GetObservationById operation Sensor Observation Service

Copyright © 2009 Open Geospatial Consortium, Inc. 77

9.6.6 GetObservationById operation

Asset: observation offering provided by SOS

Cause: Man-In-The-Middle
Effect: SOS will receive fraudulent GetObservationById request sent by the user client.
Result: SOS will provide observation offering to user if the tampered ObservationId is served by the SOS.
Scope: Application specific knowledge is available. In particular, the attacker needs to have a valid ObservationId so that the response contains sabotaged data.
Example:
Likelihood: Medium
Impact on Asset: No direct effect on the asset but the unveiling of the observation based on the tampered ObservationId in case it is served by the SOS.
Impact on User: Impact on the user of the active client as the returned observation is not associated to the actual request.
Potential: NA
Reason: Espionage
Requirement: Integrity

Table 72: Modify GetObservationById request

Cause: Man-In-The-Middle
Effect: User client will receive fraudulent GetObservationById response that might contain fictitious observation data.
Result: User does not get the observation data associated with the actual request.
Scope: Application specific knowledge is required.
Example:
Likelihood: Medium
Impact on Asset: None
Impact on User: Direct effect on asset.
Potential: NA
Reason: Sabotage
Requirement: Integrity

Table 73: Modify GetObservationById response

Cause: Adversary’s client is able to execute SOS.
Effect: GetObservationById operation of the SOS is invoked.
Result: The adversary might receive observation data if the ObservationId of the created request is served by the SOS.
Scope: Application specific knowledge is required. In particular, the attacker needs to have a valid ObservationId.
Example:
Likelihood: Low
Impact on Asset: Unveiling of asset.
Impact on User: None
Potential: NA
Reason: Espionage
Requirement: Access Control to prevent unauthorized requests.

Table 74: Create GetObservationById request

Cause: Eavesdropping and adversary’s client can execute SOS.
Effect: Adversary’s client will send recorded GetObservationById requests to SOS.
Result: Adversary gets observation data associated with the recorded request.
Scope: No application specific knowledge required.
Example:
Likelihood: High
Impact on Asset: Unveiling of asset
Impact on User: None
Potential: NA
Reason: Espionage
Requirement: Unique request id and time stamp to detect replay.

Table 75: Replay GetObservationById request

Cause: ARP spoofing
Effect: User client will send GetObservationById request to adversary’s SOS.
Result: The adversary’s SOS will receive the request and return fictitious observation data to the user.
Scope: Application specific knowledge is required.
Example:
Likelihood: Low
Impact on Asset: Direct effect on asset.
Impact on User: Impact on the user of the active client as the response will not come from the actual SOS.
Potential: NA
Reason: Sabotage
Requirement: Service authentication and authenticity on the response.

Table 76: Redirect GetObservationById request

Cause: Eavesdropping
Effect: NA
Result: The adversary can obtain the observation.
Scope: No application specific knowledge is required to exercise the attack.
Example:
Likelihood: High
Impact on Asset: None
Impact on User: None
Potential: NA
Reason: Espionage
Requirement: Confidentiality

Table 77: Record GetObservationById request/response
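
The Integrity requirement of Table 72 and the "unique request id and time stamp" requirement of Table 75 can be checked together on the service side. The following is an added example, not part of the original document or of the SOS specification; the envelope fields `request_id`, `timestamp` and `mac`, the shared HMAC key, and the 300-second freshness window are assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window, not defined by the document


class RequestGuard:
    """Integrity and replay check for a GetObservationById request envelope."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self._key = key
        self._max_skew = max_skew
        self._seen = {}  # request_id -> timestamp, kept while inside the window

    def _tag(self, observation_id, request_id, timestamp) -> str:
        # Length-prefix every field so values cannot slide across boundaries.
        fields = (str(observation_id), str(request_id), str(timestamp))
        msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def sign(self, observation_id: str, request_id: str, timestamp: int) -> dict:
        """Client side: bind ObservationId, request id and time stamp under one MAC."""
        return {"ObservationId": observation_id, "request_id": request_id,
                "timestamp": timestamp,
                "mac": self._tag(observation_id, request_id, timestamp)}

    def verify(self, req: dict, now: int = None) -> str:
        """Service side: returns 'accepted' or the reason for rejection."""
        now = int(time.time()) if now is None else now
        expected = self._tag(req.get("ObservationId"), req.get("request_id"),
                             req.get("timestamp"))
        supplied = str(req.get("mac", ""))
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return "rejected: integrity"   # Table 72: ObservationId was modified
        if abs(now - req["timestamp"]) > self._max_skew:
            return "rejected: stale"       # Table 75: old recording
        # Ids older than the window are rejected as stale anyway, so drop them.
        self._seen = {r: t for r, t in self._seen.items()
                      if abs(now - t) <= self._max_skew}
        if req["request_id"] in self._seen:
            return "rejected: replay"      # Table 75: request id already used
        self._seen[req["request_id"]] = req["timestamp"]
        return "accepted"


if __name__ == "__main__":
    guard = RequestGuard(b"constructed-demo-key")   # constructed sample key
    req = guard.sign("obs-0001", "req-1", 1_000_000)  # constructed sample request
    print(guard.verify(req, now=1_000_010))
    print(guard.verify(req, now=1_000_020))
    print(guard.verify(dict(req, ObservationId="obs-0002"), now=1_000_020))
```

A MAC of this kind addresses only the integrity and replay rows; the Confidentiality requirement of Table 77 and the service authentication of Table 76 need transport or message encryption and an authenticated service endpoint.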

9.6.7 GetResult operation