92 Copyright © 2009 Open Geospatial Consortium, Inc. Cause Man-In-The-Middle Effect Sensor will receive fraudulent response that does not reflect the result of the processing done by the SAS. Result Advertisements that have resulted in a processing error will not be available as offerings. But the sensor does not know that as the status might have set to ―confirmed‖ by the attack. Scope Application specific knowledge is required. Example Likelihood Medium Impact on Asset Leads to potentially invalid offerings no data production Impact on User Impact on the client if the response is modified from success to failure This would cause the user to re-initiate the RenewAdvertisement over and over again. Potential NA Reason Sabotage Requirement Integrity Table 97: Modify RenewAdvertisement response

9.7.4 CancelAdvertisement operation

From the attacker’s point of view, the semantic for this operation is identical to RenewAdvertisement―current time‖. Therefore, the possible attacks and effects are identical with the attacks for the RenewAdvertisement operation as described above with using the current time as a parameter. Requirement: Access Control to prevent unauthorized cancellation of advertisements.

9.7.5 Subscribe operation

Asset: Alert Subscription Cause Man-In-The-Middle Effect User client Subscribe request is send to the adversary’s SAS. Result User receives fraudulent or no alerts from the adversar y’s SAS. Copyright © 2009 Open Geospatial Consortium, Inc. 93 Scope Application specific knowledge is required. Example Likelihood Medium Impact on Asset None Impact on User Impact on the user of the active client as the request will not be received by the actual SAS and therefore the user will not receive alerts. Potential NA Reason Sabotage Requirement SAS authentication and authenticity on the response. Table 98: Redirect Subscribe request Cause Man-In-The-Middle Effect SAS will receive fraudulent conditions for sending alerts to the user client. Result The user receives fraudulent alerts on the spoofed MUC or is not able to connect to the spoofed MUC. Scope Application specific knowledge is required. In particular, the attacker needs to know how to operate a XMPP server to provide spoofed MUCs to user clients. Example Likelihood Medium Impact on Asset None Impact on User Impact on the user of the active client as the request received by the actual SAS is modified and therefore the user will not receive the intended alerts. Potetial NA Reason Sabotage Requirement Integrity Table 99: Modify Subscribe request Cause Adversary’s client can execute SAS. 94 Copyright © 2009 Open Geospatial Consortium, Inc. Effect Adversary’s client will send Subscribe requests to SAS. Result Adversary can create theoretically unlimited offerings which might prevent the SAS to operate properly too many subscriptions to handle. Exercising this attack frequently can cause slow processing of the SAS. Scope Application specific knowledge is required. In particular, the attacker needs to know offerings as contained in the capabilities document. Example Likelihood Low Impact on Asset None Impact on User None Potential NA Reason Denial of Service Requirement Access Control to ensure only authorized users can execute the operation. Table 100: Create Subscribe request Cause Eavesdropping and adversary’s client can execute SAS. Effect Adversary’s client sends a recorded Subscribe message to SAS. Result If the adversary re-sends the recorded message after the SAS has received a CancelSubscription message for that subscription, the SAS will keep a subscription and a MUC for the client of the adversary. Scope No application specific knowledge required unless the adversary wants to receive alerts on the MUC. Then, the attacker needs to know how to use a XMPP client. Example Likelihood High Impact on Asset Unveiling of the asset to the adversary. Impact to User None Potential NA Reason Espionage Requirement Unique request id and timestamp to detect the replay. Copyright © 2009 Open Geospatial Consortium, Inc. 95 Table 101: Replay Subscribe request Cause Eavesdropping Effect None Result Recorded Subscribe requests that contain a MUC, can be replayed by the adversary to connect to that MUC and record the published alerts. Scope No application specific knowledge is required but the attacker needs to know how to use an XMPP client. Example Likelihood High Impact on Asset None Impact on User None Potential The adversary can fetch XMPP MUC URI if provided by the client to connect to in order to record alerts. Reason Espionage Requirement Confidentiality on requests that contain a MUC address. Table 102: Record Subscribe request Cause Eavesdropping Effect None Result A recorded Subscribe response that contain both a MUC and a subscription ID, the adversary can disconnect the client from that MUC by sending a CancelSubscription request message, using the obtained subscription ID. Scope Application specific knowledge is required. Example Likelihood High Impact on Asset None Impact on User None Potential The adversary can fetch XMPP MUC URI to connect to in order to record alerts. Reason Espionage 96 Copyright © 2009 Open Geospatial Consortium, Inc. Requirement Confidentiality Table 103: Record Subscribe response Cause Man-In-The-Middle Effect User client will receive fraudulent response that does not reflect the result of the user processing done by the SAS. Result i XMPPURI might be fraudulent with the effect that the user client would either not receive any or fraudulent alerts. ii The processing status might be fraudulent, e.g. ―OK‖ which would hide processing errors. Scope Application specific knowledge is required. Example Likelihood Medium Impact on Asset None Impact on Asset Impact on user of the active client as he will not receive the MUC information associated to the request. Potential NA Reason Sabotage Requirement Integrity Table 104: Modify Subscribe response

9.7.6 RenewSubscription operation