Attack surface areas and the vulnerabilities associated with each

Ecosystem (general)
- Interoperability standards
- Data governance
- System-wide failure
- Individual stakeholder risks

Ecosystem Access Control
- Implicit trust between components
- Enrolment security
- System decommissioning
- Lost access procedures

Device Memory
- Cleartext usernames
- Cleartext passwords
- Third-party credentials
- Encryption keys

Device Physical Interfaces
- Firmware extraction
- User CLI
- Admin CLI
- Privilege escalation
- Reset to insecure state
- Removal of storage media
- Tamper resistance
- Debug port
- Device ID/serial number exposure

Device Web Interface
- SQL injection
- Cross-site scripting
- Cross-site request forgery
- Username enumeration
- Weak passwords
- Account lockout
- Known default credentials

Device Firmware
- Hardcoded credentials
- Sensitive information disclosure
- Sensitive URL disclosure
- Encryption keys
- Encryption (symmetric, asymmetric)
- Firmware version display and/or last update date
- Backdoor accounts
- Vulnerable services (web, SSH, TFTP, etc.)
- Security-related function API exposure
- Firmware downgrade

Device Network Services
- Information disclosure
- User CLI
- Administrative CLI
- Injection
- Denial of Service (DoS)
- Unencrypted services
- Poorly implemented encryption
- Test/development services
- Buffer overflow
- UPnP
- Vulnerable UDP services
- Blocking of device firmware OTA updates
- Replay attack
- Lack of payload verification
- Lack of message integrity check

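The Device Network Services row lists replay attacks, lack of payload verification and lack of message integrity checks side by side because one mechanism addresses all three. The Go program below is an added example (it is not part of the original list and not any vendor's code) showing a device that authenticates each command with an HMAC-SHA256 tag over a monotonic counter plus the payload, checks the tag before it trusts the counter, and refuses any counter it has already accepted. The wire layout, the shared per-device key, and the `Sender`/`Receiver` names are assumptions made for the example; `WeakOpen` is included only to contrast with a device that skips the check.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire layout assumed for this example (not any real product's protocol):
//   counter (8 bytes, big-endian) || payload || tag (32-byte HMAC-SHA256 over counter||payload)
const tagLen = sha256.Size

var (
	ErrShort  = errors.New("message too short")
	ErrBadTag = errors.New("message integrity check failed")
	ErrReplay = errors.New("replayed message: counter not greater than last accepted")
)

// Sender is the controller (app or cloud) issuing commands; Receiver is the device.
// Both hold the same per-device key, provisioned out of band (assumed here).
type Sender struct {
	key     []byte
	counter uint64
}

type Receiver struct {
	key      []byte
	lastSeen uint64 // highest counter accepted so far; a real device persists this across reboots
}

func NewPair(key []byte) (*Sender, *Receiver) {
	return &Sender{key: key}, &Receiver{key: key}
}

// Seal prepends a fresh monotonic counter and appends an HMAC over counter||payload.
func (s *Sender) Seal(payload []byte) []byte {
	s.counter++
	msg := make([]byte, 8, 8+len(payload)+tagLen)
	binary.BigEndian.PutUint64(msg, s.counter)
	msg = append(msg, payload...)
	mac := hmac.New(sha256.New, s.key)
	mac.Write(msg)
	return mac.Sum(msg) // appends the 32-byte tag to msg
}

// Open verifies the tag first, then enforces counter monotonicity, and only then
// returns the payload. Checking the tag before the counter means a forged counter
// can never move lastSeen, so an attacker cannot desynchronise the receiver.
func (r *Receiver) Open(msg []byte) ([]byte, error) {
	if len(msg) < 8+tagLen {
		return nil, ErrShort
	}
	body, tag := msg[:len(msg)-tagLen], msg[len(msg)-tagLen:]
	mac := hmac.New(sha256.New, r.key)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time comparison
		return nil, ErrBadTag
	}
	ctr := binary.BigEndian.Uint64(body[:8])
	if ctr <= r.lastSeen {
		return nil, ErrReplay
	}
	r.lastSeen = ctr
	return body[8:], nil
}

// WeakOpen is what a device with no integrity check effectively does: it trusts
// whatever arrived. A flipped byte goes unnoticed and a captured message can be
// resent indefinitely. Shown for contrast only.
func WeakOpen(msg []byte) []byte {
	if len(msg) < 8 {
		return nil
	}
	return msg[8:]
}

func main() {
	s, r := NewPair([]byte("constructed-demo-key-not-for-production"))
	m := s.Seal([]byte("unlock"))
	p, err := r.Open(m)
	fmt.Printf("first delivery: %q err=%v\n", p, err)
	_, err = r.Open(m)
	fmt.Println("replayed copy:", err)
	m[8] ^= 0xff // flip the first payload byte in transit
	_, err = r.Open(m)
	fmt.Println("tampered copy:", err)
	fmt.Printf("receiver without integrity check sees: %q\n", WeakOpen(m[:len(m)-tagLen]))
}
```

Two caveats a practitioner would add: `lastSeen` has to survive a reboot (in flash, or in a monotonic counter in a secure element), otherwise every power cycle reopens the replay window for every message captured so far; and an HMAC gives integrity and origin authentication but no confidentiality, so if the payload itself is sensitive the channel still needs encryption (the "Unencrypted services" item in the same row).

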
Administrative Interface
- SQL injection
- Cross-site scripting
- Cross-site request forgery
- Username enumeration
- Weak passwords
- Account lockout
- Known default credentials
- Security/encryption options
- Logging options
- Two-factor authentication
- Inability to wipe device

Local Data Storage
- Unencrypted data
- Data encrypted with discovered keys
- Lack of data integrity checks
- Use of the same static encryption/decryption key

Cloud Web Interface
- SQL injection
- Cross-site scripting
- Cross-site request forgery
- Username enumeration
- Weak passwords
- Account lockout
- Known default credentials
- Transport encryption
- Insecure password recovery mechanism
- Two-factor authentication

Third-party Backend APIs
- Unencrypted PII sent
- Encrypted PII sent
- Device information leaked
- Location leaked

Update Mechanism
- Update sent without encryption
- Updates not signed
- Update location writable
- Update verification
- Update authentication
- Malicious update
- Missing update mechanism
- No manual update mechanism

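The Update Mechanism row (updates not signed, update verification, update authentication, malicious update) and the "Firmware downgrade" item under Device Firmware describe the checks an updater has to perform. The Go program below is an added example (not part of the original list and not any vendor's updater) of a device applying those checks in the right order: verify an Ed25519 signature over a manifest, confirm the image hash matches the signed manifest, and only then compare the signed version against the installed one to refuse downgrades. The package layout, the `Device` type and the `NewVendorKey` helper (standing in for a vendor's offline signing key) are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Package layout assumed for this example (not any vendor's real format):
//   manifest = version (4 bytes, big-endian) || sha256(image) (32 bytes)
//   package  = manifest || ed25519 signature over manifest (64 bytes) || image
const (
	manifestLen = 4 + sha256.Size
	headerLen   = manifestLen + ed25519.SignatureSize
)

var (
	ErrMalformed = errors.New("update: package too short")
	ErrSignature = errors.New("update: manifest signature invalid (unsigned or wrong key)")
	ErrImageHash = errors.New("update: image does not match signed manifest")
	ErrDowngrade = errors.New("update: version not newer than installed firmware")
)

// NewVendorKey stands in for the vendor's offline signing key (assumed for the example).
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildPackage is the vendor side: hash the image, bind hash and version in a
// manifest, and sign the manifest. Signing the hash rather than the whole image
// keeps the signed blob small while still covering every image byte.
func BuildPackage(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	manifest := make([]byte, 4, manifestLen)
	binary.BigEndian.PutUint32(manifest, version)
	sum := sha256.Sum256(image)
	manifest = append(manifest, sum[:]...)
	pkg := make([]byte, 0, headerLen+len(image))
	pkg = append(pkg, manifest...)
	pkg = append(pkg, ed25519.Sign(priv, manifest)...)
	return append(pkg, image...)
}

// Device holds the vendor public key pinned at manufacture and the installed version.
type Device struct {
	VendorPub ed25519.PublicKey
	Installed uint32
	Image     []byte
}

// ApplyUpdate rejects unsigned, wrong-key, tampered and downgrade packages.
// Order matters: nothing in the manifest, including the version number, is
// trusted until the signature over it has been verified, so an attacker cannot
// bump the version field to defeat the downgrade check.
func (d *Device) ApplyUpdate(pkg []byte) error {
	if len(pkg) < headerLen {
		return ErrMalformed
	}
	manifest, sig, image := pkg[:manifestLen], pkg[manifestLen:headerLen], pkg[headerLen:]
	if !ed25519.Verify(d.VendorPub, manifest, sig) {
		return ErrSignature
	}
	sum := sha256.Sum256(image)
	if !bytes.Equal(sum[:], manifest[4:]) {
		return ErrImageHash
	}
	version := binary.BigEndian.Uint32(manifest[:4])
	if version <= d.Installed {
		return ErrDowngrade
	}
	d.Installed = version
	d.Image = append([]byte(nil), image...)
	return nil
}

func main() {
	pub, priv := NewVendorKey()
	dev := &Device{VendorPub: pub, Installed: 1}
	fmt.Println("v2:", dev.ApplyUpdate(BuildPackage(priv, 2, []byte("firmware v2"))))
	fmt.Println("v1 again:", dev.ApplyUpdate(BuildPackage(priv, 1, []byte("firmware v1"))))
	bad := BuildPackage(priv, 3, []byte("firmware v3"))
	bad[len(bad)-1] ^= 1 // image modified after signing
	fmt.Println("tampered:", dev.ApplyUpdate(bad))
	_, otherPriv := NewVendorKey()
	fmt.Println("other key:", dev.ApplyUpdate(BuildPackage(otherPriv, 3, []byte("malicious"))))
}
```

Note what this does and does not cover. Signing makes "Update sent without encryption" a confidentiality question rather than an integrity one: a plaintext image can be read and reverse engineered, but not substituted. "Update location writable" is also not solved by signing alone if the device's pinned public key lives in the same writable area, which is why the key belongs in ROM or a write-protected region.

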
Mobile Application
- Implicitly trusted by device or cloud
- Username enumeration
- Account lockout
- Known default credentials
- Weak passwords
- Insecure data storage
- Transport encryption
- Insecure password recovery mechanism
- Two-factor authentication

Vendor Backend APIs
- Inherent trust of cloud or mobile application
- Weak authentication
- Weak access controls
- Injection attacks
- Hidden services

Ecosystem Communication
- Health checks
- Heartbeats
- Ecosystem commands
- Deprovisioning
- Pushing updates

Network Traffic
- LAN
- LAN to Internet
- Short range
- Non-standard
- Wireless (Wi-Fi, Z-Wave, Zigbee, Bluetooth)
- Protocol fuzzing

Authentication/Authorization
- Disclosure of authentication/authorization values (session key, token, cookie, etc.)
- Reuse of session keys, tokens, etc.
- Device-to-device authentication
- Device-to-mobile-application authentication
- Device-to-cloud-system authentication
- Mobile-application-to-cloud-system authentication
- Web-application-to-cloud-system authentication
- Lack of dynamic authentication

Privacy
- User data disclosure
- User/device location disclosure
- Differential privacy

Hardware (Sensors)
- Sensing environment manipulation
- Physical tampering
- Physical damage