owasp-iot-top-10

OWASP IoT Top 10 - prevention, detection, and remediation for IoT device and ecosystem security. Use when designing or reviewing IoT devices - passwords, network services, ecosystem interfaces, secure updates, components, data transfer/storage, device management, default settings, physical hardening, privacy.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "owasp-iot-top-10" with this command: npx skills add yariv1025/skills/yariv1025-skills-owasp-iot-top-10

OWASP IoT Top 10

This skill encodes the OWASP IoT Top 10 for secure IoT device and ecosystem design and review. References are loaded per risk. Based on OWASP IoT Top 10 2018.

When to Read Which Reference

Risk | Read
I1 Weak, Guessable, or Hardcoded Passwords | references/i1-weak-passwords.md
I2 Insecure Network Services | references/i2-insecure-network-services.md
I3 Insecure Ecosystem Interfaces | references/i3-insecure-ecosystem-interfaces.md
I4 Lack of Secure Update Mechanism | references/i4-secure-update-mechanism.md
I5 Using Insecure or Outdated Components | references/i5-outdated-components.md
I6 Insecure Data Transfer and Storage | references/i6-insecure-data-transfer-storage.md
I7 Absence of Device Management | references/i7-device-management.md
I8 Insecure Default Settings | references/i8-insecure-default-settings.md
I9 Lack of Physical Hardening | references/i9-physical-hardening.md
I10 Insufficient Privacy Protection | references/i10-privacy-protection.md

Quick Patterns

  • Eliminate default/hardcoded passwords; use secure update with signing; minimize exposed network services.
  • Encrypt data in transit and at rest; support device lifecycle and decommissioning.
  • Harden physically and protect user privacy.

Quick Reference / Examples

Task | Approach
Eliminate default passwords | Force password change on first use; generate unique per-device. See I1.
Secure updates | Sign firmware, verify before install, support rollback. See I4.
Minimize attack surface | Disable unused services, close unnecessary ports. See I2.
Encrypt data | TLS for transit, AES for storage, secure key storage. See I6.
Physical hardening | Disable debug interfaces (JTAG/UART), tamper detection. See I9.

Safe - firmware signature verification (pseudocode):

#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

// Pseudocode: ed25519_verify() and VENDOR_PUBLIC_KEY stand for the device's
// crypto library and the vendor key provisioned at manufacturing.
bool verify_firmware(const uint8_t* firmware, size_t len, const uint8_t* signature) {
    // Verify Ed25519 signature with embedded public key
    return ed25519_verify(signature, firmware, len, VENDOR_PUBLIC_KEY);
}
// Only install if verify_firmware() returns true

Unsafe - no update verification:

void install_firmware(uint8_t* firmware) {
    flash_write(firmware);  // No signature check - accepts malicious updates
}
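The two snippets above show only the verify call and its absence. The following is an added example (not part of this skill or of OWASP's material) that carries the "Secure updates" row of the table through in working code: a signed image format, Ed25519 verification before anything is written to flash, and an anti-rollback check so a correctly signed but older release is also rejected. Go is used because its standard library ships Ed25519; the image layout, the `Device` type and the `SignImage` build step are constructed for this example, not a real vendor format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout (constructed for this example, not a real vendor format):
//   magic[4] | version uint32 BE | payloadLen uint32 BE | payload | sig[64]
// The signature covers header + payload, so the version field cannot be
// altered to sneak past the rollback check without breaking the signature.
const headerLen = 12

var magic = []byte("FWv1")

var (
	ErrBadFormat    = errors.New("firmware: malformed image")
	ErrBadSignature = errors.New("firmware: signature verification failed")
	ErrRollback     = errors.New("firmware: image older than installed version")
)

// Device is the updater's state: the vendor public key provisioned at
// manufacturing, the installed version, and a stand-in for flash.
type Device struct {
	VendorKey ed25519.PublicKey
	Version   uint32
	Flash     []byte
}

// Verify checks structure, signature and anti-rollback. The payload is
// returned only when every check passes; nothing is trusted before that.
func Verify(pub ed25519.PublicKey, installed uint32, image []byte) (uint32, []byte, error) {
	if len(image) < headerLen+ed25519.SignatureSize || !bytes.Equal(image[:4], magic) {
		return 0, nil, ErrBadFormat
	}
	version := binary.BigEndian.Uint32(image[4:8])
	payloadLen := binary.BigEndian.Uint32(image[8:12])
	signedLen := headerLen + int(payloadLen)
	if signedLen+ed25519.SignatureSize != len(image) {
		return 0, nil, ErrBadFormat
	}
	signed, sig := image[:signedLen], image[signedLen:]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSignature
	}
	// Anti-rollback: an attacker who captured an old, validly signed
	// release must not be able to reinstall its known vulnerabilities.
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, signed[headerLen:], nil
}

// Install is the "Safe" pattern: flash is written only after Verify passes.
func (d *Device) Install(image []byte) error {
	version, payload, err := Verify(d.VendorKey, d.Version, image)
	if err != nil {
		return err
	}
	d.Flash = append([]byte(nil), payload...)
	d.Version = version
	return nil
}

// SignImage is the vendor build step. It runs on signing infrastructure,
// never on the device, which holds only the public key.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	signed := append(hdr, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	dev := &Device{VendorKey: pub, Version: 1}
	fmt.Println("install v2:", dev.Install(SignImage(priv, 2, []byte("app v2"))), "version:", dev.Version)
	tampered := SignImage(priv, 3, []byte("app v3"))
	tampered[headerLen] ^= 0xff // flip one payload byte after signing
	fmt.Println("tampered:", dev.Install(tampered))
	fmt.Println("downgrade:", dev.Install(SignImage(priv, 1, []byte("app v1"))))
}
```

The version is checked only after the signature, and the installed version is updated only after a successful write; a real bootloader would additionally persist the version in monotonic or write-once storage so the rollback floor itself cannot be reset.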

Unique per-device credentials (manufacturing):

import secrets

# During manufacturing, generate and store unique credentials per device.
# store_in_secure_element() is a placeholder for the factory provisioning step.
device_password = secrets.token_urlsafe(16)  # 128 bits of randomness
store_in_secure_element(device_id, device_password)
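The snippet above stops at generating the credential. The following added example (not the skill's own code) completes the "Eliminate default passwords" row of the table: a unique random credential per device, stored on the device only as a salted PBKDF2-HMAC-SHA256 hash, with a flag that forces a change on first login so the factory credential never stays in service. Go is used for consistency with the update example; the `CredentialRecord` type, the 12-character minimum and the inline PBKDF2 are constructed for this example, and `Provision` returning the credential stands in for printing it once on the device label.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// CredentialRecord is what the factory writes into protected storage:
// never the password itself, only a salted hash plus a first-use flag.
type CredentialRecord struct {
	DeviceID   string
	Salt       []byte
	Hash       []byte
	Iterations int
	MustChange bool
}

var (
	ErrBadCredential = errors.New("authentication failed")
	ErrWeakPassword  = errors.New("new password too short")
)

// NewDeviceCredential returns 128 bits of randomness, URL-safe encoded,
// the same shape as secrets.token_urlsafe(16).
func NewDeviceCredential() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) for one 32-byte block, written out so
// the example needs only the standard library. Production firmware should
// use a vetted implementation (and a memory-hard KDF where resources allow).
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// Provision creates the factory record for one device and hands back the
// credential exactly once so it can be put on the label.
func Provision(deviceID string, iterations int) (CredentialRecord, string, error) {
	cred, err := NewDeviceCredential()
	if err != nil {
		return CredentialRecord{}, "", err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return CredentialRecord{}, "", err
	}
	rec := CredentialRecord{DeviceID: deviceID, Salt: salt, Iterations: iterations,
		Hash: pbkdf2SHA256([]byte(cred), salt, iterations), MustChange: true}
	return rec, cred, nil
}

// Authenticate compares in constant time and tells the caller whether a
// password change is required before any other operation is allowed.
func (r *CredentialRecord) Authenticate(password string) (mustChange bool, err error) {
	h := pbkdf2SHA256([]byte(password), r.Salt, r.Iterations)
	if subtle.ConstantTimeCompare(h, r.Hash) != 1 {
		return false, ErrBadCredential
	}
	return r.MustChange, nil
}

// ChangePassword retires the factory credential with a fresh salt and
// clears the first-use flag.
func (r *CredentialRecord) ChangePassword(current, next string) error {
	if _, err := r.Authenticate(current); err != nil {
		return err
	}
	if len(next) < 12 {
		return ErrWeakPassword
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	r.Salt, r.Hash, r.MustChange = salt, pbkdf2SHA256([]byte(next), salt, r.Iterations), false
	return nil
}

func main() {
	rec, cred, _ := Provision("SN-000123", 10000) // constructed device id
	fmt.Println("label credential:", cred)
	mustChange, err := rec.Authenticate(cred)
	fmt.Println("first login must change:", mustChange, "err:", err)
	fmt.Println("change:", rec.ChangePassword(cred, "correct-horse-battery"))
	_, err = rec.Authenticate(cred)
	fmt.Println("factory credential after change:", err)
}
```

Because every device gets its own salt and credential, a dump of one device's storage reveals nothing usable against another, and the `MustChange` flag turns the label credential into a one-time bootstrap rather than a lasting default.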

Workflow

Load the reference for the risk you are addressing. See OWASP IoT Top 10 for the official list.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
