Comments (2)
Notes (will tidy up).
WPA2:
- Use Management Frame Protection
- KRACK, October 2017
- Kr00k, August 2019
WPA3:
- Dragonblood, April 2019
Bluetooth 4.2 (December 2014) and up offer four pairing models, depending on HW capability:
https://www.bluetooth.com/blog/bluetooth-pairing-part-1-pairing-feature-exchange/
- Just Works.
  - Vulnerable to MITM.
- Numeric comparison. Both devices must have screens and input mechanisms. The user compares the 6 digit PIN displayed by both devices and confirms it's the same using an input mechanism.
- Passkey Entry.
  - Uses a 6-digit PIN that can be cracked.
- Out Of Band (OOB).
Bluetooth vulnerabilities:
- BlueBorne, April 2017
- Fixed Coordinate Invalid Curve Attack, July 2018
- Key Negotiation of Bluetooth Attack, August 2019
from iot-security-verification-standard-isvs.
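The "6-digit PIN that can be cracked" point above deserves a concrete illustration. The following is an added example, not code from the issue thread or the ISVS project. It simulates the 20 commit/reveal rounds of LE Secure Connections Passkey Entry (each round commits to one passkey bit with f4(PKax, PKbx, Nai, 0x80|bit) and then reveals the nonce) and shows that a passive listener who records public keys, commitments and nonces recovers the whole passkey from a single pairing. Assumptions: HMAC-SHA-256 stands in for the spec's AES-CMAC-based f4 so the script runs with the standard library only (the leak is a property of committing to one bit with a revealed nonce, not of the MAC), the public keys are constructed random byte strings rather than real P-256 points, and the DHKey check that follows the passkey rounds is omitted.

```python
"""Added example: recovering a Passkey Entry passkey from one observed pairing.

Simplified model of LE Secure Connections Passkey Entry (Bluetooth Core,
Vol 3 Part H). Per bit i of the 20-bit passkey the initiator sends
  C_ai = f4(PKax, PKbx, N_ai, 0x80 | r_i)
and afterwards reveals N_ai in the clear. Public keys and nonces are on the
air, so an eavesdropper can test both values of r_i against C_ai.

ASSUMPTION: f4 below uses HMAC-SHA-256 instead of the spec's AES-CMAC so
that this runs with the Python standard library alone.
"""
import hashlib
import hmac
import secrets

PASSKEY_BITS = 20  # 6 decimal digits (max 999999) fit in 20 bits


def f4(u: bytes, v: bytes, x: bytes, z: int) -> bytes:
    """Commitment over both public keys, a 128-bit nonce and one passkey bit.
    Stand-in for the spec's f4 (AES-CMAC keyed with the nonce)."""
    return hmac.new(x, u + v + bytes([z]), hashlib.sha256).digest()


def honest_passkey_entry(pk_a: bytes, pk_b: bytes, passkey: int) -> list:
    """Run the initiator side of the 20 rounds and return what an eavesdropper
    sees: (commitment, revealed nonce) for every bit."""
    if not 0 <= passkey < 2 ** PASSKEY_BITS:
        raise ValueError("passkey must be a 20-bit value (6 decimal digits)")
    transcript = []
    for i in range(PASSKEY_BITS):
        r_i = (passkey >> i) & 1
        n_ai = secrets.token_bytes(16)           # fresh per bit, as required
        c_ai = f4(pk_a, pk_b, n_ai, 0x80 | r_i)  # sent first
        # ... responder sends its own C_bi, then N_ai is revealed and checked.
        transcript.append((c_ai, n_ai))
    return transcript


def recover_passkey(pk_a: bytes, pk_b: bytes, transcript: list) -> int:
    """Passive recovery: two MAC evaluations per bit, no private keys needed."""
    passkey = 0
    for i, (c_ai, n_ai) in enumerate(transcript):
        if f4(pk_a, pk_b, n_ai, 0x81) == c_ai:
            passkey |= 1 << i
        elif f4(pk_a, pk_b, n_ai, 0x80) != c_ai:
            raise ValueError(f"round {i}: commitment matches neither bit value")
    return passkey


def demo(passkey: int = 123456) -> tuple:
    """Constructed public keys (random bytes, not real P-256 points)."""
    pk_a = secrets.token_bytes(32)
    pk_b = secrets.token_bytes(32)
    transcript = honest_passkey_entry(pk_a, pk_b, passkey)
    return passkey, recover_passkey(pk_a, pk_b, transcript)


if __name__ == "__main__":
    original, recovered = demo()
    print(f"passkey entered: {original:06d}, recovered from the air: {recovered:06d}")
```

This is why the Core Specification requires a fresh passkey for every pairing: the method only resists an active MITM when the attacker does not already know the passkey. An IoT device with a fixed PIN printed on a label gives that attacker one observed pairing to learn it, after which Passkey Entry offers no more MITM protection than Just Works.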
Our goal is to cover common IoT Wi-Fi and BT implementations. Usually devices will act as an AP to onboard onto a network, act as a gateway for sensor devices communicating with the internet via BT/ZigBee, or require BT pairing in combination with Wi-Fi for management functionality.
Not sure if we should add specifics around LTK or LK based on BLURtooth, but it may not be prevalent in IoT since this is specific to dual-mode devices.
WPA3 support is not widely used in IoT AFAIK. Could be too early to add requirements until industry adoption. Interested in hearing benefits and use cases.
Looking forward to your additions.