Trustworthiness Attribute OwnerControl

URI: OwnerControl

Package: Theft

Description: A device or a process running on the device is still controlled by a trustworthy actor or process in some context after the device has been stolen by an attacker.

This attribute is undermined by the misbehaviour TheftOfControl

AccessContext	Model of access rights, restricted to specific contexts.
Host	A device that can store, process, transmit or receive data.
Process	Represents a process (usually implemented by software running on a Host) that can read, update or create data, or exchange data with other processes.

CC.AuC.CACHLSS.2

Client Client on stolen host CHost used to access Service via LogicalSubnet: if an attacker in possession of stolen device CHost can control the installed client Client when CHost is connected to LogicalSubnet, the attacker can use Client to access Service using a privileged network path, thus acting as a false (impersonated) client.

DF.Auth.AC-iDFVFC.2.6

Client Client on stolen host CHost injects fake content into the encrypted flow of Data via Service: if an attacker has possession of host CHost and can access client Client, they can access its cryptographic key and inject malicious content into the flow of Data from Client to FlowsTo.

DF.Auth.AC-iDF-VFC.2.6

DF.C.AC-iDFVTC.2.6

Client Client on stolen host CHost reads the encrypted flow of Data from/via Service: if an attacker has possession of host CHost and can access client Client, they can they can access its cryptographic key and read data Data flowing to Client from FlowsFrom.

DF.C.AC-iDF-VTC.2.6

DS.C.HDS-V.2.2

Use of admin rights on stolen device Host to access stored data Data: if an attacker gains access to stolen device Host, they can read (unencrypted) copies of Data stored on the Host.

DS.C.HPsACr-pDS-V.2

Use of Process to access Data stored on stolen device Host: if an attacker can access Process on stolen device Host, they can exploit the rights of Process to read and serve the locally stored copy of Data.

DS.C.HPsACrpDS-V.2

Use of Process to access Data on stolen device Host: if an attacker can access Process on stolen device Host, they can use the rights of Process to read a local stored copy of Data.

DS.C.HPsACr-pDS-V.2.6

Use of compromised key at Process to access Data stored on stolen device Host: if an attacker can access Process on stolen device Host, they can access the local encrypted copy of data Data by using a cryptographic key assigned to Process allowing it to serve the data.

H.M.MHHS.2.1

Reconnection of stolen device Host in Space: an attacker with possession of device MobileClient and access to Space can reconnect the device to networks accessible from that space.

H.M.PHdH.2

Control of host Host provisioned on stolen physical host PhysicalHost: if an attacker has access to admin rights on stolen device PhysicalHost, they can gain access to virtual host Host.

I.IS.INC.2

Access from stolen host Host to LogicalSubnet re-enabled: if an attacker gains access to stolen device Host, they can override a policy not to connect it to subnet LogicalSubnet.

LS.L.HL3S.2

Stolen host Host used to communicate on subnet LogicalSubnet: if an attacker gains access to stolen device Host, they can use it to send messages on LogicalSubnet.

P.IS.HP.2

Process Process re-enabled on stolen device Host: if an attacker gains access to stolen device Host, they can restart Process, overriding the policy to disable Process.

P.L.PMHHS.2.1

Use of Process by reconnecting stolen device Host to networks in Space: an attacker with possession of physical device MobileClient and access to Space can reconnect Host to networks accessible from Space and exploit their ability to control how Process makes use of that connectivity to access services.

P.L.SHP.2

Use of admin privilege at Host to control Process: someone with admin rights on stolen device Host can control process Process hosted by that device and use its privileges.