IoT-Security-Verification-Standard-ISVS
L3 requirements for Bluetooth and Wifi aren't high enough
The suggestions for Bluetooth and Wifi are reasonable but for L3 I think they need to go further:
- WPA3 for Wifi.
- Minimum of Bluetooth 4.2 - improved security over 4.1 with Secure Connections. -- I can't find any reference to improved security for 5, 5.1 and 5.2.
- Recommendations on the different pairing models. I'm still researching this, but it seems the 6 digit PIN in SSP (Secure Simple Pairing) isn't particularly strong - ~~see tools like https://github.com/mikeryan/crackle/~~ Crackle only works on Legacy Pairing, not Secure Connections, see https://github.com/mikeryan/crackle/blob/master/FAQ.md#is-my-device-using-le-legacy-pairing-or-le-secure-connections
Notes (will tidy up).
WPA2:
- Use Management Frame Protection
- KRACK, October 2017
- Kr00k, August 2019
WPA3:
- Dragonblood, April 2019
Bluetooth 4.2 (December 2014) and up offer four pairing models, depending on HW capability: https://www.bluetooth.com/blog/bluetooth-pairing-part-1-pairing-feature-exchange/
- Just works.
  - Vulnerable to MITM.
- Numeric comparison. Both devices must have screens and input mechanisms. The user compares the 6 digit PIN displayed by both devices and confirms it's the same using an input mechanism.
- Passkey Entry.
  - Uses a 6 digit PIN that can be cracked.
- Out Of Band (OOB).
Bluetooth vulnerabilities:
- BlueBorne, April 2017
- Fixed Coordinate Invalid Curve Attack, July 2018
- Key Negotiation of Bluetooth Attack, August 2019
  - https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/statement-key-negotiation-of-bluetooth/
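As an added illustration (not code from the ISVS project or from this thread) of how the pairing-model and Secure Connections points above could be checked during verification, the Python below parses the two SMP pairing PDUs of a captured BLE pairing, derives the association model from the IO capabilities, OOB flag and AuthReq bits as laid out in Bluetooth Core Spec Vol 3 Part H 2.3.5.1, and flags Legacy Pairing, Just Works and a negotiated key size below 16 bytes. The sample PDUs are constructed, and the L3 bar it checks against (Secure Connections, no Just Works, full-size key) is the one proposed in this issue.

```python
# Added example (not ISVS code): classify a BLE pairing from its SMP Pairing
# Request/Response PDUs and check it against the proposed L3 bar (Core Spec Vol 3 Part H).
IO_CAPS = {0: "DisplayOnly", 1: "DisplayYesNo", 2: "KeyboardOnly",
           3: "NoInputNoOutput", 4: "KeyboardDisplay"}
MITM_BIT, SC_BIT = 0x04, 0x08  # AuthReq bits 2 (MITM) and 3 (Secure Connections)

def parse_smp(pdu: bytes) -> dict:
    """Parse a 7-byte Pairing Request (0x01) or Pairing Response (0x02) PDU."""
    if len(pdu) != 7 or pdu[0] not in (0x01, 0x02):
        raise ValueError("not an SMP Pairing Request/Response PDU")
    return {"io": IO_CAPS[pdu[1]], "oob": pdu[2] == 1, "max_key_size": pdu[4],
            "mitm": bool(pdu[3] & MITM_BIT), "sc": bool(pdu[3] & SC_BIT)}

def pairing_model(req: dict, rsp: dict) -> tuple:
    """Return (pairing type, association method) the two PDUs negotiate."""
    sc = req["sc"] and rsp["sc"]  # Secure Connections only if both sides set the bit
    kind = "LE Secure Connections" if sc else "LE Legacy Pairing"
    # OOB: SC uses it if either side has OOB data, legacy only if both do
    if (sc and (req["oob"] or rsp["oob"])) or (not sc and req["oob"] and rsp["oob"]):
        return kind, "Out Of Band"
    if not (req["mitm"] or rsp["mitm"]):  # nobody asked for MITM protection
        return kind, "Just Works"
    a, b = req["io"], rsp["io"]
    if "NoInputNoOutput" in (a, b) or (
            {a, b} <= {"DisplayOnly", "DisplayYesNo"} and not a == b == "DisplayYesNo"):
        return kind, "Just Works"
    if "KeyboardOnly" in (a, b) or "DisplayOnly" in (a, b):
        return kind, "Passkey Entry"
    if sc:  # both sides are DisplayYesNo or KeyboardDisplay
        return kind, "Numeric Comparison"
    return kind, ("Just Works" if a == b == "DisplayYesNo" else "Passkey Entry")

def assess(req_pdu: bytes, rsp_pdu: bytes) -> dict:
    """Flag gaps against the proposed L3 requirement for one captured pairing."""
    req, rsp = parse_smp(req_pdu), parse_smp(rsp_pdu)
    kind, method = pairing_model(req, rsp)
    findings = []
    if kind != "LE Secure Connections":
        findings.append("legacy pairing, not Secure Connections (see crackle FAQ)")
    if method == "Just Works":
        findings.append("Just Works gives no MITM protection")
    if min(req["max_key_size"], rsp["max_key_size"]) < 16:
        findings.append("negotiated key size under 16 bytes (KNOB-style entropy cut)")
    return {"pairing": kind, "method": method, "findings": findings}

# Constructed sample PDUs: code, IO cap, OOB flag, AuthReq, max key size, key dist x2
SC_REQ = bytes([0x01, 0x04, 0x00, 0x0D, 0x10, 0x01, 0x01])      # KeyboardDisplay, MITM|SC
SC_RSP = bytes([0x02, 0x01, 0x00, 0x0D, 0x10, 0x01, 0x01])      # DisplayYesNo, MITM|SC
LEGACY_REQ = bytes([0x01, 0x03, 0x00, 0x01, 0x10, 0x01, 0x01])  # NoInputNoOutput, bonding
LEGACY_RSP = bytes([0x02, 0x03, 0x00, 0x01, 0x07, 0x01, 0x01])  # ...and 7-byte key size
```

`assess(SC_REQ, SC_RSP)` comes back clean with Numeric Comparison, while `assess(LEGACY_REQ, LEGACY_RSP)` reports all three findings.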
Our goal is to cover common IoT Wi-Fi and BT implementations. Usually devices will act as an AP to onboard onto a network, act as a gateway to sensor devices communicating to the internet via BT/ZigBee, or require BT pairing in combination with Wi-Fi for management functionality.
Not sure if we should add specifics around LTK or LK based on BLURtooth but it may not be prevalent in IoT since this is specific to dual mode devices.
WPA3 support is not widely used in IoT AFAIK. Could be too early to add requirements until industry adoption. Interested in hearing benefits and use cases.
Looking forward to your additions.