
Missing Freeze and Mix & Match attack cases

Open · cbassem opened this issue 4 years ago · 1 comment

The firmware update chapter currently explicitly covers roll-back attacks. The Freeze and Mix & Match attack cases are not (explicitly) covered.

  • Freeze attacks: an attacker tricks the device / ecosystem into believing the device is up to date while in reality it is not.
  • Mix & Match attacks: an attacker supplies combinations of packages or package metadata that never existed in the upstream repository. This can occur if, for example, individual packages are signed but package indexes are not.

These, together with others that we potentially overlooked, can be found here: https://theupdateframework.io/security/

cbassem avatar Mar 12 '21 14:03 cbassem
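The two cases above both come down to what the device's verifier actually binds together. A worked illustration (added here as an example; it is not ISVS text, not cbassem's code, and not the TUF reference implementation): a signed package index that carries an index version and an expiry time, with each package accepted only if the current signed index lists its exact content hash. The shared-key HMAC signature, the package blobs, the timestamps and the key value are all constructed stand-ins; a real repository would use an asymmetric signature scheme and a proper key hierarchy.

```python
"""Signed, expiring package index: why per-package signatures alone do not
stop Freeze or Mix & Match.  Added example; not ISVS, TUF or issue code."""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed shared key standing in for the repository's signing key.
# Real systems use asymmetric signatures (e.g. Ed25519), not an HMAC.
INDEX_KEY = b"constructed-demo-index-key"


def _sign(payload: bytes) -> str:
    return hmac.new(INDEX_KEY, payload, hashlib.sha256).hexdigest()


def build_index(packages: dict[str, bytes], version: int, expires: datetime) -> bytes:
    """Repository side: sign ONE document that binds every package name to its
    content hash, together with an index version and an expiry time."""
    body = {
        "version": version,
        "expires": expires.isoformat(),
        "packages": {name: {"sha256": hashlib.sha256(blob).hexdigest()}
                     for name, blob in packages.items()},
    }
    payload = json.dumps(body, sort_keys=True).encode()
    return json.dumps({"signed": body, "sig": _sign(payload)}).encode()


def verify_index(index_bytes: bytes, now: datetime, last_version: int) -> dict:
    """Device side: return the signed body, or raise ValueError naming why
    the index was rejected."""
    doc = json.loads(index_bytes)
    body = doc["signed"]
    payload = json.dumps(body, sort_keys=True).encode()
    if not hmac.compare_digest(_sign(payload), doc["sig"]):
        raise ValueError("bad signature")
    # Freeze defence: an old but validly signed index that is replayed
    # indefinitely eventually expires, so the device notices it is being
    # held back from updates instead of silently believing it is current.
    if datetime.fromisoformat(body["expires"]) <= now:
        raise ValueError("index expired")
    # Roll-back defence: the index version must never go backwards.
    if body["version"] < last_version:
        raise ValueError("index rollback")
    return body


def verify_package(body: dict, name: str, blob: bytes) -> bool:
    """Mix & Match defence: a package is accepted only if the CURRENT signed
    index lists it with exactly this content hash, so a combination the
    repository never published is rejected even if each part was once valid."""
    entry = body["packages"].get(name)
    return entry is not None and hmac.compare_digest(
        entry["sha256"], hashlib.sha256(blob).hexdigest())


def run_scenarios() -> dict:
    """Walk both attack cases with constructed packages and return the outcomes."""
    t0 = datetime(2021, 3, 12, 14, 0, tzinfo=timezone.utc)  # constructed clock
    # Repository publishes index v1 (one day validity), later v2 with a newer kernel.
    idx1 = build_index({"kernel": b"kernel-1.0", "app": b"app-1.0"}, 1, t0 + timedelta(days=1))
    idx2 = build_index({"kernel": b"kernel-1.1", "app": b"app-1.0"}, 2, t0 + timedelta(days=2))
    out = {}
    # Freeze: the device keeps receiving idx1; fine until it expires, rejected after.
    out["freeze_before_expiry"] = verify_index(idx1, t0 + timedelta(hours=1), 1)["version"]
    try:
        verify_index(idx1, t0 + timedelta(days=1, hours=1), 1)
        out["freeze_after_expiry"] = "accepted"
    except ValueError as err:
        out["freeze_after_expiry"] = str(err)
    # Mix & Match: index v2 paired with the old kernel, which was itself valid under v1.
    body2 = verify_index(idx2, t0 + timedelta(hours=2), 1)
    out["mix_match_old_kernel"] = verify_package(body2, "kernel", b"kernel-1.0")
    out["mix_match_new_kernel"] = verify_package(body2, "kernel", b"kernel-1.1")
    # Roll-back (already covered by the chapter): idx1 offered after v2 was seen.
    try:
        verify_index(idx1, t0 + timedelta(hours=3), 2)
        out["rollback"] = "accepted"
    except ValueError as err:
        out["rollback"] = str(err)
    return out


if __name__ == "__main__":
    for case, result in run_scenarios().items():
        print(f"{case}: {result}")
```

The point for the chapter is that the expiry check and the index-level hash list are separate requirements from "packages are signed": without the expiry, a replayed index is indistinguishable from a current one (Freeze); without the index binding every package hash, individually signed artifacts can be recombined into a set the repository never shipped (Mix & Match).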

We'll need to think more about this threat model. It's not possible to cover every case, but we want to ensure we capture the most common.

scriptingxss avatar Mar 12 '21 14:03 scriptingxss