search

w3c / wot-security

a repo exclusively for security to better manage issues and security considerations for WoT
https://w3c.github.io/wot-security/
18 stars 22 forks source link

Feedback on section 3.2 Threat Model #235

Open simoneonofri opened 4 months ago

simoneonofri commented 4 months ago

During a discussion on Threat Modelling, where it was appreciated that we had public Threat Models, I received this feedback from Loren Kohnfelder.

I am just quoting it here, hoping that it will be useful:

3.2.1 WoT Primary Stakeholders: System User should include excessive bandwidth consumption, as well as device being bricked by OEM such as a bad update Denial of Service threats. 3.2.2 Assets: System Provider Data says Others: no access, but I would think System User needs readonly access to configuration data. 3.2.3 Adversaries: Disappointed to see the Careless OEM threat out of scope because today I think this is the biggest problem with connected devices. Also Careless System Provider. It seems that more transparent devices (see 3.2.2 comment) could help System Users see what's going on.

mmccool commented 2 months ago

Thanks, that is useful feedback! Regarding "Careless OEM" - there's also the "Malicious OEM"... we will have to think about what we can do here. But you're right, more transparency would help.

mmccool commented 2 months ago

Speaking of OEMs: https://foundation.mozilla.org/en/privacynotincluded/categories/smart-home/