# OWASP IoT Top 10

Skill: `owasp-iot-top-10` (`SKILL.md`)
This skill encodes the OWASP IoT Top 10 for secure IoT device and ecosystem design and review. References are loaded per risk. Based on OWASP IoT Top 10 2018.
## When to Read Which Reference

| Risk | Read |
|---|---|
| I1 Weak, Guessable, or Hardcoded Passwords | references/i1-weak-passwords.md |
| I2 Insecure Network Services | references/i2-insecure-network-services.md |
| I3 Insecure Ecosystem Interfaces | references/i3-insecure-ecosystem-interfaces.md |
| I4 Lack of Secure Update Mechanism | references/i4-secure-update-mechanism.md |
| I5 Using Insecure or Outdated Components | references/i5-outdated-components.md |
| I6 Insecure Data Transfer and Storage | references/i6-insecure-data-transfer-storage.md |
| I7 Absence of Device Management | references/i7-device-management.md |
| I8 Insecure Default Settings | references/i8-insecure-default-settings.md |
| I9 Lack of Physical Hardening | references/i9-physical-hardening.md |
| I10 Insufficient Privacy Protection | references/i10-privacy-protection.md |
## Quick Patterns

- Eliminate default/hardcoded passwords; use secure update with signing; minimize exposed network services.
- Encrypt data in transit and at rest; support device lifecycle and decommissioning.
- Harden physically and protect user privacy.
## Quick Reference / Examples

| Task | Approach |
|---|---|
| Eliminate default passwords | Force password change on first use; generate unique per-device. See I1. |
| Secure updates | Sign firmware, verify before install, support rollback. See I4. |
| Minimize attack surface | Disable unused services, close unnecessary ports. See I2. |
| Encrypt data | TLS for transit, AES for storage, secure key storage. See I6. |
| Physical hardening | Disable debug interfaces (JTAG/UART), tamper detection. See I9. |
Safe - firmware signature verification (pseudocode):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* ed25519_verify() comes from the device's crypto library; VENDOR_PUBLIC_KEY is the
 * vendor's public key held in immutable storage (ROM/OTP), not in the updatable image. */
bool verify_firmware(const uint8_t *firmware, size_t len, const uint8_t *signature) {
    // Verify Ed25519 signature with embedded public key
    return ed25519_verify(signature, firmware, len, VENDOR_PUBLIC_KEY);
}
// Only install if verify_firmware() returns true
```

Unsafe - no update verification:

```c
void install_firmware(uint8_t *firmware) {
    flash_write(firmware); // No signature check - accepts malicious updates
}
```
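The pseudocode above shows only the signature primitive. A complete update check also has to bind the signature to a version (OWASP I4 lists missing anti-rollback as part of this risk) and to the exact payload bytes that will be flashed. The following is an added example, not code from the skill or from OWASP: a Go program with both sides of the flow, the build-server step that signs a small manifest (version plus SHA-256 of the payload) with Ed25519, and the device-side check that verifies the manifest signature, rejects downgrades, and confirms the payload hash before anything is written. The manifest layout, the `BuildImage`/`VerifyImage` names and the sample payload are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed metadata shipped with a firmware image.
// Because the signature covers Version and PayloadHash, neither the payload
// nor the version can be altered without invalidating it.
// (Constructed layout for this example, not a real vendor format.)
type Manifest struct {
	Version     uint32
	PayloadHash [sha256.Size]byte
}

// Image is what the device receives over the update channel.
type Image struct {
	Manifest  Manifest
	Signature []byte
	Payload   []byte
}

// manifestBytes serialises the manifest deterministically so signer and
// verifier hash identical bytes.
func manifestBytes(m Manifest) []byte {
	buf := make([]byte, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.PayloadHash[:])
	return buf
}

// BuildImage is the vendor-side (build server) step. The private key stays
// on the build infrastructure; only the public key is baked into devices.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) Image {
	m := Manifest{Version: version, PayloadHash: sha256.Sum256(payload)}
	return Image{
		Manifest:  m,
		Signature: ed25519.Sign(priv, manifestBytes(m)),
		Payload:   payload,
	}
}

var (
	ErrBadSignature = errors.New("firmware: manifest signature invalid")
	ErrRollback     = errors.New("firmware: version not newer than installed (anti-rollback)")
	ErrPayloadHash  = errors.New("firmware: payload does not match signed hash")
)

// VerifyImage is the device-side check, run before any flash write.
// vendorPub is the key in immutable storage; installedVersion comes from a
// tamper-resistant counter so a downgrade to a vulnerable release is refused.
func VerifyImage(vendorPub ed25519.PublicKey, installedVersion uint32, img Image) error {
	// 1. Authenticity: the small manifest is checked first, before touching the payload.
	if !ed25519.Verify(vendorPub, manifestBytes(img.Manifest), img.Signature) {
		return ErrBadSignature
	}
	// 2. Anti-rollback: version must strictly increase.
	if img.Manifest.Version <= installedVersion {
		return ErrRollback
	}
	// 3. Integrity: the payload must be the one the vendor signed.
	got := sha256.Sum256(img.Payload)
	if !bytes.Equal(got[:], img.Manifest.PayloadHash[:]) {
		return ErrPayloadHash
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the vendor key pair
	if err != nil {
		panic(err)
	}
	img := BuildImage(priv, 2, []byte("constructed firmware payload v2"))

	fmt.Println("genuine image on v1 device:", VerifyImage(pub, 1, img))
	tampered := img
	tampered.Payload = []byte("modified payload")
	fmt.Println("tampered payload:", VerifyImage(pub, 1, tampered))
	fmt.Println("same version again (downgrade/replay):", VerifyImage(pub, 2, img))
}
```

The order of checks matters on a constrained device: the signature over the 36-byte manifest is verified before the (possibly large) payload is hashed, and the version check happens before the payload is trusted, so a replayed old image is rejected without any flash activity.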
Unique per-device credentials (manufacturing):

```python
import secrets

# During manufacturing, generate and store unique credentials
device_password = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG, URL-safe text
# device_id and store_in_secure_element() are provided by the provisioning tooling
store_in_secure_element(device_id, device_password)
```
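Generating a random credential is the first half of I1; the table above also asks for a forced password change on first use, and I8 asks that the factory state not be usable as-is. The following is an added example, not code from the skill or from OWASP, showing both halves in Go: `Provision` produces a unique 128-bit credential per unit and stores only a salted verifier on the device, `Authenticate` compares in constant time and refuses service until the factory credential has been rotated, and `Rotate` requires proof of the current credential before accepting a replacement. The `Account` layout, function names, device id and passphrases are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Account is the per-device record kept on the device. The factory credential
// is delivered out of band (printed label, or the secure element for machine
// identities); the device stores only Salt and Verifier, so a storage dump
// does not yield the password. (Constructed layout for this example.)
type Account struct {
	DeviceID   string
	Salt       []byte
	Verifier   []byte // SHA-256(salt || credential)
	MustRotate bool   // true until the factory credential has been replaced
}

var (
	ErrBadCredential    = errors.New("auth: invalid credential")
	ErrRotationRequired = errors.New("auth: factory credential must be changed before use")
	ErrWeakPassword     = errors.New("auth: new password too short or unchanged")
)

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// deriveVerifier uses salted SHA-256. That is adequate for the 128-bit random
// factory credential; for the user-chosen replacement a production build would
// use a slow KDF (Argon2/bcrypt from golang.org/x/crypto), left out here to keep
// the example dependency-free.
func deriveVerifier(salt []byte, credential string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(credential))
	return h.Sum(nil)
}

// Provision runs once per unit on the manufacturing line. It returns the record
// the device stores and the plaintext credential, which is written to the label
// or secure element and then discarded by the line tooling.
func Provision(deviceID string) (Account, string, error) {
	secret, err := randomBytes(16)
	if err != nil {
		return Account{}, "", err
	}
	salt, err := randomBytes(16)
	if err != nil {
		return Account{}, "", err
	}
	cred := base64.RawURLEncoding.EncodeToString(secret)
	acct := Account{DeviceID: deviceID, Salt: salt, Verifier: deriveVerifier(salt, cred), MustRotate: true}
	return acct, cred, nil
}

// Authenticate compares verifiers in constant time and refuses normal service
// while the factory credential is still in place (forces the first-use change).
func Authenticate(acct Account, presented string) error {
	if !hmac.Equal(deriveVerifier(acct.Salt, presented), acct.Verifier) {
		return ErrBadCredential
	}
	if acct.MustRotate {
		return ErrRotationRequired
	}
	return nil
}

// Rotate replaces the credential after the caller proves knowledge of the current
// one; a fresh salt is drawn and the rotation flag is cleared.
func Rotate(acct Account, current, next string) (Account, error) {
	if !hmac.Equal(deriveVerifier(acct.Salt, current), acct.Verifier) {
		return acct, ErrBadCredential
	}
	if len(next) < 12 || next == current {
		return acct, ErrWeakPassword
	}
	salt, err := randomBytes(16)
	if err != nil {
		return acct, err
	}
	acct.Salt, acct.Verifier, acct.MustRotate = salt, deriveVerifier(salt, next), false
	return acct, nil
}

func main() {
	acct, factoryCred, err := Provision("dev-0001") // constructed device id
	if err != nil {
		panic(err)
	}
	fmt.Println("first login with factory credential:", Authenticate(acct, factoryCred))
	acct, err = Rotate(acct, factoryCred, "owner-chosen-passphrase")
	fmt.Println("rotate:", err)
	fmt.Println("login after rotation:", Authenticate(acct, "owner-chosen-passphrase"))
	fmt.Println("factory credential after rotation:", Authenticate(acct, factoryCred))
}
```

Two properties are worth checking in review: no two units ever share a credential (each `Provision` call draws fresh randomness), and the factory credential is useless for anything other than performing the rotation, which is what removes the window in which a device with default settings is reachable.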
## Workflow

Load the reference for the risk you are addressing. See OWASP IoT Top 10 for the official list.
Repository: yariv1025/skills
First seen: Feb 15, 2026