Copyright © 2009 Open Geospatial Consortium, Inc. 77
9.6.6 GetObservationById operation
Asset: observation offering provided by SOS
Cause Man-In-The-Middle
Effect SOS will receive fraudulent GetObservationById request sent by the user client.
Result SOS will provide observation offering to user if the tampered ObservationId is served by the SOS.
Scope Application specific knowledge is available. In particular, the attacker needs to have a valid ObservationId so that the response contains sabotaged data.
Example
Likelihood Medium
Impact on Asset No direct effect on the asset but the unveiling of the observation based on the tampered ObservationId in case it is served by the SOS.
Impact on User Impact on the user of the active client as the returned observation is not associated to the actual request.
Potential NA
Reason Espionage
Requirement Integrity
Table 72: Modify GetObservationById request
Cause Man-In-The-Middle
Effect User client will receive fraudulent GetObservationById response that might contain fictitious observation data.
Result User does not get the observation data associated with the actual request.
Scope Application specific knowledge is required.
Example
Likelihood Medium
Impact on Asset None
Impact on User Direct effect on asset.
Potential NA
Reason Sabotage
Requirement Integrity
Table 73: Modify GetObservationById response
Cause Adversary’s client is able to execute SOS.
Effect GetObservationById operation of the SOS is invoked.
Result The adversary might receive observation data if the ObservationId of the created request is served by the SOS.
Scope Application specific knowledge is required. In particular, the attacker needs to have a valid ObservationId.
Example
Likelihood Low
Impact on Asset Unveiling of asset.
Impact on User None
Potential NA
Reason Espionage
Requirement Access Control to prevent unauthorized requests.
Table 74: Create GetObservationById request
Cause Eavesdropping and adversary’s client can execute SOS.
Effect Adversary’s client will send recorded GetObservationById requests to SOS
Result Adversary gets observation data, associated with the recorded request.
Scope No application specific knowledge required.
Example
Likelihood High
Impact on Asset Unveiling of asset
Impact on User None
Potential NA
Reason Espionage
Requirement Unique request id and time stamp to detect replay.
Table 75: Replay GetObservationById request
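One way a service could enforce the Table 75 requirement (unique request id and time stamp), given here as an added example that is not part of the OGC document. The field names `request_id`, `timestamp` and `mac`, the shared key and the 300-second window are assumptions; the HMAC is included because, per the Integrity requirement of Table 72, the id and time stamp only help if they cannot be rewritten in transit.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW = 300  # assumed acceptance window in seconds


def sign(key, request_id, timestamp, observation_id):
    """MAC over all three fields so none can be altered in transit."""
    msg = json.dumps([request_id, timestamp, observation_id]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server-side check: each signed request is accepted at most once."""

    def __init__(self, key, max_skew=MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # request_id -> timestamp of accepted requests

    def check(self, request_id, timestamp, observation_id, mac, now=None):
        now = time.time() if now is None else now
        expected = sign(self.key, request_id, timestamp, observation_id)
        if not hmac.compare_digest(expected.encode(), mac.encode()):
            return "rejected: bad signature"
        if abs(now - timestamp) > self.max_skew:
            return "rejected: stale timestamp"
        # Forget ids whose timestamp would now fail the freshness check anyway.
        self.seen = {r: t for r, t in self.seen.items()
                     if abs(now - t) <= self.max_skew}
        if request_id in self.seen:
            return "rejected: replayed request id"
        self.seen[request_id] = timestamp
        return "accepted"


def demo():
    """Constructed sample: one recorded request is presented several times."""
    key = b"constructed-demo-key"
    guard = ReplayGuard(key)
    req = ("req-0001", 1000, "urn:example:obs:42")  # constructed values
    mac = sign(key, *req)
    return [
        guard.check(*req, mac, now=1010),  # original request
        guard.check(*req, mac, now=1020),  # replay inside the window
        guard.check(*req, mac, now=2000),  # replay after the window
        guard.check("req-0002", 1990, req[2], mac, now=2000),  # id and time rewritten
    ]
```

The cache of seen ids only has to cover the acceptance window, because anything older is already rejected by the time stamp check.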
Cause ARP spoofing
Effect User client will send GetObservationById request to adversary’s SOS.
Result The adversary’s SOS will receive the request and return fictitious observation data to the user.
Scope Application specific knowledge is required.
Example
Likelihood Low
Impact on Asset Direct effect on asset.
Impact on User Impact on the user of the active client as the response will not come from the actual SOS.
Potential NA
Reason Sabotage
Requirement Service authentication and authenticity on the response.
Table 76: Redirect GetObservationById request
Cause Eavesdropping
Effect NA
Result The adversary can obtain the observation.
Scope No application specific knowledge is required to exercise the attack.
Example
Likelihood High
Impact on Asset None
Impact on User None
Potential NA
Reason Espionage
Requirement Confidentiality
Table 77: Record GetObservationById request/response
9.6.7 GetResult operation