owasp-iot-top-10
OWASP IoT Top 10
This skill encodes the OWASP IoT Top 10 (2018 edition) for secure IoT device and ecosystem design and review. The reference for each risk is loaded on demand, one file per risk.
When to Read Which Reference
| Risk | Read |
|---|---|
| I1 Weak, Guessable, or Hardcoded Passwords | references/i1-weak-passwords.md |
| I2 Insecure Network Services | references/i2-insecure-network-services.md |
| I3 Insecure Ecosystem Interfaces | references/i3-insecure-ecosystem-interfaces.md |
| I4 Lack of Secure Update Mechanism | references/i4-secure-update-mechanism.md |
| I5 Using Insecure or Outdated Components | references/i5-outdated-components.md |
| I6 Insecure Data Transfer and Storage | references/i6-insecure-data-transfer-storage.md |
| I7 Absence of Device Management | references/i7-device-management.md |
| I8 Insecure Default Settings | references/i8-insecure-default-settings.md |
| I9 Lack of Physical Hardening | references/i9-physical-hardening.md |
| I10 Insufficient Privacy Protection | references/i10-privacy-protection.md |
Quick Patterns
- Eliminate default and hardcoded passwords; provision unique credentials per device.
- Ship updates only through a signed, verified update path.
- Minimize exposed network services and open ports.
- Encrypt data in transit and at rest.
- Support the full device lifecycle, including decommissioning.
- Harden the device physically and protect user privacy.
Quick Reference / Examples
| Task | Approach |
|---|---|
| Eliminate default passwords | Force password change on first use; generate unique per-device. See I1. |
| Secure updates | Sign firmware, verify before install, support rollback. See I4. |
| Minimize attack surface | Disable unused services, close unnecessary ports. See I2. |
| Encrypt data | TLS (with server certificate validation) for transit; authenticated encryption such as AES-GCM for storage; keys held in a secure element or similar, never in plain flash. See I6. |
| Physical hardening | Disable debug interfaces (JTAG/UART), tamper detection. See I9. |
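The "Encrypt data" row above says AES; what makes storage encryption hold up on a device is an authenticated mode (so tampering is detected), a fresh nonce per record and the record being bound to the device it belongs to. The following Go program is an added example illustrating that, not code from this skill or from OWASP. The record layout (nonce || ciphertext || tag), the device IDs, the sample secret and the function names are constructed for the example; the key is generated in RAM only so the program runs stand-alone, whereas a real device would obtain it from a secure element.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrRecord is returned for every rejection so a caller cannot distinguish
// truncation, tampering and cross-device copying from the error alone.
var ErrRecord = errors.New("storage: record rejected (truncated, tampered, or bound to another device)")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record for storage. Output layout: nonce || ciphertext || tag.
// deviceID is passed as additional authenticated data: it is not encrypted, but the
// tag only verifies if the same deviceID is supplied on Open.
func Seal(key, deviceID, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes for GCM
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, so the record is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, deviceID), nil
}

// Open decrypts and authenticates a record written by Seal.
func Open(key, deviceID, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrRecord // too short to even hold nonce + tag
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, deviceID)
	if err != nil {
		return nil, ErrRecord // authentication failed: tampered or wrong device/key
	}
	return pt, nil
}

// DemoStorage exercises the round trip and the two rejection cases.
// Returns: round trip ok, tampered record rejected, record from another device rejected.
func DemoStorage() (bool, bool, bool) {
	key := make([]byte, 32) // constructed for the demo; on a device this comes from a secure element
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	devA, devB := []byte("device-0001"), []byte("device-0002") // constructed IDs
	secret := []byte("wifi-psk: constructed-example-value")

	rec, err := Seal(key, devA, secret)
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, devA, rec)
	roundTrip := err == nil && string(pt) == string(secret)

	tampered := append([]byte(nil), rec...)
	tampered[len(tampered)-1] ^= 0x80 // flip one bit of the tag
	_, err = Open(key, devA, tampered)
	tamperDetected := errors.Is(err, ErrRecord)

	_, err = Open(key, devB, rec) // same key, record copied from device A
	crossDeviceRejected := errors.Is(err, ErrRecord)

	return roundTrip, tamperDetected, crossDeviceRejected
}

func main() {
	ok, tamper, cross := DemoStorage()
	fmt.Printf("round trip=%v tamper rejected=%v cross-device rejected=%v\n", ok, tamper, cross)
}
```

Random 96-bit nonces are fine for the record counts a device realistically writes, but NIST SP 800-38D caps random-IV GCM at 2^32 encryptions per key; a device that writes more than that under one key should switch to a counter-based nonce or rotate the key.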
Safe - firmware signature verification (pseudocode):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* ed25519_verify() comes from the vendor's crypto library; VENDOR_PUBLIC_KEY is
 * the 32-byte public key baked into immutable boot code. signature points to the
 * 64-byte Ed25519 signature shipped with the image. */
bool verify_firmware(const uint8_t *firmware, size_t len, const uint8_t *signature) {
    // Verify Ed25519 signature with embedded public key
    return ed25519_verify(signature, firmware, len, VENDOR_PUBLIC_KEY);
}
// Only write to flash if verify_firmware() returns true. Nothing in the image
// (version field included) may be trusted before this check passes.
```

Unsafe - no update verification:

```c
void install_firmware(uint8_t *firmware) {
    flash_write(firmware); // No signature check - accepts malicious updates
}
```

Unique per-device credentials (manufacturing):

```python
import secrets

# During manufacturing, generate and store unique credentials per device.
# store_in_secure_element() is a pseudocode hook for the production line's
# provisioning step (secure element, TPM or OTP), not a real library call.
device_password = secrets.token_urlsafe(16)
store_in_secure_element(device_id, device_password)
```
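The pseudocode above leaves the parts a boot-loader gets wrong to the reader: checking lengths before parsing, verifying the signature before trusting anything in the header, and refusing a validly signed but older image (anti-rollback, which goes beyond the "support rollback" row in the table). The following Go program is an added example covering those steps end to end, not code from this skill, from OWASP or from any vendor; Go is used because its standard library ships Ed25519, so it runs with no dependencies. The image layout (magic, version, length, payload, signature), the error names and the sample payload are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout (constructed for this example, not a real vendor format):
//   [0:4]              magic "FWIM"
//   [4:8]              version, big-endian uint32 (monotonic, for anti-rollback)
//   [8:12]             payload length, big-endian uint32
//   [12:12+len]        payload
//   [12+len:+64]       Ed25519 signature over everything before it
const (
	headerLen = 12
	magic     = "FWIM"
)

var (
	ErrTruncated = errors.New("firmware: image truncated or length field mismatch")
	ErrBadMagic  = errors.New("firmware: bad magic")
	ErrBadSig    = errors.New("firmware: signature verification failed")
	ErrRollback  = errors.New("firmware: version is not newer than the installed one")
)

// BuildImage is the vendor-side signing step: header + payload, then a signature over both.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, headerLen+len(payload))
	copy(img[0:4], magic)
	binary.BigEndian.PutUint32(img[4:8], version)
	binary.BigEndian.PutUint32(img[8:12], uint32(len(payload)))
	copy(img[headerLen:], payload)
	sig := ed25519.Sign(priv, img)
	return append(img, sig...)
}

// VerifyImage is the device-side check that must run before any flash write.
// It returns the new version and the payload only if every check passes.
func VerifyImage(pub ed25519.PublicKey, installedVersion uint32, img []byte) (uint32, []byte, error) {
	if len(img) < headerLen+ed25519.SignatureSize {
		return 0, nil, ErrTruncated
	}
	if string(img[0:4]) != magic {
		return 0, nil, ErrBadMagic
	}
	payloadLen := binary.BigEndian.Uint32(img[8:12])
	if uint64(payloadLen) > uint64(len(img)) {
		return 0, nil, ErrTruncated // guards the int conversion below on 32-bit targets
	}
	signedLen := headerLen + int(payloadLen)
	// The length field must match the image exactly: no trailing bytes, no short reads.
	if signedLen+ed25519.SignatureSize != len(img) {
		return 0, nil, ErrTruncated
	}
	signed, sig := img[:signedLen], img[signedLen:]
	// Signature first: the version field is only trusted once it is known to be signed,
	// so an attacker cannot bump the version on an unsigned header to pass anti-rollback.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(img[4:8])
	if version <= installedVersion {
		return 0, nil, ErrRollback
	}
	return version, signed[headerLen:], nil
}

// Demo signs a constructed payload and exercises the accept path and three reject paths.
// Returns: genuine accepted, tampered rejected, downgrade rejected, truncated rejected.
func Demo() (bool, bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair, generated for the demo
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed firmware payload v2")
	img := BuildImage(priv, 2, payload)

	_, got, err := VerifyImage(pub, 1, img)
	accepted := err == nil && string(got) == string(payload)

	tampered := append([]byte(nil), img...)
	tampered[headerLen] ^= 0x01 // flip one payload bit after signing
	_, _, err = VerifyImage(pub, 1, tampered)
	tamperRejected := errors.Is(err, ErrBadSig)

	_, _, err = VerifyImage(pub, 2, img) // device already runs v2: signed but not newer
	rollbackRejected := errors.Is(err, ErrRollback)

	_, _, err = VerifyImage(pub, 1, img[:len(img)-1]) // last signature byte missing
	truncRejected := errors.Is(err, ErrTruncated)

	return accepted, tamperRejected, rollbackRejected, truncRejected
}

func main() {
	a, b, c, d := Demo()
	fmt.Printf("genuine accepted=%v tamper rejected=%v rollback rejected=%v truncated rejected=%v\n", a, b, c, d)
}
```

The order of checks is the point: length, then signature, then version. Recovery rollback (the table's "support rollback", keeping the previous slot so a failed update is not fatal) is a separate mechanism and is compatible with this version check as long as the installed version compared against is the one actually running.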
Workflow
Load the reference for the risk you are addressing. See OWASP IoT Top 10 for the official list.