-
Notifications
You must be signed in to change notification settings - Fork 128
IoTGoat challenges
Listed below are vulnerability challenges included in IoTGoat. If a crucial challenge is missing, please reach out to the project leaders, file an issue, or submit a pull request. As new challenges and vulnerabilities are introduced, this page will be updated. For assistance, follow OWASP methodologies and testing guides such as the Firmware Security Testing Methodology and Web Security Testing Guide.
No 1: Weak, Guessable, or Hardcoded Passwords:
- Hardcoded user credentials compiled into firmware.
No 2: Insecure Network Services:
- Vulnerable miniupnp configuration allowing unauthorized devices permission to modify network configurations such as firewall rules. This attack can be demonstrated using the Miranda tool
- Legacy network services listening upon start up.
- Dnsmasq is vulnerable to heap and stack overflows. See Dnsmasq setup instructions.
No 3: Insecure Ecosystem Interfaces:
- A "secret" developer diagnostics page not directly accessible and exposes shell access to users.
- Persistent backdoor daemon configured to run during start up.
- Multiple cross-site scripting (XSS) vulnerabilities.
No 4: Lack of Secure Update Mechanism:
- Insecure package update configuration defaults including CVE-2020-7982.
- Insecure firmware over the air update system.
No 5: Use of Insecure or Outdated Components:
- Several insecure and outdated software components with CVEs such as Dnsmasq, pppd, Linux Kernel, BusyBox, wpa_supplicant, and more.
No 6: Insufficient Privacy Protection:
- PII data captured and stored insecurely.
No 7: Insecure Data Transfer and Storage:
- Improperly configured encryption settings enabled.
No 8: Lack of Device Management:
- System logs, monitoring, or auditing capabilities are not enabled.
No 9: Insecure Default Settings:
- Many included in IoTGoat such as missing secure headers to prevent framing as well as CSRF protections on sensitive requests.
No 10: Lack of Physical Hardening:
- Hardware challenges will be introduced in future versions of IoTGoat.