owasp-iot-top-10

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

OWASP IoT Top 10

This skill encodes the OWASP IoT Top 10 for secure IoT device and ecosystem design and review. References are loaded per risk. Based on OWASP IoT Top 10 2018.

本Skill整合了OWASP IoT Top 10内容，用于指导安全的IoT设备及生态系统设计与评审。针对每类风险都提供了参考资料，基于2018版OWASP IoT Top 10制定。

When to Read Which Reference

何时查阅对应参考资料

Risk	Read
I1 Weak, Guessable, or Hardcoded Passwords	references/i1-weak-passwords.md
I2 Insecure Network Services	references/i2-insecure-network-services.md
I3 Insecure Ecosystem Interfaces	references/i3-insecure-ecosystem-interfaces.md
I4 Lack of Secure Update Mechanism	references/i4-secure-update-mechanism.md
I5 Using Insecure or Outdated Components	references/i5-outdated-components.md
I6 Insecure Data Transfer and Storage	references/i6-insecure-data-transfer-storage.md
I7 Absence of Device Management	references/i7-device-management.md
I8 Insecure Default Settings	references/i8-insecure-default-settings.md
I9 Lack of Physical Hardening	references/i9-physical-hardening.md
I10 Insufficient Privacy Protection	references/i10-privacy-protection.md

风险项	查阅链接
I1 弱口令、易猜测或硬编码密码	references/i1-weak-passwords.md
I2 不安全的网络服务	references/i2-insecure-network-services.md
I3 不安全的生态系统接口	references/i3-insecure-ecosystem-interfaces.md
I4 缺乏安全更新机制	references/i4-secure-update-mechanism.md
I5 使用不安全或过时组件	references/i5-outdated-components.md
I6 不安全的数据传输与存储	references/i6-insecure-data-transfer-storage.md
I7 缺乏设备管理机制	references/i7-device-management.md
I8 不安全的默认设置	references/i8-insecure-default-settings.md
I9 缺乏物理加固	references/i9-physical-hardening.md
I10 隐私保护不足	references/i10-privacy-protection.md

Quick Patterns

快速实践准则

Eliminate default/hardcoded passwords; use secure update with signing; minimize exposed network services. Encrypt data in transit and at rest; support device lifecycle and decommissioning. Harden physically and protect user privacy.

消除默认/硬编码密码；使用带签名的安全更新；最小化暴露的网络服务。加密传输中及存储中的数据；支持设备生命周期管理与退役流程。进行物理加固并保护用户隐私。

Quick Reference / Examples

快速参考/示例

Task	Approach
Eliminate default passwords	Force password change on first use; generate unique per-device. See I1.
Secure updates	Sign firmware, verify before install, support rollback. See I4.
Minimize attack surface	Disable unused services, close unnecessary ports. See I2.
Encrypt data	TLS for transit, AES for storage, secure key storage. See I6.
Physical hardening	Disable debug interfaces (JTAG/UART), tamper detection. See I9.

Safe - firmware signature verification (pseudocode):

bool verify_firmware(uint8_t* firmware, size_t len, uint8_t* signature) {
    // Verify Ed25519 signature with embedded public key
    return ed25519_verify(signature, firmware, len, VENDOR_PUBLIC_KEY);
}
// Only install if verify_firmware() returns true

Unsafe - no update verification:

void install_firmware(uint8_t* firmware) {
    flash_write(firmware);  // No signature check - accepts malicious updates
}

Unique per-device credentials (manufacturing):

python

undefined

任务	实现方法
消除默认密码	强制首次使用时修改密码；为每个设备生成唯一密码。详见I1。
安全更新	对固件进行签名，安装前验证签名，支持回滚机制。详见I4。
最小化攻击面	禁用未使用的服务，关闭不必要的端口。详见I2。
数据加密	传输时使用TLS，存储时使用AES，确保密钥安全存储。详见I6。
物理加固	禁用调试接口（JTAG/UART），添加篡改检测机制。详见I9。

安全示例 - 固件签名验证（伪代码）：

bool verify_firmware(uint8_t* firmware, size_t len, uint8_t* signature) {
    // Verify Ed25519 signature with embedded public key
    return ed25519_verify(signature, firmware, len, VENDOR_PUBLIC_KEY);
}
// Only install if verify_firmware() returns true

不安全示例 - 无更新验证：

void install_firmware(uint8_t* firmware) {
    flash_write(firmware);  // No signature check - accepts malicious updates
}

每设备唯一凭证（生产阶段）：

python

undefined

During manufacturing, generate and store unique credentials

device_password = secrets.token_urlsafe(16) store_in_secure_element(device_id, device_password)

undefined

device_password = secrets.token_urlsafe(16) store_in_secure_element(device_id, device_password)

undefined

Workflow

工作流程

Load the reference for the risk you are addressing. See OWASP IoT Top 10 for the official list.

针对你正在处理的风险，加载对应的参考资料。官方列表可查看OWASP IoT Top 10。