2022年设备威胁报告

Spirent 2022 Device Threat Report Introduction This report showcases thewidespread threats a rangeof organizations face with IoT(Internet of Things) devices, andcites the top threats discoveredin 2022 by Spirent SecurityLabs.These vulnerabilities wereidentified with state-of-the-arttesting programs and validatedby their extensive industry-recognized experience andcredentialed certifications insecurity testing. The device security attack surface As the presence of IoT devices continues to rise across a range of industries, with noend in sight, so too does the myriad of attack surfaces. This means organizationsface a range of security requirements for IoT devices in networks, their systems,services, firewalls, IDS, IPS solutions, and more. All must be secure. Applications,authentication, authorization, and input validation must be secure. Device hardwareposes other challenges, such as unauthorized access, encryption, and datasecurity. Mobile devices must address client data storage, data transport, and APIsecurity requirements. Cloud devices must ensure security in the backend server,authorization, and update security. Device areas of testing To secure the attack surfaces of IoT devices, a comprehensive testing strategy shouldbe in place. A range of IoT devices have different testing requirements for securityassurance. They include the following categories: •Device networks.The following must be tested, including insecure serverconfiguration, default system passwords, unpatched systems, knownvulnerabilities and exploits, insecure firewall configuration, information leakage,improper error handling, weak cryptographic keys, vulnerable ciphers andprotocols, and data exfiltration. •Device application, API, and cloud.These factors must be tested: authentication,authorization, encryption usage lockout, brute force login, injection attacks (XSSand SQL), weak password, and privilege escalation. •Device hardware.These elements must be tested: device firmware analysis,binary code analysis, spoofing, JTAG/UART review, fuzzing, underlying softwareand application evaluation, and unencrypted communication. •Device mobile interface.These security components must be tested: device endsecurity (addressing sensitive information stored in caches, unencrypted datastorage, files inspection, excess permissions and privileges, and device lockoutpolicy), dynamic analysis, authentication, authorization, and encryption usage. Spirent SecurityLabs essential testing criteria The fundamental framework of Spirent SecurityLabs testing approach addresses issues with authentication and authorization;firmware update mechanisms; security of interfaces, including JTAG/UART/SPI review; in-depth binary code analysis; securityof wireless communication (Wi-Fi, Bluetooth, BLE, Zigbee, LoRaWAN, etc.); fuzzing protocols (on software and hardware levels);security of data in transit; and consideration of side-channel attacks, if needed, such as: NAND glitching, power glitching or faultInduction, memory scrapping, and differential power analysis (DPA). Penetration Testing.Penetration tests are designed togauge and demonstrate real-world vulnerability to current,authentic attacks. With a scope tailored to suit the systemunder test, these assessments reflect the multi-facetedchallenges and realities of securing assets against modern,skilled adversaries. Methodologies should be aligned withwell-known industry standards, including NIST InternationalCybersecurity Standardization for the Internet of Things(IoT), CTIA, and OWASP IoT guidelines. SecurityLabs devicepenetration testing methodology is utilized to discoverconfiguration weaknesses and uncover exploitablevulnerabilities in the following areas: Device Testing: Examples.Spirent has performed devicepenetration testing in virtually every industry and has testedIoT and Industrial Internet of Things (IIoT) devices including: •Router gateways•Hotspots•Broadband modems•Cameras•Location trackers•Wearables•Sensor hubs•Security sensors•Camera-based surveillance and monitoring devices•Asset trackers•Electronic logging devices for fleet management•IoT hubs•Oilfield monitoring radio and controllers•Automotive real-time diagnostics devices•Infotainment systems•Robotic systems•Toughbook-type devices •Obtaining unauthorized access to sensitive data•Making unauthorized changes to data or program•Bypassing authentication and authorization mechanisms•Elevation of privilege•Code injection•Service crashes•Memory leaks•Input validation weaknesses•Serialization issues•Man-in-the-middle (MITM) attacks SecurityLabs Findings: The Top Device Vulnerabilities – 2022 The top device vulnerabilities found by SecurityLabs in 2022 were: •Unencrypted communications•Hardcoded cryptographic keys•Reprogrammable components•Insecure boot process•Weak and non-standard cryptographic algorithms•Weak and common credentials•Unencrypted storage•Accessible serial console•Outdated software•Insecure APIs•High privileged running se