IoT risk vector | Quantitative weightage (W) | Risk score (S) | Rank = W × S | Description/implication |
---|---|---|---|---|
IoT device does not have a unique built-in identifier | 75 | 0.8 | 60 (medium) | Remote access and vulnerability management are affected |
IoT device’s external dependencies are not revealed by the manufacturer | 60 | 0.7 | 42 (medium) | Managing the risk of external software and services is not possible |
Patches or upgrades for the IoT device are not released by the manufacturer | 50 | 0.6 | 30 (low) | Known vulnerabilities cannot be removed |
IoT device is not capable of having its software patched or upgraded | 60 | 0.6 | 36 (medium) | Known vulnerabilities cannot be removed |
No vulnerability scanner that can run on or against the IoT device | 60 | 0.6 | 36 (medium) | Cannot automatically identify known vulnerabilities |
The IoT device does not support the concealment of displayed password characters | 80 | 0.7 | 56 (medium) | Increases the likelihood of credential theft |
The IoT device does not support strong credentials (cryptographic tokens or multifactor authentication) | 95 | 0.9 | 85 (high) | Tampering through credential misuse is possible |
The IoT device does not support an enterprise user authentication system | 90 | 0.8 | 72 (medium) | Each user needs more credentials |
The IoT device is not able to log its operational and security events | 70 | 0.6 | 42 (medium) | Probability of detecting malicious activities is very low |