owasp-iot-top-10

Original：🇺🇸 English

Translated

OWASP IoT Top 10 - prevention, detection, and remediation for IoT device and ecosystem security. Use when designing or reviewing IoT devices - passwords, network services, ecosystem interfaces, secure updates, components, data transfer/storage, device management, default settings, physical hardening, privacy.

1installs

Sourceyariv1025/skills

Added on2026-02-15

NPX Install

npx skill4agent add yariv1025/skills owasp-iot-top-10

SKILL.md Content

View Translation Comparison →

OWASP IoT Top 10

This skill encodes the OWASP IoT Top 10 for secure IoT device and ecosystem design and review. References are loaded per risk. Based on OWASP IoT Top 10 2018.

When to Read Which Reference

Risk	Read
I1 Weak, Guessable, or Hardcoded Passwords	references/i1-weak-passwords.md
I2 Insecure Network Services	references/i2-insecure-network-services.md
I3 Insecure Ecosystem Interfaces	references/i3-insecure-ecosystem-interfaces.md
I4 Lack of Secure Update Mechanism	references/i4-secure-update-mechanism.md
I5 Using Insecure or Outdated Components	references/i5-outdated-components.md
I6 Insecure Data Transfer and Storage	references/i6-insecure-data-transfer-storage.md
I7 Absence of Device Management	references/i7-device-management.md
I8 Insecure Default Settings	references/i8-insecure-default-settings.md
I9 Lack of Physical Hardening	references/i9-physical-hardening.md
I10 Insufficient Privacy Protection	references/i10-privacy-protection.md

Quick Patterns

Eliminate default/hardcoded passwords; use secure update with signing; minimize exposed network services. Encrypt data in transit and at rest; support device lifecycle and decommissioning. Harden physically and protect user privacy.

Quick Reference / Examples

Task	Approach
Eliminate default passwords	Force password change on first use; generate unique per-device. See I1.
Secure updates	Sign firmware, verify before install, support rollback. See I4.
Minimize attack surface	Disable unused services, close unnecessary ports. See I2.
Encrypt data	TLS for transit, AES for storage, secure key storage. See I6.
Physical hardening	Disable debug interfaces (JTAG/UART), tamper detection. See I9.

Safe - firmware signature verification (pseudocode):

c

bool verify_firmware(uint8_t* firmware, size_t len, uint8_t* signature) {
    // Verify Ed25519 signature with embedded public key
    return ed25519_verify(signature, firmware, len, VENDOR_PUBLIC_KEY);
}
// Only install if verify_firmware() returns true

Unsafe - no update verification:

c

void install_firmware(uint8_t* firmware) {
    flash_write(firmware);  // No signature check - accepts malicious updates
}

Unique per-device credentials (manufacturing):

python

# During manufacturing, generate and store unique credentials
device_password = secrets.token_urlsafe(16)
store_in_secure_element(device_id, device_password)

Workflow

Load the reference for the risk you are addressing. See OWASP IoT Top 10 for the official list.