With the recent DDoS attack that utilized IoT devices to shut down major internet traffic, security of these devices is in the spotlight. The market continues to grow with devices filling up our smart homes, cities and businesses. You may be concerned about your lack of a testing procedure for these. Or maybe you have one defined but want to know if it’s sufficient. Below you’ll find 20 questions to ask when testing the security of your IoT devices, based on the Open Web Application Security Project (OWASP), which put forth excellent testing guidelines for securing Internet of Things devices. For more detailed information, stop on by the OWASP website or give us a call.
- Are weak passwords allowed?
- Does transmitted info use HTTPS?
- Will the account lock a user out after multiple failed logins?
- Is the web interface vulnerable to XSS, SQLi or other web app vulnerabilities?
- Is two-factor authentication implemented?
- What are password recovery mechanisms?
- Do passwords expire?
- Can a user change the default username and password?
- What personal information is collected?
- Is personal data encrypted both at rest and in transit?
- Is data de-identified?
- Lack of Transport Encryption
- Is a firewall option available?
- Are security events logged?
- Can you enable AES-256 encryption?
- Is there an unnecessary USB port that would allow physical access?
- Does it have update capabilities, and when it updates, are the files encrypted?
- Prior to installing, does the device require signed files?
- How does it respond to buffer overflow or denial of service attacks?
- Are any test ports present?