Shostack + Friends Blog


IoT Security & Threat Modeling

Expanding on the UK Government's ‘The Uk Code of Practice for Consumer IoT Security’ and how it aligns with Threat Modeling.

There's a new report out from the UK Government, The UK Code of Practice for Consumer IoT Security.

One of the elements I want to draw attention to is:

The use of IoT devices by perpetrators of domestic abuse is a pressing and deeply concerning problem that is largely hidden from view. Collecting data (and therefore evidence) on this is challenging for a number of reasons outlined in this section by Leonie Tanczer. There are concrete steps that both industry and the policy community could take to address the misuse of consumer IoT in this setting and we include a number of these as well as lessons from other countries.

But all three of the elements in the report, IoT-Facilitated tech abuse, Fitness systems, and childrens things, require technologists to start thinking more deeply and broadly about the questions of what can go wrong with their products. We are past time when we can look reactively, or use a list of 'vulnerabilities' and avert our eyes from the other impacts our technology has.

And that means a lot more threat modeling, where the way we answer 'what can go wrong' moves beyond STRIDE.