Introduction

Even in traditional web app testing, we could write an entire book about authentication/authorization, and when the interfaces that control a device are obscured a bit more, the problem does not go away with them. In web apps we would speak of weak passwords, but the same goes for SSH or any other type of authentication (including, and especially, custom-written code).

Overview

Threat Agents: We have to consider both internal and external threat agents for this vulnerability.
Attack vectors: This vulnerability covers several issues: default passwords, weak passwords that are easy to guess or brute-force, password reset vulnerabilities, and the different levels of authorization.
Security Weakness: This vulnerability type can occur in several ways. The lowest-hanging fruit is insecure passwords, but that is far from the only issue. Password reset mechanisms may contain flaws that are exploitable to gain access to internal interfaces. When an attacker does get access to a system, they should be stopped by allowing accounts access only to the settings they should have access to and by disabling any admin accounts.
Technical impact: Besides the obvious device takeover, we need to consider that data might get corrupted or lost, or that we can even get locked out of our own devices.
Business impact: Besides the harm to the customer, serious harm to the image of a brand can occur.
Exploitability: Average
Prevalence: Common
Detectability: Easy
Impact: Severe
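
The following is an added example, not part of the original page: a Python audit of a device's account table for the issues listed in the overview (default or weak passwords, admin accounts left enabled, and settings granted beyond an account's role). The account layout, role and setting names, password storage scheme and default-password list are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data (assumptions): default-password list and role-to-settings map.
KNOWN_DEFAULTS = ["admin", "password", "12345678"]
ROLE_SETTINGS = {
    "viewer": {"read_status"},
    "operator": {"read_status", "set_schedule"},
    "admin": {"read_status", "set_schedule", "update_firmware", "manage_users"},
}

def hash_password(password, salt):
    # Salted PBKDF2-HMAC-SHA256; the storage scheme is assumed for this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(name, role, password, settings, enabled=True):
    salt = name.encode().ljust(16, b"\0")  # fixed salt only so the sample is reproducible
    return {"name": name, "role": role, "salt": salt, "enabled": enabled,
            "hash": hash_password(password, salt), "settings": set(settings)}

def audit_accounts(accounts):
    """Return sorted (account, finding) pairs for the weaknesses in the overview."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account cannot be used to log in
        # Default or easily guessed password still in place.
        for candidate in KNOWN_DEFAULTS:
            if hmac.compare_digest(hash_password(candidate, acct["salt"]), acct["hash"]):
                findings.append((acct["name"], "default-or-weak-password"))
                break
        # Admin account left enabled.
        if acct["role"] == "admin":
            findings.append((acct["name"], "admin-account-enabled"))
        # Settings granted beyond what the account's role should have.
        extra = acct["settings"] - ROLE_SETTINGS.get(acct["role"], set())
        if extra:
            findings.append((acct["name"], "excess-settings:" + ",".join(sorted(extra))))
    return sorted(findings)

# Constructed account table: one default admin, one clean operator,
# one over-privileged viewer, one disabled service account.
SAMPLE_ACCOUNTS = [
    make_account("admin", "admin", "admin", ROLE_SETTINGS["admin"]),
    make_account("alice", "operator", "T7#qLm2!vRx9", {"read_status", "set_schedule"}),
    make_account("guest", "viewer", "Xk4$pw9Zr!e2", {"read_status", "update_firmware"}),
    make_account("service", "admin", "12345678", ROLE_SETTINGS["admin"], enabled=False),
]
```

Calling `audit_accounts(SAMPLE_ACCOUNTS)` flags the `admin` account twice and the `guest` account once; the disabled `service` account is skipped even though it still carries a default password.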

Steps to secure yourself

The properties of a secure Authentication/Authorization

Conclusion