URI: Co.C.CoPD.0
Package: IoT
Description: Data leakage at controller Controller: if the control input data for a controller leaks, it is modelled as a loss of confidentiality for the controller.
Threat Type: Secondary Threat
Matching Pattern:
Finds a Controller and its control input data, and optionally a human manager.
Data Data entered via Process leaks by shoulder surfing Human in space Space: if Human is not careful, someone with access to space Space could shoulder surf a session during which Human enters Data via the user interface of Process on host device Host.
Data Data entered via Process leaks by shoulder surfing Human in space Space: if Human is not careful, someone with access to space Space could shoulder surf a session in which Human enters Data via the user interface of Process accessed from remote access client RemoteAccessClient on host device Host.
Data Data sent from FlowsFrom to Process leaks by shoulder surfing Human in space Space: if Human is not careful, someone with access to space Space could shoulder surf a session during which Human views Data via the user interface of Process on host device Host.
Data Data displayed by Process leaks by shoulder surfing Human in space Space: if Human is not careful, someone with access to space Space could shoulder surf a session during which Human views Data via the user interface of Process on host device Host.
Data Data displayed by Process leaks by shoulder surfing Human in space Space: if Human is not careful, someone with access to space Space could shoulder surf a session during which Human views Data via the user interface of Process accessed from remote access client RemoteAccessClient on host device Host.
Use of Process to access Data stored on Host: someone with the rights of Process on its host device Host can exploit the rights of Process to read and serve the locally stored copy of Data.
Use of Process to access Data stored on Host: someone with the rights of Process on its host device Host can exploit the rights of Process to read and process the locally stored copy of Data.
Use of compromised key at Process to access Data stored on Host: someone with the rights of Process on its host device Host can access the local encrypted copy of data Data by using a cryptographic key assigned to Process allowing it to serve the data.
Use of admin privileges at Host to access stored data Data: anyone with admin rights at Host can read (unencrypted) copies of Data stored on the Host.
Use of user privileges at Host to access stored data Data: anyone with user privileges at Host can read copies of Data stored on the Host.
Compromised service Service reads the flow of data Data from FlowsFrom to FlowsTo sent from Client: if an attacker can compromise or impersonate service Service, they can read data in messages from Client.
Encrypted flow of data Data from FlowsFrom leaked to false client of compromised service Service: if service Service is compromised by an attacker, they can access its cryptographic key to decrypt data and accept a request for it from a false client acting as Client.
Flow of data Data from FlowsFrom to FlowsTo leaked to false client of compromised service Service: if service Service is compromised by an attacker, they can allow a false client to request data by acting as Client.
Compromised service Service reads the encrypted flow of Data from/via Client: if an attacker can compromise service Service, they can access its cryptographic key and read data Data flowing to Service from FlowsFrom.
Imposter posing as service Service intercepts flow of Data from FlowsFrom and FlowsTo sent by Client: if an attacker can impersonate service Service, they can intercept content in the flow of data Data between FlowsFrom and FlowsTo via the service and its client Client.
Snooped flow of data Data from FlowsFrom to FlowsTo between Client and Service: if communications between Client and Service are subject to snooping, the snooper could read data Data flowing from FlowsFrom to FlowsTo.
Compromised or impersonated client Client reads data Data flowing from FlowsFrom to FlowsTo when sent from Service: if an attacker can compromise or impersonate Client, they can read Data sent by FlowsFrom to FlowsTo in messages from Service.
Snooped flow of data Data from FlowsFrom to FlowsTo between Service and Client: if communications between Service and Client are subject to snooping, the snooper could read data Data flowing from FlowsFrom to FlowsTo.
Compromised client Client reads the encrypted flow of Data from/via Service: if an attacker can compromise client Client, they can access its cryptographic key and read data Data flowing to Client from FlowsFrom.
Flow of data from/via Process leaked to compromised client Client via confused deputy Service: if service Service does not send data Data to its client Client, it is still possible for the client to request the data flow using a confused deputy attack against Service. The attack itself is responsible for the upstream loss of DeputyUserTW (see threat causes).
Flow of data from/via Process leaked to compromised client Client via confused deputy Proxy: if client Client is compromised or impersonated, and does not receive data Data from its service Proxy, it is still possible to get the data indirectly using a confused deputy attack via Proxy and Service. The attack itself is responsible for the upstream loss of DeputyUserTW (see threat causes), in this case propagated by at least one reverse proxy.
Malicious query from Client via database Service leaks data Data: an attacker having the ability to send arbitrary queries to Service from or via Client injects a query to retrieve data Data. In this scenario, a selection query for Data would not be expected to come via Client, so the attack can be prevented using database access controls at Service.
Use of Process to access Data stored on Host: someone with the rights of Process on its host device Host, and able to obtain a key from Vault, can exploit the rights of Process to read the locally stored copy of Data.
Client Client on stolen host CHost reads the encrypted flow of Data from/via Service: if an attacker has possession of host CHost and can access client Client, they can access its cryptographic key and read data Data flowing to Client from FlowsFrom.
Physical access to data Data on stolen host Host: an attacker in possession of device PhysicalHost can physically transfer its storage media to another device to access data stored there.
Use of admin rights on stolen device Host to access stored data Data: if an attacker gains access to stolen device Host, they can read (unencrypted) copies of Data stored on the Host.
Use of Process to access Data stored on stolen device Host: if an attacker can access Process on stolen device Host, they can exploit the rights of Process to read and serve the locally stored copy of Data.
Use of Process to access Data on stolen device Host: if an attacker can access Process on stolen device Host, they can use the rights of Process to read a locally stored copy of Data.
Use of compromised key at Process to access Data stored on stolen device Host: if an attacker can access Process on stolen device Host, they can access the local encrypted copy of data Data by using a cryptographic key assigned to Process allowing it to serve the data.
Attacker exploit at Host accesses stored data Data: the attacker is able to exploit a vulnerability in device Host, gaining access to its stored copy of Data.
Attacker exploit at Process accesses Data: the attacker is able to exploit a vulnerability in process Process and gains access to the stored copy of Data on device Host which is served by the process.
Attacker exploit at Process accesses its input Data: the attacker is able to exploit a vulnerability in process Process, gaining access to the stored copy of Data used by the process on its host device Host.
        (empty)
LossOfConfidentiality at Role_Controller