25/4/2024
Use of easily brute-forced, publicly available, or unchangeable credentials, including backdoors in firmware, grants unauthorized access to systems.
Unneeded or insecure services running on the device risk exposure to the internet and unauthorized remote control.
Insecure web, backend API, cloud, or mobile interfaces in the ecosystem surrounding the device: common issues include a lack of authentication and authorization, weak or missing encryption, and inadequate input and output filtering.
The device's firmware updates are insecure, lacking validation, encryption, rollback protection, and update notifications.
Using outdated or insecure software components, including OS customizations and third-party additions, can compromise the device.
Users' personal information stored on the device or within the ecosystem may be used insecurely, improperly, or without permission.
Sensitive data within the ecosystem lacks encryption or access control, whether at rest, in transit, or during processing.
Devices deployed in production lack security support, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.
Devices or systems are shipped with insecure default settings, or cannot be made more secure because operators are prevented from modifying configurations.
The lack of physical hardening measures allows potential attackers to gain sensitive information for future remote attacks or to take local control of the device.