During a discussion on Threat Modelling, where it was appreciated that we had public Threat Models, I received this feedback from Loren Kohnfelder.
I am just quoting it here, hoping that it will be useful:
3.2.1 WoT Primary Stakeholders: System User should include excessive bandwidth consumption, as well as device being bricked by OEM such as a bad update Denial of Service threats.
3.2.2 Assets: System Provider Data says Others: no access, but I would think System User needs readonly access to configuration data.
3.2.3 Adversaries: Disappointed to see the Careless OEM threat out of scope because today I think this is the biggest problem with connected devices. Also Careless System Provider. It seems that more transparent devices (see 3.2.2 comment) could help System Users see what's going on.
Thanks, that is useful feedback! Regarding "Careless OEM" - there's also the "Malicious OEM"... we will have to think about what we can do here. But you're right, more transparency would help.
During a discussion on Threat Modelling, where it was appreciated that we had public Threat Models, I received this feedback from Loren Kohnfelder.
I am just quoting it here, hoping that it will be useful: