It is clear that the implementation of security mechanisms in IoT devices is far from complete. The known categories of vulnerabilities in smart devices are documented in detail in the 2018 list of top IoT vulnerabilities (the OWASP IoT Top 10). Many changes were made relative to the previous, 2014 version of the document: some items disappeared entirely, others were updated, and new ones appeared.
To show how relevant this list is, we found an example of a vulnerable IoT device for each type of vulnerability. Our goal is to show the risks that smart-device users face every day.
Vulnerable devices range from children's toys and alarm systems to cars and refrigerators. Some devices appear in the list more than once. All of this, of course, is an indicator of the generally low level of security in IoT devices.
I1 Weak, Guessable, or Hardcoded Passwords

Device | CWE | Note
---|---|---
Routers Netgear | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | DNS
Loxone Smart Home | CWE-261: Weak Encoding for Password |
AGFEO smart home ES 5xx/6xx | CWE-261: Weak Encoding for Password |
Industrial wireless access point Moxa AP | CWE-260: Password in Configuration File |
Heatmiser Thermostat | CWE-260: Password in Configuration File |
Digital video recorder Mvpower | CWE-521: Weak Password Requirements |
DBPOWER U818A WIFI quadcopter drone | CWE-276: Incorrect Default Permissions |
Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of Hard-coded Password |
Vacuum Cleaner LG | CWE-287: Improper Authentication |
Eminent EM6220 Camera | CWE-312: Cleartext Storage of Sensitive Information | 123456
LIXIL Satis Toilet | CWE-259: Use of Hard-coded Password | Bluetooth
FUEL Drill | CWE-259: Use of Hard-coded Password |
Billion Router 7700NR4 | CWE-798: Use of Hard-coded Credentials |
Canon Printers | CWE-269: Improper Privilege Management & CWE-295: Improper Certificate Validation |
Parrot AR.Drone 2.0 | CWE-285: Improper Authorization |
Camera Amazon Ring | CWE-285: Improper Authorization |
I2 Insecure Network Services

Device | CWE | Note
---|---|---
Smart Massager | CWE-284: Improper Access Control |
Implantable Cardiac Device | CWE-284: Improper Access Control |
Hikvision Wi-Fi IP Camera | CWE-284: Improper Access Control |
Foscam C1 Indoor HD Cameras | CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
Toy Furby | CWE-284: Improper Access Control |
Toy My Friend Cayla | CWE-284: Improper Access Control |
iSmartAlarm | CWE-20: Improper Input Validation |
iSPY Camera Tank | CWE-284: Improper Access Control |
DblTek GoIP | CWE-598: Information Exposure Through Query Strings in GET Request |
Nuuo NVR (network video recorder) and Netgear | CWE-259: Use of Hard-coded Password |
Sony IPELA Engine IP Cameras | CWE-287: Improper Authentication | Mirai
iSmartAlarm | CWE-295: Improper Certificate Validation | SSL
Routers Dlink 850L | CWE-798: Use of Hard-coded Credentials |
Amazon’s Ring Video Doorbell | CWE-419: Unprotected Primary Channel |
Cacagoo IP camera | CWE-287: Improper Authentication |
Trifo Ironpie M6 Vacuum cleaner | CWE-284: Improper Access Control |
I3 Insecure Ecosystem Interfaces

Device | CWE | Note
---|---|---
Industrial wireless access point Moxa AP | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
AXIS cameras | CWE-20: Improper Input Validation |
Belkin’s smart home products | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') & CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
Routers D-Link DIR-300 | CWE-352: Cross-Site Request Forgery (CSRF) |
AVTECH IP Camera, NVR, DVR | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CSRF
AGFEO smart home ES 5xx/6xx | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Loxone Smart Home | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Switch TP-Link TL-SG108E | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | XSS, JavaScript
Hanbanggaoke IP Camera | CWE-650: Trusting HTTP Permission Methods on the Server Side |
iSmartAlarm | CWE-287: Improper Authentication |
Western Digital My Cloud | CWE-287: Improper Authentication |
In-Flight Entertainment Systems | CWE-287: Improper Authentication |
Smart key KeyWe | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
I4 Lack of Secure Update Mechanism

Device | CWE | Note
---|---|---
Devices by GeoVision | CWE-295: Improper Certificate Validation |
Canon Printers | CWE-295: Improper Certificate Validation |
Smart Nest Thermostat | CWE-940: Improper Verification of Source of a Communication Channel |
I5 Use of Insecure or Outdated Components

Device | CWE | Note
---|---|---
Amazon Echo | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |
Light bulb | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |
I6 Insufficient Privacy Protection

Device | CWE | Note
---|---|---
Gator 2 smartwatch | CWE-359: Exposure of Private Information ('Privacy Violation') | IMEI, location (GPS/Wi-Fi)
Routers D-Link DIR-600 and DIR-300 | CWE-200: Information Exposure |
Samsung Smart TV | CWE-200: Information Exposure |
Home security camera | CWE-359: Exposure of Private Information ('Privacy Violation') |
Smart sex toys We-Vibe | CWE-359: Exposure of Private Information ('Privacy Violation') |
iBaby M6 baby monitor | CWE-359: Exposure of Private Information ('Privacy Violation') |
I7 Insecure Data Transfer and Storage

Device | CWE | Note
---|---|---
Owlet Wi-Fi baby heart monitor | CWE-201: Information Exposure Through Sent Data |
Samsung fridge | CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') | Google
Volkswagen car | CWE CATEGORY: Cryptographic Issues |
HS-110 Smart Plug | CWE-201: Information Exposure Through Sent Data |
Loxone Smart Home | CWE-201: Information Exposure Through Sent Data |
Samsung Smart TV | CWE-200: Information Exposure |
Routers Dlink 850L | CWE-319: Cleartext Transmission of Sensitive Information |
Skateboards Boosted, Revo, E-Go | CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') |
LIFX smart LED light bulbs | CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
Stuffed toys | CWE-521: Weak Password Requirements |
IoT Smart Deadbolt | CWE-922: Insecure Storage of Sensitive Information |
Router ASUS | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
I8 Lack of Device Management

Device | CWE | Note
---|---|---
TP-LINK IP Surveillance Camera | CWE-? |
I9 Insecure Default Settings

Device | CWE | Note
---|---|---
iKettle Smarter Coffee machines | CWE-15: External Control of System or Configuration Setting |
Parrot AR.Drone 2.0 | CWE-284: Improper Access Control |
HP Fax machine | CWE-276: Incorrect Default Permissions |
Smart speakers | CWE-1068: Inconsistency Between Implementation and Documented Design |
I10 Lack of Physical Hardening

Device | CWE | Note
---|---|---
Baby monitors Mi-Cam | CWE-284: Improper Access Control |
TOTOLINK router | CWE-20: Improper Input Validation |
Router TP-Link | CWE-284: Improper Access Control | UART
Smart Nest Thermostat | CWE-284: Improper Access Control | USB, UART
Blink XT2 Sync Module | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |
Amazon Echo | CWE-1233: Improper Hardware Lock Protection for Security Sensitive Controls |
[Conclusion: only fragments survive. Resources named: Safegadget, Exploitee, Awesome IoT Hacks; OWASP and OpenWrt are also mentioned.]