Security Threats & Mitigations
Potential Security Threats
ID | Label | STRIDE Attribute | Assets | Interactions | Attack potential vector/rating | Damage potential vector/rating | Risk Vector/Rating
---|---|---|---|---|---|---|---
T01 | Spoofing of Admin UI | Spoofing | Client credentials | Anyone → Web API | [exp:exp/acc:unl/tim:day/equ:std/kno:pub]/39 | [saf:hig/fin:ver/ope:nor]/10 | [spe:exp/acc:unl/equ:std/tim:day/kno:pub]/36
T02 | Node sniffing | Information Disclosure | Client credentials | Anyone → Web API | [exp:exp/acc:unl/tim:wee/equ:std/kno:pub]/37 | [saf:nor/fin:nor/ope:hig]/5 | [spe:exp/acc:unl/equ:std/tim:day/kno:pub]/36
T03 | Invalid package configuration injection | Tampering | Vehicle installed software state | Admin UI → Web API | [exp:mul/acc:mod/tim:wee/equ:std/kno:res]/26 | [saf:ver/fin:hig/ope:hig]/12 | [spe:mul/acc:mod/tim:wee/equ:std/kno:res]/19
T04 | Repudiation of vehicle SW configuration | Repudiation | Vehicle installed software state | Admin UI → Web API | [exp:mul/acc:eas/tim:wee/equ:spe/kno:sen]/23 | [saf:ver/fin:hig/ope:hig]/12 | [spe:mul/acc:eas/tim:wee/equ:spe/kno:sen]/15
T05 | Web API Denial of Service attack | Denial of service | Quality of Service | Anyone → Web API | [exp:lay/acc:unl/tim:hou/equ:std/kno:res]/29 | [saf:nor/fin:nor/ope:hig]/5 | [spe:lay/acc:unl/tim:hou/equ:std/kno:res]/41
T06 | Brute force password cracking | Elevation of Privilege | Access to vehicle data, vehicle installed software state | Admin UI → Web API | [exp:lay/acc:unl/tim:wee/equ:std/kno:pub]/31 | [saf:ver/fin:hig/ope:ver]/15 | [spe:lay/acc:unl/tim:wee/equ:std/kno:pub]/39
T07 | Spoofing of External Resolver | Spoofing | Vehicle installed software state | External Resolver → SOTA Server | [exp:mul/acc:eas/tim:wee/equ:spe/kno:sen]/23 | [saf:hig/fin:nor/ope:hig]/7 | [spe:mul/acc:eas/tim:wee/equ:spe/kno:sen]/15
T08 | Tampering of package dependencies | Tampering | Vehicle installed software state, vehicle software security | External Resolver → SOTA Server | [exp:mul/acc:eas/tim:wee/equ:spe/kno:sen]/23 | [saf:ver/fin:hig/ope:hig]/12 | [spe:mul/acc:eas/tim:wee/equ:spe/kno:sen]/15
T09 | Information leak of installed packages per VIN | Information Disclosure | Vehicle installed software state | External Resolver → SOTA Server | [exp:exp/acc:unl/tim:day/equ:std/kno:res]/35 | [saf:nor/fin:nor/ope:nor]/3 | [spe:exp/acc:unl/equ:std/tim:day/kno:res]/32
T10 | RVI node spoofing | Spoofing | Information on vehicle software state | SOTA Server → RVI Node | [exp:exp/acc:unl/tim:day/equ:std/kno:res]/35 | [saf:ver/fin:nor/ope:nor]/5 | [spe:exp/acc:unl/tim:day/equ:std/kno:sen]/28
T11 | Retrieving false package installation results | Tampering | Package information, software configuration per VIN | RVI Node → SOTA Server | [exp:exp/acc:unl/tim:day/equ:std/kno:sen]/31 | [saf:ver/fin:hig/ope:hig]/12 | [spe:exp/acc:unl/tim:day/equ:std/kno:sen]/28
T12 | Denying the installation of a software package | Repudiation | Vehicle software security | RVI Node → SOTA Server | [exp:exp/acc:unl/tim:day/equ:std/kno:sen]/31 | [saf:hig/fin:nor/ope:ver]/10 | [spe:exp/acc:unl/tim:day/equ:std/kno:sen]/28
T13 | RVI node sniffing | Information Disclosure | Vehicle installed software state | SOTA Server → RVI Node | [exp:exp/acc:unl/equ:std/tim:day/kno:res]/35 | [saf:nor/fin:nor/ope:nor]/3 | [spe:exp/acc:unl/equ:std/tim:day/kno:res]/32
T14 | RVI node Denial of Service attack | Denial of service | Service Availability | Anyone → RVI Node | [exp:lay/acc:unl/tim:hou/equ:std/kno:res]/40 | [saf:ver/fin:nor/ope:ver]/13 | [spe:lay/acc:unl/tim:hou/equ:std/kno:res]/41
T15 | Logistics & Provisioning API Spoofing | Spoofing | Vehicle software security | Logistics & Provisioning → SOTA Server | [exp:exp/acc:unl/tim:day/equ:std/kno:sen]/31 | [saf:nor/fin:ver/ope:ver]/13 | [spe:exp/acc:unl/tim:day/equ:std/kno:sen]/28
T16 | Associating a part number with a malicious package | Tampering | Vehicle software security | Logistics & Provisioning → SOTA Server | [exp:mul/acc:unl/tim:wee/equ:std/kno:res]/35 | [saf:ver/fin:ver/ope:ver]/18 | [spe:mul/acc:unl/tim:wee/equ:std/kno:res]/27
T17 | VIN, part number, configurations compromise | Information Disclosure | Corporate data, vehicle software configuration, vehicle software security | Logistics & Provisioning → SOTA Server | [exp:mul/acc:unl/tim:wee/equ:std/kno:res]/35 | [saf:nor/fin:hig/ope:ver]/10 | [spe:mul/acc:unl/tim:wee/equ:std/kno:res]/27
T18 | Charging & Billing API Spoofing | Spoofing | Financial loss | Charging & Billing → SOTA Server | [exp:exp/acc:unl/tim:day/equ:std/kno:sen]/31 | [saf:nor/fin:ver/ope:ver]/13 | [spe:exp/acc:unl/tim:day/equ:std/kno:sen]/28
T19 | Associating an update with the wrong cost | Tampering | Financial loss | Charging & Billing → SOTA Server | [exp:mul/acc:unl/tim:wee/equ:std/kno:res]/35 | [saf:nor/fin:ver/ope:ver]/13 | [spe:mul/acc:unl/tim:wee/equ:std/kno:res]/27
T20 | VIN, configurations, financial information compromise | Information Disclosure | Financial loss | Charging & Billing → SOTA Server | [exp:exp/acc:unl/tim:day/equ:std/kno:sen]/31 | [saf:ver/fin:ver/ope:ver]/18 | [spe:exp/acc:unl/tim:day/equ:std/kno:sen]/28
T21 | Spoofing SOTA Core Server | Spoofing | User data, VINs, Package information, Vehicle configurations | SOTA Core Server → MariaDB | [exp:exp/acc:unl/tim:day/equ:std/kno:sen]/31 | [saf:ver/fin:hig/ope:ver]/15 | [spe:exp/acc:unl/tim:day/equ:std/kno:sen]/28
T22 | Persistence of false data | Tampering | User data, VINs, Package information, Vehicle configurations | Anyone → MariaDB | [exp:exp/acc:eas/tim:day/equ:std/kno:res]/29 | [saf:nor/fin:ver/ope:ver]/13 | [spe:exp/acc:eas/tim:day/equ:std/kno:res]/26
T23 | Compromise of sensitive data | Information Disclosure | User data, VINs, Package information, Vehicle configurations | Anyone → MariaDB | [exp:exp/acc:eas/tim:day/equ:std/kno:res]/29 | [saf:hig/fin:hig/ope:hig]/9 | [spe:exp/acc:eas/tim:day/equ:std/kno:res]/26
T24 | MariaDB Denial of Service attack | Denial of service | Service Availability | Anyone → MariaDB | [exp:lay/acc:unl/tim:hou/equ:std/kno:res]/33 | [saf:nor/fin:nor/ope:ver]/8 | [spe:lay/acc:unl/tim:hou/equ:std/kno:res]/41
T25 | Getting admin rights | Elevation of Privilege | User data, VINs, Package information, Vehicle configurations, data store state | Anyone → MariaDB | [exp:pro/acc:unl/tim:day/equ:std/kno:pub]/36 | [saf:ver/fin:ver/ope:ver]/18 | [spe:pro/acc:unl/tim:day/equ:std/kno:pub]/39
T26 | Spoofing External Resolver | Spoofing | User data, VINs, Package information, Vehicle configurations | External Resolver → MariaDB | [exp:exp/acc:unl/tim:day/equ:std/kno:sen]/31 | [saf:hig/fin:ver/ope:ver]/15 | [spe:exp/acc:unl/tim:day/equ:std/kno:sen]/28
T27 | In-vehicle process spoofing | Spoofing | VINs, Package information | Anyone → SOTA Client | [exp:exp/acc:unl/tim:day/equ:std/kno:sen]/31 | [saf:ver/fin:hig/ope:hig]/12 | [spe:exp/acc:unl/tim:day/equ:std/kno:sen]/28
T28 | SOTA Client sniffing | Tampering | VINs, Package information | In vehicle process → SOTA Client | [exp:exp/acc:unl/tim:day/equ:std/kno:sen]/31 | [saf:ver/fin:hig/ope:hig]/12 | [spe:exp/acc:unl/tim:day/equ:std/kno:sen]/28
T29 | SOTA Client Denial of Service attack | Denial of service | Service Availability | Anyone → SOTA Client | [exp:lay/acc:unl/tim:hou/equ:std/kno:res]/33 | [saf:nor/fin:nor/ope:ver]/12 | [spe:lay/acc:unl/tim:hou/equ:std/kno:res]/41
T01 — Spoofing of Admin UI
Description | A malicious person may try to gain administrator-level access to the web server’s admin console to gain information about the system’s structure.
---|---
Rationale |
Mitigations |
T02 — Node sniffing
Description | Sniffing software installed on the load balancing node may lead to the leak of the credentials of all clients connecting to the given cluster.
---|---
Rationale | A node sniffer could intercept the credentials of all incoming client connections.
Mitigations |
T03 — Invalid package configuration injection
Description | An attacker may attempt to install an invalid combination of software packages or versions in order to introduce exploitable vulnerabilities.
---|---
Rationale |
Mitigations |
T04 — Repudiation of vehicle SW configuration
Description | A configuration that may create exploits or vulnerabilities in the vehicle’s software environment may be injected, and a modified web interface may be used to deny or hide the traces of installing the malicious configuration on a group of vehicles.
---|---
Rationale | JavaScript code running in the browser can be modified, and a repudiation attack against a group of vehicles may be attempted.
Mitigations |
T05 — Web API Denial of Service attack
Description | A large number of false or dummy requests from a malicious group may saturate the load balancer and prevent the service of legitimate clients.
---|---
Rationale | An easy-to-orchestrate DoS attack may disrupt the system’s operations.
Mitigations |
T06 — Brute force password cracking
Description | A password cracker may break an account and provide access to a malicious, unauthorized user.
---|---
Rationale | Weak passwords may be cracked in a short amount of time with a password cracker.
Mitigations |
T07 — Spoofing of External Resolver
Description | A malicious person may use a fake external resolver to gain information about the workings of the SOTA server and leak information about VINs and the software packages they have installed.
---|---
Rationale | A fake external resolver may be used to gain information about the SOTA server which may be used in a composite attack vector.
Mitigations |
T08 — Tampering of package dependencies
Description | A maliciously assembled dependency tree may include dependencies that open vulnerabilities or provide access to attackers, or may pin package versions known to have bugs or open vulnerabilities.
---|---
Rationale | A package that may open a backdoor, or that functions as a Trojan, can be added as a package dependency.
Mitigations |
T09 — Information leak of installed packages per VIN
Description | A verbose API may reveal which software packages are installed on which vehicle, information that should be restricted on a need-to-know basis.
---|---
Rationale |
Mitigations |
T10 — RVI node spoofing
Description | An RVI node may be spoofed and become a leaking sink for vehicle and package data.
---|---
Rationale | A spoofed RVI node may cause a huge leak of sensitive information.
Mitigations |
T11 — Retrieving false package installation results
Description | A compromised RVI node may send incorrect status reports for package installation in order to skip the installation of bugfixes or exploit fixes, intercept packages, and acquire information about VINs and their software configuration.
---|---
Rationale | Knowing which software packages exist, or having them sent to a spoofed vehicle, may help an attacker analyze them and find potential attack vectors.
Mitigations |
T12 — Denying the installation of a software package
Description | A compromised RVI node may block the installation of security-critical software packages and return a false status that they were installed, leaving open security vulnerabilities.
---|---
Rationale | A non-installed package may leave backdoors and exploits open for attackers.
Mitigations | None
T13 — RVI node sniffing
Description | Sniffing software installed on an RVI node can intercept VINs, their configuration, and the latest package configuration for every VIN.
---|---
Rationale | A node sniffer may intercept all VINs and their associated software packages.
Mitigations |
T14 — RVI node Denial of Service attack
Description | A Denial-of-Service (DoS) attack may block the installation of software packages or updates.
---|---
Rationale | A DoS attack on the RVI node(s) may block the installation of fixes for zero-day vulnerabilities or other crucial updates and leave vehicles vulnerable for a prolonged period of time.
Mitigations |
T15 — Logistics & Provisioning API Spoofing
Description | An attacker may use a spoofed Logistics API to install trojans or packages with known vulnerabilities.
---|---
Rationale | Responses from a spoofed Logistics API may lead to the installation of malicious or vulnerable packages.
Mitigations |
T16 — Associating a part number with a malicious package
Description | An attacker may assign a valid part number to a malicious package which may open a backdoor or related system vulnerabilities once installed.
---|---
Rationale | A malicious package associated with a valid part number will be installed without any warning or alarm being raised.
Mitigations |
T17 — VIN, part number, configurations compromise
Description | A malicious person may try to intercept the data exchanged between the SOTA server and the Logistics & Provisioning API.
---|---
Rationale | An information leak may compromise sensitive corporate and vehicle data.
Mitigations |
T18 — Charging & Billing API Spoofing
Description | An attacker may use a spoofed Billing API to install updates without being charged, or to charge a third party excessively.
---|---
Rationale | Responses from a spoofed Billing API may lead to the installation of updates for no or excessive cost.
Mitigations |
T19 — Associating an update with the wrong cost
Description | A compromised Charging & Billing endpoint may provide false charging information.
---|---
Rationale |
Mitigations | None
T20 — VIN, configurations, financial information compromise
Description | A malicious person may try to intercept the data exchanged between the SOTA server and the Charging & Billing API.
---|---
Rationale | An information leak may compromise sensitive corporate and vehicle data.
Mitigations |
T21 — Spoofing SOTA Core Server
Description | A spoofed SOTA Server may retrieve most of the sensitive data stored in the data store.
---|---
Rationale | A spoofed SOTA Server may retrieve most of the sensitive data stored in the datastore.
Mitigations | None
T22 — Persistence of false data
Description | A MariaDB client with access to the data store can manipulate the persisted data.
---|---
Rationale | Persisting false data in the datastore may open the door for more pervasive attack vectors.
Mitigations |
T23 — Compromise of sensitive data
Description | A MariaDB client with access to the data store can retrieve all of the sensitive data stored in it.
---|---
Rationale |
Mitigations |
T24 — MariaDB Denial of Service attack
Description | An attacker may orchestrate a Denial-of-Service (DoS) attack to interrupt the system’s operation or as part of a phishing attack.
---|---
Rationale |
Mitigations |
T25 — Getting admin rights
Description | A malicious user may pursue elevating their access rights to administrator or superuser, allowing them to perform any arbitrary operation on the data store.
---|---
Rationale | Getting administrator rights can lead to data theft, tampering and complete loss of data.
Mitigations |
T26 — Spoofing External Resolver
Description | A spoofed External Resolver may retrieve most of the sensitive data stored in the data store.
---|---
Rationale | A spoofed External Resolver may retrieve most of the data stored in the datastore.
Mitigations |
T27 — In-vehicle process spoofing
Description | A malicious in-vehicle process can attempt to exchange data with the SOTA Client and intercept information about the vehicle’s software state.
---|---
Rationale | A third party process can intercept information about every package installed from an unsecured client.
Mitigations |
T28 — SOTA Client sniffing
Description | A malicious in-vehicle process can attempt to intercept the communication between the SOTA Client and the RVI Node and alter the contents of the messages before delivering them to the SOTA Client.
---|---
Rationale | A third party process may attempt to intercept the communication between the SOTA Client and the RVI node and alter the contents of the received data.
Mitigations |
T29 — SOTA Client Denial of Service attack
Description | An attacker may orchestrate a Denial-of-Service (DoS) attack to interrupt the system’s operation or as part of a phishing attack.
---|---
Rationale |
Mitigations |
Mitigations
C01 Password complexity check
Applicable threats |
---|---
Purpose | deterrence
Goal |
Depends |
C02 TLS Transport Integrity, Confidentiality
Applicable threats |
---|---
Purpose | prevention
Goal |
Depends |
C03 Enforce only SSL connections
Applicable threats |
---|---
Purpose | deterrence
Goal |
Depends |
C04 Log transactions to and from SOTA Server
Applicable threats |
---|---
Purpose | monitoring
Goal |
Depends |
C05 Notify administrators for suspicious traffic patterns
Applicable threats |
---|---
Purpose | monitoring
Goal |
Depends |
C06 Limit login attempts per session
Applicable threats |
---|---
Purpose | deterrence
Goal |
Depends |
C07 Log VIN and package creations
Applicable threats |
---|---
Purpose | monitoring
Goal |
Depends |
C08 Avoid exposing unnecessary interfaces to public Internet
Applicable threats |
---|---
Purpose | prevention
Goal |
Depends |
C09 Verify the VIN/package filter sanity
Applicable threats | T03
---|---
Purpose | deterrence
Goal |
Depends |
C10 Allow only Intranet/VPN connections to MariaDB
Applicable threats |
---|---
Purpose | deterrence
Goal |
Depends |
C11 Don’t use Admin account with MariaDB
Applicable threats |
---|---
Purpose | deterrence
Goal |
Depends |
C12 SOTA Client should not accept any calls or requests from in-vehicle processes
Applicable threats |
---|---
Purpose | prevention
Goal |
Depends |
C13 SOTA Client should authenticate and communicate only with the Software Loading Manager (from in-vehicle software)
Applicable threats |
---|---
Purpose | prevention
Goal |
Depends |
C14 Recalculate the SOTA Server-supplied checksum for every package sent and verify it locally
Applicable threats |
---|---
Purpose | deterrence
Goal |
Depends |
C15 If the SOTA Server is unavailable and a package download has been interrupted, set the download’s state to erroneous and update the Server with that information upon the next notification
Applicable threats |
---|---
Purpose | deterrence
Goal |
Depends |
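One way the SOTA Client could implement C14 and C15 together, as an added example that is not the project's own code: the package is hashed while it streams in, the Server-supplied digest is compared in constant time, and an interrupted or truncated download is recorded as erroneous and queued for the next notification rather than treated as installable. SHA-256 as the checksum algorithm, the constructed sample package bytes and the report format are assumptions.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List

# Constructed sample package; its digest stands in for the checksum the SOTA
# Server would send with the package (placeholder data, not a real package).
SAMPLE_PACKAGE = b"constructed-sample-package-payload\n" * 16
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_PACKAGE).hexdigest()

# Status reports not yet delivered; drained on the next notification (C15).
pending_reports: List[Dict[str, str]] = []


def download_and_verify(package_id: str, chunks: Iterable[bytes],
                        expected_size: int, expected_sha256: str) -> Dict[str, str]:
    """Stream a package, recompute its SHA-256 locally (C14) and record the state.

    A download that breaks off (ConnectionError from the stream, or fewer bytes
    than announced) is recorded as erroneous, never as installable (C15).
    """
    hasher = hashlib.sha256()
    received = 0
    try:
        for chunk in chunks:
            hasher.update(chunk)
            received += len(chunk)
    except ConnectionError:
        return _record(package_id, "erroneous", "download interrupted")
    if received != expected_size:
        return _record(package_id, "erroneous", f"size mismatch: {received}/{expected_size}")
    # Constant-time comparison so the check cannot leak digest bytes through timing.
    if not hmac.compare_digest(hasher.hexdigest(), expected_sha256.lower()):
        return _record(package_id, "erroneous", "checksum mismatch")
    return _record(package_id, "verified", "")


def _record(package_id: str, state: str, reason: str) -> Dict[str, str]:
    report = {"package": package_id, "state": state, "reason": reason}
    pending_reports.append(report)
    return report


def next_notification() -> List[Dict[str, str]]:
    """Return and clear the queued reports once the SOTA Server is reachable again."""
    sent = list(pending_reports)
    pending_reports.clear()
    return sent


def chunked(data: bytes, size: int, fail_after: int = -1) -> Iterable[bytes]:
    """Yield data in chunks; fail_after >= 0 simulates the Server dropping away."""
    for i, offset in enumerate(range(0, len(data), size)):
        if i == fail_after:
            raise ConnectionError("SOTA Server unavailable")
        yield data[offset:offset + size]
```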