Packet Tracer – Threat Modeling at the Device Layer

Topology
The topology is a home IoT system that has been prototyped in Packet Tracer. It shows a cutaway view of a
home with different sensors, actuators, and connections shown.

Objectives
In this Packet Tracer, you will begin the threat modeling process for the device layer of the IoT attack surface.
Part 1: Identifying the Security Objectives
Part 2: Exploring and Diagraming the Physical Network
Part 3: Creating an Inventory of Assets of the Physical Device Attack Surface

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 12 www.netacad.com
Packet Tracer – Threat Modeling at the Device Layer

Part 4: Identifying Potential Threats with the STRIDE Model

Background / Scenario
A home owner has been reading about the IoT and is very enthusiastic about the capabilities of home
automation IoT systems. The home owner wants to install such a system in his house but does not know how
to do so. He has contacted a company that can design and install the system. The company focuses on
security throughout the system design, provisioning, and development process. They are currently developing
a threat model for the system. You have been hired by the company and your first task is to complete the
threat model.
The house is 3500 sq. ft. and includes two stories and an attic. The customers are away from home regularly
and have requested the safest house possible. The customer wants to be able to remotely monitor the house
and wants the following IoT-supported systems:
• Climate control
• Smoke / fire
• Temperature issues out of the normal range
• Door and window locks
• Lawn watering
• Local alarm and emergency department messaging
The system should be controllable locally and through the cloud. The user should be able to access the
controller from a web browser from inside the network as well as remotely through a smartphone app. This
will allow the customers to monitor or control the system when they are away.
The system should collect and store data from the remote sensors and various actions should take place
based on the input from those sensors. For example, if the temperature goes above the maximum range, it
probably means the AC is not working and someone needs to be notified ASAP. If the system detects smoke,
the local alarm should sound, and the customer and the fire department should be alerted. Data from the
system should be retained and analyzed. In addition, the customer should be able to change the threshold
values that trigger different actuators and events as necessary, either locally or through the mobile app. The
triggers and behaviors, data analytics, and remote-control access are all available through a home
automation cloud application service that the system will interface with.
The home owners should have password protected accounts for access to the system. In addition, the
company should have access to system diagnostics in case problems occur with the system. Only the
homeowner should have access to the cloud applications.
It is also important to make note of these other details of the house:
• 3 bedrooms, 1 den, 2 baths
• 2 stories and an attic
• 1 main front door and 1 side door entry
• 2 sliding doors to the backyard – one coming from the master bedroom
• 2-car garage
The team has designed the system and it is your job to perform threat modeling on the design.
You will start by creating a threat model for system. The home automation system has been prototyped in
Packet Tracer. The system is very similar to the home IoT system that you explored earlier in the course.
Because the threat modeling process is very detailed, we will be breaking it up into four linked labs. The first
three labs are for each layer of the IoT attack surface. In the final Packet Tracer, you will rate the risks and
determine how the risks will be managed.
Required Resources

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2 of 12 www.netacad.com
Packet Tracer – Threat Modeling at the Device Layer

• Packet Tracer 7.1 or later

Part 1: Identifying the Security Objectives

The first activity in the threat modeling process is to establish the security objectives for the system.

Step 1: Provide objectives for each of the six categories.

There are six categories of security objectives that are often used to define the security needs of a system or
organization. Answer the questions to help develop these objectives. Answer the questions from the point of
view of both the company and the customer, where appropriate.
Identity
Visualize the application and identify the security objectives of this system based on the requirements.
What access and authorization controls should be in place to document who is accessing the IoT system?
Los controles de acceso estan en la puerta de la casa, en el garaje y con el sensor de aperture de la
ventana, situado en el Segundo piso.
Should there be any machine-to-machine (M2M) access controls in place?
Cambiar contraseña por defectos de cada dispositivo, agregar una contraseña segura.
Financial
Document the financial losses that could occur due to a failure of the system, system components, or security
breech.
What is the potential financial impact to the customer if components of the system malfunction?
Perdida de seguridad y datos, perdida de inmuebles y/o objetos de valor.
If a threat actor was able to gain access to the home network in a security breech, what losses could occur?
Perdida de datos e información, perfilamiento de los usuarios.
Reputation
Document any possible impact on the customer’s reputation if the IoT safety/security system is attacked.
What would be the repercussions for the owner if their home-based safety/security system was attacked?
Robo de información personal(fotos, videos, acceso a cuentas.).

Privacy and Regulation

Document the impact of any privacy concerns as well as regulation requirements for this system.
Are there any privacy concerns for any of the data collected or used by this system?
Robo de información personal (fotos, videos, acceso a cuentas.)perdida de confidencialidad frente al control
de los dispositivos del hogar como (contraseñas de fabrica), confidencialidad.
Does the owner care that logs are being kept about their access and movement throughout the house (motion
sensors)?
Es muy importante ya que habran personas que quieran saber los movientos de los habitantes de la casa.
Identify any data that could cause privacy concerns for the owner of this system.
Contraseñas mas que todo las que estan por defecto o fabrica, acceso en lugares no confiables, acceso a
redes wifi, llaves o tarjetas de acceso.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 3 of 12 www.netacad.com
Packet Tracer – Threat Modeling at the Device Layer

Availability Guarantees
Document the expected availability and guaranteed uptime of the IoT system. Is this system required to be
available at all times?
Claro, ya teniendo una disposicion efectiva y que este activo en todo momento, sin importar la operación
especifica.
Is there any acceptable downtime that can be tolerated for this system? Explain.
En caso de una actualización o mantenimiento del Sistema.
En casos de cortes inesperados de energía, mientras se realiza la activación de una energía de respaldo.
En casos extremos de daño de algún sistema importante como es el MCU

Safety
Document the potential impacts to physical welfare of people and physical damage to equipment and
facilities. This is particularly important in industrial control system (ICS) environments.
La generación de un corto circuito en un punto especifico que puede afectar:

Equipos electrónicos, perdidas de elementos internos y reseteo de equipos programados a configuración de

fabrica.

Generación de incendios en caso de generación de chispas.

Part 2: Exploring and Diagraming the Physical Network

Step 1: Open the Packet Tracer Network.
The Packet Tracer network is an interactive demonstration of a home automation IoT network. It is the same
network that was used in Chapter 1.
a. Open the Packet Tracer - Threat Modeling at the IoT Device Layer.pka file.
b. Follow the instructions to become familiar with some of the functions of the network if you do not know
how it works.
c. Feel free to explore the network further.

Step 2: Diagram the network.

Use the blank floor plans that are included in Appendix A of the PDF version of these Packet Tracer
instructions. Diagram the IoT devices on the floor plan. Place the sensors, actuators, and devices at the
locations on the floor plan that seem to match the PT network. Label each device.

Part 3: Creating an Inventory of Assets of the Physical Device Attack

Surface
You will now complete an inventory of the devices in the IoT network by entering them into a table.

Step 1: List all the assets.

Fill in the table that is provided in Appendix B of this Packet Tracer with all the IoT device physical assets
that are part of the home automation network. Also add the device role.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 4 of 12 www.netacad.com
Packet Tracer – Threat Modeling at the Device Layer

What are some roles that devices can take in an IoT network?
Coaxial spliter
cable modem
Home gateway
Panel Solar
Bateria inteligente
lampara
Ventana
Ventilador
Tablet
Celular
Detector de Humo
Sensor temperatura
TV
Sensor de Humo
Sensor de alarma
MCU
Cafetera
Termostato
Calentador
Aire acondicionado
Puesta acceso y garaje
Sensor de humedad
Rociador

Step 2: Determine the interactions between assets.

Continue to work in the table from Step 1. Fill-in the relationships between the devices in the Works With
column. Which sensors and actuators work together?
Device Device Role Works With

Coaxial spliter controlador internet, ventana y modem

cable modem controlador Coaxial spliter, gateway
Home gateway controlador modem, panel solar
Panel Solar sensor gateway. Bateria
Bateria inteligente actuador ventana, cafetera, panel solar
lampara actuador bateria, wifi
Ventana actuador MCU, wifi
Ventilador actuador MCU, wifi
Tablet controlador wifi
Celular controlador wifi
Detector de Humo sensor wifi
Sensor temperatura sensor wifi
TV actuador Coaxial spliter
Sensor de Humo sensor wifi
Sensor de alarma sensor wifi
MCU controlador ventana, ventilador, sensor de humo, puerta acceso y garaje,
Cafetera actuador bateria, wifi
Termostato controlador calentador, aire acondicionado
Calentador actuador termostato

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 5 of 12 www.netacad.com
Packet Tracer – Threat Modeling at the Device Layer

Aire acondicionado actuador termostato

Puesta acceso y
garaje actuador MCU, wifi
Sensor de humedad sensor wifi, rociador
Rociador actuador sensor de humedad, wifi

Part 4: Identifying Potential Threats with the STRIDE Model

In this part, you will identify threats using the STRIDE methodology. Try to describe as many threats as
possible based on your experience in the course, the OWASP IoT vulnerabilities page, and other information
sources.
Use the STRIDE model to create a list of potential threats
Complete this table with threats for each category in the STRIDE threat model. Add potential threats that
could occur for each STRIDE category. Include the type of threat using the OWASP terminology where
possible.

Threat type Asset type Threats

(S)poofing – can an attacker Sensors No es posible en la generación del control de acceso

pretend to be someone he is ya que necesita ciertos parámetros de la persona
not, or falsify data? asignada, mientras que, si los equipos tienen
conexión a la red wifi, serán vulnerables a spoofing

Threat type Asset type Threats

Actuators Se considera que sí, ya que, por medio de la red, se

pueden vulnerar los datos ó falsificarlo para obtener
acceso al dispositivo actuador para usarlo para
perjudicar el funcionamiento del sistema.
(T)ampering – can an Sensors Es posible y se puede usar para descontrolar el
attacker successfully inject sistema ocasionando problemas financieros.
falsified data into the system?

Actuators Si es posible inyectar por medio de la red, siempre y

cuando haya acceso a esta.

(R)epudiation – can a user Sensors Se puede “suponer” siempre y cuando haya un

pretend that a transaction did registro de datos dónde se evidencia que en este
not happen? caso el sensor actuó de manera incorrecta, pero
debe tener datos completos, como hora y fecha
exacta, y el dato detectado por el sensor cuando
realizó la acción.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 6 of 12 www.netacad.com
Packet Tracer – Threat Modeling at the Device Layer

Actuators Se puede “suponer” siempre y cuando haya un

registro de datos dónde se evidencia que en este
caso el actuador realizó una acción incorrecta.

(I)nformation Disclosure – Sensors No, ya que en ningún sensor se pueden almacenar

can the device leak datos sensibles, a menos que éste se conecte a la
confidential data to red o tenga la IP del dispositivo.
unauthorized parties?

Actuators No, ya que dónde se encuentran datos

confidenciales es en el celular y Tablet, y aunque
pueden ser vulnerables éstos son controladores, a
menos que éste se conecte a la red o tenga la IP del
dispositivo.

(D)enial of Service – can the Sensors Por medio de la intervención se puede lograr
device be shut down or made denegación del servicio haciendo que los sensores
unavailable maliciously? se reinicien y duren un tiempo

Actuators Sí, ya que están conectados a una red inhalámbrica y

se puede vulnerar la seguridad de los dispositivos
actuadores .

(E)scalation of Privilege – Sensors

can users get access to No tienen ningún dato para obtener privilegios como
privileged resources meant administrador ya que éste no cuenta con un
only for admins or almacenamiento
superusers?
Actuators Sï, ya que es dónde se alamacenan todos los datos
que tengan informacion personal referente a los
habitantes de la casa.

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 7 of 12 www.netacad.com
Packet Tracer – Threat Modeling at the Device Layer

Appendix A: Floor Plans

Ground floor

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 8 of 12 www.netacad.com
Packet Tracer – Threat Modeling at the Device Layer

:
Ground Floor Legend:

Number Room

1 living room

2 dining room

3 TV room

4 closet

5 bathroom

6 kitchen

7 garage

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 9 of 12 www.netacad.com
Packet Tracer – Threat Modeling at the Device Layer

Upper Floor:

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 10 of 12 www.netacad.com
Packet Tracer – Threat Modeling at the Device Layer

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 11 of 12 www.netacad.com
Packet Tracer – Threat Modeling at the Device Layer

Upper Floor Legend:

Number Room

8 bedroom

9 bedroom

10 bedroom

11 closet

12 bathroom

 2018 - 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 12 of 12 www.netacad.com