HoT-TAI-0008: Weak or no transport encryption
Summary:
CWE-326 Inadequate Encryption Strength: In this case the software transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.
In addition, there may not be any transport encryption at all because the service/protocol does not natively support encryption (e.g. Telnet, HTTP). This allows an attacker to easily capture sensitive data such as passwords. See also:
- CWE-311 Missing Encryption of Sensitive Data
- CWE-319 Cleartext Transmission of Sensitive Information
- CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
- CWE-327 Use of a Broken or Risky Cryptographic Algorithm
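Added example (not part of the original entry): a small audit that maps observations of a device's network services to the CWEs listed above. The field names, the TLS 1.2 floor and the 128-bit cipher floor are assumptions chosen for illustration, and all sample observations are constructed.

```python
# Added example; every host, port and header value below is constructed sample data.
CLEARTEXT = {"telnet", "http", "ftp"}                       # no native transport encryption
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}   # assumed policy floor: TLS 1.2
MIN_CIPHER_BITS = 128                                       # assumed policy floor

def cookies_missing_secure(set_cookie_headers):
    """Return names of cookies whose Set-Cookie value lacks the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            missing.append(name)
    return missing

def audit_service(obs):
    """Return (CWE, detail) findings for one observed service."""
    port, proto, tls = obs["port"], obs["protocol"].lower(), obs.get("tls_version")
    if proto in CLEARTEXT or tls is None:
        # Nothing protects the session, so cookie flags are moot here.
        return [("CWE-319", f"{proto} on port {port} is sent in cleartext")]
    findings = []
    if tls in DEPRECATED_TLS:
        findings.append(("CWE-327", f"{tls} negotiated on port {port}"))
    bits = obs.get("cipher_bits", 0)  # unknown strength is treated as weak
    if bits < MIN_CIPHER_BITS:
        findings.append(("CWE-326", f"{bits}-bit cipher on port {port}"))
    for name in cookies_missing_secure(obs.get("set_cookie", [])):
        findings.append(("CWE-614", f"cookie '{name}' lacks Secure on port {port}"))
    return findings

SAMPLE = [  # constructed observations of one IoT device
    {"port": 23, "protocol": "telnet"},
    {"port": 443, "protocol": "https", "tls_version": "TLSv1.0", "cipher_bits": 128,
     "set_cookie": ["sid=abc123; Path=/; HttpOnly"]},
    {"port": 8883, "protocol": "mqtts", "tls_version": "TLSv1.2", "cipher_bits": 56},
    {"port": 8443, "protocol": "https", "tls_version": "TLSv1.3", "cipher_bits": 256,
     "set_cookie": ["sid=abc123; Path=/; Secure; HttpOnly"]},
]

if __name__ == "__main__":
    for obs in SAMPLE:
        for cwe, detail in audit_service(obs):
            print(cwe, detail)
```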
Estimated Overall Risk Assessment: HIGH
Technical Impacts:
HIGH
- In the case of weak transport encryption, an attacker may be able to decrypt the data. In the case of no transport encryption, an attacker can read sensitive data (e.g. passwords) without any special tools.
Business Impacts:
HIGH
- Data confidentiality of network traffic could be compromised, revealing sensitive data (e.g. passwords) to an attacker. Subsequently, an attacker could use this sensitive data to gain control over the IoT device and establish a foothold within your network for further actions-on-objective (e.g. further exploitation of the internal network, or use of the IoT device as part of a botnet to launch attacks against national critical infrastructure).
Detectability:
EASY
Prevalence:
COMMON
Exploitability:
EASY
Attack Surfaces Grouped By Layer of Cyberspace
Physical Network Layer
- Network Traffic / Device Network Services
- Device Web Interface
Ecosystem Communications
Mobile Application
Logical Network Layer
- Vendor Backend APIs
- 3rd Party Backend APIs
- Cloud Web Interface
Known Intrusion / Exploit / Attack Cases and Threats
TBD
Identify, Detect, Protect, Respond, and Recover (NIST FICIC)
TBD
Analysis Tools and Training
TBD
Associated CVEs / Manufacturers / Devices
Use this link, this link, or this link to identify the latest access control vulnerabilities. This search query is not specific to the IoT.
References
TBD