Insecure credentials present biggest risk for IoT top 10 update

An update to the OWASP Internet of Things (IoT) top 10 vulnerabilities has been announced, with secure passwords marked as the number one defense against attackers.

The IoT top 10 project, which launched in 2014, has been rewritten for 2018 to reflect the current security climate.

Coming in at number one, weak or easily guessable passwords were cited as the biggest risk to consumer IoT devices.

In at number two was insecure network services, and number three was insecure ecosystem interfaces: APIs, cloud, or mobile interfaces outside the device itself whose weaknesses can lead to compromise of the device.

Insufficient privacy protection, lack of device management, and the inability to securely update the device also feature in the top 10.

Speaking to The Daily Swig, project lead Daniel Miessler said that the OWASP research team had no doubts when it came to the number one threat.

“The number one issue was remarkably easy, and everyone we show seems to agree. It’s the use of weak credentials, which leads to many types of remote compromise. It was the combination of probability and impact (both being off the charts) that made it the obvious choice,” Miessler told The Daily Swig.

The list largely relates to consumer IoT devices such as smart speakers, fitness trackers, and other internet-connected devices in the home.

It was agreed upon by more than 16 security researchers with different expertise from around the world.

The security of consumer IoT devices is a hot topic, especially due to the number of products discovered to be either leaking data, being vulnerable to hackers, or both.

Miessler warned that in the current climate, consumers need to be aware of both the risks and what to do to protect themselves.

“The big thing that consumers need to be aware of is the fact that they are part of the risk equation when they purchase and install these devices. It shouldn’t be that way.

“And it won’t be forever. But right now, consumers need to understand that these devices can carry their own risks, and they need to know how to mitigate them,” he added.

He advised: “Use secure passwords on all your IoT devices and apps (avoid defaults). Make sure your IoT devices and apps stay updated, and isolate your IoT systems from the rest of your home network using a firewall or router.”
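The three pieces of advice above (no default or weak credentials, keep firmware updated, keep IoT gear on an isolated network segment) are the kind of thing a home or small-office operator can check mechanically against an inventory of their own devices. The script below is an added example written for this article; it is not OWASP's code and not part of the IoT top 10 project. The inventory entries, the vendor-default credential list, the 12-character password floor and the 180-day firmware-age threshold are all constructed assumptions for the demonstration.

```python
"""Audit an inventory of your own IoT devices against the advice in the article:
weak or default credentials, stale firmware, and lack of network isolation.
All device records and credential lists below are constructed sample data."""

from dataclasses import dataclass
from datetime import date

# Constructed sample of vendor-default (username, password) pairs; an operator
# would maintain this from their own vendors' documentation.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"),
    ("admin", "1234"), ("user", "user"),
}
# Constructed sample of passwords common enough that they count as guessable.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "admin", "1234", "letmein"}

MIN_PASSWORD_LENGTH = 12      # assumed local policy
MAX_FIRMWARE_AGE_DAYS = 180   # assumed local policy
IOT_VLAN = "iot"              # assumed name of the isolated segment
AUDIT_DATE = date(2019, 1, 15)  # fixed "today" so results are reproducible


@dataclass
class Device:
    name: str
    username: str
    password: str
    firmware_date: date         # build date of the firmware currently installed
    latest_firmware_date: date  # build date of the newest firmware the vendor offers
    vlan: str                   # network segment the device actually sits on


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/symbol classes the password uses."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(test(c) for c in password) for test in tests)


def password_findings(username: str, password: str) -> list:
    """Return a list of reasons the credential pair is weak (empty if none)."""
    findings = []
    if (username, password) in DEFAULT_CREDENTIALS:
        findings.append("vendor default credentials")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("common password")
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if character_classes(password) < 3:
        findings.append("fewer than 3 character classes")
    if username and username.lower() in password.lower():
        findings.append("contains the username")
    return findings


def update_findings(device: Device, today: date) -> list:
    """Flag devices that are behind the vendor or simply running old firmware."""
    findings = []
    if device.latest_firmware_date > device.firmware_date:
        findings.append("newer firmware available")
    age = (today - device.firmware_date).days
    if age > MAX_FIRMWARE_AGE_DAYS:
        findings.append(f"firmware is {age} days old")
    return findings


def isolation_findings(device: Device) -> list:
    """Flag devices that are not on the isolated IoT segment."""
    if device.vlan != IOT_VLAN:
        return [f"on VLAN '{device.vlan}', not isolated VLAN '{IOT_VLAN}'"]
    return []


def audit(devices: list, today: date) -> dict:
    """Map each device name to its findings; clean devices are omitted."""
    report = {}
    for d in devices:
        findings = (password_findings(d.username, d.password)
                    + update_findings(d, today)
                    + isolation_findings(d))
        if findings:
            report[d.name] = findings
    return report


# Constructed inventory: one badly set up camera, one partly maintained speaker,
# and one thermostat that follows all three pieces of advice.
SAMPLE_DEVICES = [
    Device("camera-front-door", "admin", "admin",
           date(2018, 3, 1), date(2018, 11, 20), "lan"),
    Device("speaker-kitchen", "user", "Summer2018",
           date(2018, 6, 15), date(2018, 9, 1), "iot"),
    Device("thermostat-hall", "svc-thermo", "Kx7!pL9vQ2mW",
           date(2018, 12, 1), date(2018, 12, 1), "iot"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DEVICES, AUDIT_DATE).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run as-is, the script reports the camera on every count and the speaker for a short password and stale firmware, while the thermostat produces no findings. The checks are deliberately simple so each maps back to one line of the advice; a real deployment would feed the inventory from a router's client list or an asset database rather than a hard-coded list.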