXIL Satis Toilet | CWE-259: Use of Hard-coded Password | Bluetooth
FUEL Drill | CWE-259: Use of Hard-coded Password |
Billion Router 7700NR4 | CWE-798: Use of Hard-coded Credentials |
Canon Printers | CWE-269: Improper Privilege Management & CWE-295: Improper Certificate Validation |
Parrot AR.Drone 2.0 | CWE-285: Improper Authorization |
Camera Amazon Ring | CWE-285: Improper Authorization |
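As an added example (not code from the article or from any vendor), a small audit script for the weaknesses catalogued under I1: it scans a constructed, INI-style device configuration dump for plaintext secrets (CWE-260), factory-default credentials and passwords that fail a minimal strength policy (CWE-521). The key names, the default-credential list and the use of CWE-1392 (Use of Default Credentials, which is not in the article's tables) for shipped defaults are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: an INI-style settings dump of the kind pulled from an
# IoT device's firmware. Not taken from any real device.
SAMPLE_CONFIG = """\
[web]
user=admin
password=123456
[telnet]
enabled=1
login=root
passwd=root
[rtsp]
user=viewer
password=cam2019
[wifi]
ssid=HomeCam
psk=r7Q!v2mX9#pLw4
"""

# Assumed list of factory (user, password) pairs that are tried first in the wild.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "123456"), ("root", "root"),
                 ("admin", "password"), ("admin", "")}
USER_KEYS = {"user", "username", "login"}
PASS_KEYS = {"password", "passwd", "pass", "psk", "secret"}

@dataclass
class Finding:
    line: int
    cwe: str
    detail: str

def is_weak(password: str) -> bool:
    """Minimal policy: at least 8 characters and three character classes."""
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return len(password) < 8 or classes < 3

def audit_config(text: str) -> list[Finding]:
    findings, last_user = [], ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$", raw)
        if not m:
            continue  # section headers and blank lines
        key, value = m.group(1).lower(), m.group(2)
        if key in USER_KEYS:
            last_user = value  # pair the next secret with this account
        elif key in PASS_KEYS:
            findings.append(Finding(lineno, "CWE-260", f"plaintext {key} stored in config"))
            if (last_user, value) in DEFAULT_CREDS:
                findings.append(Finding(lineno, "CWE-1392", f"factory default {last_user}:{value}"))
            elif is_weak(value):
                findings.append(Finding(lineno, "CWE-521", f"{key} fails strength policy"))
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line}: {f.cwe} - {f.detail}")
```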


I2 Insecure Network Services






Device type | CWE name | Security weakness
Smart Massager | CWE-284: Improper Access Control |
Implantable Cardiac Device | CWE-284: Improper Access Control |
Hikvision Wi-Fi IP Camera | CWE-284: Improper Access Control |
Foscam C1 Indoor HD Cameras | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
Toy Furby | CWE-284: Improper Access Control |
Toy My Friend Cayla | CWE-284: Improper Access Control |
iSmartAlarm | CWE-20: Improper Input Validation |
iSPY Camera Tank | CWE-284: Improper Access Control |
DblTek GoIP | CWE-598: Information Exposure Through Query Strings in GET Request |
Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of Hard-coded Password |
Sony IPELA Engine IP Cameras | CWE-287: Improper Authentication | Mirai
iSmartAlarm | CWE-295: Improper Certificate Validation | SSL
Routers Dlink 850L | CWE-798: Use of Hard-coded Credentials |
Amazon's Ring Video Doorbell | CWE-419: Unprotected Primary Channel |
Cacagoo IP camera | CWE-287: Improper Authentication |
Trifo Ironpie M6 Vacuum cleaner | CWE-284: Improper Access Control |


I3 Insecure Ecosystem Interfaces






Device type | CWE name | Security weakness
Industrial wireless access point Moxa AP | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
AXIS cameras | CWE-20: Improper Input Validation |
Belkin's smart home products | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') & CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
Routers D-Link DIR-300 | CWE-352: Cross-Site Request Forgery (CSRF) |
AVTECH IP Camera, NVR, DVR | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CSRF
AGFEO smart home ES 5xx/6xx | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Loxone Smart Home | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Switch TP-Link TL-SG108E | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | XSS, JavaScript
Hanbanggaoke IP Camera | CWE-650: Trusting HTTP Permission Methods on the Server Side |
iSmartAlarm | CWE-287: Improper Authentication |
Western Digital My Cloud | CWE-287: Improper Authentication |
In-Flight Entertainment Systems | CWE-287: Improper Authentication |
Smart key KeyWe | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |


I4 Lack of Secure Update Mechanism






Device type | CWE name | Security weakness
Devices by GeoVision | CWE-295: Improper Certificate Validation |
Canon Printers | CWE-295: Improper Certificate Validation |
Smart Nest Thermostat | CWE-940: Improper Verification of Source of a Communication Channel |


I5 Use of Insecure or Outdated Components






Device type | CWE name | Security weakness
Amazon Echo | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |
Light bulb | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |


I6 Insufficient Privacy Protection






Device type | CWE name | Security weakness
Gator 2 smartwatch | CWE-359: Exposure of Private Information ('Privacy Violation') | IMEI, GPS/Wi-Fi
Routers D-Link DIR-600 and DIR-300 | CWE-200: Information Exposure |
Samsung Smart TV | CWE-200: Information Exposure |
Home security camera | CWE-359: Exposure of Private Information ('Privacy Violation') |
Smart sex toys We-Vibe | CWE-359: Exposure of Private Information ('Privacy Violation') |
iBaby M6 baby monitor | CWE-359: Exposure of Private Information ('Privacy Violation') |


I7 Insecure Data Transfer and Storage






Device type | CWE name | Security weakness
Owlet Wi-Fi baby heart monitor | CWE-201: Information Exposure Through Sent Data |
Samsung fridge | CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | Google
Volkswagen car | CWE CATEGORY: Cryptographic Issues |
HS-110 Smart Plug | CWE-201: Information Exposure Through Sent Data |
Loxone Smart Home | CWE-201: Information Exposure Through Sent Data |
Samsung Smart TV | CWE-200: Information Exposure |
Routers Dlink 850L | CWE-319: Cleartext Transmission of Sensitive Information |
Skateboards Boosted, Revo, E-Go | CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') |
LIFX smart LED light bulbs | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
Stuffed toys | CWE-521: Weak Password Requirements |
IoT Smart Deadbolt | CWE-922: Insecure Storage of Sensitive Information |
Router ASUS | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |


I8 Lack of Device Management






Device type | CWE name | Security weakness
TP-LINK IP Surveillance Camera | CWE-? |


I9 Insecure Default Settings






Device type | CWE name | Security weakness
ikettle Smarter Coffee machines | CWE-15: External Control of System or Configuration Setting |
Parrot AR.Drone 2.0 | CWE-284: Improper Access Control |
HP Fax machine | CWE-276: Incorrect Default Permissions |
Smart speakers | CWE-1068: Inconsistency Between Implementation and Documented Design |


I10 Lack of Physical Hardening






Device type | CWE name | Security weakness
Baby monitors Mi-Cam | CWE-284: Improper Access Control |
TOTOLINK router | CWE-20: Improper Input Validation |
Router TP-Link | CWE-284: Improper Access Control | UART
Smart Nest Thermostat | CWE-284: Improper Access Control | USB UART
Blink XT2 Sync Module | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |
Amazon Echo | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |


More on IoT vulnerabilities: Safegadget, Exploitee, Awesome IoT Hacks.

















