GSMA IoT Security Assessment Checklist
Description
CLP11_5
11.5 Risk Assessments
N/A
CLP11_6
11.6 Privacy Considerations
I6 Insufficient Privacy Protection
CLP11_7
11.7 Secure Development
I5 Use of Insecure or Outdated Components
CLP11_7.2
11.7.2 Review the current product or service’s Security Model
N/A
CLP12_5.1
5.1 Implement a Service Trusted Computing Base
I5 Use of Insecure or Outdated Components
CLP12_5.2
5.2 Define an Organizational Root of Trust
I7 Insecure Data Transfer and Storage
CLP12_5.3
5.3 Define a Bootstrap Method
I9 Insecure Default Settings
CLP12_5.4
5.4 Define a Security Infrastructure for Systems Exposed to the Public Internet
I2 Insecure Network Services I7 Insecure Data Transfer and Storage
CLP12_5.5
5.5 Define a Persistent Storage Model
I7 Insecure Data Transfer and Storage
CLP12_5.6
5.6 Define an Administration Model
I3 Insecure Ecosystem Interfaces I7 Insecure Data Transfer and Storage
CLP12_5.7
5.7 Define a Systems Logging and Monitoring Approach
I8 Lack of Device Management
CLP12_5.8
5.8 Define an Incident Response Model
I8 Lack of Device Management
CLP12_5.9
5.9 Define a Recovery Model
I8 Lack of Device Management
CLP12_5.10
5.10 Define a Sunsetting Model
I8 Lack of Device Management
CLP12_5.11
5.11 Define a Set of Security Classifications
I8 Lack of Device Management
CLP12_5.12
5.12 Define Classifications for Sets of Data Types
I6 Insufficient Privacy Protection
CLP12_6.1
6.1 Define a Clear Authorization Model
I1 Weak, Guessable, or Hardcoded Passwords I3 Insecure Ecosystem Interfaces
CLP12_6.2
6.2 Manage the Cryptographic Architecture
I3 Insecure Ecosystem Interfaces I7 Insecure Data Transfer and Storage
CLP12_6.3
6.3 Define a Communications Model
I2 Insecure Network Services I7 Insecure Data Transfer and Storage
CLP12_6.4
6.4 Use Network Authentication Services
I2 Insecure Network Services I7 Insecure Data Transfer and Storage
CLP12_6.5
6.5 Provision Servers Where Possible
I8 Lack of Device Management
CLP12_6.6
6.6 Define an Update Model
I4 Lack of Secure Update Mechanism
CLP12_6.7
6.7 Define a Breach Policy for Exposed Data
I6 Insufficient Privacy Protection
CLP12_6.8
6.8 Force Authentication Through the Service Ecosystem
I3 Insecure Ecosystem Interfaces
CLP12_6.9
6.9 Implement Input Validation
I3 Insecure Ecosystem Interfaces
CLP12_6.10
6.10 Implement Output Filtering
I3 Insecure Ecosystem Interfaces
CLP12_6.11
6.11 Enforce Strong Password Policy
I1 Weak, Guessable, or Hardcoded Passwords
CLP12_6.12
6.12 Define Application Layer Authentication and Authorization
I3 Insecure Ecosystem Interfaces
CLP12_6.13
6.13 Default-Open or Fail-Open Firewall Rules and System Hardening
I2 Insecure Network Services I3 Insecure Ecosystem Interfaces I8 Lack of Device Management
CLP12_6.14
6.14 Evaluate the Communications Privacy Model
I6 Insufficient Privacy Protection
CLP12_7.1
7.1 Define an Application Execution Environment
N/A
CLP12_7.2
7.2 Use Partner-Enhanced Monitoring Services
I8 Lack of Device Management
CLP12_7.3
7.3 Use a Private APN for Cellular Connectivity
N/A
CLP12_7.4
7.4 Define a Third-Party Data Distribution Policy
I6 Insufficient Privacy Protection I8 Lack of Device Management
CLP12_7.5
7.5 Build a Third-Party Data Filter
N/A
CLP12_8.1
8.1 Protect Against Rowhammer and Similar Attacks
N/A
CLP12_8.2
8.2 Protect Against Virtual Machine Compromises
N/A
CLP12_8.3
8.3 Build an API for Users to Control Privacy Attributes
I6 Insufficient Privacy Protection
CLP12_8.4
8.4 Define a False Negative/Positive Assessment Model
I9 Insecure Default Settings
CLP13_6.1
6.1 Implement an Endpoint Trusted Computing Base
I9 Insecure Default Settings
CLP13_6.2
6.2 Utilize a Trust Anchor
I9 Insecure Default Settings
CLP13_6.3
6.3 Use a Tamper Resistant Trust Anchor
I9 Insecure Default Settings
CLP13_6.4
6.4 Utilise an API for the TCB
I2 Insecure Network Services I9 Insecure Default Settings
CLP13_6.5
6.5 Defining an Organizational Root of Trust
I3 Insecure Ecosystem Interfaces I10 Lack of Physical Hardening
CLP13_6.6
6.6 Personalize Each Endpoint Device Prior to Fulfilment
I1 Weak, Guessable, or Hardcoded Passwords I9 Insecure Default Settings
CLP13_6.7
6.7 Minimum Viable execution Platform
I3 Insecure Ecosystem Interfaces
CLP13_6.8
6.8 Uniquely Provision Each Endpoint
I1 Weak, Guessable, or Hardcoded Passwords I9 Insecure Default Settings
CLP13_6.9
6.9 Endpoint Password Management
I1 Weak, Guessable, or Hardcoded Passwords
CLP13_6.10
6.10 Use a Proven Random Number Generator
I9 Insecure Default Settings
CLP13_6.11
6.11 Cryptographically Sign Application Images
I9 Insecure Default Settings
CLP13_6.12
6.12 Remote Endpoint Administration
I8 Lack of Device Management
CLP13_6.13
6.13 Logging and Diagnostics
I8 Lack of Device Management
CLP13_6.14
6.14 Enforce Memory Protection
N/A
CLP13_6.15
6.15 Secure Bootloaders
I9 Insecure Default Settings
CLP13_6.16
6.16 Locking Critical Sections of Memory
I7 Insecure Data Transfer and Storage I9 Insecure Default Settings
CLP13_6.18
6.18 Perfect Forward Secrecy
I7 Insecure Data Transfer and Storage
CLP13_6.19
6.19 Endpoint Communications Security
I2 Insecure Network Services I3 Insecure Ecosystem Interfaces I7 Insecure Data Transfer and Storage
CLP13_6.20
6.20 Authenticating an Endpoint Identity
I1 Weak, Guessable, or Hardcoded Passwords
CLP13_7.1
7.1 Use Internal Memory for Secrets
I7 Insecure Data Transfer and Storage
CLP13_7.2
7.2 Anomaly Detection
I8 Lack of Device Management
CLP13_7.3
7.3 Use Tamper Resistant Product Casing
I10 Lack of Physical Hardening
CLP13_7.4
7.4 Enforce Confidentiality and Integrity to/from the Trust Anchor
I9 Insecure Default Settings
CLP13_7.5
7.5 Over the Air Application Updates
I4 Lack of Secure Update Mechanism
CLP13_7.6
7.6 Improperly Engineered or Unimplemented Mutual Authentication
I1 Weak, Guessable, or Hardcoded Passwords I3 Insecure Ecosystem Interfaces
CLP13_7.8
7.8 Privacy and Unique Endpoint Identities
I3 Insecure Ecosystem Interfaces I6 Insufficient Privacy Protection
CLP13_7.9
7.9 Run Applications with Appropriate Privilege Levels
I3 Insecure Ecosystem Interfaces
CLP13_7.10
7.10 Enforce a Separation of Duties in the Application Architecture
I3 Insecure Ecosystem Interfaces
CLP13_7.11
7.11 Enforce Language Security
I5 Use of Insecure or Outdated Components
CLP13_7.12
7.12 Implement Persistent Pentesting
N/A
CLP13_8.1
8.1 Enforce Operating System Level Security Enhancements
I5 Use of Insecure or Outdated Components I9 Insecure Default Settings
CLP13_8.2
8.2 Disable Debugging and Testing Technologies
I9 Insecure Default Settings I10 Lack of Physical Hardening
CLP13_8.3
8.3 Tainted Memory via Peripheral-Based Attacks
I7 Insecure Data Transfer and Storage I9 Insecure Default Settings I10 I10 Lack of Physical Hardening
CLP13_8.4
8.4 User Interface Security
I3 Insecure Ecosystem Interfaces
CLP13_8.6
8.6 Utilize a Private APN
I9 Insecure Default Settings
CLP13_8.7
8.7 Implement Environmental Lock-Out Thresholds
I3 Insecure Ecosystem Interfaces
CLP13_8.8
8.8 Enforce Power Warning Thresholds
I10 Lack of Physical Hardening
CLP13_8.9
8.9 Environments Without Back-End Connectivity
I3 Insecure Ecosystem Interfaces I9 Insecure Default Settings
CLP13_8.10
8.10 Device Decommissioning and Sunsetting
I8 Lack of Device Management
CLP13_8.11
8.11 Unauthorized Metadata Harvesting
I6 Insufficient Privacy Protection
CLP13_9.1
9.1 Intentional and Unintentional Denial of Service
I2 Insecure Network Services I3 Insecure Ecosystem Interfaces I9 Insecure Default Settings
CLP13_9.2
9.2 Safety Critical Analysis
I8 Lack of Device Management
CLP13_9.3
9.3 Defeating Shadowed Components and Untrusted Bridges
I10 Lack of Physical Hardening
CLP13_9.4
9.4 Defeating a Cold Boot Attack
I10 Lack of Physical Hardening
CLP13_9.5
9.5 Non-Obvious Security Risks (Seeing Through Walls)
N/A
CLP13_9.6
9.6 Combating Focused Ion Beams and X-Rays
N/A
CLP13_9.7
9.7 Consider Supply Chain Security
I5 Use of Insecure or Outdated Components I10 Lack of Physical Hardening
Last updated