Shostack + Friends Blog

IoT Security & Threat Modeling

Expanding on the UK Government's ‘The Uk Code of Practice for Consumer IoT Security’ and how it aligns with Threat Modeling.

There's a new report out from the UK Government, The UK Code of Practice for Consumer IoT Security.

One of the elements I want to draw attention to is:

The use of IoT devices by perpetrators of domestic abuse is a pressing and deeply concerning problem that is largely hidden from view. Collecting data (and therefore evidence) on this is challenging for a number of reasons outlined in this section by Leonie Tanczer. There are concrete steps that both industry and the policy community could take to address the misuse of consumer IoT in this setting and we include a number of these as well as lessons from other countries.

But all three of the elements in the report, IoT-Facilitated tech abuse, Fitness systems, and childrens things, require technologists to start thinking more deeply and broadly about the questions of what can go wrong with their products. We are past time when we can look reactively, or use a list of 'vulnerabilities' and avert our eyes from the other impacts our technology has.

And that means a lot more threat modeling, where the way we answer 'what can go wrong' moves beyond STRIDE.

Originally published by Adam on 22 Apr 2021
Categories: doing it differently government information security reports and data software engineering threat model thursday threat modeling

Our Favorite Content

General threat modeling posts

The Security Principles of Saltzer and Schroeder, illustrated with Star Wars

Subscribe (RSS/Mail)

RSS/ATOM: The ATOM feed is here. We recommend RSS as the best way to follow this blog, and think generally RSS is the best way to take control of the information you take in. You can read our thinking here.

Email: If you’d like a lower volume set of updates on what Adam is doing, Adam’s New Thing gets only a few messages a year, guaranteed. We include a subset of posts in each.