92 Copyright © 2009 Open Geospatial Consortium, Inc.
Cause: Man-In-The-Middle
Effect: Sensor will receive a fraudulent response that does not reflect the result of the processing done by the SAS.
Result: Advertisements that have resulted in a processing error will not be available as offerings. But the sensor does not know that, as the status might have been set to "confirmed" by the attack.
Scope: Application specific knowledge is required.
Example:
Likelihood: Medium
Impact on Asset: Leads to potentially invalid offerings; no data production.
Impact on User: Impact on the client if the response is modified from success to failure. This would cause the user to re-initiate the RenewAdvertisement over and over again.
Potential: NA
Reason: Sabotage
Requirement: Integrity
Table 97: Modify RenewAdvertisement response
9.7.4 CancelAdvertisement operation
From the attacker’s point of view, the semantics of this operation are identical to RenewAdvertisement with "current time". Therefore, the possible attacks and effects are identical to the attacks on the RenewAdvertisement operation as described above, using the current time as a parameter.
Requirement: Access Control to prevent unauthorized cancellation of advertisements.
9.7.5 Subscribe operation
Asset: Alert Subscription
Cause: Man-In-The-Middle
Effect: User client Subscribe request is sent to the adversary’s SAS.
Result: User receives fraudulent or no alerts from the adversary’s SAS.
Scope: Application specific knowledge is required.
Example:
Likelihood: Medium
Impact on Asset: None
Impact on User: Impact on the user of the active client, as the request will not be received by the actual SAS and therefore the user will not receive alerts.
Potential: NA
Reason: Sabotage
Requirement: SAS authentication and authenticity on the response.
Table 98: Redirect Subscribe request
Cause: Man-In-The-Middle
Effect: SAS will receive fraudulent conditions for sending alerts to the user client.
Result: The user receives fraudulent alerts on the spoofed MUC or is not able to connect to the spoofed MUC.
Scope: Application specific knowledge is required. In particular, the attacker needs to know how to operate an XMPP server to provide spoofed MUCs to user clients.
Example:
Likelihood: Medium
Impact on Asset: None
Impact on User: Impact on the user of the active client, as the request received by the actual SAS is modified and therefore the user will not receive the intended alerts.
Potential: NA
Reason: Sabotage
Requirement: Integrity
Table 99: Modify Subscribe request
Cause: Adversary’s client can execute SAS.
Effect: Adversary’s client will send Subscribe requests to SAS.
Result: Adversary can create theoretically unlimited offerings, which might prevent the SAS from operating properly (too many subscriptions to handle). Exercising this attack frequently can cause slow processing of the SAS.
Scope: Application specific knowledge is required. In particular, the attacker needs to know offerings as contained in the capabilities document.
Example:
Likelihood: Low
Impact on Asset: None
Impact on User: None
Potential: NA
Reason: Denial of Service
Requirement: Access Control to ensure only authorized users can execute the operation.
Table 100: Create Subscribe request
Cause: Eavesdropping and adversary’s client can execute SAS.
Effect: Adversary’s client sends a recorded Subscribe message to SAS.
Result: If the adversary re-sends the recorded message after the SAS has received a CancelSubscription message for that subscription, the SAS will keep a subscription and a MUC for the client of the adversary.
Scope: No application specific knowledge required unless the adversary wants to receive alerts on the MUC. Then, the attacker needs to know how to use an XMPP client.
Example:
Likelihood: High
Impact on Asset: Unveiling of the asset to the adversary.
Impact on User: None
Potential: NA
Reason: Espionage
Requirement: Unique request id and timestamp to detect the replay.
Table 101: Replay Subscribe request
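The replay requirement of Table 101 only holds if the request id and timestamp are also covered by the Integrity requirement of Table 99; otherwise a recorded message can simply be relabelled. The following is an added example, not part of the OGC document, which prescribes no mechanism: the pre-shared HMAC key, the function and class names, the 300-second window and the sample request are all assumptions.

```python
import hashlib
import hmac
import time

MAX_SKEW = 300  # assumed policy: seconds a timestamp may differ from server time


def sign_request(key, request_id, timestamp, body):
    """Client side: bind request id, timestamp and body under one MAC."""
    msg = f"{len(request_id)}:{request_id}:{timestamp}:".encode() + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server side (hypothetical helper): accept each request id at most once."""

    def __init__(self, key, max_skew=MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # request_id -> timestamp, kept while inside the window

    def check(self, request_id, timestamp, body, mac, now=None):
        now = int(time.time()) if now is None else now
        expected = sign_request(self.key, request_id, timestamp, body)
        if not hmac.compare_digest(expected, mac):
            return "rejected: bad MAC"
        if abs(now - timestamp) > self.max_skew:
            return "rejected: stale timestamp"
        # Forget ids older than the window; the skew check already refuses them.
        self.seen = {r: t for r, t in self.seen.items() if now - t <= self.max_skew}
        if request_id in self.seen:
            return "rejected: replayed request id"
        self.seen[request_id] = timestamp
        return "accepted"


def demo():
    """Constructed scenario: one genuine Subscribe, then three replay attempts."""
    key = b"constructed-demo-key"
    guard = ReplayGuard(key)
    body = b"<Subscribe>constructed sample request</Subscribe>"
    t0 = 1_000_000
    mac = sign_request(key, "req-0001", t0, body)
    return [
        guard.check("req-0001", t0, body, mac, now=t0 + 1),     # original
        guard.check("req-0001", t0, body, mac, now=t0 + 60),    # replay in window
        guard.check("req-0001", t0, body, mac, now=t0 + 3600),  # replay after window
        guard.check("req-0002", t0 + 3600, body, mac, now=t0 + 3600),  # relabelled
    ]
```

The timestamp bounds how long request ids must be remembered, so the cache stays small while a replay sent after a later CancelSubscription is still refused.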
Cause: Eavesdropping
Effect: None
Result: Recorded Subscribe requests that contain a MUC can be replayed by the adversary to connect to that MUC and record the published alerts.
Scope: No application specific knowledge is required, but the attacker needs to know how to use an XMPP client.
Example:
Likelihood: High
Impact on Asset: None
Impact on User: None
Potential: The adversary can fetch the XMPP MUC URI, if provided by the client, to connect to in order to record alerts.
Reason: Espionage
Requirement: Confidentiality on requests that contain a MUC address.
Table 102: Record Subscribe request
Cause: Eavesdropping
Effect: None
Result: With a recorded Subscribe response that contains both a MUC and a subscription ID, the adversary can disconnect the client from that MUC by sending a CancelSubscription request message, using the obtained subscription ID.
Scope: Application specific knowledge is required.
Example:
Likelihood: High
Impact on Asset: None
Impact on User: None
Potential: The adversary can fetch the XMPP MUC URI to connect to in order to record alerts.
Reason: Espionage
Requirement: Confidentiality
Table 103: Record Subscribe response
Cause: Man-In-The-Middle
Effect: User client will receive a fraudulent response that does not reflect the result of the user processing done by the SAS.
Result: (i) XMPPURI might be fraudulent, with the effect that the user client would receive either no alerts or fraudulent alerts. (ii) The processing status might be fraudulent, e.g. "OK", which would hide processing errors.
Scope: Application specific knowledge is required.
Example:
Likelihood: Medium
Impact on Asset: None
Impact on User: Impact on the user of the active client, as he will not receive the MUC information associated with the request.
Potential: NA
Reason: Sabotage
Requirement: Integrity
Table 104: Modify Subscribe response
9.7.6 RenewSubscription operation